Attackers Are Using AI to Automate Social Engineering

Threat actors continue to use AI tools to automate their attack flows and increase efficiency, according to researchers at ReliaQuest.

“In the incidents we reviewed, AI appeared in two main roles,” the researchers write. “First, it was embedded in the attack workflow: clues pointed to attackers using it to generate phishing pages, build web shells and credential harvesters, pad code to frustrate static analysis, and improve the fluency of social-engineering content. Second, AI was the lure itself. Attackers used demand for AI tools and trust in AI brands to get users to install malicious extensions, run commands, or follow fake setup steps that looked routine enough to pass initial scrutiny. We saw that pattern cut across sectors and actor type, from ‘ShinyHunters’-linked social engineering and ‘ClickFix’-driven malware delivery to DPRK IT-worker fraud. The goal varied—extortion, access, fraud, or espionage support—but AI consistently enabled these operators to achieve more, faster, with less effort.”

In one campaign observed by ReliaQuest, attackers used AI to create thousands of phishing pages, removing the need for tedious manual effort.

“One of the clearest examples of AI as a multiplier appeared in a recent sector-wide phishing campaign,” the researchers write. “Threat actors generated thousands of phishing pages impersonating well-known booking platforms and individual businesses. In the HTML, we identified several clues consistent with an AI-assisted workflow that likely contributed to both the infrastructure behind the campaign and the user-facing content. While none of these clues are definitive on their own, together, they point to a process built for speed, reuse, and believable presentation.”

While AI speeds up attacks and allows threat actors to easily scale their operations, most of the attacks still rely on traditional techniques such as social engineering.

“AI hasn’t yet fundamentally changed cyber intrusion tradecraft,” the researchers write. “For most threat actors, it’s cheaper and more practical to plug AI into proven attack chains than to build bespoke AI-first capabilities. The dark-web discussions in this report reflect that reality. Actors are treating AI as operational infrastructure, in other words, something to buy, tune, and slot into existing workflows, but they’re also looking to balance efficacy with reliability and cost.”

KnowBe4 enables your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 Platform to strengthen their security culture and reduce workforce risk.

ReliaQuest has the story: https://reliaquest.com/campaigns/how-threat-actors-use-ai/executive-summary

Scroll to Top