Rules-based defences depend on stable malicious patterns, but AI can continuously vary wording, sender style, and delivery shape. That makes the lure harder to signature-match even when the underlying attack is the same. Organisations need controls that judge behaviour and identity confidence, not just message similarity.
Why This Matters for Security Teams
Rules-based phishing defences are built to spot repeated patterns, but modern campaigns are designed to avoid repetition. Attackers now vary tone, sender structure, domain usage, and delivery timing so the same lure no longer looks the same twice. That is why a static blocklist or message signature can miss what a behaviour-aware control would catch. NIST Cybersecurity Framework 2.0 emphasises continuous risk management, which fits this problem better than one-time pattern matching.
This is not just a mail-filtering issue. Phishing often aims to steal credentials, session tokens, or OAuth consent, which means the first successful click can become a broader identity compromise. NHIMG research on CoPhish OAuth Token Theft via Copilot Studio shows how attackers are already adapting their social engineering to modern cloud workflows rather than relying on obvious bulk spam. In practice, many security teams encounter the failure of rules-based defences only after a novel lure has already been used to obtain trusted access, rather than through intentional detection testing.
How It Works in Practice
Effective phishing defence now depends on layered controls that evaluate identity confidence, message context, and user intent at the moment of interaction. Signature checks still have value, but they should be treated as one signal among many. Current guidance suggests combining mail hygiene with conditional access, phishing-resistant MFA, and runtime risk scoring so a suspicious message does not become an immediate breach path.
In practice, organisations should use controls that look beyond text similarity. That means assessing sender reputation, domain age, message origin, authentication results such as SPF, DKIM, and DMARC, and whether the request matches normal business flow. NIST CSF 2.0 provides the governance frame for this kind of continuous evaluation, while identity programmes should treat the authentication event as the real decision point, not the email itself. Where available, security teams also correlate mailbox activity with endpoint telemetry and cloud identity logs so a message that reaches the inbox is not automatically trusted.
One useful operational pattern is to make high-risk actions harder than low-risk ones:
- Require step-up verification for wire changes, inbox delegation, token grants, and password resets.
- Use short-lived sessions and phishing-resistant authenticators for privileged users.
- Quarantine suspicious links or attachments until they are detonated or scored.
- Monitor for lookalike domains, brand impersonation, and consent-grant abuse across cloud apps.
NHIMG’s State of Secrets in AppSec research is a useful reminder that once attackers get past a lure, the downstream damage often comes from compromised secrets and over-trusted access. That matters because modern phishing rarely ends at the inbox. These controls tend to break down in environments with legacy mail gateways, weak identity telemetry, and broad admin consent, because the security stack cannot reliably distinguish a real request from a convincing imitation.
Common Variations and Edge Cases
Tighter phishing controls often increase user friction and support overhead, requiring organisations to balance prevention against business speed. That tradeoff is especially sharp in sales, finance, and executive workflows where external communication is constant and message novelty is normal.
There is no universal standard for this yet, but current guidance suggests avoiding over-reliance on any single detection method. AI-generated phishing often defeats keyword rules because the payload changes faster than policy updates. However, highly targeted spear phishing can also bypass broad anomaly detection by staying within normal-looking business language. In those cases, behaviour-based controls work best when they are combined with identity assurance and transaction verification.
Edge cases include internal phishing from compromised accounts, callback fraud that moves the attack off email, and QR-based lures that sidestep URL scanning. Organisations should also be careful with legitimate automation, because marketing systems and service accounts can look suspicious if they are not properly authenticated and segmented. The DeepSeek breach reporting is a reminder that large-scale data exposure can feed later social engineering, not just direct credential theft. Best practice is evolving toward layered verification, not a single “phishing-proof” rule set.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is key when phishing patterns change faster than signatures. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Compromised credentials and tokens are a common phishing outcome. |
| OWASP Agentic AI Top 10 | A1 | Agentic and AI-driven phishing changes content dynamically to evade static controls. |
| NIST AI RMF | GOVERN | Risk governance is needed for adaptive AI-generated phishing threats. |
| CSA MAESTRO | T1 | Workload and identity trust must account for automated, adaptive attack paths. |
Correlate mail, identity, and endpoint telemetry to spot phishing beyond static indicators.
Related resources from NHI Mgmt Group
- Why do rules-based email controls fail against modern phishing and vendor impersonation?
- Why do one-time passcodes still fail against modern phishing campaigns?
- Why do indicator-based detections fail against modern identity attacks?
- Why do rule-based fraud controls fail against modern identity abuse?