TL;DR: GenAI now lets attackers generate convincing phishing and BEC messages at speed, while lookalike domains evade SPF, DKIM, and DMARC, according to Proofpoint. The control gap is no longer only message filtering, but source-domain protection, brand monitoring, and takedown discipline.
NHIMG editorial — based on content published by Proofpoint: AI-driven impersonation, lookalike domains, and the role of DMARC
By the numbers:
- Attackers attempt access within an average of 17 minutes when AWS credentials are exposed publicly, and as quickly as 9 minutes in some cases.
- 59% of infrastructure leaders cite "confidently wrong" AI configuration as their top fear, according to Teleport's 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: What breaks when organisations rely on DMARC alone against AI-driven phishing?
A: DMARC can block unauthorised use of your exact domain, but it does not stop attacker-owned lookalike domains or content that is convincingly written by AI.
Q: Why do lookalike domains remain effective even when email authentication is in place?
A: Lookalike domains work because SPF, DKIM, and DMARC validate legitimacy for the domain being used, not for visually similar domains that attackers register themselves.
Q: How do security teams know whether DMARC is actually reducing impersonation risk?
A: They should look for fewer unauthorised senders in DMARC reports, a shrinking list of unclassified mail sources, and faster detection of spoofed or adjacent domains.
Practitioner guidance
- Inventory every authorised sender Build and maintain a live inventory of all domains, subdomains, third-party senders, and bulk-mail services that can send on behalf of the organisation.
- Move DMARC from monitoring to enforcement Progress from p=none to quarantine or reject for domains that have been fully inventoried and validated.
- Monitor lookalike-domain registrations continuously Track newly registered domains that resemble your brand, executive names, or supplier names.
What's in the full article
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- How the vendor stages DMARC deployment across complex mail streams and third-party senders.
- Examples of lookalike-domain monitoring and takedown workflows used to remove malicious infrastructure.
- The hosted SPF, DKIM, DMARC, and BIMI service model the vendor describes for email authentication operations.
- Consulting-led discovery and sender prioritisation steps for organisations that are still at the monitoring stage.
👉 Read Proofpoint's analysis of AI-driven impersonation, lookalike domains, and DMARC →
AI-driven impersonation and lookalike domains: are your controls keeping up?
Explore further
AI-assisted impersonation is now a governance problem, not just an email filtering problem. The article shows that GenAI reduces the effort required to produce convincing phishing and BEC content, but the real security issue is the abuse of trusted identity signals. Email security tools can still miss a campaign that looks legitimate in language, timing, and domain presentation. Practitioners should treat sender identity, domain integrity, and brand abuse as an integrated control domain.
A question worth separating out:
Q: Who is accountable when brand impersonation leads to fraud or credential theft?
A: Accountability should sit across identity, security operations, fraud, and domain ownership, because the attack exploits all four. The domain team owns authentication and registration response, security owns detection and containment, and fraud teams own abuse pathways such as payment redirection. If no one owns lookalike-domain takedown, the organisation leaves the trust layer unmanaged.
👉 Read our full editorial: AI-driven impersonation is outpacing email authentication controls