TL;DR: Attackers are using ChatGPT to craft more convincing email attacks and are exploiting known generative AI vulnerabilities to scale malicious campaigns, according to Abnormal AI. The real issue is not the text generator itself but the way AI lowers the cost of persuasion while existing email and identity controls still assume familiar human-driven attack patterns.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams defend against AI-generated phishing emails?
A: Security teams should combine behaviour-based detection with stronger verification outside the inbox.
Q: Why do AI-generated email attacks increase identity risk?
A: AI-generated email attacks increase identity risk because they make malicious requests more convincing at the exact point where people decide whether to trust, approve, or act.
Practitioner guidance
- Tighten verification on identity-changing requests: require out-of-band confirmation for password resets, MFA changes, payment approvals, and vendor banking updates so a convincing email cannot trigger sensitive action on its own.
- Move detection beyond content filters: correlate message traits with sender history, device posture, mailbox behaviour, and downstream request patterns to spot AI-assisted attacks that look linguistically normal.
- Harden approval workflows: separate request receipt from request approval, especially for high-risk access and financial actions, and force a second control to validate context before execution.
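As an added illustration of the three points above (example code, not from Abnormal AI or this editorial), the Python sketch below routes a message on context rather than wording: a legacy telltale filter passes a fluent lure, while sender history, device posture, timing and the requested action still flag it, and any identity-changing request is held for out-of-band confirmation regardless of how the email reads. All field names, thresholds and the two sample messages are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Actions the guidance says must never execute on the strength of one email alone.
SENSITIVE_ACTIONS = {"password_reset", "mfa_change", "payment_approval", "vendor_bank_update"}


@dataclass
class Message:
    sender: str
    body: str
    requested_action: Optional[str]   # parsed intent, or None for ordinary mail
    prior_messages_from_sender: int   # mailbox history with this sender
    device_known: bool                # sending account/device posture looks familiar
    within_usual_hours: bool          # sent inside the sender's historical active window
    replied_to_thread: bool           # continues a thread the recipient started


def content_filter_flags(msg: Message) -> List[str]:
    """Legacy content filter: matches the clumsy wording older lures relied on."""
    telltales = ("dear customer", "kindly do the needful", "verify you account", "urgent!!!")
    low = msg.body.lower()
    return [t for t in telltales if t in low]


def behavioural_flags(msg: Message) -> List[str]:
    """Context signals that survive fluent wording: who, from where, when, asking what."""
    flags = []
    if msg.requested_action in SENSITIVE_ACTIONS:
        flags.append("identity-or-money-changing request")
    if msg.prior_messages_from_sender < 3:
        flags.append("thin sender history")
    if not msg.device_known:
        flags.append("unfamiliar device posture")
    if not msg.within_usual_hours:
        flags.append("outside sender's usual hours")
    if msg.requested_action and not msg.replied_to_thread:
        flags.append("unsolicited request, no prior thread")
    return flags


def route(msg: Message) -> Tuple[str, List[str]]:
    """Separate receipt from approval: the mail may be read, but the action needs a second control."""
    flags = behavioural_flags(msg)
    if msg.requested_action in SENSITIVE_ACTIONS:
        return "require_out_of_band_confirmation", flags
    if len(flags) >= 2:
        return "hold_for_review", flags
    return "deliver", flags


# Constructed samples: a fluent, grammatically clean lure and an ordinary internal reply.
FLUENT_LURE = Message("ap@acme-supplier-billing.example",
                      "Hi Dana, following our call, please update our remittance details to the "
                      "new account below before Friday's run. Thanks for your help as always.",
                      "vendor_bank_update", 1, False, False, False)
ROUTINE = Message("colleague@corp.example", "Re: Q3 slides, attached the final version.",
                  None, 120, True, True, True)
```

Running `route(FLUENT_LURE)` returns the out-of-band decision with five context flags even though `content_filter_flags(FLUENT_LURE)` finds nothing, which is the gap the guidance above describes.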
What to expect at the briefing
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- Live demo of how attackers can use ChatGPT to generate highly tailored email attacks that evade obvious telltales.
- Discussion of which vulnerabilities in generative AI models are being exploited in malicious campaigns.
- Examples of countermeasures security leaders are using against AI-generated email attacks.
- On-demand webinar format for teams that want the full presentation and supporting material.
👉 Watch Abnormal AI's webinar on ChatGPT-driven email attacks and AI risk →
ChatGPT email attacks: are your controls keeping up?
Explore further
AI-assisted phishing is not just better phishing. It is a trust-quality problem for identity programmes. Traditional anti-phishing controls were built to catch poor wording, broken grammar, and generic lures. Generative AI removes many of those signals, which means the defender is no longer judging obvious fraud but analysing whether a request fits the identity, role, and business context of the sender. The implication is that human identity governance must treat message credibility as a risk factor, not a guarantee of legitimacy.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to the same report.
A question worth separating out:
Q: How can teams tell whether their email controls are keeping up with generative AI?
A: Teams can tell by testing whether suspicious but well-written requests still reach human approval paths without challenge. If AI-generated lures can still trigger password resets, supplier changes, or payment approval with only a single click, the programme is behind the threat.
👉 Read our full editorial: ChatGPT-driven email attacks expose the AI-era phishing gap