Email Security Has Become an AI Arms Race

Attackers and defenders are both using AI. Learn why email security now depends on speed, context, and adaptive detection. (Sponsored by Abnormal AI)

During a live recording of CYBR.HAK.CAST at the inaugural CYBR.HAK.CON, hosts Michael Farnum and Phillip Wylie sat down with Scott DeLuke, Field Technical Director at Abnormal AI, to discuss the rapidly evolving state of email security. While the conversation covered everything from phishing-as-a-service to cloud email security, one theme surfaced repeatedly: email security has become an AI arms race.

Check out the full episode:

AI vs. AI with Scott Deluke
In this episode of CYBR.HAK.CAST, hosts Michael and Phil speak with Scott Deluke of Abnormal AI live from the inaugural CYBR.HAK.CON.!

Why the Email Gateway Is No Longer Enough

Speaking on CYBR.HAK.CAST from CYBR.HAK.CON, Scott DeLuke argued that modern attackers increasingly bypass traditional email defenses altogether, forcing organizations to rethink where email security actually happens.

For years, email security was a game of signatures, blocklists, and known bad indicators. Security teams identified malicious domains, suspicious attachments, and recognizable phishing templates. Attackers responded by changing tactics, and defenders adjusted accordingly.

That era is ending.

Today, security teams are confronting something fundamentally different: AI-powered attacks capable of generating thousands of unique phishing messages, leveraging trusted services, and adapting faster than traditional security controls can respond. The result is a new reality where email security increasingly resembles an AI-versus-AI conflict, with humans playing a supporting role rather than serving as the primary line of defense.

Attackers Are Operating at Machine Speed

The evolution of phishing has mirrored broader changes across cybersecurity. Just as endpoint security evolved from signature-based antivirus to behavioral detection and EDR, email security is undergoing a similar transformation.

The reason is simple: attackers no longer need to rely on malware attachments or obviously malicious infrastructure. Modern phishing campaigns frequently abuse legitimate cloud services, trusted domains, and sophisticated phishing-as-a-service platforms designed to evade traditional detection methods.

According to DeLuke, AI has dramatically accelerated this shift.

Where attackers once spent days crafting a handful of convincing phishing emails, they can now generate hundreds of thousands of highly personalized messages in a fraction of the time. Many campaigns are effectively zero-day attacks, meaning there are no existing signatures or indicators for traditional security tools to detect.

The volume alone presents a challenge. The sophistication makes it worse.

Modern phishing kits increasingly include anti-analysis capabilities, human verification checks, and infrastructure designed to frustrate investigators. Some can distinguish between human and automated interaction. Others hide behind trusted cloud services that make tracing activity back to the attackers significantly more difficult.

The result is an environment where attackers can innovate at unprecedented speed.

Why Human Defenders Can't Keep Up

Security operations centers were never designed to operate at the pace AI enables.

For years, analysts could manually investigate suspicious messages, review alerts, and identify patterns. That model becomes increasingly difficult when attackers can launch massive campaigns composed of messages that all look different from one another.

The challenge isn't simply volume. It's the disappearance of reliable patterns.

Traditional detection technologies were built around recognizing known threats. AI-generated attacks often lack those recognizable fingerprints. They arrive from legitimate domains, leverage trusted services, and mimic normal business communication with alarming accuracy.

During the CYBR.HAK.CAST discussion, DeLuke described a reality where human analysts can no longer sit in front of the problem and expect to keep pace. The economics no longer work. Attackers have automated their operations, and defenders must do the same.

That doesn't mean humans become irrelevant. It means their role changes.

The Future of Email Security Is Behavioral

The next phase of email security will be defined by behavioral analysis rather than signatures.

Instead of asking whether a message matches a known threat, security platforms increasingly ask whether a message behaves like normal communication. Does the sender typically communicate with this recipient? Is the request consistent with previous interactions? Does the behavior align with established patterns?

Those questions are difficult for humans to answer at scale. They are precisely the kind of problem machine learning excels at solving.
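The three questions above can be made concrete with a small baseline check. This is an added example, not code from the podcast or from Abnormal AI; it uses plain counting rather than a machine-learning model, and the addresses, names, record layout and reason labels are all constructed assumptions.

```python
from collections import defaultdict

# Constructed mail history for illustration:
# (sender_address, display_name, recipient, contains_payment_request)
HISTORY = [
    ("alice@vendor.example", "Alice Ng", "ap@corp.example", False),
    ("alice@vendor.example", "Alice Ng", "ap@corp.example", True),
    ("alice@vendor.example", "Alice Ng", "ap@corp.example", False),
    ("bob@corp.example", "Bob Ruiz", "ap@corp.example", False),
    ("bob@corp.example", "Bob Ruiz", "ap@corp.example", False),
]


def build_baseline(history):
    """Build a per-recipient profile of who writes to them and what they ask for."""
    baseline = defaultdict(lambda: {
        "msgs": defaultdict(int),      # sender address -> messages seen
        "names": defaultdict(set),     # display name -> addresses that used it
        "payments": defaultdict(int),  # sender address -> payment requests seen
    })
    for addr, name, rcpt, pays in history:
        profile = baseline[rcpt]
        profile["msgs"][addr] += 1
        profile["names"][name.lower()].add(addr)
        profile["payments"][addr] += int(pays)
    return baseline


def score_message(baseline, addr, name, rcpt, pays):
    """Return the list of ways a new message deviates from the recipient's baseline."""
    profile = baseline.get(rcpt)
    if profile is None:
        return ["no_baseline_for_recipient"]
    reasons = []
    if profile["msgs"].get(addr, 0) == 0:
        reasons.append("first_contact")
    known = profile["names"].get(name.lower(), set())
    if known and addr not in known:
        reasons.append("known_display_name_from_new_address")
    if pays and profile["payments"].get(addr, 0) == 0:
        reasons.append("unprecedented_payment_request")
    return reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Lookalike domain: nothing here would match a blocklist or signature.
    print(score_message(base, "alice@vendor-billing.example", "Alice Ng", "ap@corp.example", True))
```

The lookalike sender trips all three checks even though no indicator in the message is known-bad, while the established vendor address asking for payment trips none.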

The organizations that adapt most successfully will likely embrace a partnership between humans and technology. AI will handle the overwhelming volume of routine threat detection, while security professionals focus on incident response, strategic decision-making, and the edge cases that require human judgment.

That shift is already underway.
