Using Machine Learning To Customize Phishing Emails

I was recently asked about artificial intelligence (AI) and machine learning (ML) as it relates to cyber threats. One of the key areas of discussion involved the ability of ML to customize phishing emails. Keep reading for phishing email examples using machine learning and AI. 

To understand the latest phishing email developments, it is important to start with the difference between AI and ML. ML is a subset of AI that describes a specific style of artificial learning. In general, AI refers to making a computer mimic human behavior including the ability to reason. ML describes one learning technique in which the computer is able to learn without explicit programming to do so. Typically, this is done by giving the computer a large number (millions or more) of initial data points so it can build a statistical model of “the answer.” 

An example of ML would be teaching a computer to recognize a photo of a specific person by first giving it thousands of photos of said person and allowing it to build a statistical model of what that person looks like. This is essentially how facial recognition works. 

Given the above, it is entirely conceivable to use ML to teach a computer how to write a phishing email. You would first feed thousands or even millions of emails for the computer to learn from, and then it would have the ability to generate similar-looking emails with customized names, titles, offers, etc. This would allow attackers to automate better phishing emails and target more organizations specifically in shorter time periods.

Although we use phishing emails as an example, I also anticipate attackers using ML techniques more and more to avoid detection in their target environments. We already make heavy use of ML to detect malicious activities, so it is not unrealistic to think attackers are building similar capabilities. Imagine if attackers could build tools that would predict defensive tools and change their behaviors as a result! Detection of malicious activities would become even more complex. 

Nevertheless, this doesn’t change the enterprise security model. We already know attackers will continue to develop better and more sophisticated techniques, but they will always grab the lowest-hanging fruit first. Most organizations need to focus their enterprise security efforts on the basics before deploying any sort of advanced toolsets. One of the major downfalls of security plans we see time and time again is the thought that an expensive, advanced tool is a security silver bullet. While these tools can be incredibly useful and powerful, they are only enablers. They enable better security postures, but they do not provide security on their own. The technology is only as good as the teams using and monitoring it. This is where it is important to have human defenders investigating your environment. If you do not have the resources in-house, a managed detection and response provider can be an extension of your security operations team or act as your security operations team.  

Additionally, most organizations need to focus on security culture including employee cybersecurity awareness training, security of critical assets like domain controllers, incident response plans, and compliance configurations before thinking about advanced toolsets and machine learning. 

Learn more about domain controller attacks and the best way to prevent them in our whitepaper The Domain Controller…An Achilles Heel.