Exclusive: Phishing enters automation era
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Sarah Grillo/Axios
Cybercriminals are increasingly automating not just phishing emails but entire attack workflows, helping fuel a nearly 15-fold increase this year in phishing attacks that bypass traditional identity verification tools.
Why it matters: The cybercriminal ecosystem is still making gains despite generally lacking the money and compute resources needed to access the most advanced AI systems.
Driving the news: Researchers at Huntress said Tuesday in a report shared first with Axios that they've observed a 1,380% increase in so-called device-code phishing attacks in the first four months of 2026 compared to the second half of 2025.
- The report links much of that activity to phishing-as-a-service platforms that package identity-theft infrastructure, phishing kits and AI-powered workflows into subscription offerings for other criminals.
- Across hundreds of incidents, no two phishing lures were identical, according to the report — suggesting threat actors used generative AI to personalize messages at scale.
Threat level: Previously, cybercriminals primarily used AI to make phishing messages more convincing or tailor them to specific victims.
- This is some of the first evidence that prominent cybercriminal groups are combining generative AI with automated workflows to industrialize phishing operations, according to Huntress.
What they're saying: "When you're automating this much of the operation, you don't have to be a systems engineer ... you don't have to figure out how to do data normalization," Huntress CEO Kyle Hanslovan told Axios.
- "You just don't have to know this, and as a result, it democratizes access to anybody."
How it works: Device-code phishing abuses a legitimate Microsoft authentication process designed for devices that cannot easily accept passwords.
- Victims are directed to a real Microsoft login page and asked to enter a device code generated by the attacker. Once the victim completes the login and multi-factor authentication process, the attacker receives the resulting access token.
The intrigue: The tools needed to intercept authentication tokens and manage the resulting access are now available through subscription-based phishing kits sold to cybercriminals.
- Such toolkits make it possible for attackers with "little to no technical skill" to launch sophisticated phishing campaigns, according to the report.
What to watch: Hanslovan argues that the combination of AI-generated content, automated workflows and subscription-based attack platforms is lowering barriers to entry for cybercriminals while accelerating the pace of attacks.
- "Their operations are getting so good," Hanslovan said. "I would actually choose to invest in organized cyber crime over most businesses."
