83% of Phishing Emails Now AI-Generated: Kaseya 2026 Report
New Kaseya report reveals 83% of phishing emails contain AI-generated content. Traditional red flags disappear as attacks become precision instruments. Learn what's changed.
Eight in ten phishing emails now carry AI-generated content, according to the 2026 Kaseya INKY Email Security Report, which puts the figure at 83% and describes phishing as having shifted from a high-volume nuisance into a precision instrument of fraud. The report, released by Kaseya on March 17, 2026, is based on analysis of more than 4.5 billion emails processed through its INKY platform during 2025 and marks one of the most detailed looks yet at how generative AI has redefined the threat landscape for businesses of every size.
For email marketers and business owners who rely on inbox placement and sender reputation, this is not a distant security problem. When attackers impersonate the same brands and platforms you use to reach customers, and do it convincingly enough to fool recipients, the collateral damage lands squarely on your deliverability, your domain trust, and your audience's willingness to engage.
The Numbers Behind the Shift
Kaseya points to industry research showing that 83% of phishing emails now use AI content in some form, with 40% of business email compromise (BEC) attacks involving generative AI. Perhaps more telling: AI-generated phishing emails carry a 54% click rate, compared to just 12% for standard malicious messages.
The report also highlights that while ransomware losses fell 79%, the financial cost of phishing climbed 275%, from $18.7 billion to $70 billion annually, with phishing now accounting for 26% of all cybercrime complaints filed with the FBI.
Of the 4.5 billion emails INKY processed in 2025, 281 unique brands were impersonated, with AI-generated layouts allowing attackers to more closely replicate the visual language of top financial institutions and retail brands.
This scale matters to anyone managing an email program. If your brand is among those being impersonated, your subscribers may be receiving convincing fakes that erode the trust you've spent years building.
Why Traditional Red Flags No Longer Work
Dave Baggett, SVP of Security Suite at Kaseya, put it plainly: "In the past year, AI-generated phishing became the baseline. Attackers can now produce highly convincing messages at scale, which means the traditional signals security tools relied on for years, bad grammar, suspicious domains, obvious links, are disappearing. Defenders now have to evaluate intent and context, not just indicators."
Large language models have reduced the time needed to craft a convincing phishing campaign from 16 hours to roughly five minutes. IBM X-Force research puts the efficiency gain even more starkly, finding that AI can generate highly convincing phishing emails in five minutes compared to the sixteen hours typically required by experienced human operators, a 192x improvement.
The practical result: the old "just look for typos" advice is obsolete. Attackers increasingly rely on trusted platforms and infrastructure, making traditional detection signals less reliable.
Trusted Infrastructure Is Now the Attack Surface
One of the sharpest findings in the Kaseya report is where attacks now originate. The top five legitimate platforms used to send phishing emails include DocuSign, PayPal, Microsoft, Google Drive, and Salesforce. Attackers are no longer registering obviously suspicious domains. They are routing malicious messages through the same SaaS infrastructure businesses use every day.
The report also found that no-payload phishing is increasingly common, with brand impersonation emails omitting malicious links and attachments entirely. In their place, attackers use phone numbers, trick recipients into replying, or include QR codes. "These techniques reduce detectable indicators while increasing reliance on user decision-making," the report noted.
QR code phishing, known as quishing, increased 400% between 2023 and 2025 according to Abnormal Security.
For marketers, this creates a direct operational problem. If your transactional emails, invoices, or onboarding flows come from DocuSign or Google Drive, recipients are being conditioned to distrust the very tools you depend on.
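A triage sketch for the no-payload pattern described above, added here as an example and not taken from the Kaseya report or the INKY product. The function name, the regular expressions and the sample message are assumptions made for illustration; the signals mark a message for human review and are not a verdict.

```python
# Added example. The message below is constructed; the signals are illustrative.
import re
from email import message_from_string, policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://|www\.", re.I)
PHONE_RE = re.compile(r"(?:\+?\d[\s().-]{0,2}){9,14}\d")
REPLY_RE = re.compile(r"\b(reply|respond|call|contact)\b.{0,40}"
                      r"\b(now|today|immediately|urgent\w*|within)\b", re.I | re.S)

def domain_of(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def no_payload_signals(raw_message):
    """Return review signals for a message with no link and no file payload."""
    msg = message_from_string(raw_message, policy=policy.default)
    text, images, files = "", 0, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        kind = part.get_content_maintype()
        if kind == "text":
            text += part.get_content()
        elif kind == "image":
            images += 1
        else:
            files += 1
    if URL_RE.search(text) or files:
        return []  # has a link or file: URL and attachment scanning apply instead
    signals = []
    if PHONE_RE.search(text):
        signals.append("callback phone number")
    if REPLY_RE.search(text):
        signals.append("urgent reply or call request")
    if images:
        signals.append("image part that may hold a QR code")
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != domain_of(msg["From"]):
        signals.append("Reply-To domain differs from From domain")
    return signals

SAMPLE_MESSAGE = """From: "Billing" <billing@shop.example>
Reply-To: refunds@mailbox.example
Subject: Your order has been charged

Your card was charged $489.99. To dispute, call us today at +1 (555) 010-0199.
"""
if __name__ == "__main__":
    print(no_payload_signals(SAMPLE_MESSAGE))
```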
The AI Arms Race in Email Defense
The Kaseya report notes that AI is not only helping attackers. Kaseya's INKY platform expanded its GenAI-driven detection models, intent-based labeling, multi-label classification, and computer vision-based contextual understanding throughout 2025 to address these threats.
The report predicts that "the next phase of email security will not be defined by filtering alone, but by AI systems capable of analyzing messages holistically and adapting continuously as tactics evolve."
That prediction has direct implications for email program managers. Authentication protocols like DMARC, DKIM, and SPF remain essential, but they address domain-level spoofing rather than the content-level sophistication now in play. Static filters such as blocklists and simple pattern matching are less effective; defenders need behavior-based detection focused on login anomalies and unusual requests.
What This Means for Your Email Program
The overlap between email marketing and email security is no longer theoretical. When phishing attacks impersonate your brand, your domain reputation suffers. When recipients are tricked through platforms you also use, their email clients become more aggressive with filtering. When BEC attacks target your team, internal communication breaks down.
These threats disproportionately target small and mid-sized businesses, with 82% of ransomware attacks targeting organizations in that segment. Growth teams and marketing departments at SMBs often carry email responsibilities without dedicated security support, which makes awareness the first line of defense.
The practical starting point is the same for security and deliverability alike: lock down your sending domains with DMARC enforcement, audit which SaaS platforms send email on your behalf, and treat any unusual reply requests or QR codes in email as high-risk, regardless of how polished the message looks.
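One way to check the first two steps, as an added example that is not from the Kaseya report: it reads a domain's DMARC and SPF TXT records and reports where enforcement is missing and which SPF-authorised senders are not in your reviewed inventory. The records, the vendor hostnames and the approved-sender set are constructed; in practice the two strings come from TXT lookups on `_dmarc.<your domain>` and `<your domain>`.

```python
# Added example. All domains and TXT records here are constructed sample data.

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def dmarc_findings(record):
    """Return the reasons a DMARC record falls short of full enforcement."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record"]
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s does not enforce: failing mail is still delivered"
                        % (policy or "missing"))
    elif tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unenforced")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s applies the policy to only part of the mail" % pct)
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports on who sends as you")
    return findings

def spf_includes(record):
    """Return (included sender domains, qualifier of the 'all' term or None)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return [], None
    includes, all_qualifier = [], None
    for term in terms[1:]:
        if term.lstrip("+").startswith("include:"):
            includes.append(term.split(":", 1)[1])
        elif term.lstrip("+-~?") == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return includes, all_qualifier

def audit(dmarc_record, spf_record, approved_senders):
    """Combine both checks; approved_senders is your reviewed SaaS inventory."""
    includes, all_qualifier = spf_includes(spf_record)
    findings = dmarc_findings(dmarc_record)
    findings += ["unreviewed SPF sender: " + d for d in includes
                 if d not in approved_senders]
    if all_qualifier not in ("-", "~"):
        findings.append("SPF lacks -all/~all: mail from unlisted hosts does not fail SPF")
    return findings

SAMPLE_DMARC = "v=DMARC1; p=none; pct=50"
SAMPLE_SPF = "v=spf1 include:spf.esign-vendor.example include:spf.crm-vendor.example ?all"
```

Calling `audit(SAMPLE_DMARC, SAMPLE_SPF, {"spf.crm-vendor.example"})` returns the findings list for the sample records.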