There was a time when phishing emails were laughably easy to spot.
Misspelled words, broken grammar, the classic “Nigerian prince” asking for a wire transfer. It was clumsy social engineering, and yet, surprisingly effective.
Fast-forward to 2025, and phishing has become the most successful cyberattack vector worldwide. Not because it’s sophisticated in the traditional sense, but because it has learned to evolve. What once relied on bad English and luck now relies on data, automation, and AI-driven precision.
1. Phishing as an ecosystem, not a single attack
Phishing doesn’t start with an email. It starts with information.
Attackers build campaigns in stages, treating every interaction as a supply chain:
- Collection → gather raw data
- Enrichment → organize, correlate, and prioritize
- Weaponization → build lures and payloads
- Delivery → choose the best channel and timing
- Adaptation → refine based on results
Understanding this pipeline is key: every phishing campaign is not a single shot, but an iterative process. And at each stage, tools and techniques have matured.
2. From OSINT to targeted intelligence
The first stage is collection. Here, attackers don’t need “hacking tools”; they use the same resources journalists, recruiters, and analysts rely on:
- LinkedIn & social media: employee names, job roles, language patterns
- company websites & press releases: tech stacks, new contracts, office moves
- data breach dumps: old credentials, password patterns
- metadata: EXIF data from photos, document properties, even GitHub commits
This is OSINT (Open Source Intelligence), and it’s cheap, scalable, and frighteningly effective.
3. Enrichment: connecting the dots, or just *do the PacMan* 😉
Data in itself is noise. Attackers need to enrich it, and this is where dedicated tools come in:
- Recon-ng, Maltego → for mapping relationships, organizational charts, email addresses
- Hunter.io, theHarvester → for confirming corporate email formats
- Shodan, Censys → for exposed services or forgotten servers
Enrichment turns fragments (“Anna works in finance”) into a targetable persona (“Anna approves invoices, reachable at [email protected], based in Zurich, works 9–5 CET”).
At this point, the attacker is no longer sending random spam. They are designing a custom lure.
4. Weaponization: the lure factory
With a profile built, attackers move to weaponization:
- lookalike domains: register compаny.com with a Cyrillic “а”
- cloned portals: Evilginx2 and similar tools for fake login pages
- phishing kits: pre-packaged HTML + scripts, available for a few dollars on dark markets
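From the defender's side, the lookalike-domain trick in the list above is detectable. The following added example (not part of the original article) flags mixed-script labels and domains that fold to a protected name; the PROTECTED list and the small confusables table are assumptions made for illustration.

```python
import unicodedata

# Small constructed subset of Cyrillic-to-Latin lookalikes; a production check
# would load the full Unicode confusables data (UTS #39) instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
               "\u0455": "s"}

# Hypothetical list of domains the organisation wants to protect.
PROTECTED = {"company.com"}


def scripts(label):
    """Return the scripts (first word of the Unicode name) used by the letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain):
    """Fold known lookalike characters to their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def check_domain(domain):
    """Classify a domain seen in a mail header, URL or registration feed."""
    domain = domain.lower().rstrip(".")
    findings = []
    for label in domain.split("."):
        used = scripts(label)
        if len(used) > 1:
            findings.append(f"mixed-script label {label!r}: {sorted(used)}")
    folded = skeleton(domain)
    if folded in PROTECTED and domain not in PROTECTED:
        findings.append(f"lookalike of protected domain {folded}")
    try:
        ascii_form = domain.encode("idna").decode("ascii")  # xn-- form seen in DNS logs
    except UnicodeError:
        ascii_form = None
        findings.append("not a valid IDNA name")
    return {"domain": domain, "ascii": ascii_form,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed samples: the second uses a Cyrillic "а" (U+0430), as in the text.
    for sample in ["company.com", "comp\u0430ny.com", "example.org"]:
        print(check_domain(sample))
```

The `ascii` field is the form that appears in DNS and proxy logs, so it is the value to match on when searching telemetry for a flagged domain.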
This is also where the psychological dimension matters:
- Authority (“CEO request”)
- Scarcity (“last day to update credentials”)
- Urgency (“payment overdue”)
- Curiosity (“invoice attached.pdf”)
What once required creative copywriting can now be outsourced, to AI.
5. Enter AI: the prompting revolution
This is the real leap. Attackers no longer need to write emails themselves. With LLMs (Large Language Models), they can generate:
- flawless, native-level phishing emails, tuned to match corporate tone
- localized campaigns, switching languages instantly
- adaptive scenarios, where follow-up emails respond naturally to victims’ replies
Prompting is the key here. With the right prompt, attackers can generate:
- imitation styles (“Write an urgent but polite request in the tone of a CFO”)
- brand impersonation (“Generate an email in Microsoft’s security notification style”)
- conversational bait (“Pretend to be IT support escalating a ticket”)
Combine this with image generation (perfect logos, watermarks) and voice cloning, and phishing evolves into multi-modal deception.
6. Delivery: beyond email
Phishing no longer lives in inboxes alone. Attackers adapt delivery to bypass defenses:
- thread hijacking: replying to legitimate email chains
- SMS (“Smishing”): fake delivery notices or MFA codes
- messaging apps: WhatsApp, Signal, LinkedIn InMail
- hybrid scams: email + phone callback (“vishing”) + malicious portal
AI even assists with timing: sending during business hours, or aligning with cultural holidays to boost credibility.
7. Adaptation: learning from failure
Here’s where phishing feels alive. Every failed attempt is data.
Attackers monitor open rates, click rates, bounce backs.
They refine prompts. They test new homoglyphs. They adjust subject lines.
It’s marketing A/B testing... weaponized!
8. Psychological patterns: the human factor
Technology enables the campaigns, but psychology closes the deal.
Phishing relies on exploiting predictable human patterns:
- speed over accuracy (we skim emails in seconds)
- trust in authority (if “the boss” asks, we act)
- fear of missing out (deadlines, invoices, offers)
- desire to help (a colleague in trouble)
AI makes this worse, because prompts can explicitly instruct: “Write in a way that triggers urgency and trust.”
9. What this means for defense
Firewalls and filters are necessary, but insufficient.
They don’t train instincts. They don’t break psychological patterns.
The only true countermeasure is resilience built through exposure:
- simulations → realistic, AI-enhanced phishing attempts, safe but effective
- continuous training → not annual workshops, but iterative learning
- cultural shift → from compliance to vigilance
10. Looking forward: the neverending story
Phishing has always been a story of adaptation. From spammy princes to AI-crafted deception, the arc is clear: more data, more automation, more personalization.
Defenders must adapt at the same pace. That means:
- Leveraging AI to anticipate attacks.
- Training people with realistic simulations.
- Embedding awareness as part of corporate DNA.
Because the real battleground is not the inbox. It’s the human mind.
Phishing is (and will remain) a neverending story.
✍️ This article is part of our Packet Hunters series. At Baited, we replicate phishing’s evolution – from OSINT to AI prompting – to train people before criminals exploit them. Stay tuned for The Catch #1 — Phishing Edition, our September wrap-up packed with stories, data, and insights.
