By Lyrie Threat Intelligence·5/1/2026

The AI Phishing Inflection: 86% of Campaigns Are Now Machine-Crafted

TL;DR

KnowBe4's Q2 2026 Phishing Threat Trends Report reveals that 86% of phishing campaigns now leverage AI — up from 80% in 2024. AI-crafted lures are 4.5× more effective than human-written ones, and attackers are automating reconnaissance and multi-vector delivery (email → calendar invite → Teams message) at machine speed. The $20.87B US cybercrime loss figure proves this isn't academic.

What Happened

On April 30, 2026, KnowBe4 released the seventh edition of its Phishing Threat Trends Report, analyzing six months of threat data across millions of phishing campaigns. The headline finding: 86% now employ AI in some form, a steady two-year climb from 80% (2024) to 84% (2025) to 86% (2026).

The researchers flagged this as more than a novelty adoption curve — it's a fundamental shift in the attack economics. AI is no longer just writing better emails; it's orchestrating end-to-end phishing workflows, from initial reconnaissance to credential harvesting across multiple channels.

Key statistics:

  • 49% increase in phishing via calendar invites (Outlook/Teams calendar poisoning)
  • 41% increase in malicious Microsoft Teams messages impersonating IT support
  • 4.5× higher click-through rate for AI-crafted vs. human-written lures (per Microsoft data)
  • $893 million of the $20.87B total US cybercrime losses last year attributed to AI-related fraud alone

Technical Details

The Multi-Vector Cascade

Modern AI-driven phishing no longer stops at email. The attack chain now works like this:

1. Automated reconnaissance: AI scrapes OSINT sources, LinkedIn, public databases, and compromised data brokers to build profiles (job titles, email patterns, recent company news, personal details).

2. Polymorphic lure generation: AI generates uniquely-personalized emails using these profiles, creating grammatically perfect, contextually relevant messages that evade both human and ML-based filters. Unlike templated campaigns, each recipient gets a custom-crafted lure.

3. Sequential multi-channel delivery: The initial email is often a soft engagement (suspicious link, innocent-looking attachment). If the target doesn't bite, the attacker's infrastructure pivots: Calendar invite → Teams direct message from someone impersonating IT → follow-up email with DocuSign link → phone call. The AI learns which vector works best for which target and escalates.

4. Credential harvesting at scale: Each vector can capture credentials, steal session tokens, or drop remote access implants. Attackers use the first success to branch into lateral movement.

Why AI Changed the Math

Human-written phishing requires:

  • Manual reconnaissance (slow, error-prone)
  • Template reuse (easily caught by filters and human security awareness)
  • Trial-and-error delivery (attacks fail at high rates)

AI-driven phishing requires:

  • Seconds to profile 10,000 targets
  • Unique variants for each recipient (filters can't scale)
  • Automated channel selection and retry logic (succeeds faster)

The result: Attackers no longer need high click-through rates on email. They can afford to lose 99.5% of emails if the remaining 0.5% converts at 4.5× the historical rate.

Lyrie Assessment: The Perimeter Collapsed

Here's what CISOs and security engineers need to hear: Your awareness training is now racing a machine.

KnowBe4's data proves this isn't about making employees smarter. It's about making phishing so frictionless that human decision-making becomes irrelevant:

  • A perfectly personalized Teams message from "IT Support" asking for an MFA reset is no longer user error — it's a structural vulnerability in how identity-first companies have built their access model.
  • Calendar poisoning (malicious meeting invites that execute code upon opening) exploits trust in your calendar system, not email judgment.
  • The 49% increase in calendar-based attacks specifically targets the assumption that your calendar is less dangerous than your inbox.

For Lyrie's audience (CISOs, threat researchers, autonomous defense builders), the 86% figure should trigger three conclusions:

1. Email filters are obsolete against ML-native attacks. Blocking phishing emails was always defense-through-obscurity. When 86% of the incoming lures are machine-optimized, content-based filtering becomes a speed bump, not a wall.

2. Identity validation now requires cryptographic binding, not training. Your employee will be tricked by a perfect Teams message. The defense isn't "make them better at spotting fakes" — it's "make impersonation cryptographically impossible." This means FIDO2, hardware keys, certificate-based Entra ID, or similar.

3. Multi-channel orchestration is the new baseline. Attackers aren't choosing between email and Teams — they're chaining them. Your detection logic needs to correlate suspicious calendar invites → Teams messages → email follow-ups across systems, not hunt them individually in silos.
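Why origin-bound credentials hold up against a convincing lure, shown as the binding checks a relying party runs on a WebAuthn assertion. This is an added example, not code from KnowBe4 or Lyrie; the domain names, challenge and assertion bytes are constructed, and signature verification is left out.

```python
import base64, hashlib, json

RP_ID = "login.example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed allowed origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json: bytes, auth_data: bytes, issued_challenge: bytes):
    """Checks that tie an assertion to this site and this login attempt.
    Returns a list of failures; an empty list means the binding checks passed.
    Verifying the signature over auth_data + SHA-256(client_data_json) is a
    separate, mandatory step that is not shown here."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("wrong ceremony type")
    if client.get("challenge") != b64url(issued_challenge):
        failures.append("challenge mismatch")
    if client.get("origin") not in ALLOWED_ORIGINS:
        failures.append("origin mismatch: " + str(client.get("origin")))
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flag byte + 4-byte counter
        return failures + ["authenticator data too short"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash mismatch")
    if not auth_data[32] & 0x01:  # bit 0 = user presence
        failures.append("user presence flag not set")
    return failures

def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample data shaped like what a browser and authenticator emit."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin, "crossOrigin": False}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (7).to_bytes(4, "big")
    return client, auth

CHALLENGE = bytes(range(32))  # constructed; a real server issues a fresh random value
GENUINE = make_assertion("https://login.example.com", RP_ID, CHALLENGE)
# The browser records the origin it is actually on, so a look-alike site
# (hypothetical name under the reserved .example TLD) produces this instead:
LOOKALIKE = make_assertion("https://login.example.com.lookalike.example",
                           "login.example.com.lookalike.example", CHALLENGE)

if __name__ == "__main__":
    print(check_binding(*GENUINE, CHALLENGE))
    print(check_binding(*LOOKALIKE, CHALLENGE))
```

The user's judgment never enters these checks: the origin and RP ID hash come from the browser and authenticator, which is what separates this from SMS or TOTP codes that a user can be talked into relaying.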

Recommended Actions

Immediate (This Week)

  • Disable calendar sharing across external domains or require approval workflows for external meeting invites.
  • Audit Teams permissions: Ensure external federated users can't send direct messages unless explicitly allowed. Require DLP (Data Loss Prevention) scanning on Teams links.
  • Review MFA enrollment: Ensure all identity-based access (especially SSO) requires hardware keys or FIDO2, not SMS or TOTP.

Short-term (This Month)

  • Deploy behavioral anomaly detection on email-to-Teams-to-VPN chains. If a user receives a suspicious email, then a Teams message, then an RDP/VPN login within minutes, flag it as a correlated attack chain.
  • Implement conditional access that tightens MFA requirements when logins follow phishing-like signals (new device, unusual time, geographic anomaly).
  • Test multi-vector response: Run a red team exercise that chains email → calendar → Teams across your org to see where detection breaks.

Long-term (Q2–Q3 2026)

  • Migrate to passwordless identity (hardware keys, Windows Hello, biometric + hardware). This is the only way to break the phishing-to-credential-harvest pipeline.
  • Deploy autonomous response: Use SOAR or AI-driven playbooks to auto-disable suspicious accounts, revoke MFA, and alert security before the attacker's second vector lands.
  • Build cross-system threat correlation: Integrate email, Teams, calendar, VPN, and SSO logs into a single detection engine that understands multi-channel attack chains.
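A sketch of the correlation rule from the short-term list and the cross-system engine described above, generalized to "suspicious lures on two or more channels, then a remote-access login, for the same user inside one window". This is an added example, not code from KnowBe4 or Lyrie; the event schema, the `suspicious` flag, the 15-minute window and the sample events are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, already normalized from separate log sources.
# Field names and the "suspicious" flag are assumptions for this example.
EVENTS = [
    {"ts": "2026-05-01T09:00:05", "user": "alice", "channel": "email", "suspicious": True},
    {"ts": "2026-05-01T09:03:40", "user": "alice", "channel": "calendar", "suspicious": True},
    {"ts": "2026-05-01T09:06:10", "user": "alice", "channel": "teams", "suspicious": True},
    {"ts": "2026-05-01T09:11:30", "user": "alice", "channel": "vpn_login", "suspicious": False},
    {"ts": "2026-05-01T09:02:00", "user": "bob", "channel": "email", "suspicious": True},
    {"ts": "2026-05-01T13:45:00", "user": "bob", "channel": "vpn_login", "suspicious": False},
    {"ts": "2026-05-01T10:00:00", "user": "carol", "channel": "teams", "suspicious": True},
    {"ts": "2026-05-01T10:04:00", "user": "carol", "channel": "vpn_login", "suspicious": False},
]

LURE_CHANNELS = {"email", "calendar", "teams"}
ACCESS_CHANNELS = {"vpn_login", "rdp_login"}

def correlate(events, window=timedelta(minutes=15), min_lure_channels=2):
    """Return one alert per login that was preceded, inside the window, by
    suspicious lures on at least `min_lure_channels` distinct channels."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        parsed = {**e, "ts": datetime.fromisoformat(e["ts"])}
        by_user.setdefault(e["user"], []).append(parsed)
    alerts = []
    for user, evs in by_user.items():
        for login in (e for e in evs if e["channel"] in ACCESS_CHANNELS):
            lures = [e for e in evs
                     if e["channel"] in LURE_CHANNELS and e["suspicious"]
                     and timedelta(0) <= login["ts"] - e["ts"] <= window]
            channels = sorted({e["channel"] for e in lures})
            if len(channels) >= min_lure_channels:
                alerts.append({"user": user, "login": login["ts"].isoformat(),
                               "channels": channels, "lure_count": len(lures)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only alice's login is flagged: bob's login falls hours outside the window, and carol has a lure on a single channel, which a per-system rule would see but which does not form a chain.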

Sources

1. KnowBe4 Phishing Threat Trends Report Vol. 7 (April 30, 2026) — Official press release

2. The Register: "Bot her emails — most modern phishing campaigns are AI-enabled" (April 30, 2026) — Technical analysis of KnowBe4 findings

3. Microsoft Security Data: AI-crafted phishing is 4.5× more effective — Referenced in The Register

4. FBI IC3 2025 Annual Report: $20.87B in US cybercrime losses, phishing as #1 vector — US Federal crime statistics


Lyrie.ai Cyber Research Division
