KnowBe4 finds 86% of phishing attacks now AI-driven

KnowBe4 has released research showing that 86% of phishing attacks are now AI-driven, highlighting a shift away from email-only campaigns towards attacks on workplace collaboration tools.

Its Phishing Threat Trends Report examined activity linked to more than 3,000 unique threat actors and found phishing attempts rose 17.1% over the previous six months. Attackers are increasingly using Microsoft Teams, calendar invitations and coordinated multi-channel tactics while posing as trusted internal colleagues.

The data reflects a change in how phishing campaigns are deployed inside organisations that rely on Microsoft 365 and hybrid working tools. Rather than focusing solely on inboxes, attackers are moving into day-to-day communications channels where messages may appear more routine and less suspicious.

Attack growth

Among the biggest increases tracked were a 49% rise in calendar invite phishing and a 41% increase in Microsoft Teams attacks. The report also noted a 139% surge in the use of reverse proxies to steal Microsoft 365 credentials.

The research also identified a move from single-vector phishing attempts to multi-channel attacks. In the first quarter, 30% of attacks involved internal team impersonation, a tactic designed to exploit trust between colleagues.

That suggests a widening gap between how many organisations train staff to spot phishing and where attacks are now appearing. Security awareness efforts have often centred on suspicious emails, yet collaboration software and calendar tools now form part of the same threat environment.

Broader attack paths

The latest data shows cybercriminals broadening the range of contact points used in social engineering campaigns. Finance, legal, healthcare, logistics and insurance were identified as the industries most affected by phishing.

The use of AI in phishing operations has become central to that shift. AI tools can help threat actors produce more convincing language, mimic internal communication styles and adapt messages across several channels within the same campaign.

Microsoft 365 environments appear to be a particular focus, both through credential theft and impersonation. Reverse proxies, which can capture login information and session data, have become a more prominent method for bypassing conventional authentication workflows.

Jack Chapman, SVP of Threat Intelligence at KnowBe4, said the threat picture had changed beyond the inbox.

"The inbox is no longer the only front line for coordinated social engineering attacks," said Jack Chapman, SVP of Threat Intelligence, KnowBe4.

"Cybercriminals are actively broadening the email threat landscape. As businesses rely on tools for real-time collaboration, cybercriminals have added this to their attacks, along with targeting people's calendars. This attack method targets people and technology together. This escalation in scale of threat brings a whole new issue to the forefront," said Chapman.

Trust exploited

The report's emphasis on impersonation points to a more targeted style of social engineering. By mimicking internal staff, attackers can exploit existing reporting lines, project discussions or meeting patterns, making fraudulent requests appear legitimate.

That matters in hybrid work settings where employees often rely on short-form messages and rapid responses. In those environments, calendar requests or collaboration prompts may receive less scrutiny than a formal external email.

KnowBe4 said this has made the line between legitimate and malicious communication harder to identify. The report characterised phishing activity as increasingly structured and persistent, with AI playing a growing role in scale and execution.

Chapman said the findings showed how social engineering had become harder to detect.

"Social engineering is becoming more targeted, making it more difficult to discern what is legitimate versus what is malicious," he said.

"The Phishing Threat Trends Report volume seven finds that phishing in 2026 is disciplined, persistent, multi-channel and increasingly AI-enabled. As cybercriminals expand their attack channels and evolve their tactics, we must focus our protection efforts on securing humans and the AI agents they utilise," added Chapman.