The fake Rolex problem: How AI turned amateur attackers into nation-state threats
AI turns phishing into scalable, expert-level attacks
Have you ever held a really good fake Rolex? Not the forty-dollar beach version. The kind that makes a jeweler pause.
The movement is Swiss. The crystal is sapphire. The bracelet is 904L steel, the same alloy Rolex actually uses. Every component genuine, sourced from real suppliers, assembled with real craftsmanship.
The only thing that's fake is the crown on the dial, and the person selling it to you.
That's the state of phishing in 2026. The emails hitting your inbox right now are built from real parts.
Real SendGrid accounts. Real Cloudflare CAPTCHAs. Real Google redirects. Real Microsoft domains. Your security tools inspect each component and return a clean verdict, because each component is legitimate. The only counterfeit is the intent.
Alan LeFort is CEO of StrongestLayer.
What makes this moment different from every prior evolution of the threat is this: AI tools didn't just make these attacks more convincing. They made the expertise required to build them nearly free.
The research was right. The prediction was wrong.
Advances in AI-automated spear phishing
In November 2024, researchers at Harvard Kennedy School published a study that should have reset how the industry thinks about AI-enabled attacks.
Led by Fred Heiding and co-authored with Bruce Schneier, the paper found that fully AI-automated spear phishing emails achieved a 54% click-through rate — statistically identical to emails crafted by human experts, and 350% higher than generic phishing. Cost per attack: roughly four cents.
AI doesn’t just make phishing cheaper. It makes it profitable at scale for almost anyone. The researchers calculated that AI-enhanced phishing can increase attacker profitability by up to 50 times compared to traditional methods.
The assumption going into this shift was that attackers would lean on AI for personalization — better writing, more convincing lures, deeper context. That turned out to be only part of the story.
The more important shift is structural.
Analysis of thousands of real-world attacks that bypassed leading enterprise email security systems shows that the biggest change is not better language. It is better construction.
Attackers are not just personalizing emails. They are personalizing kill chains.
Skill extension, not just cost reduction
The Harvard framing of AI as a cost collapse was accurate as far as it went. But cost reduction is the first-order effect. The second-order effect is more consequential. When you eliminate the expertise barrier, you don't just get more phishing. You get a collapse in the skill ceiling.
The kind of kill chain engineering now showing up in common attacks — dozens of evasion techniques, hundreds of unique combinations, tuned to specific behaviors of Microsoft Defender or Google Workspace — used to require nation-state resources. It required operators who understood enterprise security stacks well enough to design custom paths through them.
That level of capability is no longer rare. The floor has risen. Average attackers are now producing what used to be considered advanced persistent threat-level tradecraft.
That is a different problem than “AI makes phishing emails more convincing.”
And it requires a different response.
What a personalized kill chain actually looks like
In the same set of observed attacks, more than half use four or more evasion techniques simultaneously; the average attack combines just over four, and combination attacks are growing rapidly year over year.
One representative chain: a QR code attack targeting a Google Workspace tenant. The email contains no URL, only an embedded QR code, so link scanners that do not decode images have nothing to analyze. The QR resolves to a CAPTCHA gate, which stalls sandbox environments. Behind that sits a multi-hop redirect through trusted cloud providers, AWS and then Cloudflare, leading to a credential harvesting page impersonating a Microsoft MFA prompt. The language mirrors the real authentication requests users see regularly.
Each step defeats a different layer of defense.
No URL defeats link scanning.
The CAPTCHA blocks sandboxing.
The redirect chain evades reputation filtering.
The MFA impersonation bypasses human judgment.
Now compare that to an entirely different attack pattern, like HTML smuggling inside a PDF where the payload assembles in the browser and never exists as a file in transit. There is almost no overlap in detection logic between the two.
The rules that catch one are blind to the other.
The combinatorial space is too large. And AI is expanding it faster than defenders can keep up.
Why rules can’t solve a skill problem
The Harvard study found that AI models still needed human intervention to match expert attackers in 2023. By 2024, that gap had closed. Fully automated systems reached parity. The expectation is that they will surpass human expertise outright.
Traditional secure email gateways were built for a different threat model.
- Pattern matching works when patterns repeat.
- Signature detection works when attackers cannot mutate continuously.
- Reputation filtering works when malicious infrastructure looks different from legitimate infrastructure.
None of those assumptions hold anymore.
Consider the same QR-based attack evaluated through different approaches.
A rule-based system sees no URL, no attachment, no known indicators. Verdict: clean.
A machine learning system flags a recently registered domain and assigns medium confidence. In most environments, that is effectively ignored.
A reasoning-based approach asks a different question: why is a new domain sending an MFA flow through a CAPTCHA-gated redirect chain to a user with no prior authentication activity tied to it?
That is the difference.
The parts are legitimate. The intent is not.
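The contrast just drawn between the indicator-based verdict and the reasoning-based one, applied to the QR chain and the HTML-smuggling pattern described under the previous heading, as an added example in Python (not the article's or StrongestLayer's code). It scores how evasion techniques are assembled rather than any single indicator. The feature fields, weights, thresholds and hostnames are constructed for illustration and are assumed to come from an upstream parser that has already decoded QR images and followed redirect chains.

```python
"""Compositional phishing triage: judge how indicators are assembled, not each one alone.

Added example; not the article's or StrongestLayer's code. All feature values below are
constructed and assumed to have been extracted already (MIME parsing, QR decoding and
redirect following are out of scope here).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Provider domains that reputation filters treat as benign (and that get abused as hops).
TRUSTED_INFRA = ("amazonaws.com", "cloudflare.com", "google.com", "microsoft.com")
# Constructed stand-in for a reputation feed.
KNOWN_BAD_DOMAINS = {"bad-reputation.example"}


@dataclass
class MessageFeatures:
    sender_domain: str
    sender_domain_age_days: int
    urls: List[str]                  # hostnames of hyperlinks visible in the body
    qr_target: Optional[str]         # hostname decoded from an embedded QR image, if any
    redirect_hops: List[str]         # hostnames traversed from entry point to final page
    captcha_gated: bool              # a CAPTCHA stands between entry point and final page
    mentions_mfa: bool               # body imitates an MFA / sign-in verification prompt
    html_smuggling: bool             # attachment script assembles its payload client-side
    prior_auth_relationship: bool    # recipient has authenticated to the final host before


def in_trusted_infra(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_INFRA)


def indicator_verdict(m: MessageFeatures) -> str:
    """Gateway-style logic: a verdict needs a smoking gun (known-bad URL or domain)."""
    if m.sender_domain in KNOWN_BAD_DOMAINS or any(h in KNOWN_BAD_DOMAINS for h in m.urls):
        return "malicious"
    return "clean"


def evasion_layers(m: MessageFeatures) -> List[str]:
    """Name each defensive layer the message is constructed to step around."""
    layers = []
    if not m.urls and m.qr_target:
        layers.append("link_scanning")         # no URL for a scanner to rewrite or detonate
    if m.captcha_gated:
        layers.append("sandboxing")            # automated browsers stall at the challenge
    hops = m.redirect_hops
    if len(hops) >= 2 and all(in_trusted_infra(h) for h in hops[:-1]):
        layers.append("reputation_filtering")  # every intermediate hop is a trusted brand
    if m.mentions_mfa:
        layers.append("human_judgment")        # lure mimics a routine authentication prompt
    if m.html_smuggling:
        layers.append("attachment_scanning")   # payload never exists as a file in transit
    return layers


# Weight per evaded layer. Client-side payload assembly in a mail attachment has no
# routine business use, so it counts double (an assumption of this example).
LAYER_WEIGHTS = {"link_scanning": 1, "sandboxing": 1, "reputation_filtering": 1,
                 "human_judgment": 1, "attachment_scanning": 2}


def compositional_verdict(m: MessageFeatures) -> Tuple[str, int, List[str]]:
    """Score the assembly of evasion techniques plus the context that should justify them."""
    layers = evasion_layers(m)
    score = sum(LAYER_WEIGHTS[layer] for layer in layers)
    # An authentication flow to a host the recipient never authenticated with is a
    # mismatch between what the message claims and what the environment knows.
    if m.mentions_mfa and not m.prior_auth_relationship:
        score += 1
    if m.sender_domain_age_days < 30:
        score += 1
    verdict = "malicious" if score >= 4 else "suspicious" if score >= 2 else "clean"
    return verdict, score, layers


# Constructed samples. Hostnames under .example and the provider subdomains are placeholders.
QR_MFA_CHAIN = MessageFeatures(
    sender_domain="notices.example", sender_domain_age_days=3,
    urls=[], qr_target="bucket-1234.s3.amazonaws.com",
    redirect_hops=["bucket-1234.s3.amazonaws.com", "captcha-gate.cloudflare.com",
                   "login-verify.example"],
    captcha_gated=True, mentions_mfa=True, html_smuggling=False,
    prior_auth_relationship=False,
)
PDF_HTML_SMUGGLING = MessageFeatures(
    sender_domain="partner-firm.example", sender_domain_age_days=4000,  # compromised sender
    urls=[], qr_target=None, redirect_hops=[],
    captcha_gated=False, mentions_mfa=True, html_smuggling=True,
    prior_auth_relationship=False,
)
GENUINE_MFA_NOTICE = MessageFeatures(
    sender_domain="microsoft.com", sender_domain_age_days=10000,
    urls=["login.microsoftonline.com"], qr_target=None,
    redirect_hops=["login.microsoftonline.com"],
    captcha_gated=False, mentions_mfa=True, html_smuggling=False,
    prior_auth_relationship=True,
)

if __name__ == "__main__":
    for name, msg in [("QR/MFA chain", QR_MFA_CHAIN), ("PDF HTML smuggling", PDF_HTML_SMUGGLING),
                      ("genuine MFA notice", GENUINE_MFA_NOTICE)]:
        print(f"{name:20} indicators={indicator_verdict(msg):9} "
              f"composition={compositional_verdict(msg)}")
```

The specific weights are not the point; any real deployment would tune them against its own data. What the run shows is that the indicator check returns clean on both attack samples and on the genuine notice alike, while the compositional check separates the two attacks from the real MFA message, and that the two attacks trip almost disjoint sets of layers, which is why a rule written for one is blind to the other.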
What to do with this
AI didn’t just increase the volume of attacks. It raised the baseline capability of attackers.
The question is not whether existing defenses were built for this environment. They weren’t.
The question is how detection evolves when attacks are no longer defined by individual indicators, but by how those indicators are assembled.
Three things are worth pressure-testing.
- How well does your detection approach handle multi-step attacks in which every individual component is "not suspicious" in isolation?
- Can your systems evaluate intent, so that attacks with no "smoking gun" are still detected when traditional reputation checks (bad URL, bad file, bad domain) return nothing?
- How quickly can your current stack analyze, verify and contain these threats, given that dwell times are compressing rapidly?
This is no longer a question of catching bad emails. It’s a question of whether you can recognize intent before it’s too late.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit