GenAI and email identity: how attackers are scaling trust abuse
Generative Artificial Intelligence (GenAI) is changing cybersecurity, but not always in the ways the headlines suggest.
For cybersecurity teams, AI brings faster detection, better analytics, and improved automation. For attackers, it brings something just as powerful: scale. Attacks that once required time, research, and skill can now be generated, refined, and deployed with minimal effort.
Nowhere is this shift more visible than in email-based identity abuse.
Email remains the backbone of business communication. What has changed is how convincingly attackers can impersonate trusted brands and how difficult these fakes are becoming to detect.
For partners securing customers across the UK and globally, this creates a clear challenge. Traditional controls are no longer enough when identity itself is being manipulated at machine speed.
Why email identity is the attacker’s favourite target
Despite the rise of collaboration platforms, email remains universal, open, and trusted. According to the Sendmarc 2025 Cyberthreat Report, more than 361 billion emails were sent and received every day, with over 4.4 billion users relying on email for business-critical communication in 2024.
Attackers follow opportunity, and the findings show they continue to prioritise email-based attacks:
- Over half of Q3 ransomware attacks were delivered via email
- Business Email Compromise (BEC) resulted in nearly $3 billion in losses
- Human actions or errors played a role in 68% of breaches
Organisations use email for payments, supplier coordination, account access, and customer communications — areas where trust is assumed.
This is why identity, not malicious payloads, has become the primary attack surface.
How GenAI is changing identity-based attacks
GenAI hasn’t invented phishing or impersonation — it has industrialised them.
Attackers now use GenAI to:
- Generate highly fluent, context-aware emails at scale
- Analyse historic communications to mimic tone and timing
- Automate reconnaissance using public and breached data
- Support scams with deepfake voice or video
In some cases, email is combined with messaging apps and voice to create attacks that feel consistent with internal communications.
The growing gap between detection and prevention
Most organisations still rely on:
- Spam and phishing filters
- Endpoint protection
- Security awareness training
These controls remain important but are largely reactive. Identity-based attacks abuse trust at the domain level before content is analysed.
Identity protection needs to start earlier
Domain identity: DMARC helps verify authorised senders and block unauthorised use once enforcement is in place. Monitoring alone does not prevent impersonation.
Brand identity: Lookalike domains using character swaps or alternative TLDs can be created at scale. Visibility allows earlier intervention.
Human identity signals: Leaked credentials and breached data increase impersonation accuracy and success rates.
What this means for partners and VARs
AI-driven identity abuse presents both a challenge and an opportunity. Customers know phishing is evolving, but many lack clarity on prevention.
Why Ignition and Sendmarc are aligned
Ignition Technology’s focus on AI and identity protection reflects the growing importance of identity in cyber defence.
- Preventing direct domain impersonation through enforced DMARC
- Providing visibility into lookalike domain threats
- Understanding credential exposure that fuels attacks
Get in touch with the Ignition UK team:
sendmarc_uk@ignition-technology.com
