The past year has marked a shift away from noisy, obvious scams towards attacks that look like ordinary business.
In a recent KnowBe4 webinar, the company’s senior vice president of Threat Intelligence, Jack Chapman, described a landscape where the most dangerous messages are not the ones that scream “phish”, but the ones that blend into day-to-day workflows, pass technical checks and arrive with just enough context to trigger action.
Compromised accounts doing the heavy lifting
For the first time, most phishing e-mails are being sent from compromised accounts. That matters because these messages often come from aged, trusted inboxes that pass SPF (sender policy framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), and may already sit on “allow” lists. The result is a quiet but serious erosion of confidence in controls that rely heavily on sender reputation and authentication.
Attackers are using compromised accounts at both ends of the sophistication spectrum. At one end, they hijack random business inboxes and use them as infrastructure for bulk campaigns. At the other, they compromise supply chain accounts specifically to exploit existing relationships and conversation history. In those cases, the e-mail is not a cold approach. It is a continuation.
Legitimate platforms fuelling new kind of impersonation
A second shift is the growing abuse of legitimate platforms to deliver phishing. Instead of pretending to be trusted services, attackers increasingly use the real services themselves, taking advantage of the fact that organisations often allow these platforms through security controls to keep business running.
This is not just a branding problem. It’s a control problem. The list of platforms being abused changes quickly, which makes static rules and “known bad” lists less effective than many teams would like to admit.
Polymorphic phishing breaking pattern-based detection
Phishing campaigns are also becoming harder to cluster and block because the messages are increasingly polymorphic. Instead of sending one template at scale, attackers tweak each message so it looks unique. That can include altered wording, different payloads and variations designed to avoid repeatable fingerprints.
The practical impact is that some campaigns are shrinking in size but rising in effectiveness. Smaller waves, sharper targeting, less noise and fewer consistent signals for older detection approaches to catch.
Obfuscation targeting machines more than people
Techniques such as HTML smuggling and whitespace attacks are designed to confuse automated analysis rather than fool human readers. They can hide malicious intent inside large blocks of irrelevant content or insert invisible characters that break machine parsing while remaining readable to people. Add mobile reading habits, rushed approvals and limited visual cues, and the attack surface widens.
Phishing is going multi-channel, fast
E-mail remains the entry point, but many attacks now aim to move victims onto WhatsApp, Teams, Zoom or a phone call. Voice based social engineering is rising sharply, with attackers using convincing, AI-generated voices in callback scams. For defenders, this matters because the “payload” might be a phone number and a believable story, not a link or an attachment.
Preparing for 2026
The headline is simple: phishing is becoming quieter, more trusted and more personalised. “Legitimate” no longer means “safe”. The response is not one silver bullet, but layered practice: tighter verification for high-risk requests, stronger process controls, better visibility into platform abuse and continuous user education that reflects how attacks actually work today.
The full session, Inside the Inbox: How Cybercriminals are Rewriting the Phishing Playbook for 2026, is available to watch here:
