Can agentic AI personalize phishing security training for different users?

Yes. Agentic AI can tailor training based on how individuals interact with simulations, email, and AI tools. Users who show higher risk, such as repeated clicks or missed reports, can receive more targeted scenarios and reinforcement aligned to their specific exposure.

What role does human risk management play in AI-supported phishing training?

Human risk management helps connect user behavior, training outcomes, and risk signals into a unified view. This ensures that AI-supported training reflects real patterns of exposure and leads to measurable improvements in decision-making.

How does agentic AI for phishing training adapt to changes in user behavior over time?

Training evolves as behavior changes. Patterns like improved reporting, repeated mistakes, or new risk signals influence how simulations and follow-up are adjusted, keeping reinforcement aligned with current user activity.

How can agentic AI help security teams deliver more relevant phishing simulations?

By analyzing current threat patterns and user behavior, agentic AI can generate simulations that better reflect real-world attacks and scenarios users are more likely to encounter.

Can agentic AI improve phishing reporting behavior, not just simulation performance?

Yes. Timely, contextual feedback helps reinforce what to report and why it matters. Over time, this builds stronger reporting habits and improves how users respond to suspicious activity, not just how they perform in simulations.

Report: Device Code Phishing is Surging

Multiple sophisticated phishing kits are now focusing on harvesting device codes to breach accounts without a password, according to researchers at LevelBlue.

“Device code phishing exploits a legitimate Microsoft authentication flow to harvest Microsoft 365 access and refresh tokens without ever capturing a password,” the researchers explain. “The core mechanic is straightforward: whoever initiates the authentication request receives the resulting tokens. Once obtained, the tokens allow attackers to access Microsoft 365 services, maintain persistent access through refresh tokens, and conduct follow-on activities such as further reconnaissance, phishing, and data extraction.”

Top commodity phishing platforms, including Tycoon2FA, EvilTokens, Kali365, Ghost Hub, and Cyb3r, have incorporated this ability, allowing unskilled threat actors to launch device code phishing attacks.

“Tycoon2FA provides the clearest example of how phishing kits mature over time,” the researchers write. “What began in 2023 as a straightforward AiTM credential harvester evolved into one of the most sophisticated PhaaS platforms documented. Despite a coordinated Europol and Microsoft takedown in March 2026, Tycoon2FA resumed operations within weeks, now with device code flow capability layered on top of its existing AiTM infrastructure. EvilTokens and Kali365 follow a similar trajectory, launching in early 2026 with AI-augmented capabilities already integrated and continuing to improve their functionality since launch. Kits that survive their first year tend to become significantly more dangerous in their second.”

The researchers expect commodity phishing kits to continue incorporating new techniques in order to overcome defenses.

“Device code flow phishing is accelerating rapidly and shows no signs of slowing,” LevelBlue concludes. “What began as a relatively simple lure has evolved into a sophisticated process that is now easily accessible to threat actors. The affiliate programs offered by PaaS platforms further lower the barrier, enabling both experienced operators and less-skilled actors to launch targeted and opportunistic campaigns against organizations.”

LevelBlue has the story: The Device Code Phishing Tsunami: What We’re Seeing in the Wild

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.

Report: Device Code Phishing is Surging

See KnowBe4 Defend™ in Action

Secure the Digital Workforce: Human + AI

ABOUT KNOWBE4 TEAM

Subscribe the KnowBe4 Blog

Posts By Topic

Get the latest insights, trends and security news. Subscribe to CyberheistNews.

Get the latest insights, trends and security news. Subscribe to CyberheistNews.