Researchers at Varonis warn of a new phishing automation platform called “SpamGPT” that “combines the power of generative AI with a full suite of email campaign tools.”
While previous phishing kits have automated parts of the attack chain, SpamGPT’s sophistication sets it apart from the rest
“SpamGPT’s interface and features imitate a professional email marketing service, but for illegal purposes,” Varonis writes. “The toolkit is promoted as AI-powered, encrypted, and includes an AI marketing assistant dashboard to help create and optimize campaigns.
“The dark-themed UI features modules for campaign management, SMTP/IMAP setup, deliverability testing, and analytics — offering all the conveniences a Fortune 500 marketer might expect, but adapted for cybercrime. The creators even market SpamGPT as an all-in-one spam-as-a-service platform, blurring the line between legitimate marketing tools and weaponized automation.”
While legitimate AI tools have guardrails to curb misuse, SpamGPT includes a built-in chatbot that will happily generate convincing phishing templates.
“The AI assistant (branded as ‘KaliGPT’ in the promo) is built into the platform and is ready to generate phishing email content and suggest optimizations,” the researchers write. “This means attackers no longer need to write convincing phishing emails; they can ask the AI for persuasive scam templates, subject lines, or targeting advice within the spam toolkit.”
Notably, SpamGPT’s developers emphasize that the tool is designed to send emails that bypass security filters.
“The platform promises guaranteed inbox delivery for popular email providers (Gmail, Outlook, Yahoo, Microsoft 365, etc.), implying that it has been fine-tuned to bypass their email filters,” Varonis says.
“In other words, the toolkit doesn’t just send bulk email; it engineers bulk email that lands in the inbox. Part of achieving this involves abusing trusted cloud providers like Amazon AWS or SendGrid to blend in with legitimate mail traffic. These features combine to give attackers a professional-grade spam operation at their fingertips.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
Varonis has the story.
With KnowBe4 Defend you can:
