    The rise of agentic AI: a new chapter in cybersecurity challenges

    Agentic AI is rapidly becoming a focal point in CISO discussions. Even simple AI agents with access to specialized tools offer significant automation potential, streamlining tasks that once required a lot of human intervention. As AI ecosystems continue to expand, an increasing number of tools are being developed and integrated into this ever-growing landscape of AI agents.

    As agentic AI continues to evolve, users must remain vigilant. While these technologies unlock new efficiencies, they also introduce fresh attack surfaces and opportunities for adversaries. The question is no longer if AI will be weaponized, but how quickly defenses can adapt to this new paradigm.

    Earlier this month, OpenAI released its new Responses API, enabling developers to build AI agents with built-in functionality for web search, file search, and system interaction. Meanwhile, another emerging contender, Manus, a general AI agent developed by Monica, is positioning itself as a potential breakthrough in the space, aiming for its "DeepSeek moment." This trend is only set to accelerate, as agentic AI represents the next evolutionary step beyond traditional reasoning-based AI models.

    In previous blogs, we have explored how cybercriminals leverage generative AI for phishing attacks - translating existing messages, crafting sophisticated lure texts, and even generating complete phishing websites. There have also been a handful of incidents where attackers likely used AI to generate malware scripts. One telltale sign is unusually thorough inline code comments, an artifact AI-generated code often carries; it is a weak indicator on its own, but it stands out in malware, where authors rarely annotate their scripts.

    Agentic AI in phishing: a proof-of-concept demonstration

    Our colleagues at Symantec’s Threat Hunter team have demonstrated just how capable agentic AI can be in the hands of cybercriminals. Their proof-of-concept attack leveraged OpenAI’s Operator AI, an agent with web browsing capabilities and the ability to execute complex, multi-step tasks autonomously.

    In their demonstration, the AI agent successfully:

    • Identified the name of a target individual within a specified team
    • Deduced the target’s email address
    • Created a PowerShell script to gather system information
    • Uploaded the script to Google Drive
    • Shared the file via email with a social engineering message

    Notably, the only prompt engineering required to bypass the AI guardrails was telling the model that the target had already granted permission to receive such emails.

    While this was a controlled demonstration, it underscores how AI agents can automate key stages of cyberattacks, making phishing campaigns more scalable and efficient. That said, the experiment was still highly directed: the researchers guided the agent step by step, and the payload was a simple information-gathering script rather than complex malware.

    Conclusion

    The implications are clear: as agentic AI continues to evolve, so does its potential for abuse. Cybercriminals will further automate their attacks using these new tools, leading to an expected surge in personalized phishing emails this year. New local security risks are emerging as well: if an attacker hijacks an AI agent, for example through prompt injection in content the agent reads, they could commandeer local applications and tools under the user’s identity, escalating threats beyond traditional phishing tactics.

    The good news is that advanced email security solutions can still detect and mitigate these AI-driven phishing threats. Despite automation, these attacks continue to rely on classic techniques, such as sending emails from newly created or compromised accounts. Security tools can assess the trust relationship between sender and recipient, detect malicious intent within email content, and analyze embedded links and attachments.
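To make the detection side of this concrete, the following Python triage script is an added example (not code from the original post or from any vendor product). It scores a raw RFC 822 message on the signals the paragraph above lists: whether the sender and recipient have a prior relationship, whether the sender sits on a freshly registrable consumer mail domain, whether SPF/DKIM pass, whether the body links to a file-sharing host, whether it references a script file, and whether it uses the "you already agreed to this" pretext seen in the Operator demonstration. The relationship history, the domain and phrase lists, the weights and both sample messages are constructed assumptions for illustration.

```python
"""Heuristic triage of inbound mail for AI-assisted spear phishing.

Added example, not part of the original post. All senders, recipients,
messages, word lists and weights below are constructed assumptions.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed history of sender/recipient pairs seen exchanging mail before
# (stands in for a gateway's relationship graph). Anything else is "new".
KNOWN_PAIRS = {("alice@example.com", "bob@example.com")}

# Consumer mail domains an attacker can sign up for in minutes (constructed, not exhaustive).
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# File-sharing hosts used to park a payload behind a reputable domain (constructed list).
SHARE_LINK = re.compile(
    r"https?://(?:drive|docs)\.google\.com/\S+|https?://(?:1drv\.ms|www\.dropbox\.com)/\S+", re.I)
# File names with extensions that execute on Windows when double-clicked (constructed list).
SCRIPT_EXT = re.compile(r"\b[\w-]+\.(?:ps1|vbs|js|bat|cmd|hta|lnk)\b", re.I)
# Pretext phrases typical of "this was already approved" social engineering (constructed).
LURE_PHRASES = ("as discussed", "you agreed", "please run", "action required", "urgent")

ADDR = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def first_address(header_value: str) -> str:
    """Extract the bare address from a header such as 'Name <user@host>'."""
    m = ADDR.search(header_value or "")
    return m.group(0).lower() if m else ""


def body_text(msg: Message) -> str:
    """Concatenate all text/plain parts; works for single-part and multipart mail."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def attachment_names(msg: Message) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def score_message(raw: str, known_pairs=KNOWN_PAIRS) -> dict:
    """Return a score, a verdict and the reasons behind it for one raw message."""
    msg = message_from_string(raw)
    sender = first_address(msg.get("From"))
    recipient = first_address(msg.get("To"))
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    score, reasons = 0, []

    if (sender, recipient) not in known_pairs:
        score += 3; reasons.append("no prior sender/recipient relationship")
    if sender.split("@")[-1] in FREEMAIL:
        score += 2; reasons.append("sender on consumer mail domain")
    # A newly created account passes SPF/DKIM, so this only catches outright spoofing.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        score += 2; reasons.append("SPF/DKIM not both passing")
    links = SHARE_LINK.findall(text)
    if links:
        score += 2; reasons.append(f"file-sharing link(s): {len(links)}")
    scripts = SCRIPT_EXT.findall(text) + [n for n in attachment_names(msg) if SCRIPT_EXT.search(n)]
    if scripts:
        score += 3; reasons.append(f"script reference(s): {sorted(set(scripts))}")
    lures = [p for p in LURE_PHRASES if p in text.lower()]
    if lures:
        score += min(len(lures), 2); reasons.append(f"pretext phrases: {lures}")

    verdict = "quarantine" if score >= 6 else "review" if score >= 3 else "deliver"
    return {"sender": sender, "recipient": recipient, "score": score,
            "verdict": verdict, "reasons": reasons}


# Constructed sample: a lure shaped like the Operator demonstration (new free-mail sender,
# Drive link to a PowerShell script, "you already agreed" pretext). The link ID is fake.
PHISH = """From: IT Helpdesk <helpdesk.bob.corp@gmail.com>
To: bob@example.com
Subject: Action required: system check as discussed
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
Content-Type: text/plain; charset="utf-8"

Hi Bob, as discussed with your team lead you agreed to run the diagnostics
script before Friday. It is on our shared drive:
https://drive.google.com/file/d/CONSTRUCTED-ID/view (sysinfo.ps1)
Please run it and reply with the output.
"""

# Constructed sample: ordinary mail between two people who already correspond.
BENIGN = """From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain; charset="utf-8"

Are you free Thursday? The usual place.
"""

if __name__ == "__main__":
    for raw in (PHISH, BENIGN):
        print(score_message(raw))
```

Note that the constructed lure passes SPF and DKIM, exactly because the account is genuine rather than spoofed; the signals that separate it from the benign message are the missing sender/recipient history, the consumer domain, the file-sharing link, the script name and the pretext wording. A real gateway would replace the hard-coded lists with reputation feeds and the relationship set with per-tenant mail history, but the scoring logic is the same.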

    Even if every phishing attempt evolves into a highly personalized spear phishing attack, the underlying methods remain fundamentally the same. The challenge for defenders is to adapt detection strategies to keep pace with AI-driven threats, ensuring that automation works for security teams - not against them.