Traditional email spoofing attacks are technical attacks on protocol vulnerabilities. AI-based messaging is a perceptual exploit against humans. In 2026, they're both in play and the detection systems for one are ineffective against the other.
In October 2025, a mid-sized logistics firm reported a business email compromise attack that its security team originally assumed to be a spoofing attack. The CEO's email account was used to request that the CFO initiate a wire transfer. It met the company's DMARC policy. It passed SPF alignment. The DKIM key matched the sending domain's key.
After obtaining the complete email headers, they found what the authentication suite wasn't built to detect: it wasn't a spoofed email. The domain was a new lookalike, with legitimate authentication records the SPF, DKIM, and DMARC passing with flying colors. The email's body was a product of a prompt to an LLM with the text of the real CEO's previous messages, culled from a six-month-old phishing attack that the company had failed to properly investigate. The tone, the particular framing, and the specific signature were learned compositions of the personality of the legitimate sender.
This is an example of the key shift in 2026: the attack vectors for scam emails have split. Old-school spoofing attacks protocol vulnerabilities. Spoofing with AI exploits perception weaknesses. They are ongoing, they are growing, and you need different strategies to detect them.
How Classic Email Spoofing Works
To appreciate the change, we need an accurate description of how classic spoofing works and why the authentication system that should have stopped spoofing hasn't.
SMTP has no sender authentication. The From: line in the email header is an unchecked string any mail transfer agent can set this to any value without any checks. The design choice, before email was a protocol for unauthenticated communication between trusted networks (like universities), left the spoofing vulnerability space we have today. The trinity of authentication protocols (SPF, DKIM, and DMARC), designed to fix this, only closes some of the holes.
SPF (Sender Policy Framework) lists IPs of domains that can send email via DNS TXT records. Receiving mail servers verify that the IP address used is on the list. SPF does not secure against display name spoofing (where the From header is valid and the envelope sender is not) and is invalidated by email forwarding, as the message is not re-signed to show the new IP.
Domain Keys Identified Mail (DKIM) places a cryptographic signature on messages, enabling servers to check that the message has not been tampered with and was sent by an approved sender for the domain that signed the message. DKIM proves message integrity but doesn't stop a sending domain that is properly configured from being an imposter lookalike domain with a valid DKIM key. It authenticates the origin of the message as the domain in the From header it doesn't authenticate the domain.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) links SPF and DKIM with the domain in the From header and provides guidance to receiving servers on how to deal with inconsistencies. When a domain has a DMARC policy of reject, most traditional spoofing attacks are thwarted. But not all domains publish DMARC or publish non-enforcement policies and DMARC is of no help against the spoofing attack exemplified above involving the look-alike domain.
The Remaining Spoofing Surface in 2026
Even with the authentication framework, traditional spoofing attacks continue to be possible due to a number of factors:
• Domains lacking DMARC enforcement: Many domains do not publish DMARC policies or have monitor-only policies. Such domains are still spoofable. Organizations with supplier, partner, or client domains in this category are targeted by attackers for supply chain BEC attacks.
• Display name spoofing: The display name in the From header is "CEO Name ceo@company.com," and the actual sending address is the attacker's domain. The name is all that's shown in the inbox view. It can be assumed that many users do not expand to check the from address.
• Lookalike domain registration: Registering a domain similar to the brand company-name.net vs. company-name.com, or company-name.com (with the wrong "n") and setting up full SPF/DKIM/DMARC authentication for the lookalike. All authentication tests pass. The recipient is tricked by the lookalike.
• Compromised legitimate accounts: E-mail sent from a properly authenticated, properly owned e-mail account that has been compromised by stealing the account credentials. All the authentication checks are successful because of the legitimate sending infrastructure. This is not a spoofing attack it is an account takeover, which then uses the legitimate account for fraud.
The New Threat Model for AI-Assisted Messaging
Spoofing attacks leverage the authentication layer a technical vulnerability that can be eliminated by technical controls. AI-assisted messages exploit a layer that is structurally beyond the reach of technical controls: the linguistic content of the message.
Until the advent of powerful generative language models, the content of spoof messages was a reliable signal. Non-native English usage, awkward expressions, inconsistent registers of formality, and standard greetings were statistical signals of non-native or careless authorship that Natural Language Processing (NLP) classifiers could pick up at reasonable accuracy. The economics of fraud demanded campaigns be executed at scale with little cost per email, making content quality poor.
LLM message generation overcomes this economic constraint. A scam can now generate multiple messages tailored to the reader, in a style consistent with the writer and relevant to the circumstances, at a marginal cost per message of zero. Even more troubling from an identification standpoint: if the attacker has access to previous text messages or emails from a target or sender, it can prompt an LLM to mimic a particular person's writing style their preferred sentence length, word choice, level of formality, typical ways they might close a message, and contextual allusions to previous events. The end result is that the message doesn't look like a template. It reads like a person.
The logistics company attack showed the operational readiness this provides. The attacker had an investment in a model trained on the CEO's writing style before using it to request a financial transfer. The cost is low the prompt to an LLM with a corpus of writing samples can be done in minutes. The reward is a message that passes the human authentication test that the email header authentication stack is not designed to pass.
Detection Architecture Under Dual-Vector Attack
A detection stack tuned to catch classic spoofing-based attacks, header analysis, authentication checks, sending IP reputation, and domain blacklisting of known bad actors returns a "pass" for the AI-assisted attack pattern. The message is sent from an authenticated source, with no history of domain spoofing and with message content that is free from statistical indications of poor-quality authorship. All of the detection signals are normal.
The detection signals that remain discriminative of AI-assisted messages are at different levels:
• Speed of domain registration and lookalike scoring: The lookalike domain used in AI-assisted attacks is new and a visual match of the targeted domain. Log-based monitoring of certificate transparency logs and measuring the domain similarity with protected brand domains can detect the infrastructure before deployment (e.g., during the warm-up period).
• Communications graph anomaly in communication patterns: An executive who never emails the CFO directly to request wire transfers, whose previous financial communications always follow a multi-approval workflow, sends a one-message urgent request for a wire transfer, which is anomalous, regardless of email content. Workflow analysis and communication graph modeling identify the process anomaly that doesn't show up in content analysis.
• Out-of-band sender authentication: Process controls requiring phone verification of wire transfer requests from a pre-agreed phone number (not from the email) before accepting requests. This control applies to the use case of mail authentication, but not to sender verification.
• Crowdsourced domain intelligence: Newly registered lookalike domains involved in AI-assisted BEC attacks are frequently reported by their victims before pattern-based systems have collected sufficient information to detect them as new threats. Community sources of threat information like Scam Alerts, which crowdsource reports of new fraud infrastructure, can provide early detection of new domains before they have built enough volume to trigger pattern-based detection, which is where AI-based attacks are launched before they are detected.
The Double Vector Problem
The most significant operational concern for 2026 is not the emergence of either of the two attack vectors it is the growing preference for using both. An attack that leverages traditional spoofing of less secure supplier domains and AI-generated content tailored to the recipient's communication style is a vector that sidesteps the controls that would be effective against one or the other attack vector.
The supply chain attack is especially challenging to defend against: the attacker spoofs or compromises a legitimate third-party domain that is trusted by the recipient (a law firm, an accounting firm, or a software vendor) and generates a message via AI-generated content that is plausible in content and context for the domain. The recipient is familiar with the domain, authentication succeeds, and the content is consistent with legitimate content. The only way to detect this attack is via the anomaly of an atypical request type coming from a familiar source.
What 2026 Threat Models? Necessity in Detection
The split of the email attack surface into the technical spoofing and the cognitive impersonation vectors means the detection systems must explicitly handle both and assume the intersection of the two is the main attack vector.
For the technical spoofing vector: strict DMARC implementation with reject policies; proactive scanning of lookalike domain name registrations for registered brands; using certificate transparency feeds; and audits of third-party domain name authentication for supplier domains to identify the third-party domains that represent the greatest spoofing threat surface.
For the AI messaging vector: email communication baselines, detection of workflow-deviant communications for critical financial and access requests, out-of-band verification for actions above the threshold, and importation of community threat intelligence to identify new attack infrastructure before it appears in behavioral pattern data.
The shipping company's story ended with the transfer reversed before it was completed, because a "second" approver detected that the transfer request didn't follow the usual approval process and escalated for verification. The problem was a process, not technology a process control that detected behavioral anomalies after all the authentication signals were gone. That's the takeaway message: in 2026, crowd-sourced threat intelligence and process-specific behavior controls are doing something that authentication and content classification services can't. The detection architecture must be commensurate with the attack architecture and the attack architecture now has a technical and a cognitive component.
Authentication assures you the message is from whom it says it is. It doesn't say if it is true.
Top comments (0)