Phishing detection push

Security posts in the last 48 hours have been urging the use of AI‑driven anomaly detection to spot advanced phone and account‑takeover phishing before campaigns scale. The message from researchers and security commentators is practical: automated behavioral flags can catch subtle, targeted scams that manual monitoring often misses. (x.com)

A phishing attack used to be a fake login page and a misspelled email. In April 2026, Microsoft said it was tracking a campaign that generated live sign-in codes on demand, used artificial intelligence to tailor lures to job roles, and spun up thousands of short-lived backend nodes to keep the operation moving. (microsoft.com)

The trick in this campaign was not stealing a password first. The attacker sent a victim into Microsoft’s device code sign-in flow, then grabbed the authentication token that came out the other side, which let the attacker read mail and set malicious inbox rules without ever relying on a static fake page. (microsoft.com)

That is why security teams keep talking about anomaly detection instead of just blocklists. A blocklist looks for a known bad address like a bouncer with a printed photo, while anomaly detection looks for behavior that does not fit the account’s normal pattern, like a finance employee suddenly authorizing a new app and exporting mail minutes later. (learn.microsoft.com)

Microsoft’s own identity tools describe this shift in plain terms. Defender for Identity says it watches identity signals from systems like Active Directory and Microsoft Entra ID, then uses behavioral analytics, threat intelligence, and known attack patterns to flag suspicious activity across the full identity attack lifecycle. (learn.microsoft.com)

Phone scams are moving the same way. Google’s Scam Detection listens for conversation patterns linked to fraud in real time on Pixel phones, so a caller claiming to be your bank and demanding an urgent transfer can trigger an alert during the call instead of after the money is gone. (security.googleblog.com)

Google says that feature is off by default, runs on-device, and is not perfect. Its help page says Scam Detection works on Pixel 6 and later in the United States, gives audible beeps during monitored calls, and warns that scammers constantly change tactics. (support.google.com)

The reason this matters is simple: account takeover is getting bigger and faster. Federal Reserve Financial Services said account takeover caused more than $15.6 billion in reported United States losses in 2024, up from $12.7 billion in 2023, and Suspicious Activity Reports rose more than 36% in 2024 from 2023. (frbservices.org)

The same Federal Reserve piece says newer tools let criminals automate account takeover with more sophistication and at greater scale. It also says bots now mimic human behavior like mouse movements and typing patterns, which makes older bot detection less reliable. (frbservices.org)

Government guidance has been catching up to that reality for a while. The Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center published joint phishing guidance in October 2023 that told defenders to treat phishing as an evolving attack chain, not a single bad email. (cisa.gov)

The practical change for companies is not “buy an artificial intelligence product” and stop there. It is to watch for small linked signals such as a new device authorization, a login from an unusual place, a mailbox rule that hides replies, or a phone call that pushes a user into an urgent account recovery flow, because each event alone can look normal and the sequence does not. (microsoft.com, learn.microsoft.com, support.google.com)
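
The linked-signal idea in the last paragraph, sketched as an added example that is not from this briefing's sources or from any vendor's product: it alerts only when several distinct signals for one account fall inside a short window. The event labels, the 30-minute window and the threshold of three are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Signal labels are assumptions for this example, named after the events in the text.
SIGNALS = {"device_code_auth", "unusual_location_login",
           "inbox_rule_created", "mail_export"}
WINDOW = timedelta(minutes=30)  # assumed correlation window
THRESHOLD = 3                   # assumed number of distinct signals that raises an alert

# Constructed sample events (not real logs): (ISO timestamp, account, event type)
SAMPLE_EVENTS = [
    ("2026-04-14T09:02:00", "finance.user@example.com", "device_code_auth"),
    ("2026-04-14T09:06:00", "finance.user@example.com", "inbox_rule_created"),
    ("2026-04-14T09:11:00", "finance.user@example.com", "mail_export"),
    ("2026-04-14T08:00:00", "dev.user@example.com", "unusual_location_login"),
    ("2026-04-14T15:40:00", "dev.user@example.com", "inbox_rule_created"),
    ("2026-04-14T10:00:00", "hr.user@example.com", "device_code_auth"),
    ("2026-04-14T10:05:00", "hr.user@example.com", "device_code_auth"),
    ("2026-04-14T10:10:00", "hr.user@example.com", "unusual_location_login"),
    ("2026-04-14T10:12:00", "hr.user@example.com", "password_login"),  # not a signal
]

def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Map account -> (window start, signal types) when `threshold` distinct
    signals for that account fall inside one sliding `window`."""
    by_account = defaultdict(list)
    for ts, account, kind in events:
        if kind in SIGNALS:
            by_account[account].append((datetime.fromisoformat(ts), kind))
    alerts = {}
    for account, evs in by_account.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the left edge until the span fits inside the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            kinds = {kind for _, kind in evs[start:end + 1]}
            if len(kinds) >= threshold:
                alerts[account] = (evs[start][0].isoformat(), sorted(kinds))
                break
    return alerts

if __name__ == "__main__":
    for account, (since, kinds) in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {account} since {since}: {', '.join(kinds)}")
```

Only the finance account alerts here: the other two accounts show signals that are either hours apart or repeats of the same type, which is the "each event alone can look normal" case.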
