Mimecast Report Finds AI Fuels a New Wave of Human-Targeted Cyberattacks

Adversaries are increasingly using artificial intelligence to manipulate the human element of cybersecurity.
Oct. 24, 2025

Threat actors are getting smarter, faster, and far more personal. According to Mimecast’s newly released 2025 Global Threat Intelligence Report, adversaries are increasingly using artificial intelligence to manipulate the human element of cybersecurity, blending deception, trust exploitation, and multichannel tactics to overwhelm traditional defenses.

The findings paint a stark picture of an evolving digital battlefield where human touchpoints have become the new attack surface. Mimecast reports that phishing now represents 77% of all observed attacks, up from 60% in 2024, a surge likely driven by the growing use of generative AI tools among threat groups.

“We’re seeing a clear evolution in attacker behavior in 2025, headlined by an exponential rise in AI-driven threats,” said Ranjan Singh, Mimecast Chief Product & Technology Officer. “Financial platforms, regulatory agencies, and city governments have all been targeted by profit-driven ransomware groups and highly organized, state-sponsored adversaries. Threat actors are doubling down on human-focused attacks and exploiting trusted business services as their primary means of intrusion, making employee awareness and resilient systems more essential than ever.”

AI-Enhanced Deception: A New Era of Social Engineering

The report highlights how generative AI has redefined the art of manipulation. Attackers are now producing realistic, contextual lures that convincingly mimic internal communications, vendor updates, or partner requests. Phishing emails are increasingly paired with AI-generated voices or synthetic conversations, blurring the line between human and machine interaction.

Mimecast researchers also observed a sharp rise in ClickFix-style attacks, a deceptive technique where users are prompted to fix a fake error or verify their credentials, unknowingly executing malicious code. These schemes have spiked over 500% since January, now accounting for nearly 8% of reported incidents.

Weaponizing Trust: Everyday Tools Turned Against Us

A growing number of campaigns are also exploiting familiar business platforms—a trend Mimecast calls “living off trusted services” (LOTS). Attackers are embedding malicious content within legitimate workflows on platforms such as DocuSign, Salesforce, Adobe Pay, and DocSend, weaponizing the very tools organizations rely on to conduct business.

Mimecast’s analysis shows DocSend as the most frequently abused service of 2025, often used to host phishing pages disguised as document previews. Threat actors have even begun incorporating custom CAPTCHA challenges to appear legitimate and slow down detection efforts. Mimecast documented over 900,000 instances of this tactic linked to the Scattered Spider group across the U.S. and U.K.

Multichannel Coordination: Evading the Defenses

To further complicate detection, adversaries are now blending communication channels like email, voice, text, and even social platforms to bypass conventional monitoring systems. In many cases, phishing messages now include phone numbers directing victims to call fake support lines, minimizing digital traces.

This shift has coincided with a rise in deepfake-enabled impersonations of executives and IT personnel. Combined with generative voice cloning, these tactics make fraud attempts increasingly convincing and difficult to filter.

Sector-Specific Targeting: Following the Money

Mimecast’s report notes that attackers continue to tailor their approach by industry. Professional services, IT software, telecommunications, real estate, and legal sectors saw disproportionately high rates of impersonation and payment fraud attempts. Real estate professionals, in particular, experienced a surge in sophisticated phishing attacks, underscoring the sector’s exposure to high-value transactions and client data.

In one campaign uncovered by Mimecast’s Threat Research Team, criminals targeted hospitality industry professionals through spoofed emails imitating platforms like Expedia and Cloudbeds: a coordinated effort to harvest credentials from hotel management systems.

Defending the Human Layer

Mimecast’s 2025 Global Threat Intelligence Report concludes that while AI has become a major accelerator of threat evolution, it also provides defenders with new tools for automation, detection, and response. The key, the report argues, lies in aligning human awareness with machine intelligence.

“Cyber defense can no longer be treated solely as a technology issue,” said Mimecast Chief Information Security Officer, Leslie Nielsen. “It’s equally about people and organizational resilience. Since last year, cybercriminals have significantly increased their use of trusted services to bypass technical defenses that might otherwise block attacks. Countering these threats requires organizations to adapt by preparing employees to recognize suspicious activity and leveraging tools like AI internally to enhance both business workflows and security operations. As threat actors continue to target the human layer through deception, trust exploitation, and multichannel coordination, building awareness and resilient response capabilities becomes critical.”

