Cybersecurity researchers and major tech firms have spent the past few weeks documenting something that’s been building quietly for a while. Iranian-linked threat actors are running their cyber operations through western AI tools, using ChatGPT and Gemini to write malware, scan for vulnerabilities, and generate phishing messages in fluent Hebrew and Arabic.
The pressure this puts on targets shows up in the volume. The UAE government reported facing over half a million cyberattack attempts per day during the regional conflict, a large share of them AI-assisted. Israeli citizens have been hit by repeated waves of phishing texts and emails, some of them aimed at recruiting recipients as intelligence sources.
It’s a striking set of findings, though the most useful takeaway has little to do with Iran specifically.
The Skill Floor Just Dropped
For most of the history of organized cybercrime, a meaningful gap separated what nation-state actors could pull off from what lower-tier attackers could manage. Sophisticated operations required expertise: writing convincing phishing content, mapping target networks, developing or adapting malware, and operating fluently across language and cultural barriers. That gap was never impenetrable, but it was enough to keep a lot of would-be attackers out of the serious leagues.
AI has compressed it considerably. Both Google and OpenAI have made a point that’s worth sitting with, which is that AI mostly improves attacker workflows rather than handing them genuinely new capabilities. Reconnaissance, phishing content, vulnerability research, and malware debugging are all the same tasks they always were, just done faster and with far less prior expertise. A mid-tier actor can now operate with the throughput of a much larger, better-resourced one.
The practical result is that the pool of actors capable of running a credible attack operation is wider than it’s ever been, and that’s the part worth paying attention to.

The Language Barrier Is Gone
Security awareness training has long leaned on a heuristic that served reasonably well: suspicious emails tend to look suspicious. Odd phrasing, grammatical errors, and awkward sentence structures were never a foolproof signal, but they caught a decent share of phishing attempts before any damage was done.
That heuristic is becoming unreliable. The Iranian operations described in recent reporting were producing phishing messages in fluent Hebrew and Arabic, convincing enough to work at scale. The AI capabilities behind that go well beyond language, too. Attacks that once took weeks of careful human effort can now be put together in minutes:
- Grammatically flawless phishing content in virtually any language, calibrated to tone and cultural context
- Fake personas with AI-generated backstories and dialogue, capable of building trust with targets over time
- Automated vulnerability scanning that runs continuously across large target surfaces
- Malware written, tested, and debugged faster than a human team could manage
Building rapport with a target used to mean weeks of crafted conversation under a fake identity. Much of that can now be handled automatically.
For organizations operating across multiple countries or languages, this is a concrete change. Telling users to spot the red flags still has some value, but it’s increasingly thin as a primary defense, and it was always asking a lot of people to begin with.
More Volume, More Speed
The scale dimension makes all of this worse. We’ve covered in depth how AI has collapsed attacker timelines, including CrowdStrike’s finding that average breakout time hit just 29 minutes in 2025. What the nation-state story adds to that picture is volume, since operations that previously required human effort at each step can now run largely on their own, against far more targets, around the clock.
A phishing campaign that would have taken a team days to localize and deploy can be generated, customized, and launched in a fraction of the time. Automated scanning for exposed vulnerabilities runs without fatigue or downtime. The operational capacity of a given threat actor has grown without any matching growth in headcount or expertise.
You Can’t Train Your Way Out of This
None of this makes user security training pointless, and it’s still worth doing well. Treating it as your primary control, however, is increasingly a misallocation of confidence. When phishing emails are indistinguishable in quality from legitimate correspondence and arrive in a user’s native language with culturally appropriate context, whether someone clicks comes down largely to timing and circumstance. Some of them will, eventually, and your security posture shouldn’t depend on the answer being “no” every single time.
The more durable approach is building your environment so that a successful phish doesn’t hand an attacker much of anything. That means removing the standing privileges that make a compromised account immediately valuable, granting access on demand and scoped to what’s actually needed, and revoking it once the task is done. Always-on remote connections get the same treatment, replaced with ones that require approval and don’t persist.
The logic is straightforward: a constrained blast radius forces an attack to work a lot harder before it can do real damage.
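The access model described above, as an added example (not Admin By Request's code or API): a hypothetical `JitBroker` issues elevation per scope, only with MFA and approval, for a limited time, and `phished_account_reach` compares what stolen credentials can reach under standing admin rights versus just-in-time grants. All names, scopes and times are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:
    user: str
    scope: str         # one application or session, e.g. "install:vpn-client"
    expires_at: float  # absolute time in seconds

@dataclass
class JitBroker:
    """Hypothetical just-in-time elevation broker (illustrative model only)."""
    grants: list = field(default_factory=list)

    def request(self, user, scope, now, ttl, mfa_passed, approved):
        # Without both MFA and approval, no grant is issued at all.
        if not (mfa_passed and approved):
            return None
        grant = Grant(user, scope, now + ttl)
        self.grants.append(grant)
        return grant

    def revoke(self, grant):
        # Revoke once the task is done instead of waiting for expiry.
        if grant in self.grants:
            self.grants.remove(grant)

    def is_allowed(self, user, scope, now):
        # Allowed only inside an unexpired grant for this exact scope.
        return any(g.user == user and g.scope == scope and now < g.expires_at
                   for g in self.grants)

def phished_account_reach(broker, standing_admins, user, actions, now):
    """Privileged actions available to whoever holds `user`'s credentials at `now`."""
    if user in standing_admins:
        return list(actions)  # standing rights: everything, all the time
    return [a for a in actions if broker.is_allowed(user, a, now)]

def demo():
    # Constructed scopes and timeline (seconds).
    actions = ["install:vpn-client", "service:reconfigure", "user:add-local-admin"]
    broker = JitBroker()
    g = broker.request("alice", "install:vpn-client", now=0, ttl=600,
                       mfa_passed=True, approved=True)
    during = phished_account_reach(broker, set(), "alice", actions, now=300)
    broker.revoke(g)  # task finished
    after = phished_account_reach(broker, set(), "alice", actions, now=301)
    # A stolen password alone cannot pass MFA or obtain approval.
    denied = broker.request("alice", "user:add-local-admin", now=302, ttl=600,
                            mfa_passed=False, approved=False)
    standing = phished_account_reach(broker, {"alice"}, "alice", actions, now=301)
    return standing, during, after, denied
```
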

Make a Successful Phish Less Useful
Admin By Request’s EPM solution removes permanent local admin rights from endpoints and replaces them with on-demand elevation, approved per application or session. Our Secure Remote Access solution applies the same principle to remote connections, with just-in-time access that’s MFA-gated and automatically terminated. Neither one stops a phishing email from landing in someone’s inbox, but both make that email far less useful to whoever sent it.
The threat pool is wider than it’s ever been and the quality floor has risen, which means better phishing detection on its own won’t carry an organization very far. The work now is in building environments where the inevitable successful attack runs into real resistance the moment it tries to do something useful.

