Microsoft published the Digital Defense Report 2025 (MDDR 2025) in October 2025, with one stat that landed harder than the rest. AI-generated phishing emails recorded a 54% click-through rate in controlled tests, against 12% for human-written phishing on the same target population (Microsoft, 2025). That is a 4.5× multiplier on the single technique that makes up the largest share of initial-access vectors in modern attacks.
The number landed during a year when the industry had become quietly comfortable with phishing as a "solved" detection problem. Email gateways had matured, user-reporting workflows had been deployed, and the click-through baseline was trending down. The MDDR 2025 stat broke that trend in a single report.
The shift from manual to AI-generated phishing
The mechanics of why click-through went 12% → 54% are not mysterious. AI-generated phishing emails are grammatically clean, tone-appropriate, and contextually relevant in ways that manual phishing only rarely achieved at scale. The 2024-era heuristics — "watch for typos, watch for awkward phrasing, watch for generic salutations" — no longer filter what an LLM can produce.
The Mandiant M-Trends 2026 report adds a second number to the picture: the median time from initial human-driven reconnaissance to AI-driven exploitation is twenty-two seconds (Mandiant, 2026). The attacker writes the prompt; the AI writes the lure; the email is dispatched faster than a human could draft a single line.
This combination — higher click-through, faster dispatch, more variant lures per campaign — is the asymmetry. Defenders who relied on signature-based detection of known-bad lures lost the engagement before they knew it had started.
Mandiant M-Trends 2026 puts the median human-to-AI handoff time in modern attacks at twenty-two seconds (Mandiant, 2026). A defender model that needs minutes to evaluate a lure is already losing.
Why Defender baseline is not enough
Microsoft Defender for Office 365 ships strong baseline protection — anti-spam, anti-malware, Safe Links, Safe Attachments, anti-phishing policies. For the bulk-volume phishing of 2022-2024, the baseline was reasonable. For 2025-2026 AI-generated lures with low-volume, high-personalisation characteristics, the baseline is structurally insufficient because it relies heavily on signature and reputation telemetry.
Reputation-based detection assumes recurrence — the more often a sender, domain, or URL is seen across the tenant fleet, the more confident the verdict. AI-driven campaigns deliberately defeat reputation by generating per-recipient lures with per-recipient infrastructure. Each lure is effectively zero-volume, which means each lure has zero reputation history, which means signature-based defenders default to "unknown" and let it through.
The structural answer is to add layers that do not depend on reputation: behavioural baselines per sender / per relationship, content-classification on intent, click-time URL detonation in a sandbox, and consensus across multiple independent detection engines so a single-engine miss is not a tenant miss.
Behavioural baselines as the next layer
A behavioural baseline tracks how each sender normally communicates with each recipient — typical hours, typical topics, typical link patterns, typical reply chains. When a lure deviates from the baseline (the CEO emails the finance director at 02:14 SAST about a wire transfer), the deviation is a signal independent of the lure's content. AI-generated lures have to break baseline behaviour to be effective; that is the leverage.
The baselines are per-relationship rather than per-sender, which matters because the CEO emails finance differently from how they email engineering. A vendor that ships sender baselines but not relationship baselines is providing one quarter of the available signal.
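A minimal per-relationship baseline of the kind described above, written as an added example for this article (not Microsoft's or any vendor's code). It keys state on the (sender, recipient) pair, learns typical send hours, link domains and topics from constructed history, and reports deviations for the article's 02:14 SAST wire-transfer lure; the `topics` field assumes an upstream intent classifier that is not shown.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
SAST = timezone(timedelta(hours=2))  # the article's example timestamp is in SAST

@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    sent_at: datetime        # timezone-aware
    link_domains: frozenset  # registrable domains of links in the body
    topics: frozenset        # intent tokens from an upstream classifier (assumed to exist)

class RelationshipBaseline:
    """What 'normal' looks like for one (sender, recipient) pair."""
    def __init__(self):
        self.hour_counts = defaultdict(int)
        self.link_domains, self.topics, self.observed = set(), set(), 0
    def observe(self, msg: Message) -> None:
        self.hour_counts[msg.sent_at.astimezone(SAST).hour] += 1
        self.link_domains |= msg.link_domains
        self.topics |= msg.topics
        self.observed += 1
    def deviations(self, msg: Message, min_history: int = 5) -> list:
        """Signals that do not depend on the lure's wording or on sender reputation."""
        if self.observed < min_history:
            return ["insufficient_history"]  # a thin baseline is not evidence of normality
        out, hour = [], msg.sent_at.astimezone(SAST).hour
        if self.hour_counts[hour] == 0:
            out.append(f"unusual_hour:{hour:02d}")
        if new := msg.link_domains - self.link_domains:
            out.append("new_link_domain:" + ",".join(sorted(new)))
        if new := msg.topics - self.topics:
            out.append("new_topic:" + ",".join(sorted(new)))
        return out

BASELINES = defaultdict(RelationshipBaseline)  # keyed per relationship, not per sender
def learn(msg: Message) -> None:
    BASELINES[(msg.sender, msg.recipient)].observe(msg)
def deviations(msg: Message) -> list:
    return BASELINES[(msg.sender, msg.recipient)].deviations(msg)

# Constructed history: eight office-hours mails from the CEO to the finance director.
for day in range(1, 9):
    learn(Message("ceo@example.co.za", "fin@example.co.za",
                  datetime(2026, 3, day, 9 + day % 7, 0, tzinfo=SAST),
                  frozenset({"sharepoint.example"}), frozenset({"budget", "board"})))
# Constructed lure: same pair, 02:14 SAST, new topic, new link infrastructure.
LURE = Message("ceo@example.co.za", "fin@example.co.za", datetime(2026, 3, 12, 2, 14, tzinfo=SAST),
               frozenset({"invoice-pay.example"}), frozenset({"wire"}))
```

The same CEO mailing engineering has no baseline with finance, so that pair correctly reports `insufficient_history` rather than borrowing the finance relationship's profile.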
Consensus detection over single-engine verdicts
A consensus detection model runs multiple independent engines on each inbound message and requires agreement before assigning a high-confidence verdict. The structure is simple — the value is statistical. If each engine independently has a 5% false-negative rate, a lure slips past a two-engine stack only when both engines miss it, which happens 0.05 × 0.05 = 0.25% of the time. The trade-off is computational cost and latency, both manageable at modern hardware prices.
The "independent" qualifier matters. Two engines that share an underlying model or training set are not independent — they fail correlated. A practical consensus stack mixes signature-based, ML-based, behavioural, and link-detonation engines so each contributes a different angle.
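The consensus arithmetic above, and the independence caveat, as an added example (not taken from the article or from any product). Engines are tagged with the detection family they rely on; agreement is counted across distinct families, and the residual miss rate collapses engines in the same family to one, so two engines sharing a model get no multiplicative credit. Engine names and miss rates are constructed.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Verdict:
    engine: str        # engine name (constructed)
    family: str        # what it fundamentally relies on: signature, ml, behavioural, detonation
    flagged: bool      # did this engine call the message malicious?
    miss_rate: float   # measured false-negative rate on held-out lures (assumed figure)

def independent_families(verdicts) -> dict:
    """Collapse engines that share an underlying model or training set into one
    family, keeping the family's best miss rate: correlated engines fail together."""
    best = {}
    for v in verdicts:
        best[v.family] = min(best.get(v.family, 1.0), v.miss_rate)
    return best

def residual_miss_rate(verdicts) -> float:
    """Probability that every independent angle misses the same lure."""
    return prod(independent_families(verdicts).values())

def consensus(verdicts, required: int = 2) -> str:
    """Agreement is counted across distinct families, not across raw engine count."""
    flagging = {v.family for v in verdicts if v.flagged}
    if len(flagging) >= required:
        return "high_confidence_malicious"
    if flagging:
        return "suspicious"   # one angle fired: hold for review instead of delivering
    return "clean"

# Constructed verdicts for a zero-volume, per-recipient lure: reputation has
# nothing to say, but the relationship baseline and the sandbox both fire.
LURE_VERDICTS = [
    Verdict("reputation-gw", "signature", False, 0.05),
    Verdict("intent-classifier", "ml", False, 0.05),
    Verdict("relationship-baseline", "behavioural", True, 0.05),
    Verdict("click-time-sandbox", "detonation", True, 0.05),
]
# The article's arithmetic: two independent 5% engines miss together 0.25% of the time.
INDEPENDENT_PAIR = [Verdict("a", "ml", False, 0.05), Verdict("b", "behavioural", False, 0.05)]
# Two engines on the same model are one family: no multiplicative gain.
SHARED_MODEL_PAIR = [Verdict("a", "ml", False, 0.05), Verdict("a-retrained", "ml", False, 0.05)]
```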
POPIA Section 19 reasonable measures
POPIA Section 19 requires "appropriate, reasonable technical and organisational measures" for the integrity and confidentiality of personal information (Republic of South Africa, 2013). The Information Regulator has not specified what counts as "reasonable" for email-borne threats specifically, but the trend in regulator guidance globally is that "what was reasonable in 2022" is no longer reasonable in 2026 if the threat landscape has materially changed.
For an MSP serving SA tenants, this means the baseline expectation in a regulator post-incident review will move with the threat. A defence posture that has not added behavioural baselines and consensus detection by mid-2026 is harder to argue as "reasonable" than the same posture would have been two years earlier.
References
Microsoft (2025) Microsoft Digital Defense Report 2025. Microsoft Threat Intelligence. Available at: https://www.microsoft.com/security/security-insider (Accessed: 8 May 2026).
Mandiant (2026) M-Trends 2026 Report. Google Cloud / Mandiant. Available at: https://cloud.google.com/security/resources/m-trends (Accessed: 8 May 2026).
Republic of South Africa (2013) Protection of Personal Information Act, No. 4 of 2013. Government Gazette of the Republic of South Africa.