Security Researcher Details How to Detect LLM-Generated Phishing Emails Through Telltale Artifacts
Key Takeaways
- ▸LLM-generated phishing emails leave detectable artifacts including overly descriptive variable names with pseudo-random hex suffixes, over-engineered code structures, and unnecessary technical elements that can be used as threat hunting signals
- ▸While general AI-generated content detection is theoretically difficult, the specific patterns produced by LLMs in malicious emails currently provide valuable signals for identifying phishing campaigns
- ▸This detection advantage is likely temporary, as theoretical research and improving model capabilities will eventually make AI-generated content indistinguishable from human-created material
Summary
A security researcher and email detection engineer has published findings on identifying phishing emails created by large language models, drawing on patterns observed in malicious campaigns. Rather than attempting to detect AI-generated content generally (which research suggests may be theoretically impossible), the researcher focuses on specific artifacts that LLMs characteristically leave behind in phishing emails—including overly descriptive variable names with hex suffixes, over-engineered code structures, and unnecessary technical elements. The analysis builds on Microsoft's September 2025 disclosure of an LLM-obfuscated phishing campaign targeting US organizations and references theoretical work by Sadasivan et al. showing that reliable AI text detection may become impossible as models converge toward human-like output.
The researcher argues that while detecting AI-generated content broadly is problematic due to widespread benign use of generative AI, the specific patterns and artifacts left by LLMs in malicious emails currently represent a strong signal for threat hunting. However, the researcher predicts this advantage will be temporary, as bad actors improve their techniques and LLM-generated content becomes increasingly indistinguishable from human-created material. The findings provide practical detection signals for email security teams while acknowledging the longer-term arms race between defenders and attackers leveraging AI.
- The research builds on Microsoft's documented case of LLM-obfuscated SVG payloads in credential phishing attacks and applies these findings to broader email security detection strategies
Editorial Opinion
This research highlights an important but fleeting window in the AI security arms race. While the identified LLM artifacts provide practical value for defenders today, the theoretical impossibility of long-term AI detection raises uncomfortable questions about future email security. Security teams should implement these signals now while also preparing for a future where AI-generated phishing becomes indistinguishable from legitimate content, requiring fundamentally different defensive approaches.
