Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because the technique is confirmed active in at least one observed sample and requires no special privileges or access — only a reformulated attachment — making it low-cost to replicate at scale, though campaign breadth and active exploitation in the wild remain unconfirmed from a single SANS ISC data point as of July 10, 2026. Impact is high because a successful bypass of the primary detection layer delivers phishing lures directly to employee inboxes, and a single credential compromise in this threat class is a documented precursor to ransomware deployment, BEC fraud, and unauthorized customer-data access — each carrying material financial, operational, and reputational consequences.
Treatment rationale: The attack directly exploits over-reliance on a single AI-based detection layer, making compensating control activation — specifically layered non-AI defenses, user awareness reinforcement, and detection rule augmentation — the appropriate primary response, while transfer is secondary and only partial given the residual exposure from a successful phish.
Third-Party / Supply-Chain Risk
Risk is vendor-agnostic and extends to any third-party AI/ML email security gateway (SEG) in the organization's stack — whether cloud-hosted or managed-service. Organizations that have outsourced email security to an MSSP or rely on a SaaS SEG as their primary phishing control inherit that vendor's model sensitivity to this evasion technique. Per NIST SP 800-161, organizations should query their SEG vendor for model update status and detection coverage against HTML comment stuffing as part of third-party risk oversight.
Loss Exposure (illustrative)
Magnitude: moderate to high — illustrative $250K–$3M per successful intrusion chain; lower bound reflects credential-reset, investigation, and lost productivity from a contained account compromise; upper bound reflects a BEC fraud event or ransomware incident with partial recovery, where the phishing bypass was the initial access vector
Frequency: For an organization with AI-augmented email security as its primary phishing control and no active compensating layers: illustrative 1–4 successful phishing-to-compromise events per year at the lower end of enterprise employee count, scaling with headcount and email volume. This technique lowers the effective filter detection rate, increasing the probability that any given phishing attempt reaches and is acted on by a recipient.
Annualized: Illustrative ALE: moderate — $250K–$3M loss magnitude x 1–4 frequency events yields an illustrative annualized range of $250K–$12M; the wide range reflects the significant difference in outcome between a contained credential compromise and a full ransomware or BEC event. No single point estimate is defensible without organization-specific data.
Basis: Loss magnitude driven by: (1) credential compromise response costs (forensics, identity remediation, legal notification review) as the floor; (2) BEC fraud or ransomware recovery as the ceiling, both being confirmed downstream consequences of initial phishing access in this threat class. Frequency driven by: baseline phishing attempt volume to a typical enterprise, discounted by non-AI detection layers (if any), discounted further by user reporting and awareness program effectiveness. No external report dollar figures were used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If a phishing email bypassing AI filters leads to a credential compromise resulting in unauthorized access to PII or PHI, state breach-notification requirements may be triggered — verify with counsel.
• A successful downstream ransomware event or BEC fraud originating from a bypassed phishing lure may constitute a cyber insurance reportable incident or invoke notice obligations under the policy — verify with broker.
• If customer data is accessed following account compromise, contractual data-processing agreements with clients or partners may impose notification or liability obligations — verify with counsel.