Three Things I'm Seeing in Our Inbox This Quarter That Didn't Exist a Year Ago

By Corey Mueller

The inbox looks different than it did eighteen months ago. Not dramatically. Most of the queue is familiar. But three patterns have crossed a threshold. They’re not theoretical. They’re showing up weekly, and defenders who haven’t recalibrated for them are operating on assumptions that no longer hold.

1. The quality floor has risen.

Phishing emails used to announce themselves. Bad grammar. Generic openers. Brittle urgency that real executives don’t write with. Those tells trained a generation of users to trust their instincts — and for a while, those instincts were reasonably reliable.

They’re less reliable now. AI hasn’t made every phishing email brilliant, but it has raised the floor. The bottom quartile of phishing quality has improved faster than anything else I’m watching in the threat landscape. The obviously bad stuff is a smaller share of the queue than it was eighteen months ago.

The practical problem: user training built around writing quality as a primary signal is teaching instincts attackers are already past. The tells haven’t disappeared. They’ve moved. Header analysis, sending infrastructure, behavioral patterns, and timing are doing more of the detection work now than they were two years ago. If your posture still leans heavily on “does this look weird to a human reader,” it’s worth revisiting.

2. The URL isn’t in the email.

A meaningful portion of the phishing I’m reviewing contains no visible URL. The link is in an image. A QR code. A redirect chain running through a legitimate click-tracking service. An attachment that opens a page.

This is deliberate. Email security tools built to scan for malicious URLs in message text don’t process a link inside a PNG the same way. When a redirect starts from a trusted service, the domain at scan time may look clean even if the final destination isn’t.

The gap between “cleared your filters” and “actually safe” is wider than it was in 2023. The practical question worth asking: when did you last audit what your infrastructure actually sees when a link is inside an image, or behind a multi-hop redirect?
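One way to start that audit, as an added example that is not from the original post: a standard-library Python pass over a raw message that lists the link carriers a text-only URL scanner would miss. The function name, the `click.tracker.example` host and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit, parse_qsl

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
REDIRECTORS = {"click.tracker.example"}  # assumption: placeholder click-tracking host

def audit_link_carriers(raw):
    msg = message_from_string(raw, policy=policy.default)
    out = {"text_urls": [], "redirect_targets": [], "opaque_parts": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html") or part.is_attachment():
            # Image (QR code, linked picture) or attachment: no URL in message text.
            out["opaque_parts"].append((ctype, part.get_filename() or "(unnamed)"))
            continue
        for url in URL_RE.findall(part.get_content()):
            out["text_urls"].append(url)
            target = urlsplit(url)
            if target.hostname in REDIRECTORS:
                # Only query-embedded destinations are recoverable offline.
                out["redirect_targets"] += [v for _, v in parse_qsl(target.query)
                                            if v.lower().startswith(("http://", "https://"))]
    out["blind_spot"] = bool(out["opaque_parts"]) and not out["text_urls"]
    return out

# Constructed sample messages (not real mail).
SAMPLE_QR = """\
Subject: Invoice (constructed sample)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Scan the code to view your invoice.
--b
Content-Type: image/png; name="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b--
"""
SAMPLE_REDIRECT = """\
Subject: Statement (constructed sample)

View: https://click.tracker.example/r?u=https%3A%2F%2Flanding.example%2Flogin
"""
```

A message flagged `blind_spot` still needs its image or attachment decoded and rendered in a sandbox, and a tracking link carrying an opaque token instead of a query-embedded URL has to be followed there to learn the final destination.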

3. The pretext knows things.

BEC attempts in my queue are increasingly org-specific. They reference real vendor relationships, use accurate internal framing for financial requests, and know enough about reporting structure to pick a plausible impersonation target.

None of that information is secret. LinkedIn, press releases, job postings, public filings. An attacker willing to spend twenty minutes on research produces a far more convincing pretext than one who doesn’t. That research is getting faster and easier, which means the cost of launching a targeted attempt has dropped.

Targeted BEC used to be rare because it was expensive. That cost is falling. The volume of well-researched, org-specific pretexting is up.


Three patterns. All real. All in motion.

The signals have moved. Defenders who know where to look for them are still ahead. Defenders running 2022 instincts against 2026 threats are increasingly not.

Views expressed here are my own, not those of my employer.