There is a moment in every security team’s worst-case scenario when the inbox stops being a communication tool and becomes a crime scene. What has changed is how quickly that moment can arrive, and how little advance warning precedes it.
Not long ago, phishing required a certain level of craft — a convincing sender address, plausible language, and enough polish to get past a skeptical user. Employees were trained to look for the tells, like spelling mistakes, slightly off branding, awkward tone, mismatched domains, and so forth. Those tells are fading because AI can now generate phishing emails that look and read like legitimate business communications in minutes, lowering the skill barrier for attackers and increasing the realism of what lands in the inbox. The attacker doesn’t need skill as much as motivation.
That shift has major implications for how organizations think about email security, and it explains the logic behind Barracuda’s Managed XDR Red Team’s recent simulation of a modern AI-assisted attack chain from phishing email to full compromise. The results are compelling.
In the exercise, a single phishing email led to credential theft, MFA bypass, endpoint compromise, and attacker persistence within five minutes of the victim’s first click. At each stage, conventional defenses were either not looking for the right things, or they weren’t fast enough to prevent the movement.
The Attack Chain Security Teams Now Need to Assume
The Red Team simulation combined three techniques that are already well known on their own, but far more dangerous when chained together with AI-assisted speed and realism.
The first stage was an AI-generated phishing email crafted to resemble a legitimate Microsoft SharePoint notification. The email was created with a widely available LLM and was structurally indistinguishable from a real SharePoint message, including the expected formatting, tone, and metadata. The target clicked the link 21 minutes after delivery — not instantly, and not irrationally, which is important in the context of AI-generated phishing campaigns.
Figure: AI-Generated Phishing Email
From there, the attack moved quickly. The victim landed on what appeared to be a legitimate Microsoft login page, but the page was being proxied through Evilginx, an adversary-in-the-middle framework designed to capture credentials and session tokens in real time. When Microsoft prompted for MFA, Evilginx passed the request through to the user, then intercepted the resulting authenticated session cookie. Within two minutes of the click, the attackers had the credentials, the session details, and the ability to open the compromised Microsoft 365 account as the legitimate user.
Figure: Legitimate MFA Request
That alone would have been serious enough. With access to the account, an attacker could read and send email, access SharePoint and OneDrive, create inbox rules to hide malicious activity, and approve OAuth applications designed to preserve access even after the original session expired. But that's not all.
Next came the ClickFix stage. In the simulation, the victim was shown a fake verification prompt and instructed to copy a code. In the background, a malicious command had already been placed on the clipboard. A few familiar Windows shortcuts later, the user triggered a PowerShell-based script that reached out to an external server and established persistence. Five minutes after the first click, the attacker had a foothold on the endpoint.
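The ClickFix stage described above leaves a distinctive trace on the endpoint: a shell launched from the user's own desktop session (the Win+R Run dialog is hosted by explorer.exe) with a command line carrying hidden-window, encoded-command or download-and-run flags. The following is an added example, not Barracuda's code or part of the simulation, showing one way to score process-creation telemetry for that pattern. The event fields are a simplified, constructed subset of a Sysmon Event ID 1 or EDR record (an assumption about what your telemetry exposes), and the encoded payload is a harmless placeholder built the way PowerShell's -enc expects (base64 of UTF-16LE text).

```python
"""Heuristic ClickFix detection over endpoint process-creation events.

Added example for this article, not Barracuda's code. The event fields below
are a simplified, constructed subset of what a Sysmon Event ID 1 or EDR
process-creation record carries (assumption: your telemetry exposes parent
image, image and full command line).
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    ts: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Interpreters a pasted ClickFix command typically lands in.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# The Win+R Run dialog is hosted by explorer.exe, so a shell whose parent is
# explorer.exe was started by something the user typed or pasted, not by a
# scheduler, service or installer.
INTERACTIVE_PARENTS = {"explorer.exe"}

# (regex over the lower-cased command line, label, weight)
INDICATORS = [
    (r"-(?:w|win|windowstyle)\s+hidden", "hidden window", 2),
    (r"-(?:e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", "encoded command", 3),
    (r"\b(?:iex|invoke-expression)\b", "inline expression evaluation", 2),
    (r"downloadstring|invoke-webrequest|\biwr\b|net\.webclient|\bcurl\b", "remote fetch", 2),
    (r"https?://", "url in command line", 1),
    (r"-(?:nop|noprofile)\b", "profile suppressed", 1),
    (r"-(?:ep|executionpolicy)\s+bypass", "execution policy bypass", 2),
]


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Score is 0 for anything that is not a shell launch."""
    if basename(ev.image) not in SHELLS:
        return 0, []
    cl = ev.command_line.lower()
    score, reasons = 0, []
    for pattern, label, weight in INDICATORS:
        if re.search(pattern, cl):
            score += weight
            reasons.append(label)
    if basename(ev.parent_image) in INTERACTIVE_PARENTS:
        score += 2
        reasons.append("shell spawned from interactive parent")
    return score, reasons


def detect_clickfix(events, threshold: int = 5):
    """Return events at or above the threshold. A plain interactive console
    (score 2) or a scheduled -NoProfile script (score 1) stays below it."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample events. The encoded payload is a harmless placeholder.
_PLACEHOLDER = base64.b64encode("Write-Output PLACEHOLDER".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent("2025-01-15T09:24:10Z", "CORP\\alice", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell -w hidden -nop -ep bypass -enc {_PLACEHOLDER}"),
    ProcessEvent("2025-01-15T09:25:00Z", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\ProgramData\Scripts\inventory.ps1"),
    ProcessEvent("2025-01-15T09:26:30Z", "CORP\\alice", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcessEvent("2025-01-15T09:27:45Z", "CORP\\bob", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for ev, score, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"{ev.ts} {ev.user}: score={score} ({', '.join(reasons)})")
```

The weights are deliberately additive so that a single flag never fires on its own: an administrator opening a console from the Start menu scores 2, a service-launched inventory script scores 1, and only the pasted command that combines an interactive parent with hidden-window, encoded-command and policy-bypass flags crosses the threshold. Tune the indicator list and threshold against your own baseline of legitimate PowerShell use before relying on it.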
What makes the sequence so instructive is not that it relied on novel tools, because it didn’t. In fact, it was quite the opposite. Widely available tools and techniques are now enough to build an end-to-end compromise path that moves faster than many security teams can realistically investigate by hand.
Point-in-Time Email Security Is No Longer Enough
For years, email security has been designed around a single decision point: the moment of delivery. Scan the message, inspect the sender, check the link, assign a verdict, then either deliver or quarantine.
That model made sense when most of the danger was static, like a malicious attachment, a spoofed domain, or an obviously fraudulent message. The problem is that today’s attacks are increasingly dynamic. A message may look harmless at delivery and only become dangerous after the user clicks. A compromised account may become a launchpad for lateral movement within minutes, and a stolen session token can turn a valid login flow into a bypass of MFA without triggering the kinds of alerts many organizations still rely on.
“Email is no longer a human-centric communication platform; it’s an operational fabric where humans and AI interact, making it a much bigger target and amplifying the speed, scale and impact of attacks when threats go undetected,” said Rohit Ghai, Barracuda CEO. “In the agentic AI era, effective security requires a platform approach that delivers continuous visibility and response across the full attack lifecycle.”
The inbox is no longer where the attack lives. It is where the attack begins.
Closing the Gap
Barracuda makes a similar architectural argument with its new Integrated Email Protection platform that features continuous, full-lifecycle security rather than point-in-time inspection. The premise is that effective email defense now requires the ability to detect, re-evaluate, and remediate threats after delivery by correlating signals across email, identity, network, data, and applications.
It reflects the realities of the modern attack chain where an attack does not stop at the inbox — so security can’t stop there either.
The product, built on the BarracudaONE platform, is designed to continuously detect and remediate threats across the full attack lifecycle, not just at the moment of message arrival. For Microsoft 365 and Google Workspace environments, it adds post-delivery message clawback and uses cross-domain signal correlation to identify threats that evolve after initial delivery. Barracuda also emphasizes explainability through its Bailey AI assistant, which presents verdicts in plain language, shows how different security systems reached different conclusions, and gives teams the ability to review or reverse automated actions.
One of the persistent weaknesses in AI-powered security tooling is that many systems still operate like black boxes. If defenders cannot understand why an action was taken, they are more likely to distrust or override it. Barracuda’s system automates response but still explains itself and, as such, has a better chance of being used effectively.
For MSPs, the design has another advantage. Barracuda says the platform is built for both single- and multi-tenant environments, which means service providers can identify, investigate, and respond to risks across customers from a shared operational layer. As attackers move faster and compromise spreads more easily from inbox to identity to endpoint, that level of visibility becomes an operational necessity, not just a convenience.
To be clear, none of this makes phishing less dangerous, and Barracuda’s Red Team simulation points to just the opposite. AI is making phishing faster to generate, more realistic in presentation, and easier to scale. Adversary-in-the-middle kits remain effective against organizations that still rely on conventional MFA patterns alone. ClickFix-style social engineering takes advantage of familiar operating system behaviors and user habits that many environments still permit.
That is why the practical defenses still matter, like phishing-resistant MFA, strong DMARC configuration, user training, monitoring for unusual session behavior, restrictions on risky actions such as unrestricted PowerShell execution, and rapid detection of malicious inbox rules and persistence mechanisms. No single layer is enough.
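Two of the defenses listed above, monitoring for unusual session behavior and rapid detection of malicious inbox rules, can be checked from the same audit trail, and correlating them is what separates a noisy alert from a confident one: a rule that deletes or forwards mail is far more telling when it was created minutes after a sign-in from a network the user has never used. The following is an added example, not Barracuda's code, that walks constructed Microsoft 365 audit records. The records mimic the Unified Audit Log shape (Operation, UserId, ClientIP, CreationTime, and for Exchange cmdlets a Parameters list of Name/Value pairs), but every value is made up, and the per-user network baseline and internal domain list are assumptions you would derive from your own sign-in history and tenant configuration.

```python
"""Post-compromise detection over Microsoft 365 audit records: anomalous
sign-ins and inbox rules built to hide or divert mail.

Added example for this article, not Barracuda's code. Records are constructed;
the field names follow the Unified Audit Log shape but all values are made up,
and the network baseline below is an assumption, not data from the page.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: the organisation's own mail domains and known office networks.
INTERNAL_DOMAINS = {"example.com"}
BASELINE_NETWORKS = {
    "alice@example.com": [ipaddress.ip_network("203.0.113.0/24")],
    "bob@example.com": [ipaddress.ip_network("203.0.113.0/24")],
}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Folders attackers use to park mail the victim would otherwise notice.
HIDING_FOLDERS = ("rss subscriptions", "rss feeds", "conversation history", "archive", "deleted items", "junk")
SENSITIVE_WORDS = ("password", "mfa", "security", "suspicious", "invoice", "payment", "wire")
CORRELATION_WINDOW = timedelta(minutes=30)


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def in_baseline(user: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BASELINE_NETWORKS.get(user, []))


def rule_reasons(record: dict) -> list[str]:
    """Why an inbox-rule operation looks like attacker persistence, if at all."""
    p = {x["Name"]: str(x["Value"]) for x in record.get("Parameters", [])}
    reasons = []
    if p.get("DeleteMessage", "").lower().lstrip("$") == "true":
        reasons.append("deletes matching mail")
    folder = p.get("MoveToFolder", "").lower()
    if any(h in folder for h in HIDING_FOLDERS):
        reasons.append(f"moves mail to rarely viewed folder {folder!r}")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in re.split(r"[;,]", p.get(key, "")):
            domain = addr.strip().rsplit("@", 1)[-1].strip('">] ').lower()
            if "@" in addr and domain not in INTERNAL_DOMAINS:
                reasons.append(f"{key} to external domain {domain}")
    words = p.get("SubjectContainsWords", "").lower()
    if any(w in words for w in SENSITIVE_WORDS):
        reasons.append("matches security or finance subjects")
    return reasons


def analyze(records: list[dict]) -> list[dict]:
    """Walk records in time order; emit findings, escalating a suspicious rule
    to high severity when it comes from, or shortly follows, a sign-in from
    outside the user's baseline networks."""
    findings = []
    last_anomalous_login: dict[str, datetime] = {}
    for r in sorted(records, key=lambda x: parse_ts(x["CreationTime"])):
        user, ip, when = r["UserId"], r["ClientIP"], parse_ts(r["CreationTime"])
        known = in_baseline(user, ip)
        if r["Operation"] == "UserLoggedIn" and not known:
            last_anomalous_login[user] = when
            findings.append(dict(time=r["CreationTime"], user=user, operation=r["Operation"],
                                 severity="medium", reasons=[f"sign-in from network outside baseline ({ip})"]))
        elif r["Operation"] in RULE_OPS:
            reasons = rule_reasons(r)
            if not reasons:
                continue
            severity = "medium"
            prior = last_anomalous_login.get(user)
            if not known or (prior and when - prior <= CORRELATION_WINDOW):
                severity = "high"
                reasons.append("created from or shortly after an anomalous sign-in")
            findings.append(dict(time=r["CreationTime"], user=user, operation=r["Operation"],
                                 severity=severity, reasons=reasons))
    return findings


# Constructed records using TEST-NET addresses; 198.51.100.77 plays the proxy host.
def _exo(op, user, ip, ts, **params):
    return {"Operation": op, "UserId": user, "ClientIP": ip, "CreationTime": ts,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}

SAMPLE_AUDIT = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "CreationTime": "2025-01-15T09:00:00Z"},
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "198.51.100.77", "CreationTime": "2025-01-15T09:21:30Z"},
    _exo("New-InboxRule", "alice@example.com", "198.51.100.77", "2025-01-15T09:24:05Z",
         Name=".", SubjectContainsWords="password;security alert;mfa", MarkAsRead="True", DeleteMessage="True"),
    _exo("Set-InboxRule", "alice@example.com", "198.51.100.77", "2025-01-15T09:26:40Z",
         Identity=".", ForwardAsAttachmentTo="collector@mail.example.invalid"),
    _exo("New-InboxRule", "bob@example.com", "203.0.113.22", "2025-01-15T10:05:00Z",
         Name="Newsletters", FromAddressContainsWords="newsletter", MoveToFolder="\\Newsletters"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT):
        print(f"[{f['severity']}] {f['time']} {f['user']} {f['operation']}: {'; '.join(f['reasons'])}")
```

Note that in an adversary-in-the-middle flow the sign-in itself succeeds with valid credentials and a completed MFA challenge, so the only identity-side signal is where it came from; that is why the baseline check runs on the sign-in record and then carries forward to the rule operations that follow it. Bob's newsletter rule, created from a known network and moving mail to an ordinary folder, produces no finding at all.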
Still, basic email security that looks once, makes a verdict, and stops looking is no longer a good match for modern attacks. The inbox has become a launch point into identity, endpoint, and application compromise, and those compromises unfold much more rapidly than ever.
The five-minute breach is not just a headline; it’s a benchmark for how quickly modern attacks can unfold. The question for MSPs and security teams is whether their current stack is designed to respond at that speed.
Edited by Erik Linask