Cybercrime Tool SpamGPT Used for Massive Phishing Attacks
Cybercriminals are using a new, sophisticated tool called SpamGPT to launch large-scale email phishing campaigns. The AI-powered software has been promoted on the dark web as a “spam-as-a-service” platform that automates most of the tasks involved in an email phishing attack.
According to Cybersecurity News, malicious actors have developed the cybercrime toolkit by leveraging AI systems and professional email marketing strategies for fraudulent email operations, and are selling it for $5,000.
The interface closely resembles legitimate email marketing services and includes multiple features, such as an SMTP/IMAP email server, email testing, and real-time campaign performance monitoring.
SpamGPT integrates an AI marketing assistant named KaliGPT into its dashboard, which helps cybercriminals create and automate campaigns. The AI assistant suggests and crafts persuasive content, including subject lines, and recommends a target audience.
The program is promoted as an efficient tool for reaching inboxes at popular providers such as Gmail, Microsoft 365, and Outlook by masking its malicious content and evading detection.
In a recent report published by the cybersecurity firm Varonis, experts warned about SpamGPT’s capabilities and its potential to facilitate cyberattacks by criminals with little technical knowledge.
“SpamGPT lowers the technical barrier for running effective spam and phishing campaigns,” states the document. “What used to require a team of skilled developers can now be accomplished by a single bad actor with a $5,000 toolkit.”
The cybersecurity expert recommends that companies strengthen their email defenses and include AI-powered security solutions, as the abuse of generative AI for cyberattacks is growing. “Staying ahead of this curve will require defenders to likewise leverage AI, monitoring, and collaboration across the security community,” added the researcher.
A few months ago, it was reported that cybercriminals were using another phishing toolkit, developed by security researcher mr.d0x, to exploit Progressive Web Apps (PWAs). The expert also warned about the urgent need to enhance security layers against phishing campaigns.