- 01 July, 2026
In 2025, phishing is no longer the clumsy, typo-ridden scam it once was. Cybercriminals are now deploying large language models to craft hyper-personalised spear-phishing emails that mimic the writing style of your CFO, replicate your HR team’s signature blocks, and exploit real-time intelligence scraped from LinkedIn, company websites, and social media. Indian enterprises—especially in BFSI, pharma, manufacturing, and IT services—are prime targets. The cost of a successful phishing breach goes well beyond the ransom or data loss: under the DPDP Act 2023 and CERT-In’s 6-hour mandatory reporting rule, a single incident can trigger regulatory scrutiny, reputational damage, and significant financial penalties.
This post walks Indian IT leaders and CISOs through exactly what AI-powered phishing looks like in the wild, why traditional defences are failing, and the concrete technical and operational steps PJ Networks recommends to stop these attacks before they reach your employees’ inboxes.
What AI-Powered Phishing Actually Looks Like
Traditional phishing was a volume game: blast millions of generic emails and hope a small percentage clicked. AI-powered phishing is a precision game. Here is what the threat intelligence community is observing in 2025:
- LLM-crafted spear-phishing: Attackers feed publicly available information about a target (job title, recent press releases, LinkedIn activity, company announcements) into generative AI tools to produce emails that are grammatically flawless, contextually relevant, and timed to coincide with real business events such as mergers, audits, or product launches.
- Voice and video deepfakes extending the chain: A phishing email may be followed by a WhatsApp voice note or a brief video call using a deepfake of a senior executive, reinforcing the urgency of the request. This multi-modal social engineering dramatically increases click and compliance rates.
- Adversarial AI bypassing legacy filters: AI is also being used on the attacker’s side to mutate malicious payloads and rewrite email body text in real time, helping messages slip past signature-based and even older ML-based email security gateways.
- QR-code phishing (Quishing): Embedded QR codes in PDF attachments bypass URL-scanning engines and redirect employees to credential-harvesting pages hosted on legitimate cloud services like Google Sites or Microsoft SharePoint—domains that traditional threat intelligence feeds rarely block.
- Business Email Compromise (BEC) escalation: Once an attacker compromises one mailbox, AI tools automatically analyse the victim’s sent-mail history to replicate writing style and initiate fraudulent wire-transfer requests or vendor payment redirects to finance teams.
Why Indian Enterprises Are Particularly Exposed
India’s rapid digital transformation has outpaced security maturity in many organisations. Several structural factors increase exposure:
- Rapid cloud adoption without MX hardening: Many SME and mid-market firms have migrated to Microsoft 365 or Google Workspace but rely solely on the default built-in email security, which is insufficient against AI-generated content and zero-day malicious attachments.
- Flat network architectures: Legacy organisations often lack segmentation. Once an attacker gains initial access via a phishing link, lateral movement is trivially easy without ZTNA or micro-segmentation in place.
- Stretched security teams: India has a well-documented cybersecurity talent shortage. Many enterprises rely on IT generalists to double as security responders, delaying detection and response.
- DPDP Act compliance pressure: The Digital Personal Data Protection Act 2023 mandates breach notification to the Data Protection Board and affected individuals. A phishing-induced data breach now carries regulatory teeth—not just reputational damage.
- High-value targets in the supply chain: Indian IT services and BPO firms hold credentials and access to dozens of global client environments. Compromising one mid-tier supplier can give attackers a foothold into Fortune 500 networks.
The Technical Defence Stack: FortiMail + FortiGate + SOC
PJ Networks recommends a layered defence-in-depth approach anchored by Fortinet’s integrated security fabric. Here is how each layer contributes:
Layer 1 — FortiMail: AI-Driven Email Security at the Gateway
FortiMail is a dedicated Secure Email Gateway (SEG) that goes far beyond the default filtering in Microsoft 365 or Google Workspace. Key capabilities relevant to AI-powered phishing:
- FortiGuard AI/ML-based sandboxing: Attachments and URLs are detonated in an isolated sandbox environment. FortiMail integrates with FortiSandbox to catch zero-day malware delivered via PDFs, Office macros, or QR-code-linked pages.
- Impersonation analysis: FortiMail inspects display-name spoofing, lookalike domains (e.g., support@pjnetw0rks.com vs support@pjnetworks.com), and DMARC/DKIM/SPF authentication failures in combination to catch BEC attempts that pass individual checks but fail holistic analysis.
- Content disarm and reconstruction (CDR): Office documents and PDFs are stripped of active content—macros, embedded objects, JavaScript—and reconstructed as clean files before delivery. This eliminates an entire class of malware delivery vectors.
- Email encryption and DLP: Outbound DLP policies prevent accidental or malicious exfiltration of Aadhaar numbers, PAN card details, SWIFT codes, and other regulated data classes relevant to the DPDP Act.
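As an added illustration of the impersonation analysis described above (example code written for this post, not FortiMail's implementation), the following Python script classifies a From: header against a constructed list of owned domains and then combines that verdict with the DMARC result, so that a lookalike domain which passes SPF/DKIM/DMARC on its own is still caught. The owned domain, the homoglyph table and the sample addresses are assumptions.

```python
import re
from email.utils import parseaddr

# Constructed values for this example (assumption: not a real tenant's configuration).
OWNED_DOMAINS = {"pjnetworks.com"}
# Digit-for-letter substitutions commonly used in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def normalize(domain: str) -> str:
    """Undo common visual tricks so 'pjnetw0rks.com' compares equal to 'pjnetworks.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits away from an owned domain is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(header_from: str) -> dict:
    """Classify the RFC 5322 From: header as internal, lookalike, display-name spoof or external."""
    display, addr = parseaddr(header_from)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for owned in OWNED_DOMAINS:
        if domain == owned or domain.endswith("." + owned):
            return {"domain": domain, "verdict": "internal"}
        if normalize(domain) == owned or levenshtein(domain, owned) <= 2:
            return {"domain": domain, "verdict": "lookalike", "impersonates": owned}
    # Display name carries an internal address while the real sender is external.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() in OWNED_DOMAINS:
        return {"domain": domain, "verdict": "display-name-spoof"}
    return {"domain": domain, "verdict": "external"}

def holistic_action(header_from: str, dmarc_result: str) -> str:
    """Combine the sender check with the DMARC result.

    A lookalike domain the attacker registered will usually PASS DMARC, so
    authentication alone clears nothing; an owned domain that FAILS DMARC is
    a direct spoof of the organisation."""
    verdict = classify_sender(header_from)["verdict"]
    if verdict in ("lookalike", "display-name-spoof"):
        return "block"
    if verdict == "internal" and dmarc_result != "pass":
        return "quarantine"
    return "deliver"
```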
Layer 2 — FortiGate NGFW: Blocking the Downstream Kill Chain
Even when a phishing email lands in an inbox, a properly configured FortiGate NGFW can break the kill chain at multiple subsequent stages:
- DNS filtering via FortiGuard: When a user clicks a malicious link, FortiGate’s DNS filter checks the destination against Fortinet’s continuously updated threat intelligence feed. Malicious or newly registered domains (common in phishing campaigns) are blocked before a TCP connection is established.
- SSL deep inspection: Most phishing pages now use HTTPS. Without SSL inspection, encrypted traffic passes through unchecked. FortiGate’s SSL deep inspection decrypts, inspects, and re-encrypts traffic, allowing IPS and web filtering to analyse the payload.
- Intrusion Prevention System (IPS): If a malicious payload executes and attempts command-and-control (C2) communication, FortiGate’s IPS signatures detect and block the beaconing traffic before data exfiltration begins.
- ZTNA application access: Moving application access to a Zero Trust Network Access model means that even a compromised endpoint cannot freely reach internal servers. Every access request is verified against identity, device health, and context—dramatically limiting blast radius.
Layer 3 — PJ Networks 24/7 NOC/SOC: Human-in-the-Loop Detection and Response
Technology alone is not sufficient. AI-powered attacks require AI-augmented human defence. PJ Networks’ integrated NOC/SOC provides:
- Round-the-clock alert triage: FortiAnalyzer and FortiSIEM aggregate logs from FortiMail, FortiGate, and endpoint agents. Our SOC analysts review correlated alerts 24/7, reducing mean time to detect (MTTD) from the industry average of weeks to hours.
- Threat hunting: Proactive hunting for indicators of compromise (IoCs) associated with phishing campaigns targeting Indian enterprises—including patterns shared through CERT-In and sector-specific ISACs.
- CERT-In 6-hour breach reporting support: In the event of a confirmed breach, PJ Networks assists with evidence collection, incident timeline reconstruction, and drafting the mandatory CERT-In notification—ensuring compliance under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 and the updated 2022 directions.
- Playbook-driven response: Predefined runbooks for phishing incidents include automatic mailbox quarantine via Microsoft 365 / Google Workspace APIs, FortiGate policy pushes to block malicious IPs, and stakeholder communication templates.
Configuration Checklist: Hardening Email Security Today
If you are an IT or security team looking for immediate actions, work through this checklist:
- ☑ Enforce DMARC at p=reject for all owned domains. A surprising number of Indian enterprises have DMARC set to p=none (monitoring only), providing zero enforcement against domain spoofing.
- ☑ Enable MTA-STS to harden inbound and outbound mail transport security, and BIMI to provide visible trust indicators in supported email clients.
- ☑ Deploy FortiMail in front of Microsoft 365 or Google Workspace using the SEG connector—do not rely on Microsoft Defender for Office 365 alone for high-risk environments.
- ☑ Configure FortiSandbox integration for zero-day file analysis. Ensure PDF, Office, and archive formats are in scope.
- ☑ Enable Content Disarm and Reconstruction (CDR) for all inbound attachments. Accept the minor formatting trade-off for a dramatic reduction in macro and exploit delivery risk.
- ☑ Activate SSL deep inspection on FortiGate for all outbound web traffic. Import the FortiGate CA certificate to endpoints to prevent browser warnings.
- ☑ Block newly registered domains (NRDs) at the DNS layer. Most phishing infrastructure uses domains registered within the last 30 days. FortiGuard’s NRD feed provides this blocking with minimal false positives.
- ☑ Conduct a simulated phishing campaign quarterly. PJ Networks can run these exercises and integrate results with security awareness training tailored to Indian workplace contexts.
- ☑ Document and test your CERT-In incident response runbook. The 6-hour reporting window is unforgiving—you cannot improvise evidence collection under pressure.
- ☑ Enrol in a threat intelligence sharing programme. CERT-In, RBI’s CSITE (for BFSI), and sector ISACs share IoCs that can be ingested directly into FortiGate and FortiMail via STIX/TAXII feeds.
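To audit the first checklist item across every owned domain, here is an added Python example (written for this post, not code from PJ Networks or Fortinet) that parses DMARC TXT records and grades each domain's enforcement level, flagging p=none, weaker subdomain policies, partial pct rollouts and missing aggregate reporting. The records are constructed samples; a real run would fetch each `_dmarc.<domain>` TXT record from DNS first.

```python
from typing import Optional

# Constructed sample records for four hypothetical organisations (not real DNS data).
SAMPLE_RECORDS = {
    "bank.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank.example",
    "pharma.example": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@pharma.example",
    "itservices.example": "v=DMARC1; p=reject; rua=mailto:dmarc@itservices.example",
    "mfg.example": None,  # no _dmarc TXT record published at all
}
RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive (RFC 7489)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(domain: str, txt: Optional[str]) -> dict:
    """Grade one domain's DMARC posture and list concrete findings to fix."""
    if txt is None:
        return {"domain": domain, "enforcement": "none",
                "findings": ["no _dmarc TXT record: any sender can spoof this domain"]}
    tags, findings = parse_dmarc(txt), []
    if not txt.strip().lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1 or receivers ignore it")
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is still delivered or only quarantined")
    subpolicy = tags.get("sp", policy).lower()  # subdomains inherit p= when sp= is absent
    if RANK.get(subpolicy, 0) < RANK.get(policy, 0):
        findings.append(f"sp={subpolicy}: subdomains are weaker than the main domain")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility into abuse")
    full = policy == "reject" and pct == 100 and RANK.get(subpolicy, 0) == 2
    enforcement = "reject" if full else ("partial" if RANK.get(policy, 0) > 0 else "none")
    return {"domain": domain, "enforcement": enforcement, "findings": findings}

def domains_needing_action(records: dict) -> list:
    """Return the domains that are not yet at full p=reject enforcement."""
    return [d for d, txt in records.items() if assess_dmarc(d, txt)["enforcement"] != "reject"]
```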
Regulatory Implications: DPDP Act 2023 and CERT-In Compliance
India’s regulatory landscape has sharpened considerably. The DPDP Act 2023, once its rules are notified by the Central Government, will require Data Fiduciaries to notify the Data Protection Board of India and affected data principals of personal data breaches “in such form and manner as may be prescribed.” Simultaneously, CERT-In’s 2022 directions already mandate reporting of cyber incidents—including phishing and credential compromise—within 6 hours of detection.
The practical implication: if your SOC detects a phishing-induced compromise at 2:00 AM, the CERT-In clock starts immediately. Without a 24/7 SOC and pre-approved incident response playbooks, the 6-hour window is nearly impossible to meet. Violations can result in directions, penalties, and public disclosure—outcomes that senior management must now treat as operational risk, not just IT risk.
Key principle: Compliance is not a destination—it is an operational capability. The organisations that meet CERT-In’s 6-hour window are those that have invested in detection and response infrastructure before the breach, not after it.
Metrics to Track: Measuring Your Email Security Posture
Indian CISOs are increasingly being asked to report security outcomes to boards and audit committees. For email security, track these KPIs:
- Phishing simulation click rate: Target below 5% after 12 months of awareness training. Benchmark against your industry vertical.
- Mean time to detect (MTTD) phishing campaigns: Time from first malicious email delivery to SOC alert. Target under 15 minutes with FortiMail + SIEM integration.
- Mean time to contain (MTTC): Time from SOC alert to mailbox quarantine and network block. Target under 30 minutes with automated playbook execution.
- False positive rate on email blocks: High false positive rates erode user trust and create pressure to loosen policies. FortiMail’s AI models typically achieve under 1% false positives at enterprise scale.
- CERT-In compliance rate: Percentage of qualifying incidents reported within 6 hours. Target 100%—this is a binary regulatory requirement, not a KPI with acceptable variance.
PJ Networks: Your Managed Email and Network Security Partner
PJ Networks is an Indian managed security services provider with deep expertise in Fortinet’s security fabric. Our service stack for phishing defence includes:
- Managed FortiMail deployment, tuning, and 24/7 monitoring
- FortiGate NGFW management with SSL inspection and DNS filtering
- FortiSandbox integration for zero-day threat analysis
- 24/7 NOC/SOC with India-based analysts and CERT-In reporting support
- Quarterly phishing simulation campaigns and security awareness training
- ZTNA rollout for application-level zero-trust access
- DPDP Act and CERT-In compliance advisory
If your organisation is evaluating its readiness against AI-powered phishing, we offer a no-obligation Email Security Assessment that reviews your current MX configuration, DMARC posture, FortiMail/FortiGate settings, and SOC alerting gaps. Reach out to the PJ Networks team to schedule your assessment and start building a defence that is as intelligent as the attacks you are facing.