Another day, another million URLs, another reminder that cybercrime is basically a subscription service with extra steps. This time, the FBI disrupted an AI-powered phishing service that used around a million URLs and was tied to a Chinese phishing-as-a-service operation called Outsider Enterprise. Thousands of phishing sites. Credit card data and passwords as the main course. Yum.
AI Phishing Is Not “Innovation,” It Is Laziness With Better Markup
Let’s be clear. “AI-powered” phishing is not a brand-new horror genre. It is fraudsters using automation to scale what humans have been doing for decades. The only difference is now the con artists can spin up believable lures faster, tailor messages better, and rotate infrastructure with less effort. It is like upgrading from a rusty crowbar to a pneumatic drill. The door still comes off.
And sure, coordinated takedowns with Google and Black Lotus Labs are good news. But this is the part where IT culture does what it always does: applauds the disruption, then immediately goes back to business-as-usual. Because if you believe vendors will sell you safety and CISOs will dashboard it into existence, you do not actually have to worry about the boring stuff like email hygiene, phishing-resistant authentication, and user training that does not insult everyone’s intelligence.
The Million URL Detail Should Scare You More Than It Excites You
“A million URLs” is the kind of number that looks impressive in a press release and terrifying in a monthly incident review. That volume implies persistent targeting, heavy infrastructure churn, and repeat attempts against the same kinds of victims: the ones who will click “verify account” because the message looks slightly less wrong than the last one.
Also, note what was targeted: passwords and payment data. That means credential reuse, session hijacking, and financial fraud are likely downstream. So even if your organization avoided this specific campaign, the playbook remains the same. Criminals do not need your exact server. They just need your users.
What You Should Do (But Will Probably Not)
If you want a practical takeaway, here it is, straight from the drunk uncle of security: stop treating phishing like it is a one-time event. Enforce MFA everywhere with phishing-resistant options where possible (yes, that means not just “MFA enabled” as a checkbox trophy). Harden email and browsing controls. Tune detection for brand impersonation and credential harvesting indicators. Patch what you own. And run tabletop exercises that assume your users are going to click something, because statistically speaking, they will.
Pour yourself a scotch, if you must. Then do the work. The FBI can yank the lever on one service, but your environment is still wide open if you keep relying on hope, policy PDFs, and vendor promises instead of controls that survive contact with reality.
Read the original reporting here: FBI disrupts massive AI-powered phishing service using a million URLs.