ForumTroll shows how targeted phishing beats old filters. Learn how AI email security detects anomalies across email, identity, and endpoint behavior.

AI Email Security: Stop Targeted Phishing Like ForumTroll
Most phishing defenses still act like it’s 2016: block a few obvious bad domains, filter for “urgent” subject lines, and call it a day. ForumTroll’s latest campaign shows why that mindset fails—especially when attackers target specific people with personalized lures, aged domains, and payload chains designed to look like normal academic workflows.
In late 2025, researchers tracked a new wave of ForumTroll phishing aimed at Russian scholars in political science, international relations, and economics. The lure was simple and believable: a message that appeared to come from eLibrary (a widely used scientific electronic library) asking the recipient to download a plagiarism report. The mechanics behind it were anything but simple.
This post breaks down what happened, why it worked, and—most importantly—how AI in cybersecurity can spot the patterns that rules and signature-based email security often miss. If you run security for a university, research org, NGO, or any enterprise with knowledge workers, treat this as your blueprint for building stronger, AI-assisted phishing defenses.
What the ForumTroll campaign teaches us about modern phishing
ForumTroll’s 2025 activity is a clean example of how phishing has shifted from “spray-and-pray” to patient, identity-aware targeting.
Kaspersky reported the fall campaign focused on individuals rather than broad organizations. Attackers used emails sent from a lookalike domain (e.g., support@e-library[.]wiki) and hosted a copy of the legitimate eLibrary homepage on the fake domain to preserve credibility.
The technique stack: believable, personalized, and technically disciplined
Three details stand out because they explain why humans—and older security controls—get fooled:
- Domain aging as a trust hack
  - The attacker domain was registered months before the campaign.
  - That reduces the “newly registered domain” signals many tools rely on.
- High-fidelity web cloning
  - The bogus domain served a replica of a legitimate homepage.
  - Users see what they expect to see, so suspicion drops.
- Deep personalization
  - Victims downloaded a ZIP file named like <LastName>_<FirstName>_<Patronymic>.zip.
  - That’s a psychological anchor: “They know me, so it must be real.”
Phishing doesn’t need perfect grammar anymore. It needs context. ForumTroll delivered context in a way that’s hard to catch with static rules.
Attack chain breakdown: from email link to remote access
The core flow matters because it reveals what your email security, endpoint security, and SOC playbooks should be looking for.
Here’s the chain described in the reporting, simplified:
- Email lure claiming to be from eLibrary, prompting download of a plagiarism report
- One-time download link
  - If opened again, it shows an error message like “Download failed, please try again later.”
  - If accessed from non-Windows platforms, it prompts the user to retry on Windows.
- ZIP archive downloads with victim-specific naming
- LNK (Windows shortcut) file inside the ZIP
- PowerShell execution launched by the shortcut
- PowerShell-based payload fetched and executed from a remote server
- Final-stage DLL retrieved
- Persistence via COM hijacking
- Decoy PDF displayed to keep the victim calm and “busy”
- Tuoni C2 framework used for remote control
Why this particular chain is effective
A few choices here are tactical and consistent with mature threat actors:
- LNK + PowerShell is a familiar, flexible combo. It avoids the “classic macro document” stigma and can bypass controls that focus on Office malware.
- One-time links reduce forensic opportunities (less chance a colleague or SOC analyst can click the same URL and see the same content).
- Windows-only gating concentrates the success rate. It prevents noisy hits from mobile devices and automated crawlers that might trigger early detection.
This is exactly the kind of workflow where behavior-based detection beats indicator-based detection.
Where traditional email security falls down (and why AI helps)
Most organizations still over-invest in the first mile: “Is the sender domain known bad?” and “Does the URL match a known phishing kit?” That’s useful, but ForumTroll shows the gaps.
Static controls struggle with patient attackers
- Aged domains can look benign in reputation systems.
- Cloned sites can pass superficial visual checks.
- Personalization reduces user reporting rates.
- One-time URLs defeat easy triage and automated sandbox replays.
AI-driven phishing detection doesn’t magically fix everything, but it changes the game in one key way:
AI is good at spotting “almost normal” behavior that’s statistically off—especially when you combine email signals with endpoint and identity signals.
What AI can detect that rules often miss
In practice, AI email security models can flag anomalies like:
- A sender domain that’s syntactically similar to a known service, even when it’s not an exact typo
- A message theme that’s uncommon for your org (“plagiarism report”) suddenly directed at a narrow set of recipients
- A link pattern consistent with single-use tokenized URLs
- A mismatch between email content and the destination site’s observed behavior (for example, a download that only works once, or only on Windows)
The real win comes when AI correlates across systems.
How to use AI in cybersecurity to block campaigns like this
If you want AI to actually reduce phishing risk (not just create more alerts), design it around decisions, not dashboards.
1) Build an “email-to-endpoint” correlation loop
Answer first: You stop targeted phishing faster when your email system and endpoint telemetry talk to each other.
Minimum correlation signals to connect:
- Email event: user clicked a URL
- Endpoint event within minutes: ZIP download, LNK execution, PowerShell spawn
- Network event: outbound connection to an unusual domain or rare URL path
Even a basic correlation rule catches a lot. But AI improves it by learning what “normal” looks like for different user populations.
Example stance: a political science professor downloading a ZIP named after them is not normal. A build engineer downloading zips all day might be.
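An added example of the correlation loop described above (illustrative code written for this post, not a vendor product or anything from the ForumTroll reporting): it anchors on each email click, collects the chain stages the same user shows within a short window, and returns users whose chain is complete enough for automatic containment. The stage names, weights, window, user names and telemetry are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Weight per chain stage; the combination, not any single event, drives the score.
STAGE_WEIGHTS = {
    "url_click": 1,         # email gateway: user clicked a link in a message
    "zip_download": 1,      # endpoint: archive written to the download directory
    "lnk_exec": 2,          # endpoint: Windows shortcut launched from that archive
    "powershell_spawn": 2,  # endpoint: PowerShell started shortly afterwards
    "net_connect_rare": 2,  # network: outbound connection to a rarely seen domain
}

def correlate(events, window=timedelta(minutes=15)):
    """Anchor on every email click and collect which chain stages the same user
    shows within `window`; return one finding per click with a combined score."""
    by_user = defaultdict(list)
    for ts, user, typ, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), typ, detail))
    findings = []
    for user, evs in by_user.items():
        for t0, typ, detail in evs:
            if typ != "url_click":
                continue
            stages = {t for ts, t, _ in evs if t in STAGE_WEIGHTS and t0 <= ts <= t0 + window}
            findings.append({"user": user, "clicked": detail, "stages": sorted(stages),
                             "score": sum(STAGE_WEIGHTS[s] for s in stages)})
    return findings

def containment_candidates(findings, threshold=6):
    """Users whose click-to-execution chain is complete enough to act on automatically."""
    return sorted(f["user"] for f in findings if f["score"] >= threshold)

# Constructed sample telemetry (illustrative, not from the report): one user follows the
# whole link -> ZIP -> LNK -> PowerShell -> network chain, the other only downloads a ZIP.
EVENTS = [
    ("2025-10-14T09:01:00", "prof_a", "url_click", "e-library[.]wiki"),
    ("2025-10-14T09:02:10", "prof_a", "zip_download", "Lastname_Firstname_Patronymic.zip"),
    ("2025-10-14T09:02:40", "prof_a", "lnk_exec", "report.lnk from Downloads"),
    ("2025-10-14T09:02:41", "prof_a", "powershell_spawn", "parent=explorer.exe"),
    ("2025-10-14T09:02:45", "prof_a", "net_connect_rare", "rare-domain.invalid"),
    ("2025-10-14T09:05:00", "build_eng", "url_click", "artifacts.example"),
    ("2025-10-14T09:05:30", "build_eng", "zip_download", "build-1234.zip"),
    ("2025-10-14T10:30:00", "build_eng", "lnk_exec", "outside the window, not counted"),
]

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
    print("contain:", containment_candidates(correlate(EVENTS)))
```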
2) Use AI to model recipient targeting (not just message content)
Answer first: Targeted phishing stands out more in “who received it” than in “what it says.”
ForumTroll didn’t blast everyone. It homed in on a professional niche.
AI models can score:
- Unusual concentration: the same sender hitting a tight cluster of users in one department
- Rare-topic targeting: recipients whose historical email topics don’t match the lure category
- Relationship anomalies: sender has no prior interaction graph with recipients
This is one of the most practical applications of machine learning for cybersecurity: recipient-based anomaly detection.
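An added example of recipient-based scoring (illustrative code written for this post, not a product feature): it scores a message on the three signals listed above, department concentration, rare-topic targeting and absence of a prior sender-recipient relationship, rather than on its text. The weights, the directory, the interaction history and the two sample messages are constructed assumptions.

```python
from collections import Counter

def score_targeting(msg, departments, prior_contacts, user_topics):
    """Score a message by who received it rather than what it says. Each of the
    three signals ranges 0..1; the weights are an illustrative starting point."""
    rcpts = msg["recipients"]
    n = len(rcpts)
    top_dept, top_count = Counter(departments.get(r, "unknown") for r in rcpts).most_common(1)[0]
    # Concentration only means something once a sender hits a handful of people at once.
    concentration = top_count / n if n >= 3 else 0.0
    # Share of recipients whose own mail history never touched the lure's topic.
    rare_topic = sum(msg["topic"] not in user_topics.get(r, set()) for r in rcpts) / n
    # Share of recipients with no prior interaction with this sender.
    unknown_sender = sum((msg["sender"], r) not in prior_contacts for r in rcpts) / n
    score = round(0.4 * concentration + 0.3 * rare_topic + 0.3 * unknown_sender, 2)
    return {"score": score, "top_department": top_dept, "concentration": round(concentration, 2),
            "rare_topic_share": round(rare_topic, 2), "unknown_sender_share": round(unknown_sender, 2)}

# Constructed directory, interaction history and messages (illustrative only).
DEPARTMENTS = {"prof_a": "political_science", "prof_b": "political_science",
               "prof_c": "political_science", "prof_d": "political_science", "eng_a": "devops"}
PRIOR_CONTACTS = {("editor@journal.example", "prof_a"), ("editor@journal.example", "prof_b")}
USER_TOPICS = {"prof_a": {"grants", "conference"}, "prof_b": {"conference"},
               "prof_c": {"teaching"}, "prof_d": {"grants"}, "eng_a": {"builds", "conference"}}

# The lure: unknown sender, topic none of the recipients ever dealt with, one department.
LURE = {"sender": "support@e-library[.]wiki", "topic": "plagiarism_report",
        "recipients": ["prof_a", "prof_b", "prof_c", "prof_d"]}
# A routine message: known sender, familiar topic, recipients spread across departments.
ROUTINE = {"sender": "editor@journal.example", "topic": "conference",
           "recipients": ["prof_a", "prof_b", "eng_a"]}

if __name__ == "__main__":
    print("lure   ", score_targeting(LURE, DEPARTMENTS, PRIOR_CONTACTS, USER_TOPICS))
    print("routine", score_targeting(ROUTINE, DEPARTMENTS, PRIOR_CONTACTS, USER_TOPICS))
```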
3) Detect “living-off-the-land” abuse with behavior models
Answer first: PowerShell isn’t the problem; uncharacteristic PowerShell chains are.
Attackers used a shortcut to launch PowerShell, download more code, and persist with COM hijacking.
AI-assisted EDR can look for sequences like:
- explorer.exe → powershell.exe with suspicious flags
- PowerShell making outbound web requests shortly after a ZIP extraction
- LNK execution from user download directories
- COM object registration patterns associated with hijacking persistence
The goal isn’t to block PowerShell globally (that breaks real work). The goal is to catch rare chains that correlate with compromise.
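An added example of the chain-based approach above (illustrative detection logic written for this post, not an EDR product's rule): it scores only PowerShell launched by explorer.exe, and raises the score when the command line carries launch traits that are rare in routine use, when a shortcut was opened from a download directory shortly before, and when the process then connects outbound. The host names, process ids, paths and the event format are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Command-line traits that are rare in routine PowerShell use but common in droppers.
SUSPICIOUS = re.compile(r"-enc\w*|-w\w*\s+hidden|-nop\b|-ep\s+bypass|downloadstring|invoke-webrequest|\biwr\b", re.I)

def flag_chains(events, lookback=timedelta(minutes=10)):
    """Score every powershell.exe whose parent is explorer.exe (the shape of a
    double-clicked shortcut): +1 base, +2 for suspicious flags, +2 when a .lnk was
    opened from a download directory shortly before, +1 per outbound connection."""
    procs = {(e["host"], e["pid"]): e for e in events if e["kind"] == "process"}
    findings = []
    for e in events:
        if e["kind"] != "process" or e["image"].lower() != "powershell.exe":
            continue
        parent = procs.get((e["host"], e["ppid"]))
        if parent is None or parent["image"].lower() != "explorer.exe":
            continue
        t, reasons, score = e["ts"], ["explorer.exe -> powershell.exe"], 1
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(e["cmdline"])})
        if hits:
            score, reasons = score + 2, reasons + ["flags: " + ", ".join(hits)]
        lnks = [x for x in events if x["kind"] == "lnk_open" and x["host"] == e["host"]
                and t - lookback <= x["ts"] <= t and "\\downloads\\" in x["path"].lower()]
        if lnks:
            score, reasons = score + 2, reasons + ["lnk from downloads: " + lnks[-1]["path"]]
        nets = [x for x in events if x["kind"] == "net" and x["host"] == e["host"] and x["pid"] == e["pid"]]
        score += len(nets)
        reasons += ["outbound: " + x["dest"] for x in nets]
        findings.append({"host": e["host"], "pid": e["pid"], "score": score, "reasons": reasons})
    return findings

T = datetime.fromisoformat
# Constructed EDR-style telemetry (illustrative, not from the report): one host shows the
# shortcut -> explorer -> PowerShell -> outbound chain; the other runs a routine build script.
EVENTS = [
    {"kind": "process", "host": "lab-pc", "pid": 400, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe", "ts": T("2025-10-14T09:00:00")},
    {"kind": "lnk_open", "host": "lab-pc", "path": r"C:\Users\prof_a\Downloads\Lastname_Firstname_Patronymic\report.lnk", "ts": T("2025-10-14T09:02:40")},
    {"kind": "process", "host": "lab-pc", "pid": 512, "ppid": 400, "image": "powershell.exe", "cmdline": 'powershell.exe -nop -w hidden -Command "Invoke-WebRequest <url>"', "ts": T("2025-10-14T09:02:41")},
    {"kind": "net", "host": "lab-pc", "pid": 512, "dest": "rare-domain.invalid:443", "ts": T("2025-10-14T09:02:45")},
    {"kind": "process", "host": "dev-pc", "pid": 700, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe", "ts": T("2025-10-14T09:10:00")},
    {"kind": "process", "host": "dev-pc", "pid": 733, "ppid": 700, "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\Users\eng_a\scripts\build.ps1", "ts": T("2025-10-14T09:10:05")},
]

if __name__ == "__main__":
    for finding in flag_chains(EVENTS):
        print(finding)
```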
4) Automate containment when confidence is high
Answer first: Speed matters more than perfect attribution.
When models and correlations align (clicked link + LNK executed + PowerShell download), the correct response is usually the same:
- Isolate the endpoint
- Revoke active sessions
- Force password reset and re-issue tokens
- Quarantine related emails in the tenant
- Hunt for the same domain and same ZIP naming pattern across telemetry
This is where AI helps your lead-generation story too: buyers don’t want “better detection.” They want less time spent cleaning up.
A practical checklist for universities and research organizations
Academic environments are uniquely exposed: high email volume, frequent external collaboration, and lots of users who aren’t security-focused.
Here’s what I’d implement (or validate) before the next semester starts.
Quick wins (1–2 weeks)
- Block or heavily restrict LNK attachments and LNK files inside archives from email-originated downloads
- Add detections for PowerShell spawned from Explorer after ZIP/LNK activity
- Turn on tenant-wide URL detonation or safe link rewriting (where possible)
- Train staff on one thing: “If a message is personalized, that’s not proof it’s legit.”
Structural improvements (30–60 days)
- Deploy AI email security that supports recipient cluster anomaly detection
- Integrate email security with EDR/SIEM so click events trigger endpoint hunts
- Require stronger controls for high-risk roles (research leadership, grant offices, international programs)
Hardening moves (Quarterly)
- Reduce reliance on “download a ZIP from email” workflows; route documents through trusted portals
- Build playbooks for “single-user targeted phishing,” not only mass outbreaks
- Run tabletop exercises that include one-time links and decoy PDFs (both slow down incident recognition)
The bigger lesson for the AI in Cybersecurity series
ForumTroll’s campaign is a reminder that attackers don’t need flashy malware to win. They need a believable moment: an email that fits the recipient’s world, a website that looks right, and an execution chain that blends into Windows noise.
AI in cybersecurity earns its keep when it connects those moments—email, identity, endpoint, and network—into a single decision: this is abnormal enough to stop right now.
If you’re evaluating AI-driven phishing detection, don’t ask vendors for “accuracy.” Ask them to demonstrate three things:
- Can the model detect targeted recipient clustering?
- Can it correlate an email click to endpoint behavior within minutes?
- Can it automate containment without turning your SOC into an approval bottleneck?
The next targeted phishing campaign aimed at your org won’t look exactly like ForumTroll. The patterns will rhyme. Will your defenses recognize the rhyme fast enough?