Security teams face an impossible challenge: phishing campaigns evolve weekly, but most organizations test with the same outdated scenarios year after year. By the time you validate your email security against last quarter’s threats, attackers have already moved on to new tactics, malware strains, and social engineering techniques. Static test content creates a dangerous illusion of security—you’re validated against yesterday’s threats while today’s attacks slip through undetected.
We’ve solved this with automated phishing scenario “evergreening.”
Where automation ensures weekly freshness, ART provides the underlying intelligence. Evergreen content isn’t manually curated by ART each week. Rather, the automated pipeline is powered by ART’s accumulated expertise: the threat‑selection logic, ATT&CK mapping rules, safety boundaries, scenario‑engineering patterns, and validation heuristics that ART has refined over years of building adversary emulation content. ART’s intelligence and methodology are embedded directly into the automation, enabling the system to continuously convert new phishing campaigns into safe, framework‑aligned, runnable scenarios — at scale.
Every week, our system automatically queries global threat intelligence feeds for the top 10 actively circulating phishing campaigns. Within minutes, we download real malicious emails, complete with authentic sender addresses, carefully crafted subject lines, and actual malware attachments. The system parses these emails, extracts the content that attackers are actually using, and stages the campaign’s malware payloads in a secure infrastructure repository, where they are available for testing within AttackIQ. It then creates fresh AttackIQ scenarios from that content. That’s 20 new scenarios per week (10 email gateway tests + 10 network validation tests), 52 weeks per year, totaling over 1,000 current-threat scenarios annually, all made available to validate layers of security against current and active threats.
But we don’t stop at email gateway validation.
Each Sample File used to validate email filtering capabilities in the Latest Phishing Email Scenarios Template is also used to test the secondary methods that active campaigns often use to establish the initial foothold and ensure delivery of the malware. The Latest Phishing Download Scenarios Template attempts to transfer those same samples into the organization’s network using a common file transfer method that avoids email scanning and attachment scrutiny.
The customer value is immediate, measurable, and ongoing.
First, you always have access to test with the latest threats – not theoretical attacks, vendor marketing samples, or year-old compromises. When threat actors launch new campaigns impersonating trusted brands or industry-specific vendors, those scenarios appear in your content library within several days of first detection in the wild. Your security validation stays synchronized with the threat landscape, not months behind it.
Second, automation respects your team’s time. Traditional threat intel consumption requires security analysts to hunt multiple sources, download samples, parse EML files, extract attachments, sanitize content, and manually configure scenarios—hours per campaign. Our automation completes this entire workflow in minutes, freeing your team to focus on analysis and remediation instead of scenario construction.
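The manual steps listed above (parse the EML file, extract attachments, record what the lure looks like) can be sketched with Python's standard library. This is an added example, not AttackIQ's pipeline or code: the function names, the sample message, and the simple substring match on shipping terms are assumptions made for illustration.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure terms quoted in this article; the matching rule itself is an assumption.
LURE_TERMS = ("bl draft", "customs clearance", "house bill", "waybill", "bill of lading")

def triage_eml(raw: bytes) -> dict:
    """Parse one .eml and return metadata only; attachment bytes are hashed, never written to disk."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg['Subject'] or ''}\n{body}".lower()
    attachments = []
    for part in msg.iter_attachments():
        # Nested messages have no single decodable payload; treat them as empty here.
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return {
        "from": str(msg["From"] or ""),
        "subject": str(msg["Subject"] or ""),
        "lure_terms": [t for t in LURE_TERMS if t in text],
        "attachments": attachments,
    }

def build_sample() -> bytes:
    """Constructed sample message with an inert placeholder attachment."""
    m = EmailMessage()
    m["From"] = "Shipping Desk <docs@carrier.example>"
    m["To"] = "warehouse@corp.example"
    m["Subject"] = "BL Draft for customs clearance"
    m.set_content("Please review the attached House Bill before release.")
    m.add_attachment(b"inert placeholder, not malware", maintype="application",
                     subtype="octet-stream", filename="BL_Draft.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage_eml(build_sample()))
```

The returned record keeps hashes and headers rather than payload bytes, so it can be shared with analysts or compared against gateway logs without handling the sample itself.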
This week’s release highlights the evolving threat landscape. Week 5’s top 10 includes sophisticated DHL shipping document impersonations with waybill and bill of lading themes, targeting logistics and warehouse operations with Trojan.Taskun and Backdoor.Remcos payloads. We’re seeing increased use of legitimate business terminology (“BL Draft,” “customs clearance,” “House Bill”) designed to bypass keyword filters while exploiting employees’ familiarity with routine shipping communications. The endpoint tests reveal that these campaigns deploy multi-stage payloads: initial droppers score a 70% detection rate on antivirus engines, indicating mature, well-distributed threats that your security stack must handle today, not next quarter.
Security validation should keep pace with attackers, not lag behind them. With automated evergreen content, your phishing defense testing never goes stale, your security team never falls behind the threat curve, and your organization stays continuously validated against real, current threats—every single week, automatically, without fail.
