Multi-channel phishing attacks: How to manage the risk

Attackers are evolving beyond email towards phishing across multiple channels. Why is this, and what can be done to manage the risk?

A cartoon graphic depicting phishing as a service, shown as bugs, keys, fingerprints, bitcoins, shields, eyes, etc surrounding a fish hook. All are placed on a light grey background.
(Image credit: Getty Images)

Email phishing has always been a simple yet effective form of attack. While the method isn’t going away, research is showing attackers evolving beyond email to multiple channels such as Slack and cloud-based platforms.

That’s according to security firm KnowBe4’s Phishing Threat Trends report, which found hackers are leveraging new “touchpoints” when targeting victims, with calendar invites and messaging tools a frequent tactic. The company recorded a 41% increase in Microsoft Teams-based attacks between October 2025 and March 2026 as adversaries strived to create more avenues for success.

With AI offering cybercriminals the ability to supercharge phishing attacks further, what should businesses be doing to manage the risk?

Phishing evolution

In the past, phishing attacks relied on adversaries targeting a wide range of users in the hope that some of them would engage with malicious content, or give away valuable information. But since then, businesses have improved their security, with tools such as multi-factor authentication (MFA) used as standard. This has forced attackers to utilize more sophisticated techniques.

Latest Videos From

“When attackers cannot compromise technical controls, such as MFA, they are instead seeking to bypass the technology and move the attack onto end users through social engineering,” says Luiz Simpson, head of offensive security at Bridewell.

He cites the example of illicit consent grant attacks in Microsoft 365, which trick users into granting access to data. These attacks often “go completely under the radar”, says Simpson. “Users will accept an untrustworthy app while logged into their cloud workspace and under the legitimate Microsoft or Google workspace platforms. These attacks don’t require any bypass of MFA and almost always aren’t flagged by detection and response.”

Another reason attackers are targeting multiple channels is the fact that the workplace itself has changed. “Employees now spend far more time in collaboration platforms, cloud applications, messaging tools, and video conferencing environments,” says Ray Canzanese, director of Netskope Threat Labs. “Attackers are following that behavior.”

Canzanese describes how phishing lures are increasingly delivered through platforms such as Microsoft Teams, Zoom and fake meeting invitations. “These are designed to exploit the trust users place in familiar collaboration workflows.”

From a criminal perspective, multi-channel phishing is becoming “progressively structured”, according to Benson Varghese, a criminal lawyer and founder and managing partner at law firm Varghese Summerset. Rather than flooding potential victims with random messages, phishers will prepare their sequence, test the response rate, and react to engagement in real-time, he says. “This makes attacks more focused and effective.”

Security shift

Experts believe the evolution of phishing requires businesses to change the way they think about securing communication channels.

The shift means no longer treating phishing as purely an email security problem. “Security teams need visibility across a much broader digital environment that includes collaboration tools, cloud platforms, browsers, unmanaged devices and AI applications,” according to Canzanese.

Almost all social media platforms include user messaging, which supports the distribution of links and images. Yet historically, the focus on preventing social engineering attacks has been around traditional email-based messages, encouraging users to avoid clicking links. “None of these defences will help prevent attackers from contacting end users and sending malicious content across other channels,” says Simpson.

“As these interactions do not arrive via traditional email, there is no URL rewriting, sandboxing or inspections of content,” he points out. “This leaves you with just endpoint and identity-based controls to protect users.”

However, endpoint detection and response (EDR) solutions traditionally fall short in having visibility of what goes on within a browser, Simpon explains. “If a user is to bring your own device (BYOD) with access to enterprise resources, you are very much on the back foot to prevent identity-based attacks.”

Managing multi-channel phishing

The move to multiple channels is just one way phishing is changing. In tandem, AI is accelerating the quality and scale of attacks, while lowering the barrier to entry for new cybercriminals, according to Danny Jenkins, CEO of ThreatLocker.

“Attackers no longer need to spend hours researching targets or carefully crafting convincing messages,” he tells ITPro.

“AI can generate highly personalised, context-aware phishing content in seconds – whether that’s a Teams message, a fake document-sharing notification, or a voice deepfake impersonating a colleague or executive.”

There is also a rise in adaptive social engineering, where AI-driven phishing attempts evolve in real time based on how a user responds, he warns. “Instead of relying on static messages, these interactions can mimic natural conversations, making them significantly more convincing,” explains Jenkins.

The threat from multi-channel phishing is certainly growing, but firms can help boost defenses by making several key changes. Some of these are cultural.

From a security perspective, organizations need to accept that they will not stop every phishing attempt across every channel, says Jenkins.

“Humans are imperfect, and mistakes will happen, and no amount of training can prevent every phishing attempt.”

Instead, the priority should be reducing the impact of an attack and tightly controlling access, rather than trying to eliminate exposure, he advises.

Passkey use can help, says Simpson, pointing out that the UK National Cyber Security Centre (NCSC) has started to actively recommend the adoption of passkeys over passwords and MFA.

“Passkeys help address many of the shortfalls of traditional passwords and MFA. Notably, they’re resistant to phishing because they’re tied to the legitimate website only; they are fast and convenient, and cannot be stolen if a website is breached.”

As with traditional phishing, organizations should adopt a strategy of user awareness and technical controls to defend against multi-channel attacks, according to Simpson.

This means ensuring users are aware that a spectrum of social engineering attacks are possible, beyond solely email-based phishing. Users, especially those in high-risk roles, such as executives and finance teams, should be targeted with training to empower them to identify and report attacks, Simpson advises.

“This should be an ongoing message and constantly refreshed based on active attacks seen in the wild, rather than just an annual policy that’s read and signed off.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.