SysAdmin Weekly - 049 - How Do Attackers Use Local LLMs to Phish at Scale?

[asyrewicze]

Hey everyone!

This week's episode comes straight off the back of a session I gave at InfoSecurity Europe in London. Eric Siron joins me to talk about something every SysAdmin has at least one toe in: phishing, and specifically how threat actors are now using local LLMs to generate it at scale. You can't defend against what you don't understand, so this one is about pulling back the curtain on the offensive side and then talking through what actually holds the line.

Here's what we get into:

• The guardrail gap. Cloud models refuse to write a phishing email. Pull an open-weight or uncensored model with a single Ollama command and that refusal is gone, no jailbreak needed.
• A walkthrough of my live demo: 15 targeted spear phishing lures generated in about 90 seconds, fully offline, each tailored to a specific person's role, seniority, and even native language.
• Why these capabilities are permanent once the model is downloaded, and why that matters for your threat model going forward.
• The defense half: why "spot the typo" awareness training is dead, and why verification culture, SPF/DKIM/DMARC, link and attachment controls, and behavioral detection are where the real work is.
• Plus the News React and Nerd Hour detours: Washington pressuring an AI model off the market, a New York ghost-gun printing law that nobody can actually enforce, voice cloning, and a brilliant low-tech deepfake defense.

Relevant Links Below!

Podcast Episode - YouTube
Podcast Episode - Spotify

One for the room: have you seen a phishing attempt land in your org that you're fairly sure was AI-generated? What tipped you off, or did nothing tip you off at all? That second answer is the one I'm actually worried about.