Spam used to give itself away with broken layouts and awkward formatting, especially when images were disabled. That era is ending. As Ernie Smith reports in Tedium, the same AI-driven “vibe coding” trend that lets non-developers build apps is now being used to generate clean, well-structured phishing emails that hold up even without images.
How It Works
AI coding assistants allow spammers to produce polished HTML email templates without any prior design or development skills. Guard.io researchers warn that “creating scamming schemes these days requires almost no prior technical skills” — lowering the barrier so far that commercial malware kits built with AI assistance now sell for up to $1,200.
The result: phishing emails that maintain visual coherence with or without images loaded, eliminating one of the most reliable tells that security-aware users have relied on for years.
What to Watch For
Even with improved visuals, AI-generated spam still leaves clues:
- Generic greetings that use your email address instead of your name.
- Obfuscated sender addresses that don’t match the claimed organization.
- Firebase-hosted domains in links — a common shortcut that can be filtered at the gateway.
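The three clues above can be checked mechanically at the gateway or in a triage script. The following Python is an added example written for this summary, not code from the Tedium article or from Guard.io: it parses a constructed sample message and flags a salutation that contains the recipient's address, a display name that claims an organization whose real domain does not match the sender address, and links on Firebase Hosting suffixes. The brand table (KNOWN_ORG_DOMAINS) and the sample message are hypothetical; the Firebase suffixes are the ones Firebase Hosting actually serves sites under.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article): a phishing-style message whose
# display name claims a bank, whose real sender domain is unrelated, whose
# greeting is the recipient's address, and whose link is on Firebase Hosting.
SAMPLE_EMAIL = """From: "Example Bank Support" <alerts@secure-notify-mailer.net>
To: jane.doe@example.org
Subject: Action required on your account

Dear jane.doe@example.org,

Please confirm your details at https://example-bank-alerts.web.app/login
within 24 hours to avoid interruption.
"""

# Hypothetical brand table: organizations commonly impersonated, mapped to the
# domain their legitimate mail actually comes from. A real deployment would
# load this from a maintained list.
KNOWN_ORG_DOMAINS = {
    "example bank": "example-bank.com",
}

# Firebase Hosting serves sites under these suffixes; presence is a heuristic
# indicator to be weighed with the other signals, not proof of abuse.
FIREBASE_SUFFIXES = (".web.app", ".firebaseapp.com")

URL_RE = re.compile(r"""https?://([^\s/"'<>]+)""", re.IGNORECASE)


def firebase_hosted_links(body):
    """Return hostnames in the body that live on Firebase Hosting."""
    hosts = [m.group(1).lower() for m in URL_RE.finditer(body)]
    return [h for h in hosts if h.endswith(FIREBASE_SUFFIXES)]


def greets_by_address(body, recipient):
    """True when the salutation line contains the recipient's address."""
    if not recipient:
        return False
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "")
    return recipient.lower() in first_line.lower()


def sender_mismatch(from_header):
    """True when the display name names a known organization but the address
    domain is neither that organization's domain nor a subdomain of it."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for org, org_domain in KNOWN_ORG_DOMAINS.items():
        if org in display.lower():
            return not (domain == org_domain or domain.endswith("." + org_domain))
    return False


def score_message(raw):
    """Parse a raw RFC 5322 message and return the indicators that fired."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    _, recipient = parseaddr(msg.get("To", ""))
    findings = []
    if greets_by_address(body, recipient):
        findings.append("greeting uses recipient address")
    if sender_mismatch(msg.get("From", "")):
        findings.append("sender domain does not match claimed organization")
    for host in firebase_hosted_links(body):
        findings.append(f"link on Firebase Hosting: {host}")
    return findings


if __name__ == "__main__":
    for finding in score_message(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

None of these signals is decisive on its own (plenty of legitimate newsletters greet by address, and legitimate projects use Firebase Hosting), so treat the count of findings as a score that raises the message for review rather than as a block rule.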
Why It Matters
The traditional advice to “look for bad formatting” is losing its value as a phishing indicator. Organizations need to shift detection strategies away from visual cues and toward infrastructure-level controls — domain authentication (DMARC/DKIM/SPF), link scanning, and sender reputation filtering. User training should emphasize verifying sender identity and link destinations rather than relying on the “does this email look professional?” test.
What to Do
- Enforce DMARC, DKIM, and SPF. These email authentication protocols catch spoofed senders regardless of how polished the message looks.
- Use email link scanning. Gateway-level URL rewriting and sandboxing can flag malicious destinations before users click.
- Update security awareness training. Teach staff that professional-looking emails are no longer inherently trustworthy — verify sender addresses and hover over links before clicking.
- Consider email aliasing. Unique aliases per service help identify which provider leaked your address when targeted spam arrives.
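The first item in that list is the one that does not depend on how the message looks, and the core of it is DMARC's identifier-alignment rule: SPF or DKIM must not only pass, the domain that passed must align with the domain in the visible From header. The following Python is an added example for this summary, not code from the article or from any mail product: it reads the Authentication-Results header a receiving mail server has already stamped on two constructed messages, applies relaxed alignment against the From domain, and returns the published policy when alignment fails. The DMARC_POLICIES table stands in for the DNS lookup of the _dmarc TXT record and is hypothetical, as are the sample messages and domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not from the article). The first message claims
# example-bank.com in From but was sent and signed by an unrelated domain;
# the second was sent and signed by example-bank.com infrastructure.
SAMPLE_SPOOF = """Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounce.secure-notify-mailer.net;
 dkim=pass header.d=secure-notify-mailer.net
From: "Example Bank" <alerts@example-bank.com>
To: jane.doe@example.org
Subject: Verify your account

Please verify.
"""

SAMPLE_LEGIT = """Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounces@example-bank.com;
 dkim=pass header.d=mail.example-bank.com
From: "Example Bank" <alerts@example-bank.com>
To: jane.doe@example.org
Subject: Your monthly statement

Statement attached.
"""

# Hypothetical stand-in for the p= tag of each domain's _dmarc DNS record.
DMARC_POLICIES = {"example-bank.com": "reject"}

SPF_RE = re.compile(r"spf=(\w+)\s+smtp\.mailfrom=([^\s;]+)")
DKIM_RE = re.compile(r"dkim=(\w+)\s+header\.d=([^\s;]+)")


def org_domain(host):
    """Organizational domain approximated as the last two labels. Real
    implementations consult the Public Suffix List (co.uk and similar)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(domain, from_domain, strict=False):
    """DMARC alignment: exact match in strict mode, same organizational
    domain in relaxed mode (the default when aspf/adkim are absent)."""
    if strict:
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Return (spf_result, spf_domain, dkim_result, dkim_domain) or Nones."""
    spf = SPF_RE.search(header)
    dkim = DKIM_RE.search(header)
    spf_res, spf_dom = (spf.group(1), spf.group(2)) if spf else (None, None)
    dkim_res, dkim_dom = (dkim.group(1), dkim.group(2)) if dkim else (None, None)
    if spf_dom and "@" in spf_dom:          # mailfrom may be a full address
        spf_dom = spf_dom.rsplit("@", 1)[-1]
    return spf_res, spf_dom, dkim_res, dkim_dom


def dmarc_evaluate(raw):
    """Return ("pass", None) when an aligned SPF or DKIM pass exists,
    otherwise ("fail", policy) with the From domain's published policy."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    spf_res, spf_dom, dkim_res, dkim_dom = parse_auth_results(
        msg.get("Authentication-Results", ""))
    spf_ok = spf_res == "pass" and spf_dom and aligned(spf_dom, from_domain)
    dkim_ok = dkim_res == "pass" and dkim_dom and aligned(dkim_dom, from_domain)
    if spf_ok or dkim_ok:
        return ("pass", None)
    return ("fail", DMARC_POLICIES.get(from_domain, "none"))


if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(name, dmarc_evaluate(raw))
```

The spoofed message passes both SPF and DKIM, which is exactly why "SPF pass" alone is not a trust signal: both passes belong to the spammer's own domain. Only the alignment step ties them back to the From domain the user sees, and only a published p=quarantine or p=reject turns that failure into an action.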