AI Tool Turns the Tables on Email Scammers by Gathering Threat Intelligence
What happened
A new AI-powered tool called ScamBuster aims to fight phishing campaigns by engaging directly with email scammers instead of simply deleting malicious messages. Developed by Laurent Giovannoni, principal software engineer at Filigran, ScamBuster was created as part of his thesis at École Polytechnique and has been running in production since November 2025. Giovannoni plans to officially present the project at Black Hat USA 2026.
Unlike traditional email security tools that block or quarantine phishing attempts, ScamBuster responds to scam emails using AI-generated personas. The system impersonates potential victims, such as an elderly retiree, a small business owner, or a busy executive, to keep scammers engaged in realistic conversations.
As attackers continue the exchange, ScamBuster collects valuable intelligence, including bank account details, payment domains, phone numbers, and other indicators associated with fraudulent operations. The information is then structured into threat intelligence formats such as STIX 2.1 and MISP, making it easier for security teams and law enforcement to investigate cybercriminal activity.
Who is affected
The approach is relevant for organizations of all sizes that receive phishing and business email compromise (BEC) attempts. Security operations teams, threat intelligence analysts, incident responders, and fraud investigators can benefit from the additional intelligence gathered through attacker interactions.
Rather than treating phishing emails as isolated incidents, organizations can use the collected indicators to identify broader campaigns and connect multiple attacks to the same criminal infrastructure. This helps build more complete profiles of threat actors and supports investigations beyond a single phishing attempt.
Why CISOs should care
Email remains one of the most common entry points for cyberattacks. While filtering malicious messages is essential, deleting them immediately often means losing opportunities to collect intelligence about attackers.
ScamBuster demonstrates how AI can shift organizations from a purely defensive posture to a more intelligence-driven approach. By safely engaging attackers through automated conversations, security teams may uncover infrastructure, financial information, and behavioral patterns that strengthen detection capabilities and support future investigations.
The platform also continuously improves its performance by learning which AI personas are most effective at convincing scammers to reveal useful information. According to Giovannoni, selecting the right persona can significantly increase the amount of actionable intelligence collected.
3 practical actions
Review whether your email security strategy includes processes for collecting threat intelligence from phishing attempts rather than simply deleting malicious emails.
Share phishing indicators such as domains, payment details, and phone numbers across threat intelligence platforms to improve detection of related campaigns.
Evaluate AI-assisted security tools carefully to ensure automated engagement with attackers aligns with legal, regulatory, and organizational policies.


