In The News | Phishing | Social Engineering

SpamGPT: Protecting Your Company From Large-Scale Phishing

ByNathan Anderson October 9, 2025October 5, 2025

A recently surfaced tool, known as SpamGPT, is circulating in underground forums. In today’s blog I’ll give an overview of what the tool can do and what to watch for to protect your company from these easily automated large-scale scams.

What is SpamGPT?

Functioning like a business‑grade CRM powered by generative AI to automate and scale scams, SpamGPT bundles contact management, campaign scheduling, customizable message templates, and AI‑generated copy for emails, SMS, and social‑media lures. This allows the attackers using it to run targeted, high‑volume phishing and fraud campaigns with minimal technical skills.

The platform can personalize messages at scale, track campaign performance, and iterate content quickly, effectively turning criminal operations into “marketing” workflows.

What Can Your Company Do?

To defend against these automated scams, there are several things companies can do:

Strengthen email authentication with monitoring and flagging on detection of AI‑generated messaging patterns across email, SMS, and other platforms.
Enforce multi‑factor authentication (MFA).
Tighten email and SMS filtering.
Strengthen email authentication through DMARC, DKIM, and SPF.
Run regular phishing simulations and user training so recipients can spot suspicious content.

In Conclusion

Attacks like these are not new, the difference here is how easy it is for an attacker with no technical prowess to send and manage complex sets of messages. This allows the attacks to become much more frequent, to build trust, and to sometimes hit the mark.

Over the years, as I’ve performed phishing and other social engineering engagements for our customers, I’ve found that the individuals who take a moment to stop and think before taking any action often save the day. If a phish like this makes it past all the technical controls and gets to your inbox or your phone, notifying your IT department so that they can warn others and block the attack is often the difference between a compromise and a non-event. Let’s all stay vigilant!

Nathan Anderson

Nathan has been working in Information Technology and Cybersecurity for nine years and has competed in several Capture The Flag (CTFs) events. He holds the Offensive Security Certified Professional (OSCP) certification and, for the past five years, has enjoyed using his skills in the Penetration Testing and Network Security realms.

In his off time, when he's not taking part in a CTF, security research, or working on a new IoT project, he enjoys building furniture and hiking.

How To | Security Recommendations

Remediating Account Enumeration Vulnerabilities From Your Penetration Test
ByRaxis Research Team April 9, 2021June 16, 2025

Account enumeration reveals whether usernames are valid for use in other attacks. Lead Penetration Tester Matt Dunn explains how it works and how to prevent it.

Read More Remediating Account Enumeration Vulnerabilities From Your Penetration Test
Penetration Testing

Three Reasons Why a Penetration Test Won’t Break Your Network
ByTim Semchenko November 20, 2020July 28, 2025

Fear not the penetration test for it is a good thing that brings no harm to your network. Raxis’ Tim Semchenko explains why.

Read More Three Reasons Why a Penetration Test Won’t Break Your Network
Penetration Testing | Security Recommendations

What to Expect When You’re Expecting a (Raxis) Penetration Test
ByBonnie Smyre July 31, 2020July 28, 2025

You know you need to do penetration testing, but you’re not sure how it works. Raxis COO Bonnie Smyre explains how we work.

Read More What to Expect When You’re Expecting a (Raxis) Penetration Test
Password Cracking | Security Recommendations | Tips For Everyone

Password Length: More than Just a Question of Compliance
ByBrian Tant June 4, 2024August 18, 2025

Password length requirements are a key part of password security, but, with PCI, NIST, OWASP, and CIS offering different recommendations, what length is best?

Read More Password Length: More than Just a Question of Compliance
In The News | Networks | Penetration Testing | Security Recommendations | Social Engineering

Lessons from the DaVita Healthcare Ransomware Attack
ByBrian Tant September 18, 2025September 15, 2025

The DaVita ransomware attack is one of the most impactful recent healthcare breaches. Learn what happened and what could have been done to limit the impact.

Read More Lessons from the DaVita Healthcare Ransomware Attack
Exploits | Penetration Testing | Phishing | Red Team | Social Engineering

An Inside Look at a Raxis Red Team
ByBonnie Smyre February 28, 2024

The Raxis Red Team Test is our top tier test that gives a true feel of what hackers could do. Curious to know more? Take a look at this short video.

Read More An Inside Look at a Raxis Red Team

The Exploit

Remediating Account Enumeration Vulnerabilities From Your Penetration Test

Three Reasons Why a Penetration Test Won’t Break Your Network

What to Expect When You’re Expecting a (Raxis) Penetration Test

Password Length: More than Just a Question of Compliance

About Raxis

Resources