When semantic plausibility becomes a liability: LLM-based phishing detection from an adversarial asymmetry perspective

With the rise of generative AI, a new generation of intelligent phishing has emerged, where attackers leverage Large Language Models (LLMs) to craft websites with high semantic plausibility, posing critical challenges to traditional defenses. Although existing LLM-powered detection approaches utilize semantic analysis, they often treat linguistic coherence as an indicator of legitimacy. Consequently, this reliance on semantic plausibility becomes a liability, creating a vulnerability that attackers adversarially exploit to bypass detection. To address this, we investigate the problem from an adversarial asymmetry perspective: while attackers can easily manipulate surface semantics at low cost, they face inherent constraints in concealing infrastructural evidence. Based on this observation, this paper proposes DEMO (Detection mechanism by integrating network Evidences and LLM-based semantic Optimization). DEMO operationalizes the adversarial asymmetry principle by explicitly incorporating network evidence auditing into semantic reasoning and employing Cyber Threat Intelligence (CTI) as knowledge anchors, thereby exposing the deep cross-layer inconsistencies in intelligent phishing. The proposed DEMO is evaluated on a real-world dataset containing 10,365 websites, achieving an F1-score of 95.97% and a recall of 99.05%, significantly outperforming state-of-the-art baseline models. Extensive experiments further demonstrate its strong robustness against adversarial perturbations and low inference latency, indicating its potential capacity for large-scale, real-time detection.