🤖 AI Summary
Phishing attacks disproportionately harm vulnerable populations, yet existing defenses are predominantly reactive and are defeated by evasion techniques such as cloaking (serving benign content to scanners and the lure only to victims), leaving a severe asymmetry between attack scale and defense capacity. To address this, the paper proposes an adaptive multi-agent system powered by large language models (LLMs) that treats evasive behavior itself as a critical indicator rather than a dead end. By jointly analyzing latent associations across attacker infrastructure, including domains, TLS certificates, hosting environments and registration patterns, the system proactively identifies the rest of a phishing attack chain and enables campaign-level mitigation. The approach goes beyond conventional URL-based blocking by combining recognition of how campaigns evolve over time with cross-infrastructure relational reasoning, improving both how early and how broadly defenders can act. Evaluated on real-world data, the system identified 100% of the phishing campaigns studied with a median lead time of 7.2 days ahead of expert confirmation.
📝 Abstract
Phishing attacks are a significant societal threat, disproportionately harming vulnerable populations and eroding trust in essential digital services. Current defenses are often reactive and fail against modern evasive tactics such as cloaking, which conceals malicious content from scanners. To address this, we introduce PhishLumos, an adaptive multi-agent system that proactively mitigates entire attack campaigns. It confronts a core cybersecurity imbalance: attackers can scale their operations cheaply, while defense remains an intensive expert task. Instead of being stopped by evasion, PhishLumos treats it as a critical signal that the underlying infrastructure deserves investigation. Its Large Language Model (LLM)-powered agents uncover shared hosting, shared certificates, and common domain registration patterns, and use them to link related attack sites. On real-world data, our system identified every campaign in the evaluation, in the median case more than a week before cybersecurity experts confirmed it. PhishLumos demonstrates a practical shift from reactive URL blocking to proactive campaign mitigation, protecting users before they are harmed and making the digital world safer for all.
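The following is an added illustration of the pivot the abstract describes, written for this page and not taken from the PhishLumos paper or its code: a cloaking check (does a crawler see a different page than a victim?) is used as the trigger to walk shared certificates, hosting IPs and registration timing, expanding one suspicious domain into a candidate campaign that already includes domains that have not yet gone live. Every domain, IP address, certificate fingerprint, registrar name and response body below is constructed inline, and the link weights (certificate or SAN overlap counts as strong evidence, a shared IP or a matching registrar and creation window counts as weak) are this example's own assumptions, not the paper's scoring. The script runs offline; nothing is fetched or resolved.

```python
"""Cloaking-triggered infrastructure pivot (added example, not PhishLumos code).

All observations are constructed sample data. Real use would fill the
Observation fields from a crawler that fetches each URL with two client
profiles, plus TLS, DNS and RDAP/WHOIS enrichment.
"""
import difflib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    domain: str
    ip: str
    cert_fingerprint: str          # leaf certificate fingerprint (constructed)
    cert_sans: Tuple[str, ...]     # Subject Alternative Names on that cert
    registrar: str                 # from RDAP/WHOIS (constructed)
    created: date                  # domain creation date (constructed)
    body_scanner: str              # page served to a known crawler user-agent
    body_victim: str               # page served to a residential browser


# Constructed response bodies: a parked 404 shown to scanners, a credential
# lure shown to victims, a placeholder for a domain not yet weaponised, and
# an ordinary benign page.
_PARK = "<html><body>404 Not Found</body></html>"
_LURE = "<html><form action=/login><input name=password></form></html>"
_SOON = "<html><body>Coming soon</body></html>"
_BLOG = "<html><body>Weekly gardening notes</body></html>"

_SANS_AB = ("login-secure-bank.example", "secure-bank-verify.example")

# Constructed sample: two cloaked lures on one certificate, a third domain that
# shares their host IP and registration window but is not live yet, a benign
# blog that shares only the host IP (shared hosting), and an unrelated site.
OBSERVATIONS: List[Observation] = [
    Observation("login-secure-bank.example", "203.0.113.10", "aa11", _SANS_AB,
                "RegistrarA", date(2024, 3, 1), _PARK, _LURE),
    Observation("secure-bank-verify.example", "203.0.113.11", "aa11", _SANS_AB,
                "RegistrarA", date(2024, 3, 1), _PARK, _LURE),
    Observation("bank-update-account.example", "203.0.113.10", "bb22",
                ("bank-update-account.example",), "RegistrarA",
                date(2024, 3, 2), _SOON, _SOON),
    Observation("news-blog.example", "203.0.113.10", "cc33",
                ("news-blog.example",), "RegistrarB",
                date(2021, 6, 15), _BLOG, _BLOG),
    Observation("unrelated-shop.example", "198.51.100.5", "dd44",
                ("unrelated-shop.example",), "RegistrarB",
                date(2019, 1, 9), _BLOG, _BLOG),
]


def cloaking_signal(obs: Observation, max_similarity: float = 0.6) -> bool:
    """True when the crawler and the victim receive materially different pages.

    A low similarity ratio between the two bodies is the evasion signal that
    starts an investigation instead of ending one.
    """
    ratio = difflib.SequenceMatcher(None, obs.body_scanner, obs.body_victim).ratio()
    return ratio < max_similarity


def link_score(a: Observation, b: Observation) -> int:
    """Weighted evidence that two domains are run by the same operator.

    Sharing a leaf certificate or overlapping SANs is strong (2). A shared IP
    is weak (1) because of shared hosting and CDNs, and so is a matching
    registrar with creation dates within two days; either weak signal only
    links in combination with another one.
    """
    score = 0
    if a.cert_fingerprint == b.cert_fingerprint or set(a.cert_sans) & set(b.cert_sans):
        score += 2
    if a.ip == b.ip:
        score += 1
    if a.registrar == b.registrar and abs((a.created - b.created).days) <= 2:
        score += 1
    return score


def cluster(observations: List[Observation], threshold: int = 2) -> Dict[str, Set[str]]:
    """Union-find over pairs whose link_score reaches the threshold.

    Returns a map from each domain to the full set of domains in its group.
    """
    parent = {o.domain: o.domain for o in observations}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for i, a in enumerate(observations):
        for b in observations[i + 1:]:
            if link_score(a, b) >= threshold:
                parent[find(a.domain)] = find(b.domain)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for o in observations:
        groups[find(o.domain)].add(o.domain)
    return {d: groups[find(d)] for d in parent}


def expand_campaign(seed: str, observations: List[Observation]) -> Set[str]:
    """Every domain reachable from the seed through sufficiently strong links."""
    return cluster(observations)[seed]


def campaigns(observations: List[Observation]) -> List[Set[str]]:
    """Groups containing at least one cloaked domain, in observation order.

    Members that are not (yet) cloaked are the ones a URL-level blocklist
    would miss; surfacing them early is the lead-time gain.
    """
    by_domain = cluster(observations)
    seen, out = set(), []
    for o in observations:
        if cloaking_signal(o):
            members = frozenset(by_domain[o.domain])
            if members not in seen:
                seen.add(members)
                out.append(set(members))
    return out


if __name__ == "__main__":
    for group in campaigns(OBSERVATIONS):
        cloaked = {o.domain for o in OBSERVATIONS if o.domain in group and cloaking_signal(o)}
        print("campaign:", sorted(group))
        print("  cloaked now:", sorted(cloaked))
        print("  flagged early:", sorted(group - cloaked))
```

In this sample the parked 404 versus the credential form trips the cloaking check on two domains; the shared certificate joins them, and the shared host IP plus the same registrar and a one-day registration gap pulls in `bank-update-account.example` while it still serves a placeholder. The gardening blog on the same IP stays out because a shared IP on its own never reaches the threshold, which is the caveat to keep in mind whenever hosting overlap is used as a pivot.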