Upgrade your security strategy for the AI era.

How AI Is Changing the Cyber Threat Landscape — and What To Do About It
Organizations are adopting artificial intelligence (AI) at a fast pace to increase productivity and improve efficiency. Unfortunately, threat actors also are adopting AI to drive cyberattacks. As much as 87% of organizations experienced an AI-enabled cyberattack in 2025, and globally, there was a 47% rise in AI-enabled cyberattacks, according to DeepStrike's AI Cyber Attack Statistics 2025, Trends, Costs, Defense. When an organization experiences an attack, the average AI-driven breach costs an alarming $5.72 million.
Abbey Mirelli, Incident Response Manager, and Brooke Weiss, Incident Response Consultant, both on the Pondurance team, have seen firsthand how AI has changed cybersecurity. They recently presented detailed information on how AI is reshaping the threat landscape, how AI-enabled attacks have changed business email compromise (BEC) attacks, and ways organizations can defend against AI-enabled attacks.
Reshaping the threat landscape
AI is rapidly transforming how organizations operate and changing how threat actors work. Threat actors can attack faster and more relentlessly than ever before. Plus, the ease of use and the price point for purchasing AI tools offer a lower barrier of entry for new threat actors to launch and execute sophisticated AI cyberattacks. In particular, threat actors are using AI to improve phishing and BEC attacks, making traditional security indicators less reliable and significantly increasing phishing click-through rates.
Full visibility is an AI-related challenge for most organizations. As AI adoption accelerates, the number of common security gaps in the network increases, leaving organizations more vulnerable to possible attacks. These security gaps include weak identity controls, lack of multifactor authentication (MFA) enforcement, insufficient cloud logging, poor open authorization (OAuth) governance, limited visibility into AI tool usage, and an overreliance on traditional email security controls.
Many organizations don't know how employees are using AI tools, and many employees don't know the policies for using AI. The lack of knowledge can be a result of many issues including:
Outdated acceptable use policies. The use of AI is expanding so rapidly that organizations are having a difficult time keeping up with changes to the AI governance policies. Many organizations are still defining what acceptable AI usage actually means and where sensitive data should or should not be used. It's important to have up-to-date AI governance policies in place.
Logging and visibility gaps. Organizations often lack visibility into what data is being entered, what tools are being tracked, and what information is being retained externally by employees.
AI output influence. AI-generated recommendations and responses can directly influence user decisions, actions, and business operations. Implementation of proper validation or oversight of AI output ensures that decision-makers are relying on accurate information to make the best decisions possible.
AI can affect decisions on every level, but its impact on large-scale decision-making is critical to understand from security, operational, and infrastructure perspectives. For security, all organizations should establish oversight, approval workflows, and validation processes to ensure that AI-driven decisions are reasonable, explainable, and aligned with security and business objectives. For operations, organizations must determine where humans are required, define acceptable risk tolerances, and make sure employees understand when AI outputs should be challenged rather than accepted as fact. The team suggested that infrastructure may be the most important perspective because, without proper governance, visibility, and testing, organizations risk introducing automated decisions that create unintended outages, misconfigurations, or cascading operational issues across environments.
Changing BEC attacks
BEC attacks involve unauthorized threat actors gaining access to a legitimate email account through social engineering tactics, such as emails, texts, or phone calls. AI tools such as ChatGPT, Claude, and Copilot are changing the email environment, making it easier for threat actors to craft more targeted, credible phishing emails to use for credential harvesting and other malicious actions. In 2025, there was a 46% increase in AI-generated phishing content, and a 25% increase in phishing messages that bypass traditional filters, according to AI Cyber Attack Statistics 2025, Trends, Costs, Defense.
The team explained how threat actors are able to use AI-powered reconnaissance and AI-generated malware for a greater likelihood of success with a phishing scam. Threat actors use AI-powered reconnaissance to identify who to target, research the target to personalize the email content, and know how to quickly inject themselves into email conversations. AI-generated malware can be downloaded and can change from one device to the next. The malware often installs a remote management tool, such as AnyDesk or ScreenConnect, which is a legitimate tool, where the threat actors can log in, manipulate the operations, gain access, and take control of the system.
Recently, the team has seen an increase in AI-enabled device code phishing attacks. Device code phishing is an attack where an email with a link or attachment to a suspicious webpage is sent to a target within an organization. The attack differs from traditional phishing in three ways: It uses device authentication to bypass MFA, the code isn't generated until the link is clicked on, and it uses AI to create unique automations rather than scripts to inject the threat actors into the process.
In a device code phishing attack, threat actors ask a service, such as Microsoft or Google, for a device code, and the service provides it. The threat actors then send the device code to the target, and the target enters the code, username, password, and MFA code for the legitimate service. The service generates an access token, and the threat actors recover the access token.
Once the threat actors have access, several different actions typically occur. Threat actors will look through the mailbox to identify if the user is a good target for their objective. They will create rules within the environment to hide their actions from the account owner, including deleting emails that warn of a suspicious login, and they commonly inject themselves into the email conversations. Also, threat actors will sometimes use application registration, domain spoofing, and document sharing to further their malicious actions. Finally, once the goals have been completed or if the threat actors suspect they will be caught, they send mass phishing emails to find new potential victims.
Defending against AI-enabled attacks
AI-enabled attacks are allowing threat actors to attack faster and more relentlessly, so organizations need to strengthen the overall security of their threat landscapes. The team discussed several specific defensive actions that organizations should take to protect against AI-enabled attacks:
Control access and integrations. Organizations should control particular accesses and integrations to keep threat actors from exploiting them for financial gain or other nefarious reasons. Organizations should disable unnecessary device code authentication flows, limit long-term token persistence, review OAuth permissions and token-based persistence mechanisms, and review and limit software-as-a-service connectors, plug-ins, browser extensions, and application programming interfaces (APIs) that integrate with AI tools.
Improve visibility and monitoring. Organizations need to monitor AI platform activity. They should improve visibility into AI-related usage by logging prompt activity, connector access, file interactions, API usage, and authentication events associated with enterprise AI platforms. Organizations also should monitor device code sign-ins, impossible travel, and anomalous sessions where threat actors often gain legitimate access to accounts but for illegitimate purposes.
Set clear policies. Organizations should establish AI usage governance that defines approved AI tools, acceptable use cases, prohibited data types, and security review requirements before deploying the AI platforms. Also, organizations should establish processes that require humans to validate and oversee AI-generated recommendations, security guidance, operational actions, and automated workflows.
Train users. Training must expand beyond traditional phishing training. Instead, users need to understand modern identity phishing techniques, so they know how to recognize AI-enabled phishing scams and what to do if they experience suspicious activity.
Conclusion
The adoption of AI by organizations and threat actors alike has changed the cybersecurity landscape. Organizations need to understand how these changes affect cybersecurity and ways they can defend against threat actors using AI for their malicious exploits. For more detailed information about how AI is changing the cyber threat landscape, watch the webinar on-demand.


.png)


