As artificial intelligence (AI) continues to reshape the cybersecurity landscape, the 2026 RSA Conference highlighted a significant trend: speed in cyberattacks is increasingly driven by AI integration. Threat actors, ranging from nation-states to cybercriminal groups, are embedding AI into their strategies, refining the way they plan and execute cyberattacks. While the goals of these cybercriminals—such as credential theft and financial gain—remain constant, the tempo and scale of attacks have received a notable upgrade due to generative AI.
Despite the advancements, most cyberattacks still rely on a human element, with AI serving primarily to enhance the efficiency of various attack stages. Security professionals at the RSA Conference emphasized the need to adapt their resources and strategies to counter this evolving threat landscape, recognizing that AI is reducing the friction across the attack lifecycle. Attackers can now research potential victims, craft more convincing lures, and triage stolen data more effectively.
The geographical spread of cyberattacks illustrates the scale of this issue, with the United States accounting for nearly 25% of observed activities, followed by the United Kingdom, Israel, and Germany. However, the most significant change noted by experts is not geographic but operational: AI is now embedded in reconnaissance, malware development, and post-compromise operations, leading to more precise and persistent attacks.
Email remains the fastest and most cost-effective route for initial access, but the sophistication of phishing attempts has skyrocketed. With AI involvement, click-through rates for phishing emails have surged to 54%, a staggering 450% increase from traditional campaigns. This increase is largely due to AI’s ability to tailor content more effectively to the target audience, enhancing the chances of conversion from a mere email recipient to a breach victim.
One striking example of industrial-scale cybercrime presented at the conference was Tycoon2FA, a platform operated by a group known as Storm-1747. Unlike standard phishing kits, Tycoon2FA functioned as a subscription service that generated tens of millions of phishing emails each month and was linked to nearly 100,000 compromised organizations. At its height, it was responsible for approximately 62% of all phishing attempts blocked by Microsoft in a given month. With capabilities that allowed for real-time interception of credentials, Tycoon2FA exemplified the modular and scalable nature of modern cybercrime, effectively creating an assembly line for identity theft.
Recent actions by Microsoft’s Digital Crimes Unit disrupted Tycoon2FA by seizing 330 domains in collaboration with Europol and industry partners. This operation aimed to disrupt the ecosystem of cybercrime rather than simply dismantle individual services. The focus on targeting the economic engine behind these attacks reflects a broader strategic shift in combating cyber threats.
The conference also spotlighted the pervasive role of AI across the entire attack lifecycle. AI applications include accelerating reconnaissance processes, generating sophisticated social engineering narratives, refining initial access strategies, and even automating negotiation tactics during ransom situations. This comprehensive integration of AI allows for faster and more effective execution of cyberattacks.
Looking ahead, experts highlighted the emergence of an “agentic threat model,” emphasizing that the barrier to launching complex attacks has been significantly lowered. What once required extensive resources is now accessible to motivated individuals equipped with the right tools. The traditional security analyst’s role is also evolving, moving from a hands-on practitioner to an orchestrator of security processes. Organizations lacking an understanding of their deployed software and agent behavior may find themselves increasingly vulnerable.
As the risk landscape continues to shift, the imperative for organizations is clear: they must embed intelligence and defense strategies throughout their operations. Microsoft Threat Intelligence will persist in its mission to track and act on emerging threats in real time, reinforcing the notion that understanding patterns and sharing intelligence are crucial for effective defense in the ever-evolving cybersecurity landscape.