New Threat Report Warns AI Is Automating High-Velocity Attacker Operations

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

The gap between human-led attacks and machine-driven intrusions is closing faster than most organizations expected. Cloudforce One, Cloudflare’s dedicated threat intelligence team, released the inaugural 2026 Cloudflare Threat Report on March 3, 2026, issuing a clear warning: artificial intelligence has become a core engine behind modern cyber attacks.

Built from trillions of network signals gathered over the past year, the report identifies a fundamental shift in how adversaries think, plan, and execute — one that demands a new approach to defense.

Central to this shift is a concept called Measure of Effectiveness, or MOE — the cold calculation attackers use to decide where to strike next.

Today’s adversaries are not chasing technical sophistication for its own sake; they are measuring every action by how much effort it takes versus how much damage it delivers.

A stolen session token that bypasses authentication costs far less than a custom zero-day exploit and delivers the same access. AI accelerates this logic by compressing the time between identifying a target and compromising it.

Cloudflare analysts noted eight major trends shaping the 2026 threat landscape, all driven by MOE calculations.

Generative AI is enabling real-time network mapping, rapid exploit development, and convincing deepfake creation, allowing low-skill threat actors to carry out operations that once required nation-state resources.

State-sponsored groups, including China-linked Salt Typhoon and Linen Typhoon, are burrowing into North American telecommunications, government, and IT infrastructure — anchoring long-term footholds meant to serve future geopolitical aims.

Hyper-volumetric DDoS attacks, powered by botnets like Aisuru, have pushed the record peak to 31.4 Tbps.

Token theft has become one of the most damaging tactics in the current wave of attacks.

Infostealers like LummaC2 harvest active session tokens, letting attackers skip the login flow and move straight to post-authentication actions. Multi-factor authentication never fires, because it was already satisfied when the victim created the session; it is the token, not the password, that gets replayed.
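One way to see token replay in your own access logs, as an added example that is not from the Cloudflare report: bind each session to the client fingerprint (source IP and user agent) observed at login, and alert when the same session later arrives with a different fingerprint or with no login on record at all. The key=value log format, the field names and the severity rules below are assumptions, and the log lines are constructed.

```python
"""Detect replay of stolen session tokens from web access logs.

Added example, not the report's code. Log lines use a constructed
'<iso-ts> <login|request> sid=.. ip=.. ua=.. [user=..]' format; real
logs need their own parser, and a geo/ASN lookup would sharpen the IP rule.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    kind: str        # "login" (MFA completed, session issued) or "request"
    sid: str         # session identifier
    ip: str
    ua: str
    user: str = ""


def parse_line(line: str) -> Event:
    ts_str, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), kind=kind,
                 sid=fields["sid"], ip=fields["ip"], ua=fields["ua"],
                 user=fields.get("user", ""))


def find_token_replay(lines):
    """Bind each session to the (ip, ua) seen at login; report later deviations.

    Assumed rules (tune per environment):
      * request on a session with no observed login -> high: token came from elsewhere
      * user-agent changed mid-session              -> high: browsers do not do that
      * IP changed, user-agent unchanged            -> low: roaming users are common
    Each (session, severity) pair is reported once.
    """
    bound, alerted, findings = {}, set(), []

    def report(sid, severity, reason):
        if (sid, severity) not in alerted:
            alerted.add((sid, severity))
            findings.append({"sid": sid, "severity": severity, "reason": reason})

    for ev in sorted(map(parse_line, lines), key=lambda e: e.ts):
        if ev.kind == "login":
            bound[ev.sid] = (ev.ip, ev.ua)
            continue
        if ev.sid not in bound:
            report(ev.sid, "high", f"session used from {ev.ip} without an observed login")
            bound[ev.sid] = (ev.ip, ev.ua)      # bind so later requests are judged against this
            continue
        ip0, ua0 = bound[ev.sid]
        if ev.ua != ua0:
            report(ev.sid, "high", f"user-agent {ua0!r} -> {ev.ua!r}, ip {ip0} -> {ev.ip}")
        elif ev.ip != ip0:
            report(ev.sid, "low", f"ip {ip0} -> {ev.ip} with unchanged user-agent")
    return findings


# Constructed sample: s1 is replayed by a script, s2 roams, s3 never logged in.
SAMPLE_LOG = [
    "2026-03-03T09:00:00Z login sid=s1 user=alice ip=203.0.113.10 ua=Firefox/128",
    "2026-03-03T09:05:00Z request sid=s1 ip=203.0.113.10 ua=Firefox/128",
    "2026-03-03T09:40:00Z request sid=s1 ip=198.51.100.7 ua=python-requests/2.32",
    "2026-03-03T09:41:00Z request sid=s1 ip=198.51.100.7 ua=python-requests/2.32",
    "2026-03-03T09:00:00Z login sid=s2 user=bob ip=192.0.2.5 ua=Chrome/124",
    "2026-03-03T09:30:00Z request sid=s2 ip=192.0.2.9 ua=Chrome/124",
    "2026-03-03T10:00:00Z request sid=s3 ip=198.51.100.7 ua=curl/8.5",
]

if __name__ == "__main__":
    for finding in find_token_replay(SAMPLE_LOG):
        print(finding)
```

The point of binding at login time is that the detection does not depend on the password or the MFA step, which the attacker never touches; it depends on the session behaving like the client that created it. Shortening session lifetime and binding tokens to the client (for example with device-bound session credentials) reduces the window this check has to cover.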

At the same time, phishing-as-a-service bots are exploiting a blind spot in email authentication, where sending domains publish no enforced SPF, DKIM or DMARC policy, to spoof trusted brands and land convincing emails directly in employee inboxes. The report found that nearly 46% of analyzed emails failed DMARC checks, and that 94% of all login attempts now come from bots.

Beyond digital infrastructure, North Korea has taken the deepfake threat to a new level. State-sponsored operatives now use AI-generated video and fraudulent identities to pass job interviews and get hired at Western companies, embedding spies directly inside corporate teams.

These insiders conduct espionage and send illicit funds back to state programs, representing a threat that network firewalls alone cannot stop.

One of the most alarming shifts in attacker tradecraft involves hiding inside tools organizations already trust. Instead of setting up obvious malicious servers, threat actors are routing their command-and-control traffic through Google Drive, Microsoft Teams, and Amazon S3.

This method, a variant of Living off the Land that the report labels LotX, makes malicious traffic nearly indistinguishable from normal business activity, giving attackers the cover they need to stay hidden inside compromised environments for weeks or even months.

Cloudforce One tracked five nation-state groups applying this tactic in different ways.

China-linked FrumpyToad hides its C2 activity within reputable SaaS platform logic, while fellow China-affiliated group PunyToad uses legitimate developer tools for encrypted tunneling to evade detection.

Russia-based NastyShrew leverages public paste sites as dead drop resolvers, allowing it to shift its infrastructure without drawing attention.

North Korea’s PatheticSlug exploits the trusted reputation of cloud ecosystems to slip past perimeter defenses entirely, while Iran’s CrustyKrill embeds credential harvesting operations within everyday cloud service workflows.

Email-sending services like Amazon SES and SendGrid are also regularly repurposed to run phishing and malware distribution at scale.
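Reputation filters cannot catch C2 that rides on Google Drive, Teams or S3, because the destination is legitimate; what still gives an implant away is its cadence. The following is an added example, not code from the Cloudflare report: it groups web-proxy requests per (source, destination host) and flags pairs whose inter-request gaps are nearly constant, which is how a sleeping beacon looks even when it adds jitter. The log format, the thresholds and the sample traffic are constructed assumptions.

```python
"""Flag beacon-like request cadence to trusted cloud hosts in web proxy logs.

Added example, not the report's code. Log lines use a constructed
'<iso-ts> <src-ip> <dst-host>' form; map your proxy's fields onto it.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse_proxy_line(line: str):
    ts, src, host = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host


def find_beacons(lines, min_events=6, max_cv=0.15):
    """Return (src, host) pairs whose inter-request gaps are nearly constant.

    cv = pstdev/mean of the gaps. Implants sleep on a timer (cv near 0 even
    with some jitter); people and most real clients are bursty (cv above 1).
    min_events and max_cv are assumed thresholds to tune per environment.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, host = parse_proxy_line(line)
        by_pair[(src, host)].append(ts)
    hits = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                      # duplicate timestamps: nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "host": host, "events": len(stamps),
                         "period_s": round(avg), "cv": round(cv, 3)})
    return hits


# Constructed sample: both clients talk to the same reputable storage host.
BASE = datetime(2026, 3, 3, 9, 0, 0)
JITTER = (-6, 4, 0, 6, -3, 2, 5, -5, 1, 3)       # seconds of sleep jitter per poll


def _line(t, src, host):
    return f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {src} {host}"


SAMPLE_LOG = (
    # implant on 10.0.0.7 polls a tasking file roughly every 300 s
    [_line(BASE + timedelta(seconds=300 * i + JITTER[i]), "10.0.0.7", "drive.google.com")
     for i in range(10)]
    # analyst on 10.0.0.12 uses the same host interactively: bursty gaps
    + [_line(BASE + timedelta(seconds=s), "10.0.0.12", "drive.google.com")
       for s in (0, 3, 5, 40, 41, 600, 602, 2400)]
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The check deliberately ignores the destination's reputation; allow-listing SaaS domains in the proxy is exactly the blind spot the report describes. Legitimate software updaters and monitoring agents also poll on timers, so the output is a hunting lead to be joined against the process or user behind the source address, not an alert on its own.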

To counter this increasingly machine-driven threat model, Cloudforce One researchers recommend that organizations adopt autonomous defense capabilities rather than relying on manual detection and human-centric response.

When attacks move at AI speed, slow response cycles become a liability. Organizations should enforce DMARC, DKIM, and SPF to close the email authentication gap, apply Zero Trust access controls across all SaaS environments, and continuously audit third-party API integrations for over-privileged access.
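The DMARC failure rate quoted earlier and the recommendation above come down to what a domain actually publishes. As an added example that is not the report's code, the following grades SPF and DMARC record text for the mistakes that keep spoofed mail deliverable: a missing or permissive `all` mechanism, more than the ten DNS lookups RFC 7208 allows, `p=none`, partial `pct`, and unprotected subdomains. It evaluates record text only; fetching the TXT records for `<domain>` and `_dmarc.<domain>` is left to the caller, and the sample records are constructed.

```python
"""Grade a domain's published SPF and DMARC records for spoofability.

Added example, not the Cloudflare report's code. Input is record text; the
DNS fetch is the caller's job. Sample records are constructed.
"""

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record: str) -> dict:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"grade": "fail", "final": None, "lookups": 0, "issues": ["not an spf1 record"]}
    issues, lookups, final = [], 0, "missing"
    for term in terms[1:]:
        qual = "+"                        # default qualifier is pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            final = qual
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    if final == "missing":
        issues.append("no 'all' mechanism: unlisted senders get neutral, not fail")
    elif final == "+":
        issues.append("+all: any host may send as this domain")
    elif final == "?":
        issues.append("?all: neutral result, no protection")
    elif final == "~":
        issues.append("~all: softfail only; relies on DMARC enforcement to act")
    if lookups > 10 or final in ("missing", "+", "?"):
        grade = "fail"
    else:
        grade = "pass" if final == "-" else "weak"
    return {"grade": grade, "final": final, "lookups": lookups, "issues": issues}


def assess_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return {"grade": "fail", "policy": None, "pct": 0, "issues": ["not a DMARC1 record"]}
    issues = []
    p = tags.get("p")
    sp = tags.get("sp", p)                # subdomain policy inherits p when absent
    pct = int(tags.get("pct", "100"))
    if p is None:
        issues.append("missing p= tag: record is invalid and ignored")
    elif p == "none":
        issues.append("p=none: monitor only, spoofed mail is still delivered")
    elif p == "quarantine":
        issues.append("p=quarantine: spoofed mail goes to junk instead of being rejected")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sp == "none" and p != "none":
        issues.append("sp=none: subdomains can be spoofed freely")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")
    if p in (None, "none"):
        grade = "fail"
    elif p == "reject" and sp == "reject" and pct == 100:
        grade = "pass"
    else:
        grade = "weak"
    return {"grade": grade, "policy": p, "pct": pct, "issues": issues}


# Constructed examples; 'hardened.example' is what an enforced posture looks like.
SAMPLE_RECORDS = {
    "weak.example": ("v=spf1 include:_spf.mail.example ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "open.example": ("v=spf1 +all",
                     "v=DMARC1; p=quarantine; pct=10"),
    "bloated.example": ("v=spf1 " + " ".join(f"include:m{i}.example" for i in range(11)) + " -all",
                        "v=DMARC1; p=reject"),
    "hardened.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                         "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                         "rua=mailto:dmarc@hardened.example"),
}


def audit(records=SAMPLE_RECORDS) -> dict:
    return {d: {"spf": assess_spf(s), "dmarc": assess_dmarc(m)} for d, (s, m) in records.items()}


if __name__ == "__main__":
    for domain, result in audit().items():
        print(domain, "spf:", result["spf"]["grade"], "dmarc:", result["dmarc"]["grade"])
        for kind in ("spf", "dmarc"):
            for issue in result[kind]["issues"]:
                print("   ", kind, issue)
```

Note that a DMARC pass grade here means the sending domain has told receivers to reject failures; it says nothing about whether your own mail gateway honours `p=reject` on inbound mail, which is the receiving half of the same gap and has to be checked separately.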

Real-time automated response systems are no longer optional — they are the minimum standard for keeping pace with adversaries that never sleep and never stop.
