As this report shows, there is no single AI tell and no separate playbook for AI-enabled attacks. The real issue isn’t whether AI is present, but whether defenders can still detect, investigate, and respond when attackers move faster, scale more easily, and produce more convincing output.
Security teams don’t need a new strategy built around AI as a category. But AI does change the pace of attacks, so they need strong fundamentals, defense-in-depth, and AI and automation wherever operationally possible to match that pace: broad visibility, strong controls, and fast response, which means correlating weak signals earlier, acting faster, and using AI to improve detection, investigation, and containment.
What’s most important isn’t how attackers are using AI (those hallmarks come and go) but how security teams are incorporating AI into their defenses. Attackers may not yet be building polished end-to-end AI tooling, but they are certainly already using AI to get much faster. This has been known for a while, but it can no longer be ignored. Security teams don’t need a whole new defense plan targeting AI specifically; they need to get the fundamentals right and integrate them. With defense-in-depth securely in place, combined with AI enrichment and correlation, machine-speed action, and visibility across the whole ecosystem, organizations will stay well protected against AI threats in whatever form they take.
ReliaQuest's Approach
Speed is a recurring theme in this report: device-code phishing can move from token theft to data collection in minutes, and AI-assisted campaigns leave little room for manual triage. GreyMatter Agentic AI correlates signals across the connected stack and runs detection, investigation, and response, reducing the delay between an alert surfacing and meaningful action being taken.
Speed isn’t only about how fast attackers act, but how quickly defenders can cut through noise. DeepLoad, for example, uses junk code and obfuscation to conceal its true logic. GreyMatter Transit applies detection logic to telemetry before it’s ingested, helping surface suspicious behavior earlier and reducing the impact of volume, noise, and processing delay.
Several campaigns in this report relied on infrastructure that sits outside the domains most teams are watching. ShinyHunters, for example, placed the impersonated brand in the subdomain rather than the registered domain and is spinning up domains at scale. Digital Risk Protection helps extend visibility across impersonation infrastructure, exposed credentials, and brand abuse across open-, deep-, and dark-web sources.
When incidents are moving at machine speed, the detection-to-containment-to-response chain has to keep pace. Workflows lets organizations build and tailor those automated response sequences, so actions like token revocation and device isolation can fire together as one coordinated action.
Your Action Plan
- Extend behavioral detection across endpoint, identity, network, and cloud, with particular emphasis on activity after access is granted. Device-code phishing and OAuth abuse rarely produce fake login pages or malicious URLs to block, so detection has to fire post-access on signals like unusual app consents, token use from datacenter IPs, rapid device registrations, and anomalous session behavior.
- Automate containment so it keeps pace with the attack. When token replay, inbox-rule creation, and rogue device registration can happen within minutes of initial access, manual triage simply can't keep up.
- Retrain users on the full range of what AI can fake (including voice, video, profile photos, and polished text), and require out-of-band verification for sensitive requests such as installs, approvals, and payments. The lasting habit to instill is verification before action, not trying to spot flaws by eye.
- Invest in a threat research capability that tracks the volume and timing patterns AI-scaled campaigns leave behind. Turn signals such as domain clusters, subdomain registration, and tightly grouped web-shell deployments into preemptive blocks, detections, and hunts.
- Use external threat intelligence to spot AI-enabled tradecraft before it reaches your environment, and route it to the right teams. Monitor open-, deep- and dark-web sources for emerging phishing infrastructure, identity-fabrication services, deepfake software, malware kits, and criminal experimentation with AI. Route these signals beyond the SOC to the teams responsible for identity, fraud, and hiring so they can act before the threat escalates.
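The first two action items (post-access behavioral detection and containment that keeps pace) can be expressed as a small detection-and-playbook routine. The following is an added example and not code from the report or from ReliaQuest: it runs the signals named above (token use from datacenter IPs, device-registration bursts, unapproved OAuth app consents, inbox-rule creation shortly after sign-in) over constructed identity audit events and maps findings to containment actions. The event schema, IP ranges, approved-app list, thresholds and playbook are all assumptions chosen for illustration, not any vendor's or identity provider's format.

```python
"""Post-access behavioral detection over identity audit events.

Added example (not from the report or ReliaQuest). Scores a user's
post-authentication activity for the signals the action plan names and
turns findings into a containment plan. Event shapes, IP ranges,
thresholds and playbook below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed: hosting/datacenter ranges a team maintains from its own intel
# (TEST-NET-3 is used here purely as a constructed placeholder).
DATACENTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed: OAuth apps the tenant has reviewed and approved.
APPROVED_APPS = {"Corporate Mail Client", "HR Portal"}
DEVICE_BURST_COUNT = 3                   # registrations ...
DEVICE_BURST_WINDOW = timedelta(minutes=10)  # ... inside this window
INBOX_RULE_WINDOW = timedelta(minutes=30)    # rule created this soon after sign-in

# Containment playbook keyed by finding type (assumed action names).
PLAYBOOK = {
    "datacenter_token_use": ["revoke_sessions"],
    "device_registration_burst": ["revoke_sessions", "block_device_registration"],
    "unapproved_app_consent": ["revoke_app_consent"],
    "inbox_rule_after_signin": ["revoke_sessions", "disable_inbox_rule"],
}


def _ts(s):
    return datetime.fromisoformat(s)


def _is_datacenter(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_NETS)


def detect(events):
    """Return (user, finding_type) tuples for post-access anomalies."""
    findings = []
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: _ts(e["time"])):
        per_user[e["user"]].append(e)

    for user, evs in per_user.items():
        # Session/token use from an IP in a datacenter range rather than a user network.
        if any(e["type"] == "signin" and _is_datacenter(e["ip"]) for e in evs):
            findings.append((user, "datacenter_token_use"))
        # Burst of device registrations inside a short window.
        regs = [_ts(e["time"]) for e in evs if e["type"] == "device_registered"]
        for i in range(len(regs) - DEVICE_BURST_COUNT + 1):
            if regs[i + DEVICE_BURST_COUNT - 1] - regs[i] <= DEVICE_BURST_WINDOW:
                findings.append((user, "device_registration_burst"))
                break
        # Consent granted to an app outside the reviewed set.
        if any(e["type"] == "app_consent" and e["app"] not in APPROVED_APPS for e in evs):
            findings.append((user, "unapproved_app_consent"))
        # Inbox rule created shortly after a sign-in (classic mailbox persistence).
        signins = [_ts(e["time"]) for e in evs if e["type"] == "signin"]
        for e in evs:
            if e["type"] == "inbox_rule_created" and any(
                timedelta(0) <= _ts(e["time"]) - t <= INBOX_RULE_WINDOW for t in signins
            ):
                findings.append((user, "inbox_rule_after_signin"))
                break
    return findings


def plan_containment(findings):
    """Deduplicated, ordered containment actions per user from the playbook."""
    actions = defaultdict(list)
    for user, ftype in findings:
        for a in PLAYBOOK[ftype]:
            if a not in actions[user]:
                actions[user].append(a)
    return dict(actions)


# Constructed sample events: "alice" shows the full post-access chain, "bob" is benign.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "alice", "type": "signin", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:02:00", "user": "alice", "type": "device_registered"},
    {"time": "2024-05-01T09:03:00", "user": "alice", "type": "device_registered"},
    {"time": "2024-05-01T09:05:00", "user": "alice", "type": "device_registered"},
    {"time": "2024-05-01T09:06:00", "user": "alice", "type": "app_consent", "app": "Mail Sync Helper"},
    {"time": "2024-05-01T09:12:00", "user": "alice", "type": "inbox_rule_created"},
    {"time": "2024-05-01T09:00:00", "user": "bob", "type": "signin", "ip": "198.51.100.5"},
    {"time": "2024-05-01T09:30:00", "user": "bob", "type": "app_consent", "app": "HR Portal"},
]

if __name__ == "__main__":
    for user, acts in plan_containment(detect(SAMPLE_EVENTS)).items():
        print(user, "->", acts)
```

None of the individual signals is a blocking-grade indicator on its own; the point of correlating them per user is that the combination (datacenter token use, a device burst, a new consent and an inbox rule within minutes) is what makes automated session revocation defensible without a human in the loop.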