AI is Automating High-Velocity Attacker Operations, Warns New Threat Report
A new report from Cloudflare’s threat intelligence team, Cloudforce One, released on March 3, 2026, warns that artificial intelligence is now a central driver of sophisticated cyber attacks. The “2026 Cloudflare Threat Report” indicates that the speed and effectiveness of cyber intrusions are rapidly increasing, blurring the lines between human-led and automated operations and demanding a significant shift in defensive strategies.
The report, compiled from trillions of network signals collected over the past year, highlights a fundamental change in how adversaries plan and execute attacks. This evolution is largely driven by a concept referred to as Measure of Effectiveness (MOE). Attackers are now meticulously calculating the effort required for an intrusion against the potential damage it can inflict, prioritizing efficiency and impact over sheer technical complexity.
Key Trends Shaping the 2026 Threat Landscape
Cloudflare analysts identified eight major trends contributing to the evolving 2026 threat landscape, all underpinned by MOE-driven calculations. Generative AI is a significant enabler, facilitating real-time network mapping, rapid development of exploits, and the creation of convincing deepfakes. This technology is lowering the barrier to entry, allowing less skilled threat actors to launch operations that previously required state-level resources.
Nation-state actors continue to pose a significant threat. Groups such as China-linked Salt Typhoon and Linen Typhoon are reportedly establishing long-term footholds within North American telecommunications, government, and IT infrastructure. These persistent intrusions are believed to be in preparation for future geopolitical objectives.
The report also notes a surge in hyper-volumetric Distributed Denial of Service (DDoS) attacks. Botnets like Aisuru are contributing to these attacks, pushing the established baseline to a record 31.4 Terabits per second (Tbps), indicating an escalating challenge in maintaining service availability.
Token Theft and Phishing-as-a-Service Emerge as Major Concerns
Token theft has emerged as one of the most damaging tactics in recent attack waves. Infostealers, including LummaC2, are designed to harvest active session tokens. This allows attackers to bypass authentication mechanisms entirely, rendering multi-factor authentication ineffective and enabling immediate post-authentication actions.
Concurrently, phishing-as-a-service bots are exploiting weaknesses in email sender verification. These bots are capable of spoofing trusted brands to deliver highly convincing phishing emails directly into employee inboxes. The report indicates that nearly 46% of analyzed emails failed DMARC checks, and that 94% of all login attempts are now bot-driven, underscoring the pervasiveness of automated threats in initial access.
Deepfakes and Insider Threats Reach New Levels
North Korea has reportedly elevated the threat of deepfakes by employing AI-generated video and fraudulent identities for job interviews at Western companies. This tactic allows state-sponsored operatives to embed spies directly within corporate teams, facilitating espionage and the illicit transfer of funds to state programs. This form of infiltration presents a challenge that traditional network firewalls are ill-equipped to address.
Living off the Land (LotX) Tactics Escalate Stealth Operations
A particularly alarming trend involves threat actors hiding their command-and-control (C2) traffic within legitimate tools and services that organizations already trust. Instead of relying on overtly malicious infrastructure, adversaries are routing C2 traffic through platforms like Google Drive, Microsoft Teams, and Amazon S3. This “Living off the Land” (LotX) approach makes malicious activity nearly indistinguishable from normal business operations, allowing attackers extended periods of undetected presence within compromised environments.
Cloudforce One observed five nation-state groups employing LotX tactics in various ways. China-affiliated groups FrumpyToad and PunyToad are noted for hiding C2 activity within SaaS platform logic and using legitimate developer tools for encrypted tunneling, respectively. Russia-based NastyShrew reportedly uses public paste sites as dead drop resolvers to facilitate infrastructure changes without drawing attention. North Korea’s PatheticSlug leverages cloud ecosystems for stealth, while Iran’s CrustyKrill embeds credential harvesting within cloud service workflows. Additionally, services like Amazon SES and SendGrid are being repurposed for large-scale phishing and malware distribution.
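Because the LotX pattern described above routes C2 through hosts a business already trusts, a destination allowlist or reputation feed gives a defender no signal. What still shows is timing: an implant polls its dead drop or SaaS channel on a fixed schedule, while human use of the same service is bursty. The following is an added example, not code from the report or from Cloudflare, that flags (source, host) pairs in proxy logs whose request intervals are unusually regular. The log format, hosts, thresholds and IP addresses are constructed for the example.

```python
"""Beaconing detection over proxy logs (added example; constructed data).

Groups requests by (source IP, destination host), computes the gaps between
consecutive requests, and flags pairs whose coefficient of variation
(stddev / mean) of those gaps is small, i.e. near-periodic traffic. The
destination being a well-known SaaS host is deliberately NOT a filter.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "<ISO-8601 timestamp> <src ip> <host> <bytes>".
# 10.0.0.5 polls drive.google.com roughly every 60 s (implant-like);
# 10.0.0.7 uses teams.microsoft.com in irregular bursts (human-like);
# 10.0.0.9 has too few events to judge.
SAMPLE_LOG = """\
2026-03-03T09:00:00Z 10.0.0.5 drive.google.com 412
2026-03-03T09:00:00Z 10.0.0.7 teams.microsoft.com 20311
2026-03-03T09:00:04Z 10.0.0.7 teams.microsoft.com 5120
2026-03-03T09:00:05Z 10.0.0.7 teams.microsoft.com 773
2026-03-03T09:01:00Z 10.0.0.5 drive.google.com 409
2026-03-03T09:01:59Z 10.0.0.5 drive.google.com 415
2026-03-03T09:03:00Z 10.0.0.5 drive.google.com 411
2026-03-03T09:03:30Z 10.0.0.7 teams.microsoft.com 14022
2026-03-03T09:04:00Z 10.0.0.5 drive.google.com 410
2026-03-03T09:05:00Z 10.0.0.5 drive.google.com 413
2026-03-03T09:05:59Z 10.0.0.5 drive.google.com 408
2026-03-03T09:07:00Z 10.0.0.5 drive.google.com 414
2026-03-03T09:10:00Z 10.0.0.9 s3.amazonaws.com 90211
2026-03-03T09:15:02Z 10.0.0.7 teams.microsoft.com 3310
2026-03-03T09:15:03Z 10.0.0.7 teams.microsoft.com 611
2026-03-03T09:40:00Z 10.0.0.7 teams.microsoft.com 8870
2026-03-03T09:55:00Z 10.0.0.9 s3.amazonaws.com 87654
"""


def parse_log(text):
    """Return {(src, host): [datetime, ...]} for the constructed log format."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _size = line.split()
        events[(src, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def interval_stats(times):
    """Mean gap in seconds and coefficient of variation of the gaps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_beacons(text, min_events=6, max_cv=0.1):
    """Flag (src, host) pairs with at least min_events requests whose
    inter-request timing is near-constant (cv <= max_cv)."""
    flagged = []
    for (src, host), times in parse_log(text).items():
        if len(times) < min_events:
            continue  # not enough samples to claim periodicity
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            flagged.append({"src": src, "host": host,
                            "period_s": round(mean), "cv": round(cv, 3)})
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['host']} "
              f"every ~{hit['period_s']}s (cv={hit['cv']})")
```

The thresholds are assumptions to tune per environment: implants that add random sleep jitter raise the coefficient of variation, so in practice this check is combined with other features (constant request size, off-hours activity, a host the user's peers never touch) rather than used alone.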
Recommendations for Autonomous Defense
In response to this accelerating, machine-driven threat model, Cloudforce One researchers advocate for the adoption of autonomous defense capabilities. Organizations are advised to move away from manual detection and human-centric response due to the speed at which AI-powered attacks can operate. Slow response cycles are identified as a significant liability.
Key recommendations include enforcing DMARC, DKIM, and SPF to strengthen email authentication, implementing Zero Trust access controls across all Software-as-a-Service (SaaS) environments, and conducting continuous audits of third-party API integrations to prevent over-privileged access. The report concludes that real-time automated response systems are no longer optional but a necessary baseline to keep pace with adversaries that operate continuously.
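The DMARC failure rate cited above and the recommendation to enforce DMARC, DKIM and SPF both come down to one mechanism: a receiver checks whether SPF or DKIM passed for a domain that is aligned with the visible From address, and if neither did, applies whatever policy the domain owner published. The following is an added example, not code from the report or from Cloudflare, that walks through that decision and shows why a record with p=none leaves spoofed mail deliverable while p=reject blocks it. The domain names and records are constructed; the organizational-domain check is a simplification (real receivers consult the Public Suffix List).

```python
"""DMARC evaluation walkthrough (added example; constructed records).

Parses a DMARC TXT record, checks SPF/DKIM identifier alignment against
the RFC5322.From domain, and returns the disposition a receiver would apply.
"""
from dataclasses import dataclass


def parse_tag_value(record: str) -> dict:
    """Parse a 'k=v; k=v' tag-value record (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption for the example)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts
    any host under the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the From: header the user sees
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # envelope MAIL FROM domain SPF was evaluated on
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM signature, if any


def policy_is_enforcing(record: str) -> bool:
    """True if the published policy actually blocks or quarantines failures."""
    return parse_tag_value(record).get("p", "none") in ("quarantine", "reject")


def dmarc_disposition(record: str, m: AuthResults) -> dict:
    """Compute the DMARC result and the action the receiver should take."""
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        return {"dmarc": "none", "action": "deliver", "reason": "no DMARC record"}
    spf_ok = (m.spf_result == "pass"
              and aligned(m.from_domain, m.spf_domain, tags.get("aspf", "r")))
    dkim_ok = (m.dkim_result == "pass"
               and aligned(m.from_domain, m.dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "action": "deliver",
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"}
    policy = tags.get("p", "none")
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return {"dmarc": "fail", "action": action, "reason": f"no aligned pass; p={policy}"}


# Constructed records: monitoring-only vs. enforcing with strict alignment.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

# A spoof: SPF passes, but only for the sender's own bulk-mail domain, which
# is not aligned with the From: domain the recipient sees. No DKIM signature.
SPOOFED = AuthResults("example.com", "pass", "bulk-sender.example", "none", "")
# Legitimate mail: envelope domain is a subdomain, DKIM signed by the org domain.
LEGIT = AuthResults("example.com", "pass", "mail.example.com", "pass", "example.com")

if __name__ == "__main__":
    for name, rec in (("p=none", WEAK_RECORD), ("p=reject", STRONG_RECORD)):
        print(name, "spoof ->", dmarc_disposition(rec, SPOOFED))
        print(name, "legit ->", dmarc_disposition(rec, LEGIT))
```

The point the walkthrough makes is that an SPF pass on its own proves nothing about the From: header; only an aligned pass counts, and only an enforcing policy turns a failure into a rejected or quarantined message. Enforcing should be preceded by reviewing aggregate (rua) reports so that legitimate third-party senders are signing with an aligned DKIM domain before p=reject is published.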