Detecting Intent Is the Only Way To Keep Pace With AI-Enabled Threats

Something subtle but important has changed in how cyberattacks are put together. It’s not that attackers suddenly became more skilled or more creative. It’s that diversifying an attack no longer costs them much of anything.

Russian-, North Korean-, and Chinese-linked groups were found using public large language models to support live operations. They used them to draft phishing messages tailored to specific industries, to experiment with credential-stealing techniques, and to refine command-and-control logic. None of this was especially novel on its own. What stood out was the speed and flexibility with which these campaigns could be adjusted.

When content can be rewritten instantly and workflows can be reassembled on demand, repetition disappears. Attacks stop looking familiar, even when the underlying objective has not changed. That shift puts pressure on defenses that quietly assume tomorrow’s attack will resemble yesterday’s.

Legitimate behavior as an attack surface

The appearance of EchoLeak in mid-2025, tracked as CVE-2025-32711, was the first widely documented zero-click AI attack. In the event, Microsoft 365 Copilot was manipulated through prompt injection into retrieving and exfiltrating sensitive data using its own internal mechanisms. There was no exploit payload and no malware execution. The system behaved as designed, just not as intended.

What EchoLeak revealed was not a failure of one product, but a broader shift in how attacks can unfold. AI systems are no longer just tools attackers use on the outside. They can be woven directly into the mechanics of an intrusion. The attack surface expands, not through new vulnerabilities, but through new ways of chaining legitimate behavior.

At the same time, disruption has become fleeting. Campaigns blocked on one platform tend to resurface elsewhere, changed just enough to avoid the last set of controls. The pace of iteration now favors the attacker. Detection logic that depends on static patterns or known indicators struggles to keep up with activity that is intentionally designed to stay fluid.

When detection assumes stillness

Attackers can revise how they operate continuously, while most detection systems still require stability to work well. Even when AI is introduced into security workflows, it’s often layered on top of engines that were built to look for matches, thresholds, or anomalies in isolation.

Modern intrusions rarely begin with anything that looks obviously wrong. The early stages are quiet and procedural. Valid credentials are used. Familiar tools appear. Access paths look reasonable. Each action fits within expectations, which is precisely why these campaigns are so easy to miss.

The problem is not a lack of telemetry. It is that most detection systems are still built to judge events one at a time. When attackers operate patiently and coherently, especially with AI helping them adjust along the way, intent only becomes visible across a sequence. By the time individual signals stand out on their own, the intrusion is already well underway.
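To make the sequence argument concrete, here is an added example (not from the article, and not any vendor's product logic) that correlates constructed authentication and access events per principal. No single event is suspicious; only an ordered progression of hypothetical stages (explore, move, reuse, objective) within a time window raises a flag.

```python
"""Sequence-aware correlation over constructed telemetry (added example).
Each event looks legitimate on its own; intent shows only as progression."""
from datetime import datetime, timedelta

# Hypothetical stage model: explore -> move -> reuse -> objective.
STAGE_OF = {
    "ldap_enum": "explore", "share_listing": "explore",
    "remote_logon": "move",
    "cred_reuse_new_host": "reuse",
    "sensitive_share_read": "objective",
}
ORDER = ["explore", "move", "reuse", "objective"]

# Constructed sample telemetry: (user, ISO timestamp, host, action).
EVENTS = [
    ("alice", "2025-07-01T09:00:00", "ws01", "ldap_enum"),
    ("alice", "2025-07-01T09:04:00", "srv02", "remote_logon"),
    ("alice", "2025-07-01T09:20:00", "srv03", "cred_reuse_new_host"),
    ("alice", "2025-07-01T09:41:00", "srv03", "sensitive_share_read"),
    ("bob",   "2025-07-01T10:00:00", "ws07", "share_listing"),
    ("bob",   "2025-07-01T10:02:00", "srv02", "remote_logon"),
    ("carol", "2025-07-01T11:00:00", "srv03", "sensitive_share_read"),
]

def progression(events, window=timedelta(hours=2)):
    """Return {user: [stages reached in order]}. A stage is accepted only if it
    is the next expected one and falls within `window` of the chain's start."""
    chains = {}
    for user, ts, _host, action in sorted(events, key=lambda e: e[1]):
        stage = STAGE_OF.get(action)
        if stage is None:
            continue                     # untracked action: ignore
        t = datetime.fromisoformat(ts)
        start, reached = chains.get(user, (t, []))
        if t - start > window:           # window expired: restart the chain
            start, reached = t, []
        if ORDER.index(stage) == len(reached):
            reached = reached + [stage]  # chain advances one stage
        chains[user] = (start, reached)
    return {u: r for u, (_, r) in chains.items()}

def flagged(events, min_stages=3):
    """Principals whose ordered progression reaches at least min_stages."""
    return sorted(u for u, r in progression(events).items() if len(r) >= min_stages)
```

Carol's direct read of the sensitive share, with no preceding stages, is not flagged here, which illustrates the trade-off: sequence logic reduces noise on isolated events but still needs other controls for a principal who starts at the objective.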

What attackers can’t randomize

If attacks are becoming more variable on the surface, detection cannot depend on surface features. What stays consistent across successful intrusions is not the tooling or the content, but the way activity unfolds. Attackers still have to explore, move, reuse access, and progress toward an objective. Those steps leave structure, even when they leave very little noise.

Teams are beginning to address this gap by shifting attention from individual events to how activity unfolds across time. That can take several forms. Some organizations lean on threat modeling and manual correlation, mapping sequences of actions against known intrusion paths. Others invest in exposure management and continuous validation to understand where coordinated movement would be most damaging if it occurred.

Manual correlation and rule-based sequencing can surface intent in hindsight, but they do not scale to the pace and variability AI now introduces. Every new campaign forces defenders to decide what to encode, what to ignore, and what to update next. Over time, those decisions accumulate into brittle logic that reflects yesterday’s attacks, not today’s behavior.

This shift cannot be addressed by applying generative AI on top of existing detection workflows. The challenge is not explaining alerts or assisting analysis, but recognizing structure and progression across system behavior as it unfolds. The deep learning approaches that deal with this problem are trained on structured activity to learn how environments operate as a whole, rather than relying on predefined paths or static assumptions. Because they internalize behavior instead of encoding rules, these models adapt as activity shifts instead of being rewritten every time attackers adjust. In an environment where surface-level tactics can change instantly, that adaptability is what makes intent visible before damage is done.

Coordination over coincidence

A majority of security programs are still tuned to react to moments rather than motion. They fire on individual alerts, discrete anomalies, or single suspicious actions, then ask analysts to stitch together meaning after the fact. That approach breaks down when attackers operate deliberately across time.

The detection methods that hold up are the ones that can recognize behavioral patterns as they develop, understand how activity evolves, and recognize coordination rather than coincidence. This requires models designed to reason over structured system signals like process behavior, authentication flows, network relationships, and access patterns, not generative systems optimized to predict language or user intent. It also means relying on approaches that remain effective when payloads are encrypted, logs are sparse, and infrastructure is ephemeral.

Detection that lasts

When intent becomes visible, detection moves earlier. Security teams gain insight while attackers are still exploring or staging, not after execution has begun. That timing difference changes outcomes.

It also changes the sustainability of defense. Approaches grounded in behavior do not need to be rewritten every time attackers change infrastructure or content. Analysts spend less time chasing variations and more time understanding what is actually happening. Over time, that reduces fatigue and improves trust in detection decisions.

As AI continues to accelerate how quickly attacks can change, defenses built on static assumptions will continue to fall behind. Detecting intent does not eliminate that challenge, but it offers a way to keep pace by focusing on the one thing attackers cannot easily randomize: the path they have to take.