TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Microsoft Threat Intelligence

AI as tradecraft: How threat actors operationalize AI

Microsoft Threat Intelligence · 2026-03-06

ATT&CK techniques detected

27 predictions (technique, confidence, matched passage)

T1583.001 Domains (94%)
“and summarize required skills. these outputs are then used to tailor fake identities to specific roles. resource development threat actors increasingly use ai to support the creation, maintenance, and adaptation of attack infrastructure that underpins malicious operations. by est…”

T1566.002 Spearphishing Link (89%)
“) actor profile: moonstone sleet actor profile: sapphire sleet microsoft security copilot customers can also use the microsoft security copilot integration in microsoft defender threat intelligence, either in the security copilot standalone portal or in the embedded experience …”

T1566.002 Spearphishing Link (83%)
“antivirus product to cover rapidly evolving attack tools and techniques. cloud-based machine learning protections block a majority of new and unknown variants invest in user awareness training and phishing simulations. attack simulation training in microsoft defender for office…”

T1683.002 Audio-Visual Content (83%)
“365 and third-party indicators to identify potential malicious or inadvertent insider activities. the solution includes privacy controls like pseudonymization and role-based access, ensuring user-level privacy while enabling risk analysts to take appropriate actions. perfor…”

T1588.007 Artificial Intelligence (82%)
“western candidates in remote hiring processes. operational persistence and defense evasion microsoft threat intelligence has observed threat actors using ai in operational facets of their activities that are not always inherently malicious but materially support their broader obj…”

T1588.007 Artificial Intelligence (80%)
“at a higher operational tempo without requiring deep expertise across every stage of the malware development process. microsoft threat intelligence has observed coral sleet demonstrating rapid capability growth driven by ai-assisted iterative development, using ai coding tools …”

T1598 Phishing for Information (78%)
“threat actors to craft highly tailored, convincing lures and personas at unprecedented speed and volume, which lowers the barrier for complex attacks to take place and increases the likelihood of successful compromise. crafting phishing lures: ai-enabled phishing lures are bec…”

T1683.002 Audio-Visual Content (78%)
“engineering campaigns by mimicking trusted individuals or fabricating entire digital identities. the observed behavior includes: generating realistic names, email formats, and social media handles using ai prompts writing ai-assisted resumes and cover letters tailored to speci…”

T1078.004 Cloud Accounts (78%)
“-risk scenario, focusing on detecting misuse of legitimate credentials, abnormal access patterns, and sustained low-and-slow activity. for detailed mitigation and remediation guidance specific to north korean remote it worker activity including identity vetting, access contr…”

T1566.002 Spearphishing Link (70%)
“…cycle management to manage the lifecycle of organizational data by retaining necessary content and deleting unnecessary content. these tools ensure compliance with business, legal, and regulatory requirements. use retention policies to automatically retain or delete user prompt…”

T1588.007 Artificial Intelligence (69%)
“ai as tradecraft: how threat actors operationalize ai threat actors are operationalizing ai along the cyberattack lifecycle to accelerate tradecraft, abusing both intended model capabilities and jailbreaking techniques to bypass safeguards and perform malicious activity. as ente…”

T1566 Phishing (68%)
“threat actors to craft highly tailored, convincing lures and personas at unprecedented speed and volume, which lowers the barrier for complex attacks to take place and increases the likelihood of successful compromise. crafting phishing lures: ai-enabled phishing lures are bec…”

T1588.007 Artificial Intelligence (62%)
“coral sleet, sapphire sleet, and jasper sleet, who frequently employ financial opportunity or interview-themed lures to gain initial access. the observed behaviors include: researching job postings to extract role-specific language, responsibilities, and qualifications. iden…”

T1588.002 Tool (51%)
“behind their use of these platforms is to deceive the recipient into believing that a fake identity is real. observed behaviors across threat actors include: translating messages and documentation to overcome language barriers and communicate fluently with colleagues prompting a…”

T1583.001 Domains (50%)
“in using ai models, threat actors can design, configure, and troubleshoot their covert infrastructure. this method reduces the technical barrier for less sophisticated actors and works to accelerate the deployment of resilient infrastructure while minimizing the risk of detection…”

T1588.007 Artificial Intelligence (50%)
“engineering campaigns by mimicking trusted individuals or fabricating entire digital identities. the observed behavior includes: generating realistic names, email formats, and social media handles using ai prompts writing ai-assisted resumes and cover letters tailored to speci…”

T1586.002 Email Accounts (49%)
“scale and persistence. to illustrate these trends, this blog highlights observations from north korean remote it worker activity tracked by microsoft threat intelligence as jasper sleet and coral sleet (formerly storm-1877), where ai enables sustained, large-scale misuse of…”

T1588.007 Artificial Intelligence (46%)
“threat actors to craft highly tailored, convincing lures and personas at unprecedented speed and volume, which lowers the barrier for complex attacks to take place and increases the likelihood of successful compromise. crafting phishing lures: ai-enabled phishing lures are bec…”

T1195.001 Compromise Software Dependencies and Development Tools (45%)
“at a higher operational tempo without requiring deep expertise across every stage of the malware development process. microsoft threat intelligence has observed coral sleet demonstrating rapid capability growth driven by ai-assisted iterative development, using ai coding tools …”

T1566.003 Spearphishing via Service (43%)
“threat actors to craft highly tailored, convincing lures and personas at unprecedented speed and volume, which lowers the barrier for complex attacks to take place and increases the likelihood of successful compromise. crafting phishing lures: ai-enabled phishing lures are bec…”

T1566.002 Spearphishing Link (42%)
“| where isnotempty(accountobjectid) | where isempty(devicename) | where isempty(aaddeviceid) | project timestamp, ipaddress, accountobjectid, applicationid, sessionid, risklevelduringsignin, browser microsoft sentinel microsoft sentinel customers can use the ti mapping a…”

T1588.006 Vulnerabilities (37%)
“ai as tradecraft: how threat actors operationalize ai threat actors are operationalizing ai along the cyberattack lifecycle to accelerate tradecraft, abusing both intended model capabilities and jailbreaking techniques to bypass safeguards and perform malicious activity. as ente…”

T1588.007 Artificial Intelligence (37%)
“threat actors leveraging ai today. subverting ai safety controls as threat actors integrate ai into their operations, they are not limited to intended or policy-compliant uses of these systems. microsoft threat intelligence has observed threat actors actively experimenting with…”

T1078.004 Cloud Accounts (34%)
“of ai security posture by aggregating security, identity, and data risk across microsoft defender, microsoft entra, and microsoft purview. this allows organizations to understand what ai assets exist in their environment, recognize emerging risk patterns, and prioritize governanc…”

T1598 Phishing for Information (33%)
“, hunting queries, and incident reports. customers can also deploy ai agents, including the following microsoft security copilot agents, to perform security tasks efficiently: threat intelligence briefing agent phishing triage agent threat hunting agent dynamic threat detection …”

T1525 Implant Internal Image (33%)
“of ai security posture by aggregating security, identity, and data risk across microsoft defender, microsoft entra, and microsoft purview. this allows organizations to understand what ai assets exist in their environment, recognize emerging risk patterns, and prioritize governanc…”

T1583.001 Domains (31%)
“| where isnotempty(accountobjectid) | where isempty(devicename) | where isempty(aaddeviceid) | project timestamp, ipaddress, accountobjectid, applicationid, sessionid, risklevelduringsignin, browser microsoft sentinel microsoft sentinel customers can use the ti mapping a…”

Summary

Threat actors are operationalizing AI to scale and sustain malicious activity, accelerating tradecraft and increasing risk for defenders, as illustrated by recent activity from North Korean groups such as Jasper Sleet and Coral Sleet (formerly Storm-1877).

The post AI as tradecraft: How threat actors operationalize AI appeared first on Microsoft Security Blog.