AI Attackers Have Moved Past Phishing. The Data Shows Where They Went

Everyone braced for AI to flood their inbox with better phishing. Instead, AI-assisted phishing declined while attackers moved AI into malware development and autonomous intrusion. Here's what 832 banned accounts reveal, and what it changes for companies that aren't banks.

Usman Akram · · 5 min read

For two years the warning was that AI would flood your inbox with phishing so convincing nobody could spot it. Everybody trained their staff. Everybody bought the awareness module.

Then Anthropic studied 832 accounts it banned for malicious cyber activity between March 2025 and March 2026, and the number that jumps out is this one: AI-assisted phishing fell 8.6% over the period.

Meanwhile, AI-assisted account discovery rose 8.9%. And 67.3% of those accounts, 560 of them, used AI for malware development and attack preparation.

The attackers did not use AI to write better bait. They moved it into the break-in.

Why phishing was never the AI story

In hindsight the decline makes sense, and it is a useful lesson in how attackers actually think about cost.

Phishing was already cheap. It was already effective. A competent criminal did not need a frontier model to write a passable invoice email, and the ones who did need help had templates and translation tools years ago. AI offered a marginal improvement to a step that was not the bottleneck.

The bottleneck was always the technical work. Writing the malware. Understanding the target environment. Chaining an initial foothold into actual access. That part required genuine skill, and that skill requirement was, quietly, one of the better defenses the industry had. It kept a lot of would-be attackers out.

That is the barrier AI just lowered. Two thirds of these actors used it to do the hard part.

The severity curve is the number that should worry you

Volume is not the alarming figure here. Capability is.

Anthropic risk-scored the actors it banned. In the first six-month period of the study, 33% were rated medium risk or higher. By the second six-month period, that share had reached 56%.

Sit with that for a second. Inside a single year, the share of meaningfully dangerous actors in this population went from about a third to more than half. Not because more people showed up, but because the people already there got better, faster, with tools that improve every few months.

Whatever you assume about attacker capability today, the honest planning assumption is that it is a moving target that moves faster than your roadmap.

An agent ran an intrusion, and it was not a demo

In November 2025, Anthropic disrupted an operation where a malicious actor manipulated Claude Code into attempting to infiltrate targets around the world with little human intervention. It was assigned the maximum risk score of 100.

That sentence is worth reading carefully, because it quietly ends a debate. Autonomous agent-run intrusion is not a thing security researchers worry might eventually happen. It happened, at scale, across multiple targets, with a human supervising rather than driving.

The reason this changes the economics is simple. An attacker running intrusions by hand is limited by their own hours. An attacker supervising agents is limited by their compute budget. One of those scales and one does not, and we just learned which.

We have written before about governing AI agents before they become your breach. This is the mirror image of that problem: not your agent misbehaving, but someone else's agent, pointed at you.

Your security framework does not have a word for this

Here is the finding that got the least attention and probably deserves the most.

Anthropic reports that many of the behaviors distinguishing its highest-risk actors are not yet included as techniques in the MITRE ATT&CK framework. On agentic orchestration specifically, it is blunt: there is no ATT&CK ID for it.

If you do not work in security, that sounds like paperwork. It is not. ATT&CK technique IDs are the shared vocabulary that detection rules, security tooling, vendor reports, and threat hunting are all organised around. Detection engineers write rules mapped to techniques. Vendors advertise coverage in terms of techniques.

When a behavior has no ID, it tends to have no rule, no coverage claim, and no line in the report. The framework is being updated, and MITRE and Anthropic are reportedly discussing exactly this. But right now there is a gap between what the most capable attackers are doing and what the industry's shared map can even describe.

What this means if you are not a bank

The instinct on reading threat intelligence like this is to assume it is about somebody else. Nation-state actors, defense contractors, large enterprises with something worth stealing.

That instinct was reasonable when attacks were expensive, because expensive attacks get aimed at valuable targets. It stops being reasonable when the cost of a capable attack collapses. The whole point of the 67.3% figure is that the skill barrier came down, and when the barrier comes down, the target list gets longer, not shorter. Small companies were previously protected by not being worth the effort. That protection is eroding.

None of which means you need an enterprise security program. It means the cheap fundamentals matter more, not less:

  • Assume credentials get stolen and design for it. Phishing-resistant multi-factor authentication on anything with real permissions, and short-lived credentials instead of static keys that work forever.
  • Watch identity behavior, not just files. As we covered in why attackers log in rather than break in, the modern intrusion often involves no malware at all. Files are not where the signal is.
  • Scope your AI tooling like a privileged user. Any agent you have connected to production is credentialed access with autonomy. Least privilege, real audit logs, human approval on consequential actions.
  • Do not confuse tooling coverage with actual coverage. If your vendor's coverage story is a grid of ATT&CK techniques, remember the grid is missing squares for the newest behaviors. Ask what happens when something does not map.

The honest summary

Attackers did not become geniuses. They became efficient. They dropped AI where it gave them leverage, which turned out to be the technical work rather than the social engineering, and they are getting more capable at a rate that a yearly security review cannot track.

The defense is not exotic. It is the boring discipline of identity, least privilege, real logging, and paying attention to the few signals that matter, applied with more urgency than the last time you looked at it.

If you are running software in production and want an honest read on where you would actually get hit, that is what our Security and Compliance practice does. Tell us what you are running and book a discovery call.

All figures in this post are from Anthropic's published analysis of AI-enabled cyber threats mapped to MITRE ATT&CK (3 June 2026). Verified against the primary source on 12 July 2026.

Frequently asked

Is AI making phishing attacks worse?

Less than everyone predicted, and that is the surprise. In Anthropic's study of 832 accounts banned for malicious cyber activity between March 2025 and March 2026, AI-assisted phishing actually fell 8.6% over the period, while AI-assisted account discovery rose 8.9%. The reasonable reading is not that phishing stopped working. It is that phishing was already cheap and effective without AI, so AI gave attackers little advantage there. The real gains were in the technical work further along the attack, which is where they moved it.

What are attackers actually using AI for?

Building the weapon, not just writing the bait. Of the 832 banned accounts Anthropic studied, 560, or 67.3%, used AI for malware development and attack preparation. That represents AI compressing the genuinely hard, skilled part of an attack, which historically was the barrier that kept less capable actors out. The concerning implication is a lowered floor: attacks that once required real expertise are now available to people who do not have it.

Are AI attacks getting more dangerous over time?

Measurably, and quickly. Anthropic scored the actors it banned and found that in the first six months of the study period, 33% were classified medium risk or higher. By the second six-month period, that share had risen to 56%. The population of AI-abusing attackers is not just growing, it is getting more capable. That trajectory over a single year is the part worth planning against.

Can AI agents carry out attacks autonomously?

It has already happened. In November 2025, Anthropic disrupted an operation in which a malicious actor manipulated Claude Code into attempting to infiltrate targets around the world with little human intervention. It received Anthropic's maximum risk score of 100. This matters because it moves autonomous agent-run intrusion from a theoretical concern into a documented event, and the economics of an attack change completely when one operator can supervise many simultaneous intrusions instead of running one by hand.

Why doesn't MITRE ATT&CK cover agentic AI attacks?

Because the behaviors are new and the framework has not caught up. Anthropic found that many of the behaviors distinguishing its highest-risk actors are not yet represented as techniques in MITRE ATT&CK, noting plainly that there is no ATT&CK ID for agentic orchestration. This is a practical problem, not an academic one: a great deal of security tooling, detection engineering, and reporting is organised around ATT&CK technique IDs. When the framework has no name for a behavior, the tools built on it tend not to look for it.

Usman Akram

CTO, IrenicTech

Usman is the CTO of IrenicTech. He builds AI agents, RAG systems, and automations into web and mobile products, and gets them shipped in weeks instead of quarters. He's focused on AI that learns from the people using it, and that's secure enough to trust with real data.

Connect on LinkedIn

Start a conversation

Tell us what you’re building.

Share the essentials and we’ll reply within 4 hours with a real next step, not an auto-responder.

What happens next

  1. We reply within 4 hours, from a real person, not an auto-responder.
  2. A short scoping call to understand the goal, constraints, and timeline.
  3. A fixed-scope discovery sprint: a working prototype and a written estimate.
Office
Austin, TX, United States
Hours
Mon–Fri · Async + scheduled calls

Fields marked are required. By sending you agree to our Privacy Policy.