Threat actor abuse of AI is moving from AI as a tool to AI as part of the cyberattack surface itself, with threat actors embedding AI to plan, refine, and sustain operations, not just accelerate them, according to Microsoft Security Blog. The piece notes that the shift is global in scope: threat activity spans every region, with the United States representing nearly 25% of observed activity and the UK, Israel, and Germany following closely.
It highlights that threat actors are embedding AI across reconnaissance, malware development, and post‑compromise operations, while still retaining a human in the loop to power campaigns.
A key exemplar is Tycoon2FA, a subscription platform that generated tens of millions of phishing emails per month and was linked to nearly 100,000 compromised organisations since 2023, accounting for roughly 62% of all phishing attempts blocked by Microsoft at its peak, with the operation designed to defeat MFA through adversary‑in‑the‑middle techniques.
The post also describes disruption efforts, noting that Microsoft’s Digital Crimes Unit seized 330 Tycoon2FA domains in coordination with Europol and industry partners earlier this month, aiming to pressure the supply chain and disrupt the economic engine behind attacks. According to Microsoft Security Blog, the broad shift is toward an ecosystem that industrialises access, with AI enabling scalable, interoperable services across phishing templates, infrastructure, distribution, and monetisation.

2 April 2026.