Enterprises are rapidly integrating agentic AI assistants with high-privilege connections to ticketing systems, source code repositories, chat platforms, and cloud dashboards, enabling actions such as opening pull requests, querying internal databases, and triggering automated workflows with limited human oversight. Reporting citing Cisco’s State of AI Security 2026 indicates many organizations are moving forward with these deployments despite low security readiness, expanding exposure across model interfaces, tool integrations, and the broader supply chain.
Multiple sources highlight that attacker techniques against AI systems are maturing, particularly prompt injection/jailbreaks and multi-turn attacks that exploit session state, memory, and tool-calling to drive unsafe actions or data leakage. Separately, adversaries are using generative AI for deepfake-enabled social engineering (including video/voice impersonation to bypass identity verification and authorize sensitive actions) and for scalable brand impersonation via malicious ad campaigns; one widely cited example involved Arup, where a deepfake video call led to authorization of a fraudulent HK$200 million transfer. Overall, the material is primarily risk and threat reporting (not a single incident), emphasizing that AI systems’ contextual behavior and privileged integrations create new control gaps that traditional security testing and defenses may not detect.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
By February 2026, industry reporting described attackers using generative AI to scale social engineering, brand impersonation, CAPTCHA evasion, voice-biometrics attacks, and emerging attacks on AI agents and MCP-connected infrastructure. Experts noted that criminals were primarily using AI to automate language- and workflow-heavy tasks rather than consistently discovering novel vulnerabilities end-to-end.
By February 2026, security guidance emphasized that traditional scanning and fuzzing were insufficient for stateful, tool-using Model Context Protocol environments and recommended testing full conversation flows, tool-calling logic, and data-exfiltration paths. The same guidance also called for validating post-quantum cryptography deployments against downgrade, fallback, and performance-failure scenarios.
Cisco's State of AI Security 2026 found that most organizations planned to deploy agentic AI into business functions, but only 29% said they were prepared to secure those deployments. The finding underscored a widening gap between adoption and security readiness.
A documented attack showed that a malicious GitHub issue could embed hidden instructions delivered through a Model Context Protocol server, causing an AI agent to be hijacked and private repository data to be exfiltrated. The case highlighted indirect prompt injection risks in tool-connected agent environments.
In the Arup fraud case, a finance worker approved a fraudulent HK$200 million transfer after joining a videoconference that used deepfake impersonation of the company's UK-based CFO. The incident became a prominent real-world example of generative AI-enabled business fraud.
By 2025, prompt-injection and jailbreak techniques had advanced significantly, with multi-turn attacks reportedly achieving up to 92% success across eight open-weight models. This marked a broader escalation in practical offensive techniques against enterprise AI systems.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
gopher.security
Open sourcehelpnetsecurity.com
Open sourcecsoonline.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.