Attackers Went Agentic First
2026-05-27 14:24 Author: binarydefense.com

Mandiant's M-Trends 2026 report puts the median time from initial access to handoff to a secondary threat group at 22 seconds in 2025. In 2022, that same median sat above eight hours. What changed is not that attackers got smarter. What changed is that initial access brokers started pre-staging secondary group malware before the handoff, turning what used to be a marketplace transaction into an automated delivery pipeline. The number is a readout on an assembly line, not a creativity contest.

That assembly line is the through-line for everything below. Three examples follow, each grounded in primary sources, each pointing to a specific shift in what defenders should prioritize. The offense side standardized while the defense side is still calibrating. Closing that gap starts with being precise about what changed.

The vishing-to-MFA-reset path is the cloud entry of choice now

Voice phishing is the top initial access vector in cloud-specific compromises at 23%, per M-Trends 2026. Second place is not close. The reason is not that attackers invented a new technique. It is that vishing bypasses MFA at the help-desk procedure, not at the protocol.

UNC3944, also tracked as Scattered Spider, built this playbook. The group pivoted from broad phishing toward targeted vishing: specifically calling IT help desks to push through password resets and MFA changes. The May 2025 UK retail wave hit M&S, Co-op, and Harrods using variations of the same approach. LLM-assisted lures, AI-generated pretexts, and clean-accent call audio make this more scalable. The technique was already working before AI entered the picture. AI made it cheaper to run at volume.

Picture a Saturday afternoon at a 1,000-person org running M365 and Entra. The help desk is staffed by an IT generalist, not a security analyst. The attack is a phone call. It ends with a reset MFA token. Technical controls are not in the loop for any of that, which is exactly why the controls that actually catch this attack are procedural. Callback verification to a known number before any MFA reset. Manager approval as a second gate. Post-reset anomalous sign-in detection to catch the cases where the call still went through. M-Trends 2026 makes the point directly: interactive attacks are significantly more resilient against automated technical controls. The control that closes this gap is a procedure, not a product.
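
The procedural gates (callback, manager approval) live outside telemetry, but the third control described above, post-reset anomalous sign-in detection, is something a detection engineer can write down. The following is an added example, not code from the original post or from Binary Defense: it joins a help-desk MFA-reset audit record to the sign-ins that follow it and flags any success from a device or country the user had never used before the reset. The field names (`ts`, `user`, `device`, `country`, `actor`, `action`, `result`) and the sample events are constructed assumptions standing in for whatever your identity provider exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real tenant). Field names are
# assumptions standing in for the IdP's audit and sign-in log exports.
MFA_RESETS = [
    {"ts": "2026-05-23T14:05:00", "user": "jdoe", "actor": "helpdesk1",
     "action": "mfa_method_reset"},
]
SIGNINS = [
    # jdoe's history before the reset: one corporate laptop, one country
    {"ts": "2026-05-20T09:00:00", "user": "jdoe", "device": "LAPTOP-JDOE",
     "country": "GB", "result": "success"},
    {"ts": "2026-05-21T09:10:00", "user": "jdoe", "device": "LAPTOP-JDOE",
     "country": "GB", "result": "success"},
    # 16 minutes after the help-desk reset: new device and new country
    {"ts": "2026-05-23T14:21:00", "user": "jdoe", "device": "DESKTOP-7F3A",
     "country": "US", "result": "success"},
    # unrelated user with no reset on record: never evaluated
    {"ts": "2026-05-23T15:00:00", "user": "asmith", "device": "LAPTOP-ASMITH",
     "country": "GB", "result": "success"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(signins, before):
    """Per-user devices and countries seen in successful sign-ins before `before`."""
    devices, countries = defaultdict(set), defaultdict(set)
    for s in signins:
        if s["result"] == "success" and parse(s["ts"]) < before:
            devices[s["user"]].add(s["device"])
            countries[s["user"]].add(s["country"])
    return devices, countries


def post_reset_anomalies(resets, signins, window=timedelta(hours=24)):
    """Flag successful sign-ins inside `window` after an MFA reset that come
    from a device or country the user had never used before the reset."""
    findings = []
    for r in resets:
        t0 = parse(r["ts"])
        devices, countries = build_baseline(signins, t0)
        for s in signins:
            if s["user"] != r["user"] or s["result"] != "success":
                continue
            t = parse(s["ts"])
            if not (t0 <= t <= t0 + window):
                continue
            new_device = s["device"] not in devices[s["user"]]
            new_country = s["country"] not in countries[s["user"]]
            if new_device or new_country:
                findings.append({
                    "user": s["user"],
                    "reset_by": r["actor"],
                    "minutes_after_reset": int((t - t0).total_seconds() // 60),
                    "new_device": new_device,
                    "new_country": new_country,
                    # both signals together is the strongest indication that
                    # the reset itself was socially engineered
                    "severity": "high" if (new_device and new_country) else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in post_reset_anomalies(MFA_RESETS, SIGNINS):
        print(f)
```

The baseline is rebuilt at the reset timestamp rather than at query time so that the attacker's own post-reset sign-ins cannot teach the detector that the new device is normal. The finding carries the help-desk actor so the SOC can route it back to the person who approved the reset.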

PhaaS at $120 a month is the commoditization story, not the kit story

Vishing exploits a human procedure. The next category exploits the protocol itself, and it has become a subscription business.

Before the March 2026 coordinated disruption led by Microsoft and Europol with an industry coalition of partners, Tycoon 2FA was an adversary-in-the-middle phishing-as-a-service platform reaching more than 500,000 organizations per month. Priced at $120 for ten days or $350 a month. Web-based admin panel. Pre-built M365, OneDrive, SharePoint, and Outlook sign-in templates. Session-cookie theft that bypassed M365 MFA at the protocol layer.

The kit is gone. The model is not. Dozens of similar kits operate on the same subscription structure, and the next one is already in market. This is what commoditization looks like on the attacker side: a moderately skilled operator can run enterprise-scale credential theft through software they rented this week.

Tycoon 2FA mimicked the exact sign-in surfaces a 1,500-employee org running M365 sees every day. The bypass is session-cookie theft, which means the MFA prompt fires, the user authenticates, and the attacker wins anyway. The user did everything right. The attacker still walked away with an authenticated session token.

| What MFA blocks | What AiTM bypasses |
| --- | --- |
| Credential interception (attacker captures username + password) | Session-cookie interception (attacker captures authenticated session after MFA succeeds) |
| Replay of static credentials | Replay of live, valid session tokens |
| Brute-force and spray against the password layer | Post-authentication access using a stolen token the identity provider trusts |

That is the point about MFA worth holding onto: it is not the control that catches AiTM. The controls that catch it are session-token telemetry, conditional access policies that bind tokens to device posture and network signals, and detections tuned for anomalous token reuse from a new device or geography. If your detection engineering is focused on the authentication event and not the post-authentication session behavior, you are looking at the wrong layer.
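
To make the "wrong layer" point concrete, here is an added example (not code from the original post or from any identity provider's product) that works on session telemetry rather than on the authentication event. It does two things: it evaluates the same replayed request against a stylised MFA-only policy and against a policy that also requires a managed device, and it runs a post-authentication detection that flags a session token presented from a different device, or from a different ASN within an hour of the MFA prompt. The event fields (`session`, `asn`, `managed`, `mfa` with values `prompt` or `token_claim`) and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed session telemetry (not from any real tenant). Field names are
# assumptions standing in for an IdP's sign-in export: "mfa" records whether
# the request satisfied MFA with a fresh prompt or with a claim already in
# the presented session token.
SESSION_EVENTS = [
    # Victim authenticates through the AiTM proxy. The prompt fires, MFA succeeds.
    {"ts": "2026-05-23T10:00:00", "user": "jdoe", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS64500", "device": "LAPTOP-JDOE",
     "managed": True, "mfa": "prompt"},
    # Seven minutes later the stolen cookie is presented from elsewhere.
    {"ts": "2026-05-23T10:07:00", "user": "jdoe", "session": "S1",
     "ip": "198.51.100.77", "asn": "AS64510", "device": "unknown",
     "managed": False, "mfa": "token_claim"},
    # Healthy session: same device and network all day.
    {"ts": "2026-05-23T09:00:00", "user": "asmith", "session": "S2",
     "ip": "203.0.113.20", "asn": "AS64500", "device": "LAPTOP-ASMITH",
     "managed": True, "mfa": "prompt"},
    {"ts": "2026-05-23T13:00:00", "user": "asmith", "session": "S2",
     "ip": "203.0.113.20", "asn": "AS64500", "device": "LAPTOP-ASMITH",
     "managed": True, "mfa": "token_claim"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


# Two stylised conditional-access policies, evaluated per request.
def policy_mfa_only(event):
    """Weak: any request carrying a valid MFA claim is allowed. A replayed
    AiTM session token carries that claim, so this lets the attacker in."""
    return event["mfa"] in ("prompt", "token_claim")


def policy_mfa_plus_device_binding(event):
    """Corrected: the MFA claim is only honoured when the request also comes
    from a managed device, so a token lifted off the wire is not enough."""
    return policy_mfa_only(event) and event["managed"]


def detect_token_reuse(events, window=timedelta(hours=1)):
    """Post-authentication detection: the same session token presented from a
    different device, or from a different ASN within `window` of the prompt."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        origin = evs[0]  # the request where the MFA prompt actually fired
        for e in evs[1:]:
            elapsed = parse(e["ts"]) - parse(origin["ts"])
            changed = [k for k in ("ip", "asn", "device") if e[k] != origin[k]]
            if "device" in changed or ("asn" in changed and elapsed <= window):
                findings.append({
                    "session": sid, "user": e["user"], "changed": changed,
                    "minutes_after_prompt": int(elapsed.total_seconds() // 60),
                    # a replayed token satisfies MFA without a new prompt
                    "mfa_from_token_claim": e["mfa"] == "token_claim",
                    "allowed_by_mfa_only": policy_mfa_only(e),
                    "allowed_with_device_binding": policy_mfa_plus_device_binding(e),
                })
    return findings


if __name__ == "__main__":
    for f in detect_token_reuse(SESSION_EVENTS):
        print(f)
```

The finding records both policy outcomes side by side, which is the useful readout: the MFA-only policy admits the replay because the token genuinely carries an MFA claim, while the device-bound policy denies it without the detection ever having to fire. Keep the detection anyway; it is the safety net for the tenants and apps that cannot yet enforce device binding.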

The Anthropic disclosure is the first time the kill chain ran itself

Those first two examples are well-documented tradecraft executed at scale. The third example is more recent, and qualitatively different.

In September 2025, a Chinese state-sponsored actor used Claude Code to execute a multi-target espionage campaign against approximately 30 organizations, including large technology companies, financial institutions, chemical manufacturers, and government agencies. Anthropic published its disclosure in November 2025. The attackers broke the operation into seemingly innocuous subtasks, misrepresenting the system as a defensive security tool. Humans set strategy and provided approvals at four to six decision points per campaign. The AI handled the rest: reconnaissance, exploit development, credential harvesting, persistence, and exfiltration, roughly 80 to 90 percent of operational tasks.

The novel part is not what an AI can do in a controlled environment. It is that the operation was deliberately fragmented and shipped against live targets. Each individual step looked like routine administrative activity. The campaign only resolves as a campaign when you look at the full timeline across endpoint, identity, and network. A suspicious PowerShell call at 3:02am. A new persistence key at 3:03am. An unexpected outbound HTTPS connection at 3:04am. The alert on any one of those is low-confidence. The three together, in that sequence, on a user account that has never worked a Saturday night, are a campaign.
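
The 3:02/3:03/3:04 sequence is a correlation rule waiting to be written. The following is an added example (not code from the original post or from Anthropic's disclosure) that groups events from endpoint and network telemetry per host and user, looks for the execution, persistence, outbound stage chain inside a ten-minute window, and raises severity when the chain starts outside that user's activity baseline, the "never worked a Saturday night" signal. The stage labels, the per-user baseline table and all sample events are constructed assumptions; real EDR and proxy exports will need a mapping step onto these fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage order the narrative describes: execution, then persistence, then an
# outbound connection. Each event on its own is low-confidence.
STAGES = ["execution", "persistence", "outbound"]

# Constructed events from two telemetry sources (not real logs). Field names
# are assumptions; real EDR/IdP/proxy exports differ.
EVENTS = [
    {"ts": "2026-05-23T03:02:00", "source": "endpoint", "host": "WS-042", "user": "jdoe",
     "stage": "execution", "detail": "suspicious PowerShell invocation"},
    {"ts": "2026-05-23T03:03:00", "source": "endpoint", "host": "WS-042", "user": "jdoe",
     "stage": "persistence", "detail": "new autostart registry key"},
    {"ts": "2026-05-23T03:04:00", "source": "network", "host": "WS-042", "user": "jdoe",
     "stage": "outbound", "detail": "HTTPS to never-before-seen destination"},
    # Admin doing real work on a Thursday: execution, then an unrelated
    # outbound connection an hour later, no persistence in between. Not a chain.
    {"ts": "2026-05-21T10:00:00", "source": "endpoint", "host": "WS-007", "user": "admin1",
     "stage": "execution", "detail": "PowerShell from admin console"},
    {"ts": "2026-05-21T11:00:00", "source": "network", "host": "WS-007", "user": "admin1",
     "stage": "outbound", "detail": "HTTPS to vendor portal"},
]

# Per-user activity baseline (constructed): weekday indices 0..4 are Mon..Fri.
BASELINE = {
    "jdoe": {"days": {0, 1, 2, 3, 4}, "hours": set(range(8, 19))},
    "admin1": {"days": {0, 1, 2, 3, 4}, "hours": set(range(7, 21))},
}


def parse(ts):
    return datetime.fromisoformat(ts)


def stage_chain_present(evs):
    """True if every stage in STAGES occurs in evs in that order
    (evs must be time-sorted; unrelated events may interleave)."""
    idx = 0
    for e in evs:
        if e["stage"] == STAGES[idx]:
            idx += 1
            if idx == len(STAGES):
                return True
    return False


def outside_baseline(user, ts, baseline):
    b = baseline.get(user)
    if b is None:
        return True  # no history at all is itself anomalous
    return ts.weekday() not in b["days"] or ts.hour not in b["hours"]


def find_campaigns(events, baseline, window=timedelta(minutes=10)):
    """Correlate per (host, user): a full stage chain inside `window` is a
    campaign-shaped timeline, and off-baseline timing raises its severity."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["user"])].append(e)
    findings = []
    for (host, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            t0 = parse(start["ts"])
            chunk = [e for e in evs[i:] if parse(e["ts"]) - t0 <= window]
            if stage_chain_present(chunk):
                off = outside_baseline(user, t0, baseline)
                findings.append({
                    "host": host, "user": user, "start": start["ts"],
                    "stages": [e["stage"] for e in chunk],
                    "sources": sorted({e["source"] for e in chunk}),
                    "off_baseline": off,
                    "severity": "high" if off else "medium",
                })
                break  # report each host/user chain once
    return findings


if __name__ == "__main__":
    for f in find_campaigns(EVENTS, BASELINE):
        print(f)
```

The chain check is order-sensitive on purpose: persistence after execution after nothing is the shape the narrative describes, and the same three event types scattered across a working day in a different order should not fire. The baseline is a deliberately small table here; in production it is the thing that needs calibrating per user and per admin role, which is the point the next paragraphs make.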

Two malware families documented by Google's Threat Intelligence Group point in the same direction. PROMPTSTEAL is a Python data-miner that queries an LLM at runtime to generate Windows exfiltration commands on the fly. It is attributed to APT28/FROZENLAKE and has been deployed operationally against Ukrainian targets. PROMPTFLUX is a VBScript dropper that rewrites its own source code periodically via the Gemini API and persists via the Startup folder. GTIG assesses PROMPTFLUX as experimental, but it shows where this category is heading. A Defender for Endpoint rule matched to a known hash catches neither of them. The detection posture that works is behavioral: unusual outbound connections to AI API endpoints and runtime code generation activity.
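
Hash-based rules cannot catch code that generates its own next instruction at runtime, so the detection has to key on behaviour. The following is an added example (not code from the original post, and not GTIG's or any vendor's detection content) that runs three behavioural rules over constructed endpoint telemetry: a process outside a browser allowlist connecting to a hosted LLM API endpoint, a script interpreter writing to the very script it was launched with, and a script interpreter writing into a Startup folder. The hostname list, the process allowlist, the field names and all sample events are assumptions; treat the hostname set as something you maintain from your own proxy logs rather than as complete.

```python
from collections import defaultdict

# Illustrative hostnames for hosted LLM APIs (assumed list; maintain your own).
AI_API_HOSTS = {
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",  # Gemini API
}
# Processes expected to talk to those endpoints (assumed allowlist).
ALLOWED_AI_CLIENTS = {"msedge.exe", "chrome.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "python.exe", "powershell.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed endpoint telemetry (not real EDR output). Field names assumed.
PROC_EVENTS = [
    {"type": "process_start", "host": "WS-042", "pid": 4120, "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\jdoe\\AppData\\Roaming\\updater.vbs"},
    {"type": "net_connect", "host": "WS-042", "pid": 4120,
     "dest": "generativelanguage.googleapis.com", "port": 443},
    # the script rewrites its own source file
    {"type": "file_write", "host": "WS-042", "pid": 4120,
     "path": "C:\\Users\\jdoe\\AppData\\Roaming\\updater.vbs"},
    # and drops a copy into the Startup folder
    {"type": "file_write", "host": "WS-042", "pid": 4120,
     "path": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.vbs"},
    # Benign: a browser reaching an AI endpoint.
    {"type": "process_start", "host": "WS-007", "pid": 5000, "image": "msedge.exe",
     "cmdline": "msedge.exe"},
    {"type": "net_connect", "host": "WS-007", "pid": 5000, "dest": "api.openai.com", "port": 443},
    # Benign: a data script writing a report, no self-modification, no network.
    {"type": "process_start", "host": "WS-007", "pid": 5100, "image": "python.exe",
     "cmdline": "python.exe report.py"},
    {"type": "file_write", "host": "WS-007", "pid": 5100, "path": "C:\\Users\\asmith\\report.csv"},
]


def script_path(cmdline):
    """Best-effort: the last command-line token that looks like a script file."""
    for tok in reversed(cmdline.split()):
        if tok.lower().endswith((".vbs", ".js", ".ps1", ".py")):
            return tok.lower()
    return None


def behavioural_findings(events):
    """Apply the three rules per (host, pid); two or more hits is high severity."""
    procs = {}
    hits = defaultdict(set)
    for e in events:
        key = (e["host"], e["pid"])
        if e["type"] == "process_start":
            procs[key] = e
            continue
        p = procs.get(key)
        if p is None:
            continue  # no process context for this pid; skip rather than guess
        image = p["image"].lower()
        if (e["type"] == "net_connect" and e["dest"] in AI_API_HOSTS
                and image not in ALLOWED_AI_CLIENTS):
            hits[key].add("ai_api_from_unexpected_process")
        if e["type"] == "file_write" and image in SCRIPT_HOSTS:
            path = e["path"].lower()
            if path == script_path(p["cmdline"]):
                hits[key].add("script_rewrites_own_source")
            if STARTUP_MARKER in path:
                hits[key].add("script_writes_startup_folder")
    return [{"host": h, "pid": pid, "image": procs[(h, pid)]["image"],
             "rules": sorted(r), "severity": "high" if len(r) > 1 else "medium"}
            for (h, pid), r in hits.items()]


if __name__ == "__main__":
    for f in behavioural_findings(PROC_EVENTS):
        print(f)
```

None of the three rules needs a sample of the malware. The first one will also surface legitimate internal tooling that calls an LLM API, which is exactly the inventory a SOC needs before it can baseline the rest; the allowlist grows from those findings rather than being guessed up front.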

Pull all of that together and the defender response that matches it is correlation across endpoint, identity, and network telemetry, anchored by analysts working campaign-shaped timelines rather than ticket-shaped events. Behavioral baselines on administrative activity so the anomaly surface is actually calibrated. Against a sophisticated actor running an AI-orchestrated kill chain, the assumption that an attacker still has to manually advance each step is not reliable. That changes the detection posture, not just the detection speed.

What this changes

Three examples, one through-line. AI did not invent the vishing playbook, the session-cookie bypass, or the fragmented kill chain. It made each of them cheaper, faster, and more accessible to operators who would not have run them otherwise. That is the structural shift, and it is what compressed the time window and lowered the skill floor on the attacker side.

The defender response that matches this is not a faster automated triage layer on its own. It is verification applied to human-facing procedures. Token-binding and conditional access tuned to the bypass path the kit actually uses. Analyst attention applied to campaign-shaped timelines rather than individual alert queues. Each of those is a place where attacker tooling created a gap that the corresponding defender response closes through judgment, not just throughput.

The SANS SOC Survey 2025 found that 42% of SOCs are using AI and ML tools with no customization, and satisfaction with generative AI tools specifically ranks last among SOC technologies in that survey. That is not a story about defenders refusing to adopt. It is a story about defenders still calibrating what good looks like. The attacker side did not wait for that calibration to finish.

My take: defenders are not behind because they are slow. They are behind because the adoption curve on the offense side required a Telegram account and a monthly subscription. The adoption curve on the defense side required procurement, integration, and change management. That gap is closable, and being precise about where attacker tooling actually changed the threat is the first move toward closing it.

If attacker speed is the edge AI gave the offense, the question that follows is what defenders keep human, and where.

Next in the series: Machines Triage. Humans Decide. The attacker's agentic tooling is optimized for throughput. The question is what defenders optimize for in response, and whether "faster" is even the right axis.


Article source: https://binarydefense.com/resources/blog/attackers-went-agentic-first