Blogs

AI executes attack chains as enterprise data leakage doubles: Check Point

AI executes attack chains as enterprise data leakage doubles: Check Point


Key Points

  • AI executed 5,317 commands from 1,088 human instructions in Mexican government breach
  • Check Point found security weaknesses in 40 per cent of 10,000 MCP servers examined
  • High-risk AI prompts doubled from 2 to 4 per cent between October 2025 and May 2026

Artificial intelligence is moving beyond assisting cyber criminals and is now performing substantial parts of attacks itself, while rapid enterprise adoption is creating new routes for data loss and system compromise, according to Check Point Research’s AI Report 2026.

The report, released on Wednesday, found that AI was used during the past year for social engineering, malware development, vulnerability research and post-intrusion activities. The techniques are mostly familiar, but automation allows them to be executed faster, at greater scale and with less specialist knowledge.

Advertisement


EVENT

Infosec Reimagined

Infosec Reimagined

Infosec Reimagined 2026 is the premier information security summit where top leaders—CISOs, CROs, CIOs, CTOs and risk executives—converge to redefine cyber resilience.


Register Now →

EVENT

Digital SenateDigital Senate

Digital Senate

Digital Senate is a premier conference uniting government leaders, technologists and innovators to share ideas, success stories and strategies on digital governance, public sector transformation, cybersecurity and emerging technologies in India.


Register Now →

EVENT

CIO PrismCIO Prism

CIO Prism

CIO Prism unites forward-thinking technology leaders to exchange transformative insights, shape digital strategies, and foster innovation, empowering enterprises to excel in an era of rapid technological change.


Register Now →

For chief information security officers, the primary change is speed. Vulnerability disclosures can be converted into working exploits within hours, phishing operations can run across several channels and autonomous tools can continue carrying out tasks between an attacker’s instructions, the report said.

Check Point based its findings on incidents investigated by its researchers, security telemetry and publicly reported cases. Some examples also rely on disclosures from AI providers and could not be independently verified.

The report describes AI-assisted malware as moving from experimentation into operational deployment. In the more common model, AI helps developers write, test and refine malicious code, but the finished malware contains no visible AI component. This makes it difficult for defenders to determine whether AI was involved by examining the final code.

Cybersecurity firm cited VoidLink, a modular Linux command-and-control framework containing about 88,000 lines of code and more than 30 post-exploitation plugins. Researchers initially thought it had taken a team several months to develop. They later concluded that one person had built it in less than a week using a commercial AI coding environment.

The report also cites the Pakistan-linked Transparent Tribe group, also tracked as APT36, as using AI to produce disposable malware targeting Indian government systems. Russian and North Korean-linked groups have similarly used mainstream AI tools to develop customised malware, according to the report.

Commercial AI platforms remain the main source of capability for attackers, rather than specialist criminal chatbots. Criminals typically use legitimate accounts, bypass safety restrictions or obtain stolen credentials for services such as ChatGPT, Gemini and Claude. One campaign examined by researchers collected AI service credentials from more than 30,000 exposed developer configuration files.

Advertisement

AI operates autonomously during intrusions

The greater concern is AI’s emerging role as an active operator during intrusions. In a breach involving nine Mexican government agencies, researchers said one attacker entered 1,088 instructions that produced 5,317 AI-executed commands across 34 sessions. The incident reportedly exposed about 400 million tax, civil registry, vehicle, health and electoral records.

The case showed that a relatively small number of human instructions could produce a much larger volume of automated activity. It also highlighted a detection gap: the AI involvement was reconstructed from the attacker’s infrastructure rather than identified by the affected organisations.

In a Chinese-linked espionage case disclosed by Anthropic, the AI tool Claude Code reportedly completed 80 to 90 per cent of tactical work across about 30 targets, but no indicators of compromise were released.

AI is also accelerating vulnerability research for both defenders and attackers. Models can review software, identify flaws and help produce exploit code, reducing the gap between public disclosure and attempted exploitation. The operational bottleneck is shifting from discovering vulnerabilities to reviewing and deploying fixes.

The report cites an unreleased Anthropic research model that reportedly found more than 10,000 high and critical-severity vulnerabilities during its first month and produced a working exploit on the first attempt in about 83 per cent of cases.

By the numbers

5,317
AI-executed commands from 1,088 human instructions
40%
MCP servers with security weaknesses
4%
Enterprise AI prompts classified as high risk

Check Point said this development should push CISOs to review whether existing vulnerability management processes are fast enough. The report refers to CERT-In guidance calling for immediate containment and patching of critical -facing systems within 12 hours of discovery.

Enterprise AI systems become attack surfaces

The second major risk comes from enterprise AI systems themselves. As organisations connect AI agents to email, documents, source code, cloud services and internal business applications, those agents gain access to sensitive information and the ability to take actions.

Prompt injection — where a malicious instruction is placed inside an email, web page, document or calendar invitation that an AI agent later reads — is one of the main threats. Because large language models may struggle to distinguish instructions from the data they process, the agent could treat hidden content as a legitimate command.

The severity depends less on the model and more on the permissions granted to the agent. An assistant restricted to summarising documents creates limited risk. An agent able to access email, execute code, modify files or approve payments could cause considerably more damage.

The report also flags risks in Model Context Protocol servers — infrastructure that allows AI models to access external data sources and tools — as well as coding assistants, agent skills and configuration files. Check Point said its researchers identified security weaknesses in 40 per cent of 10,000 MCP servers examined.

In another review, researchers found that 428 of about ,500 published code packages accidentally contained local Claude Code settings files. About one in 13 of those exposed live credentials such as NPM tokens and GitHub or Hugging Face keys.

AI-generated voices, faces, documents and live video are reducing the reliability of traditional identity verification. Voice-cloning services can now conduct automated calls designed to obtain passwords and one-time passcodes. Real-time face-swapping has been used during video calls, while synthetic documents and selfie videos can be used to bypass remote know-your-customer checks.

The report cites a controlled study in which people trained to identify faces correctly detected only about 41 per cent of AI-generated faces. Ordinary viewers identified about 30 per cent.

For CISOs, this means that a familiar voice, a video call or an identity document should no longer be accepted as sufficient proof for sensitive requests. High-risk actions should be confirmed through a separate trusted channel, secure credentials or stronger forms of live verification.

The report’s enterprise telemetry shows that generative AI is now embedded in everyday work. Organisations used an average of 10 AI applications each month between October 2025 and May 2026, while average prompts per user rose from 56 in December to 70 in May.

Between 87 and 93 per cent of organisations recorded at least one high-risk AI interaction each month. Check Point defines these as prompts containing sensitive corporate, personal or regulated information sent to an external AI service.

The share of high-risk prompts doubled from 2 per cent to 4 per cent, equivalent to an increase from about one risky prompt in every 50 interactions to one in every 25.

In the Asia-Pacific region, 2.88 per cent of prompts were classified as high risk between January and May, or about one in every 35. Government organisations recorded a 3.01 per cent rate, equivalent to approximately one high-risk interaction in every 33 prompts. Business services had the highest sectoral rate at 5.91 per cent.

Many of these exposures do not involve a malicious employee or external attacker. They result fromnormal work, such as copying source code into a , uploading contracts for analysis or connecting an AI assistant to a corporate document repository. Shadow AI — where employees use personal accounts or unapproved tools — adds another layer of risk. The report cites research indicating that about one in five organisations had company information exposed through such use.

Priorities for security leaders

The report recommends that CISOs treat AI risk as part of the organisation’s core security programme rather than as a separate technology project. That means maintaining an inventory of approved and unapproved AI tools, mapping the data and permissions available to each agent and applying least-privilege access.

Security teams should test agents for prompt injection, unsafe tool use, data leakage and excessive permissions before deployment and after significant changes to models, instructions, integrations or access rights. Real-time monitoring is needed at the point where employees submit prompts or upload files, the report said.

The report also advises organisations to assess third-party AI providers as part of supply-chain risk, monitor exposed model infrastructure and shorten patching and incident-response cycles. Its central message is that the fundamentals have not changed: visibility, identity controls, data protection, vulnerability management and risk assessment remain essential. What has changed is the number of systems that must now be covered and the speed at which attackers can operate.

Your Questions, Answered

How is AI being used in cyber attacks according to Check Point?

AI is now performing substantial parts of attacks autonomously, including social engineering, malware development, vulnerability research and post-intrusion activities. In one case, 1,088 human instructions produced 5,317 AI-executed commands across 34 sessions.

What percentage of enterprise AI interactions are high risk?

Between 87 and 93 per cent of organisations recorded at least one high-risk AI interaction monthly. The share of high-risk prompts doubled from 2 per cent to 4 per cent between October 2025 and May 2026.

What is prompt injection and why is it dangerous?

Prompt injection occurs when malicious instructions are hidden in emails, documents or web pages that AI agents read. Because large language models struggle to distinguish instructions from data, they may treat hidden content as legitimate commands.

How fast can vulnerabilities be exploited with AI assistance?

Vulnerability disclosures can be converted into working exploits within hours. An Anthropic research model reportedly produced a working exploit on the first attempt in about 83 per cent of cases.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *