Attackers Went Agentic First

The report synthesizes 2025–2026 observations showing a structural shift: attackers standardized and commoditized access (vishing to MFA resets, subscription AiTM phishing services) and began using AI to fragment and automate kill chains. Consequences include faster, lower‑skill attacks that bypass MFA via session‑token theft and human‑procedure manipulations; defenders should prioritize procedural verification, token‑binding/conditional access, and cross‑telemetry correlation to detect campaign‑shaped activity.