{"id":7701,"date":"2026-04-06T09:01:00","date_gmt":"2026-04-06T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7701"},"modified":"2026-04-06T09:01:00","modified_gmt":"2026-04-06T09:01:00","slug":"6-ways-attackers-abuse-ai-services-to-hack-your-business","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7701","title":{"rendered":"6 ways attackers abuse AI services to hack your business"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Attackers are starting to exploit AI systems to mount attacks in the same way they once relied on built-in enterprise tools such as PowerShell.<\/p>\n<p>Instead of relying on malware, cybercriminals are increasingly abusing AI tools enterprises depend on \u2014 a trend some experts describe as living off the AI land.<\/p>\n<p>\u201cWe\u2019re seeing it in things like poisoned MCP servers in the supply chain, attackers using legitimate models like Claude to extract sensitive data, and even viral agents like OpenClaw accidentally causing destructive actions,\u201d says Kaushik Shanadi, CTO at Helmet Security, a startup focused on securing agentic AI communications. 
\u201cThe problem is most of these systems were deployed before anyone stopped to think about governance or security.\u201d<\/p>\n<p>The shift from simple prompt injection to \u201cagent hijacking\u201d represents a fundamental change in the AI threat landscape, other security experts told CSO.<\/p>\n<p>\u201cAttackers are no longer just trying to trick a chatbot; they are living off the AI land, abusing the same legitimate automation and memory features that make AI assistants useful,\u201d says Pascal Geenens, VP of cyber threat intelligence at cybersecurity vendor Radware.<\/p>\n<p>Below are some examples of how attackers are subverting AI-based services to stage attacks.<\/p>\n<h2 class=\"wp-block-heading\">MCP server impersonation<\/h2>\n<p>In September 2025, <a href=\"https:\/\/www.csoonline.com\/article\/4064009\/trust-in-mcp-takes-first-in-the-wild-hit-via-squatted-postmark-connector.html\">attackers promoted a counterfeit model context protocol (MCP) server mimicking technology to integrate Postmark<\/a>, a transactional email service owned by ActiveCampaign, into AI assistants.<\/p>\n<p>The fake MCP server package looked legitimate and functioned as a legitimate tool across 15 versions before a single-line code change was introduced that meant sensitive communications \u2014 password resets, invoices, internal memos \u2014 were silently siphoned off for days before the hack was detected.<\/p>\n<p>The malicious package, which attracted 1,500 downloads per week on the popular node.js package registry, exposed enterprises that relied on the tool to a form of supply chain attack.<\/p>\n<p>\u201cThis is the AI equivalent of name-squatting a package registry, except there\u2019s no central MCP authority verifying server identity and no cryptographic link between an MCP server and the organization it claims to represent,\u201d says Brad Micklea, CEO at Jozu, an AI security and MLOps platform. 
\u201cThis breaks the trust model before the MCP is deployed.\u201d<\/p>\n<p>MCP servers \u2014 which allow AI agents and chatbots to <a href=\"https:\/\/www.cio.com\/article\/3991302\/ai-protocols-set-standards-for-scalable-results.html\">connect to data sources, tools, and other services<\/a> \u2014 have recently become the target of varied (for example against <a href=\"https:\/\/www.csoonline.com\/article\/4089046\/rogue-mcp-servers-can-take-over-cursors-built-in-browser.html\">Cursor\u2019s built-in browser<\/a>) and <a href=\"https:\/\/www.csoonline.com\/article\/4012712\/misconfigured-mcp-servers-expose-ai-agent-systems-to-compromise.html\">sustained malicious attacks<\/a>. <a href=\"https:\/\/www.csoonline.com\/article\/4015222\/mcp-uses-and-risks.html\">Locking down these systems<\/a> to minimize risks has become a priority for enterprise CISOs.<\/p>\n<p>\u201cThese servers expose tools, memory, and APIs to AI agents so they can perform tasks,\u201d says Zahra Timsah, PhD, CEO of i-GENTIC AI, an agentic AI governance platform. 
\u201cIf an attacker inserts a poisoned tool, modified connector, or malicious retrieval source into that chain, the AI agent can unknowingly execute it.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Abusing AI platforms as covert C2 channels<\/h2>\n<p>Cybercriminals are also abusing AI platforms as covert command-and-control (C2) channels by turning AI services into proxies that hide malicious traffic inside the flow of legitimate content.<\/p>\n<p>Instead of running a dedicated C2 server, malware is programmed to fetch commands and exfiltrate data through AI services, circumventing traditional security controls in the process.<\/p>\n<p>For example, the <a href=\"https:\/\/www.csoonline.com\/article\/4083999\/new-backdoor-sesameop-abuses-openai-assistants-api-for-stealthy-c2-operations.html\">SesameOp backdoor<\/a> hid command traffic inside the OpenAI Assistants API, camouflaging instructions to malware as normal AI development activity.<\/p>\n<p>This is far from an isolated example and the potential for misuse is rife.<\/p>\n<p>For example, <a href=\"https:\/\/research.checkpoint.com\/2026\/ai-in-the-middle-turning-web-based-ai-services-into-c2-proxies-the-future-of-ai-driven-attacks\/\">Check Point Research demonstrated how Microsoft Copilot and Grok might be manipulated<\/a> through their public web interfaces to fetch attacker-controlled URLs and return responses. 
This behavior opens the door to abuse of AI systems without requiring an API key or authenticated account.<\/p>\n<h2 class=\"wp-block-heading\">Dependency poisoning in AI workflows<\/h2>\n<p>Rather than attacking an AI system directly, some assaults have relied on poisoning downstream dependencies that an agent relies on for data processing.<\/p>\n<p>In one case, a <a href=\"https:\/\/snyk.io\/pt-BR\/blog\/weaponizing-ai-coding-agents-for-malware-in-the-nx-malicious-package\/\">compromised NPM package was injected into an agentic workflow\u2019s dependency chain<\/a>.<\/p>\n<p>\u201cThis mirrors classical supply chain attacks (e.g. SolarWinds), but a poisoned dependency in an agentic pipeline doesn\u2019t just leak data \u2014 it can alter the agent\u2019s decision-making, tool selection, or output without any visible anomaly,\u201d says Jozu\u2019s Micklea.<\/p>\n<h2 class=\"wp-block-heading\">Double agents<\/h2>\n<p>Some attackers are weaponizing vulnerabilities in agents rather than abusing components of an enterprise\u2019s legacy IT infrastructure.<\/p>\n<p>For example, the \u201cEchoLeak\u201d command injection vulnerability in Microsoft 365 Copilot (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2025-32711\">CVE-2025-32711<\/a>) shows that a single email with concealed prompt-injection instructions is sufficient to force the AI assistant to exfiltrate internal files and emails to an external server without user interaction.<\/p>\n<p>A series of vulnerabilities (such as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-25253\">CVE-2026-25253<\/a>) in OpenClaw, the popular open-source personal AI assistant, created a route for a malicious website to take complete control of the developer\u2019s AI agent.<\/p>\n<p>\u201cMore than 21,000 such instances were detected, and the researchers further observed that 12% of the skills marketplace for the OpenClaw platform was distributing malware,\u201d says Dr. 
Suleyman Ozarslan, VP of Picus Labs at Picus Security, a specialist in breach and attack simulation.<\/p>\n<p>Security researchers at <a href=\"https:\/\/www.varonis.com\/blog\/reprompt\">Varonis discovered an attack against Microsoft Copilot Personal<\/a> that sidestepped built-in AI safeguards simply by asking for sensitive data twice.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/4117792\/one-click-is-all-it-takes-how-reprompt-turned-microsoft-copilot-into-data-exfiltration-tools.html\">Reprompt vulnerability<\/a> \u2014 which effectively turned Microsoft Copilot into a data exfiltration tool \u2014 was reported to Microsoft, which has responded by issuing a patch.<\/p>\n<h2 class=\"wp-block-heading\">AI-orchestrated espionage campaigns<\/h2>\n<p><a href=\"https:\/\/www.anthropic.com\/news\/disrupting-AI-espionage\">Anthropic caught threat actors abusing Claude Code<\/a> to manage operational tasks in a cyber-espionage campaign in September 2025.<\/p>\n<p>A suspected Chinese state-sponsored group designated GTG-1002 <a href=\"https:\/\/www.csoonline.com\/article\/4090117\/anthropics-ai-used-in-automated-attacks.html\">used Claude Code to execute 80-90% of tactical operations independently<\/a>, at physically impossible request rates for human operators.<\/p>\n<p>Attackers abused the AI agentic capabilities of Claude Code to automate the process of scripting, target research, building attack tooling, and other functions.<\/p>\n<p>\u201cThe attackers decomposed their operation into thousands of small, individually innocuous tasks, combined with role-play framing that convinced the model it was operating as part of a legitimate security assessment,\u201d explains Yagub Rahimov, CEO at cybersecurity startup Polygraf AI.<\/p>\n<h2 class=\"wp-block-heading\">Creating modular black-hat AI platforms<\/h2>\n<p>The threat landscape has shifted from abusing chatbots to building dedicated, weaponized AI stacks like Xanthorox AI.<\/p>\n<p>Unlike 
general-purpose LLMs, Xanthorox is a purpose-built offensive platform designed specifically for cybercrime. The platform features modules for functions such as malware generation and vulnerability exploits.<\/p>\n<p>\u201cHexstrike AI Model Context Protocol (MCP) integration allows Xanthorox to move beyond mere \u2018assisted\u2019 hacking into the realm of fully autonomous agent systems, moving it into the realm of \u2018vibe hacking,\u2019\u201d says Radware\u2019s Geenens. Hexstrike is an open-source, AI-powered offensive security framework originally designed for ethical penetration testing.<\/p>\n<h2 class=\"wp-block-heading\">Check against delivery<\/h2>\n<p>Zbyn\u011bk Sopuch, CTO of cybersecurity vendor Safetica, says that many attackers are no longer just exploiting software vulnerabilities, preferring instead to exploit the trust organizations place in AI.<\/p>\n<p>\u201cThis means security teams need to treat AI assistants the same exact way they treat human privileged users: with tight control, specific monitoring, and most importantly, never assume anyone or anything to be safe,\u201d Sopuch concludes.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Attackers are starting to exploit AI systems to mount attacks in the same way they once relied on built-in enterprise tools such as PowerShell. Instead of relying on malware, cybercriminals are increasingly abusing AI tools enterprises depend on \u2014 a trend some experts describe as living off the AI land. 
\u201cWe\u2019re seeing it in things [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7702,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7701","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7701"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7701"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7701\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7702"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}