AAIE: HOW ARTIFICIAL INTELLIGENCE IS RESHAPING THE THEFT OF TRADE SECRETS, MODELS, AND ACCESS

Published On : 2026-07-16
Share :
AAIE: HOW ARTIFICIAL INTELLIGENCE IS RESHAPING THE THEFT OF TRADE SECRETS, MODELS, AND ACCESS

EXECUTIVE SUMMARY

Industrial espionage has always been a game of cost. Stealing a competitor’s formula, a rival state’s defense design, or a company’s unreleased product roadmap has traditionally required time, trained people, and risk: a recruited insider, a skilled intrusion team, months of patient reconnaissance. That cost structure is what made espionage rare enough to be a specialist’s problem rather than every organization’s problem.

Artificial intelligence has broken that cost structure across every stage of the espionage lifecycle at once. Reconnaissance that once took a human analyst weeks can now be automated across thousands of public sources in hours. Intrusion campaigns that once needed a coordinated team can now be orchestrated by an AI agent with only a handful of human checkpoints. Building a false identity convincing enough to pass a job interview once required real tradecraft; it can now be assembled from generative tools in an afternoon. Even the theft of an AI model’s own capabilities, its weights, its reasoning patterns, has become a viable espionage target, not just the data the model was trained on.

This report defines that shift as AI-Accelerated Industrial Espionage (AAIE): the use of artificial intelligence to reduce the cost, time, and skill required at any stage of stealing proprietary information, technology, or competitive advantage. AAIE is not one technique. It names a pattern across six distinct vectors, each independently documented in the past year, that together describe how AI has reshaped this threat category.

None of these six vectors is speculative. Each has a real, named, publicly documented case behind it. What makes AAIE a distinct category worth naming, rather than six unrelated stories, is that these vectors increasingly compound. A leaked credential from one vector becomes the entry point for another. A stolen dataset from a negligent AI use case becomes training material for a rival’s model. A fabricated employee becomes the delivery mechanism for a technical exploit. This report also looks past what has already been reported, identifying assumptions that current security programs are likely still making, and where AI has quietly invalidated them.

METHODOLOGY AND SCOPE

This report covers publicly reported activity from roughly June 2025 through July 2026, the window spanning the first named AI-native malware family through the most recent vishing and distillation reporting cited here. Everything in it is drawn from public sources: vendor threat intelligence disclosures, court filings, government advisories, and breach reporting.

Confidence varies across the report, and it is worth being explicit about where. Most of it rests on named, publicly documented cases, GTG-1002, PROMPTFLUX and its companion malware, the North Korean IT worker reporting, the Charter Communications breach, and the distillation disclosures from OpenAI, Google, and Anthropic. A claim resting on a single vendor’s account, GTG-1002 being the clearest example, is presented with that same single-source caveat rather than upgraded to a confirmed finding, including the independent researcher pushback on that disclosure noted later in this report.

The AI Supply Chain Espionage and Agent Privilege Escalation sections sit in a middle tier. The underlying technical patterns, slopsquatting, malicious models surfacing on public repositories, and agents accumulating broad system access are independently documented. Their specific application to industrial espionage, rather than to malware distribution or availability risk more broadly, is CYFIRMA’s own reasonable extension of that documented pattern, not a named espionage case being cited as proof. That distinction is called out inline in both sections rather than left implicit.

Two remaining sections depart from public sourcing entirely, on purpose, and are labeled as such throughout. Doors No One’s Watching Yet and When the Dots Connect are CYFIRMA’s own forward assessment, reasoned from technical building blocks that already exist rather than from an observed campaign.

THE SPEED OF COMPROMISE

A handful of figures make the scale of this shift concrete.

  • Anthropic’s disclosure of the GTG-1002 campaign describes AI executing an estimated 80 to 90 percent of tactical operations across roughly 30 targeted organizations, with human operators intervening only at a handful of strategic checkpoints.
  • Mandiant’s M-Trends 2026 reported the threat group UNC3944 going from initial access via help desk vishing to domain administrator privileges in roughly 40 minutes.
  • Mandiant reports that highly interactive vishing attacks recently became the second most observed intrusion vector, accounting for 11 percent of all intrusions.
  • The Verizon 2026 Data Breach Investigations Report attributes pretexting, meaning live voice, chat, or callback manipulation, to 6 percent of initial access in its breach sample, with phone-centric attack simulations failing at a median rate roughly 40 percent higher than email.
  • Voice cloning now needs as little as three seconds of source audio to produce a convincing replica of someone’s voice, and AI-generated voice has reportedly crossed the threshold where average listeners can no longer reliably distinguish it from a real one.
  • Vishing attacks surged 442 percent in the second half of 2024 and now account for over 60 percent of phishing-related incident response engagements.
  • In April 2026, the ShinyHunters group used a vishing scam to breach Charter Communications and obtain 4.9 million records.
  • Anthropic disclosed a first campaign in February 2026, detecting roughly 16 million queries from approximately 24,000 fake accounts believed to be part of a coordinated attempt to distill its models without authorization. A second, larger campaign followed in June 2026, this one tied to Alibaba’s Qwen models, involving roughly 28.8 million queries across about 25,000 accounts. OpenAI and Google have each made comparable disclosures independently, against the same category of activity.

One figure here is a forecast rather than a confirmed event and is worth weighing differently from the incident and prevalence data around it; Deloitte projects deepfake-enabled fraud losses will reach 40 billion USD by 2027.

WHAT IS AAIE

AI-Accelerated Industrial Espionage describes the use of artificial intelligence to compress the cost, time, and expertise required at any point in the espionage lifecycle, from initial reconnaissance through exfiltration. It is a category, not a single technique, and it spans six distinct vectors:

Autonomous Agentic Intrusion: AI agents conducting reconnaissance, exploitation, and data triage with minimal human direction.

AI-Native Malware and Tooling: Malicious code that calls out to an AI model as part of its own operating logic, rather than AI merely being used by the operator beforehand.

Model and Data Distillation Theft: The theft of an AI model’s weights, outputs, or reasoning patterns, treating the model itself as the intellectual property target.

AI-Enabled Insider Infiltration: Generative tools are used to fabricate a credible employee identity and pass hiring screens, embedding an operative with legitimate access.

Shadow AI Leakage: Unintentional exposure of proprietary information through employees’ everyday use of consumer AI tools, with no adversary directing it.

AI Voice Cloning and Synthetic Pretext: Real-time, conversational cloned voices used to defeat the human trust that help desks, finance teams, and executives rely on.

These vectors map differently onto different actor types. Nation-states lean on autonomous agentic intrusion and AI-native malware, and increasingly on insider infiltration too. Criminal-for-hire operations lean heavily on voice cloning; the Scattered Spider and ShinyHunters pattern is the clearest example, alongside AI-native malware. Corporate rivals show up mainly in distillation theft, and even there, the publicly documented cases are isolated rather than routine. We have not found a publicly documented case of a corporate rival using voice cloning specifically, so that combination stays off the table rather than being asserted on the strength of the other five. Insider infiltration sits at the intersection of state-sponsored operations and organized cybercrime. Shadow AI leakage is different in kind: it is almost never the product of a directed actor at all; it is a byproduct of ordinary employee behaviour, which is precisely what makes it hard to defend against using tools built to stop intentional attacks.

Actor Type Primary Vectors Evidence Basis
Nation-state Autonomous Agentic Intrusion, AI-Native Malware, Insider Infiltration Confirmed
Corporate rival Distillation Theft (isolated, publicly alleged cases) Alleged
Criminal-for-hire Voice Cloning, AI-Native Malware Confirmed
Negligent insider (no adversary) Shadow AI Leakage Confirmed

WHO’S IN THE BLAST RADIUS

Technology and software companies sit closest to the blast radius. Source code, model weights, and unreleased product roadmaps are the assets most worth stealing, and the same engineers who write that code are also the heaviest users of AI coding assistants, which makes this sector unusually exposed to both distillation theft and shadow AI leakage at once.

Financial services face different combination of pressures. Trading algorithms, M&A due diligence data, and customer financial records are valuable enough to justify real investment from an attacker, and the sector’s traditional reliance on call centers and phone-based identity verification makes it a natural target for voice cloning and vishing specifically.

Pharmaceutical and biotechnology firms have been a top target for classic industrial espionage for decades, long before AI entered the picture, and nothing about that has changed. What has changed is the timeline: formulas, trial data, and years of research investment can now be exfiltrated in minutes rather than smuggled out over months.

Chemicals and manufacturing companies might seem like an unlikely target for an AI-driven threat, but they were named specifically in the GTG-1002 disclosure, a useful reminder that this is not a software-industry problem wearing a new label. Process designs and proprietary formulations are just as exposed as anything digital.

Government-adjacent contractors and defense supply chains carry a particular kind of risk. Subcontractors typically have weaker security postures than the prime contractors they serve, which makes them an attractive intermediate step for state-linked actors trying to reach classified or export-controlled designs without attacking the harder target directly.

Semiconductor and hardware companies round out the picture, and increasingly for a reason specific to this report’s subject: AI hardware is now a strategic asset, not just a tool used to conduct espionage against other industries. Chip architecture and fabrication process details are drawing the kind of attention once reserved for defense technology.

KNOWN METHODS: SIX DOORS, ALREADY OPEN

Autonomous Agentic Intrusion: An AI agent is given a target and broad operating latitude rather than a fixed script, then conducts reconnaissance, identifies exploitable weaknesses, harvests credentials, and triages stolen data by intelligence value largely on its own, with a human operator approving only a small number of strategic decisions. Anthropic’s disclosure of the GTG-1002 campaign, attributed to a Chinese state-linked group, describes this pattern across roughly 30 organizations spanning technology, finance, chemicals, and government, with AI performing an estimated 80 to 90 percent of the tactical work. Some independent researchers have publicly questioned how novel or fully verifiable the claims are, which is worth noting for balance, but the underlying pattern, AI handling the bulk of tactical execution while humans set direction, is consistent with what defenders are now seeing more broadly.

AI-Native Malware and Tooling: Rather than an operator using AI before an attack, the malware itself queries an AI model mid-execution. Mandiant’s M-Trends 2026 names PROMPTFLUX, a dropper that rewrites its own code hourly via a live API call to a generative model, PROMPTSTEAL, a malware attributed to the group tracked as APT28 that queries an LLM to generate its document-theft commands on the fly, and QUIETVAULT, a credential stealer that specifically hunts for local AI command-line tools and their stored authentication tokens. This is a meaningful shift from AI as a productivity aid for attackers to AI as a runtime dependency inside the malware.

Model and Data Distillation Theft: Sometimes the thing being stolen is not a document or a database but the AI model itself, its weights, its outputs, the reasoning patterns embedded in how it answers. OpenAI, Google, and Anthropic have each separately reported large-scale unauthorized distillation attempts against their frontier models, generally traced back to competing labs, carried out through enormous volumes of automated queries submitted via networks of fake accounts built specifically to reconstruct a proprietary model’s behavior on the cheap. It is a target most organizations have never had to think about defending, and it barely existed as a category before AI made it valuable.

The same logic extends further back in the pipeline than the finished model. Training datasets, human feedback used in reinforcement learning, and evaluation datasets represent a comparable amount of investment and are frequently less protected than the model weights they produced, since organizations tend to treat the finished model as the crown jewel and the data that shaped it as disposable scaffolding. An adversary who cannot reach a competitor’s model weights directly may still reach the labeling vendors, feedback pipelines, or evaluation sets behind it, a softer target with a comparable payoff.

AI-Enabled Insider Infiltration: Generative tools can now build an entire fabricated employment history end to end, a resume tailored precisely to the job description, a synthesized professional photo, and, more recently, real-time AI coaching or deepfake video during the interview itself. Reporting on North Korean IT worker infiltration describes operatives using exactly this toolkit to pass technical interviews and land legitimate jobs, frequently supported by so-called laptop farms that make it look like the employee is logging in from wherever they are supposed to be. Once hired, the operative has whatever access any other new employee would have, and nothing about the initial hire looks different from a normal one.

Shadow AI Leakage: This is the one vector on this list that does not require an adversary at all. An employee under deadline pressure pastes proprietary source code, a financial model, or a strategy document into a consumer AI tool to get unstuck faster, and the moment that data is submitted, it has left the organization’s control. Samsung’s 2023 disclosure, in which engineers pasted confidential source code and internal meeting notes into a public chatbot, remains the clearest illustration of how this happens, and current breach reporting still identifies source code as one of the largest single categories of data leaving organizations through exactly this channel.

AI Voice Cloning and Synthetic Pretext: The underlying tradecraft here, LinkedIn-driven reconnaissance combined with live vishing against help desks, is most associated with the group tracked as Scattered Spider, and AI voice cloning has become one more tool inside that already-established playbook rather than a separate technique on its own. What generative AI has changed is the texture of the attack: voice phishing used to mean a scripted, pre-recorded message, and now it means a live, adaptive, real-time conversation that can respond to pushback and improvise. The Charter Communications breach, along with reported use of a cloned government official’s voice to pressure business leaders, both show how quickly this moved from a novelty to a working operational tool.

AI SUPPLY CHAIN ESPIONAGE

The six vectors above describe attacks that happen during and after an intrusion. A related pattern deserves its own space because it happens earlier, in the software supply chain AI development itself now depends on.

AI coding assistants have changed how software gets written, and attackers have followed the change. Because these assistants suggest package names based on patterns in their training data, they sometimes recommend packages that do not exist, a behavior researchers call slopsquatting. Attackers register those hallucinated names on public registries in advance, so a developer who accepts a suggestion without checking installs exactly the malicious package the attacker anticipated. This sits alongside older but still active techniques, typosquatting real package names and dependency confusion against internal mirrors, both grouped under MITRE ATLAS’s AI Supply Chain Compromise technique. Researchers have also found malicious models hosted on public model repositories that execute a reverse shell the moment they load, meaning the compromise can arrive inside the AI component itself rather than a conventional dependency.

The espionage angle, in our assessment, follows logically from mechanisms that are already documented, though we have not identified a named case of this exact chain being used for competitive or state espionage specifically; most public reporting on AI supply chain compromise centers on malware distribution rather than confirmed data theft. A poisoned dependency or model pulled into a target’s build pipeline would carry the same proprietary-code access as any other component in that pipeline, and because it arrives through a trusted update or an AI suggestion rather than a phishing email, it would draw far less scrutiny.

AGENT PRIVILEGE ESCALATION AND THE PLUGIN ECOSYSTEM

A related structural risk sits in how much access a single AI agent now accumulates. It is increasingly normal for one agent to hold connected access to source control, ticketing, chat, the CRM, cloud infrastructure, identity systems, calendars, email, and in some deployments, payment approval, each connection added for a legitimate productivity reason, one integration at a time, with few organizations pausing to add up what the agent can reach once all of it exists together. That combined reach is a new kind of attack surface distinct from any single system’s own access controls, because compromising or manipulating the agent once is equivalent to compromising every system it touches.

The plugins, extensions, and connectors providing this access are themselves a trust boundary that gets far less scrutiny than comparable installed software. A connector from an unfamiliar third party can request broad permissions during setup, and because it installs through an AI platform’s marketplace rather than an enterprise approval process, it frequently bypasses the review a traditional software vendor would face.

This connects directly to research CYFIRMA has already published in full. Our earlier report on MCP in agentic AI deployments examined how the Model Context Protocol exposes internal APIs, databases, and ticketing systems to agents, and the same over-permissioning risk applies to the broader plugin and connector ecosystem described here. Readers wanting protocol-level detail should treat that report as the deeper reference.

THE DOORS NO ONE’S WATCHING YET

Everything above has already happened and been reported somewhere. What follows has not, at least not that we’ve found in public threat reporting. These are CYFIRMA’s own forward assessments, built by reasoning ahead from technical building blocks that already exist rather than from an observed campaign. None of this is a technique to execute, and none of it should read as established fact, so each paragraph below says plainly how much is documented mechanism versus our own extension to espionage.

The first gap is in who security awareness training assumes is on the other end of a manipulation attempt: a person. In our assessment, that’s increasingly not going to hold. As organizations deploy their own AI agents for procurement, vendor negotiation, and help desk work, we think it’s only a matter of time before an adversary builds a counterpart agent whose sole purpose is to hold a conversation with the target’s agent and extract information through what looks like ordinary business dialogue. This hasn’t been publicly reported yet, but nobody trains an AI agent to recognize manipulation the way they train an employee to, which is exactly the kind of gap that tends to get found eventually. Worth checking regardless: can any AI agent with tool access be reached by an external, unauthenticated counterpart, and are its outputs logged with anything like the scrutiny a human employee’s decisions would get?

A second gap, in our view, sits inside most vendor risk programs, which tend to treat “we use a reputable AI vendor” as equivalent to “our data stays ours.” We’re not confident that holds. Enterprises that fine-tune commercial models, or route proprietary queries through a third-party AI vendor, could plausibly see that data resurface in another customer’s outputs or a future model release, without any adversary needing to do anything at all. We haven’t seen this documented as an actual incident, but a sufficiently patient rival could, in theory, target organizations known to have loosely configured AI deployments that feed into shared infrastructure rather than attacking them directly. The data retention and training-use terms of every AI vendor with proprietary access are worth reviewing either way.

A third gap, and here again this is our assessment rather than something we’ve seen reported, sits in plain view inside an organization’s own public-facing AI product. We’d expect that asking a customer support chatbot or pricing assistant enough carefully constructed questions could let someone infer the proprietary business logic behind it from patterns in its refusals, hedges, and numeric answers, pricing curves, credit thresholds, and internal policy rules. The mechanism is proven; this is really an extension of model extraction research that has existed for years, just aimed at business logic instead of model weights, even though we don’t have a named case of it being used this way yet. Whether customer-facing AI systems are rate-limited and monitored for this kind of systematic, high-volume probing, rather than just screened for abuse or toxic language, seems worth checking regardless.

A fourth gap we consider a fairly short step from what’s already happened rather than a stretch, and it involves how much trust gets extended to anyone without a badge or a desk. The North Korean IT worker cases required getting hired, and those are real, documented cases. We think the next version of this doesn’t require hiring at all, though we don’t have a confirmed case of it yet: a sustained deepfake presence across recurring video calls and AI-generated work product, maintained for months under a consultant relationship, could secure standing access, shared drives, review rights, meeting invitations, without the person ever becoming a headcount anyone tracks closely. Contractor and vendor access reviews are worth comparing against full-time hiring’s identity verification rigor either way, since that rigor tends to quietly drop off for anyone classified as temporary.

A fifth gap, and this one is genuinely speculative since we have no case to point to at all, is less a single technique than a change in scale. Job postings, patent filings, conference talks, GitHub commit activity, shipping data: each one is individually harmless, which is exactly why none of them are individually protected. We think AI can now fuse all of them into a continuously updated, real-time picture of a competitor’s undisclosed roadmap, faster than any human analyst team, though this is our inference from what aggregation tools are technically capable of, not a documented instance of it happening. Worth periodically asking what an organization’s combined public footprint would reveal if someone deliberately correlated all of it at once.

A sixth gap is about how long an exposure lasts, and here we’re extending a documented technique rather than inventing a new one. Most defenses treat a cloned-voice call as a single incident, something to catch in the moment and then move past. We think the sharper risk, one we haven’t seen described this way in public reporting, is that an adversary builds and continuously refreshes a voice model of a key executive using newly published audio and holds it in reserve as a standing asset, the same way a leaked credential is treated as a persistent exposure rather than a one-time event. Executive protection programs are worth measuring against that standard regardless of whether this specific pattern has been caught yet.

A seventh gap sits inside systems most organizations already trust by default, and this is the item in this section with the most independent research behind it, even though we still don’t have a named espionage case. Retrieval indexes, embedding stores, and an agent’s long-term memory tend to get treated as an extension of the organization’s own systems. But these stores are built continuously from documents, tickets, and chat logs that often originate outside any tightly controlled pipeline, and red-team research has already shown, in controlled settings, that a handful of carefully crafted entries can poison a retrieval index or an agent’s memory so it quietly returns manipulated answers going forward, without touching the underlying model at all. MITRE’s ATLAS framework added a dedicated technique for this, RAG poisoning, in its most recent expansion, which tells us the security community treats the mechanism as credible, not that anyone has caught it being used for espionage specifically; that leap is ours. Whatever feeds an organization’s retrieval indexes or agent memory is worth checking against the same scrutiny applied to source code, regardless of whether this has been caught happening yet.

WHEN THE DOTS CONNECT

The following is an illustrative composite scenario:

A mid-sized chemicals manufacturer hires a remote contract developer after a smooth, well-prepared technical interview. The candidate’s resume and portfolio were AI-assisted, as most candidates are now, and nothing about the interview raises concern. Three months later, a different employee, under deadline pressure, pastes a chunk of proprietary formulation code into a consumer AI assistant to get unstuck on a bug. Neither event is noticed as unusual, because neither one is, on its own.

Separately, a state-linked group has been running low-cost, automated reconnaissance against the chemicals sector for months, the kind of broad AI-driven scanning that touches thousands of organizations and escalates only where something interesting turns up. The group’s tooling picks up fragments of the leaked formulation code indexed by the AI vendor’s infrastructure and flags the company as a target worth deeper attention.

A few weeks later, the company’s IT help desk receives a call from someone who sounds exactly like the VP of Engineering, requesting an urgent password reset ahead of a board presentation. The voice is a clone, built from a conference talk posted online eighteen months earlier. The reset succeeds. From there, the same autonomous tooling seen in state-sponsored campaigns elsewhere handles the rest with minimal further human direction: identifying which systems hold the formulation data, exfiltrating it, and covering its tracks.

No single stage of this chain would have triggered an incident response on its own. A contract hire, a pasted code snippet, a broad scan against an entire sector, one help desk call. It is only in combination that they add up to a full compromise, and it is that compounding effect, not any individual technique, that makes AAIE difficult to defend against using controls built for one vector at a time.

CONCLUSION AND OUTLOOK

AI did not invent industrial espionage, and it is worth saying plainly that the older, human-driven version of this crime has not gone anywhere. The Rippling v. Deel litigation illustrates that especially well, because the espionage allegations run in both directions. Rippling’s original 2025 suit alleges that Deel recruited and paid a Rippling employee who spent months extracting sales data, product roadmaps, and customer information, allegations that have since been reported to have drawn a US Department of Justice criminal inquiry into Deel. Deel denies the claims and has countersued, alleging that Rippling ran its own infiltration operation against Deel, soliciting Deel employees for confidential information and placing an insider who impersonated a Deel customer to gain access to Deel’s internal systems. Neither company’s allegations against the other have been proven in court as of this writing. Taken together, however, they illustrate a broader point: AI is expanding the speed and scale of industrial espionage, not replacing the human-directed methods that have long defined it. Increasingly, the challenge will be managing the convergence of both.

The legal and regulatory response will likely lag behind the technical reality for some time yet. Existing trade secret and economic espionage laws were not written with autonomous AI agents or synthetic employees in mind, and adapting those frameworks will inevitably take time.

CYFIRMA assesses that the clearest trajectory is convergence: the six vectors described in this report will increasingly be combined rather than deployed in isolation. Organizations that continue to defend against them as separate problems will be structurally disadvantaged compared with those that recognize and address them as a single, compounding threat.

The choice facing security leaders now is not whether to respond to AAIE, but how quickly. Waiting for a named, public incident within one’s own sector before acting simply hands the attacker an additional advantage. Over the next twelve months, CYFIRMA recommends organizations focus on four highest-leverage priorities: eliminate voice-only identity verification from every help desk and finance workflow; place AI systems, whether internally developed or vendor supplied, under a named risk owner held to the same governance standard as any other critical asset class; extend insider-threat and vendor-access programs to treat synthetic identity as a default risk rather than an edge case; and monitor AI tool egress with the same rigor historically reserved for the network perimeter.

RECOMMENDATIONS

Strategic Recommendations

  • Treat AI systems, both internally built and vendor-supplied, as a defended asset class with a named risk owner, not a productivity tool under general IT policy.
  • Extend insider threat programs to explicitly cover synthetic and AI-assisted identity fraud in hiring.
  • Build executive protection programs that treat public audio and video as a standing, persistent exposure, not a one-time risk.

Operational Recommendations

  • Ensure that high-risk requests, credential resets, wire approvals, and access changes cannot be satisfied by voice alone, and route them through a pre-agreed callback number or separate channel.
  • Review AI vendor contracts and data retention terms with the same rigor applied to any other vendor holding proprietary data.
  • Extend data loss prevention tooling to cover AI tool egress specifically, not just file transfer and email.

Tactical Recommendations

  • Deploy phishing-resistant multi-factor authentication and eliminate voice-only identity verification at help desks.
  • Rate-limit and monitor customer-facing AI products for high-volume query patterns consistent with model or logic extraction.
  • Build AI-specific scenarios, voice cloning, synthetic candidates, and agent-to-agent manipulation into red team exercises and tabletop drills.

MITRE Framework

Tactic Technique ID Technique Name
Reconnaissance T1598.004 Phishing for Information: Spear phishing Voice
Reconnaissance T1595 Active Scanning
Resource Development T1588.007 Obtain Capabilities: Artificial Intelligence
Resource Development (ATLAS) AML.T0020 Poison Training Data
Initial Access T1566.004 Phishing: Spear phishing Voice
Initial Access T1199 Trusted Relationship
Initial Access (ATLAS) AML.T0010 AI Supply Chain Compromise
Initial Access (ATLAS) AML.T0010.001 AI Supply Chain Compromise: AI Software
Initial Access (ATLAS) AML.T0051 LLM Prompt Injection
Persistence T1078 Valid Accounts
Defense Evasion T1027 Obfuscated Files or Information
ML Attack Staging (ATLAS) AML.T0070 RAG Poisoning
Exfiltration T1567 Exfiltration Over Web Service
Exfiltration (ATLAS) AML.T0086 Exfiltration via AI Agent Tool Invocation
Exfiltration (ATLAS) AML.T0024 Exfiltration via AI Inference API

Two different MITRE frameworks apply here. ATT&CK covers conventional enterprise techniques. ATLAS is MITRE’s separate framework specifically for attacks against AI and ML systems.