Top AI Attack Vectors You Should Know

ShakShak
3 min read

This is a quickly evolving threat landscape and requires continuous monitoring as things change especially as we see shadow AI creep into many areas.

How to read the ranking

  • Prevalence signal = the strongest public metric we could find (incident share, growth %, case counts or monetary loss).

  • Lower-ranked vectors are either new but growing (agentic attacks, poisoning) or still mostly academic (model inversion, T-shirt patches) worth monitoring but not yet as common in real IR caseloads.

RankVectorWhy it tops the chart (prevalence signal)
1Generative social-engineering (deep-fake BEC, vishing, “synthetic insiders”)Still the #1 initial-access route: 36 % of Unit 42 IR cases began with social-engineering between May ʼ24-May ʼ25
2Malware posing as AI tools115 % YoY jump in malicious files that mimic ChatGPT (177 unique binaries in Jan-Apr ʼ25)
3Prompt-injection / LLM hijackingMicrosoft calls indirect prompt injection “one of the most widely-used AI vuln classes” and the top issue in OWASP LLM Top 10 2025
4AI-generated homograph & typosquat domainsUnit 42 shows automated Unicode look-alike domain generation accelerating phishing throughput (July ʼ25 report)
5Malicious AI-coding-tool extensions & IDE supply-chain abuseDev environments are an attractive, low-friction target; first major campaign netted $500 k (Cursor, Jul ʼ25)
6QR-/image- based multi-modal injection (“quishing”)784 UK cases, £3.5 M lost to rogue parking-lot QR codes Apr ʼ24-Apr ʼ25; 26 % of phishing links now QR-borne
7“Vibe-coding” vulnerabilities (AI-written code by non-devs)45 % of GenAI-written snippets introduce OWASP-Top-10 flaws (Veracode GenAI Code Security Report, Aug ʼ25)
8Employment-fraud / synthetic-insider infiltrationCrowdStrike tallied 320 hires secured with AI-generated identities in 12 months (funding DPRK missile program)
9Autonomous attack agents & AI-assisted malwareCMU & Anthropic reproduced the Equifax 2017 breach end-to-end with an LLM planning its own kill-chain (Jul ʼ25)
10Model / dataset poisoning (“sleeper agents”)“Sleeper Agents” study proved back-doors survive standard RLHF; widely cited (> 200 citations)
11Model inversion & membership inferenceBlack-box attack on Llama-3.2 reconstructed PII from a medical fine-tune (Jul ʼ25)
12Adversarial patches / physical evasionDiffusion-generated T-shirt patches keep wearers invisible to CCTV YOLO-v5 with ~65 % success (May ʼ25 AdvReal paper)

Key takeaways

  • MITRE ATLAS is the de-facto source for real attack technique mapping; treat it like ATT&CK for anything model-centric.

  • OWASP lists give you the quickest “what can go wrong” checklist for both classic ML pipelines and chat-GPT-style apps.

  • NIST RMF + ISO 42001 provide governance scaffolding that partners and auditors increasingly expect.

  • SAIF & CSA AICM convert high-level risk goals into concrete, cloud-ready controls.

  • The EU AI Act is now the enforcement tail-wind—if you sell or deploy AI in Europe, map obligations early.

Use these frameworks together: start threat modelling with OWASP & ATLAS, build controls with SAIF/AICM, and prove compliance with NIST RMF, ISO 42001 and the AI Act.

0
Subscribe to my newsletter

Read articles from Shak directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Shak
Shak