When Data Means Conversations and Code: How AI-Powered Adversaries Are Rewriting the Rules of Targeted Attacks

For years, the security industry drew a fairly clear line around what "sensitive data" meant. Personal information, financial records, health data: the structured, regulated categories that compliance frameworks were built to protect. Encrypt it, tokenize it, and restrict access to it. The threat model was straightforward: if you protect the database, you protect the business.

Now picture the old farming wisdom about not putting all your eggs in one basket. The moment organizations began consolidating every conversation, every code repository, every AI-generated output, and every behavioral signal into centralized cloud platforms, they did exactly that. They assembled a single, continuously updated intelligence dossier on their people, their processes, and their competitive position, and stored it in one place. For AI-powered adversaries, that centralized basket is extraordinarily attractive.

The Data Set Has Gotten Bigger

The data adversaries find valuable today extends well beyond the regulated categories organizations have spent decades locking down. Conversations, code, andAI copilot interactions are all data. Behavioral signals are data too: the patterns in how your team communicates, how your developers commit code, how your executives present publicly.

Every collaboration tool, code repository, customer service transcript, and internal knowledge base represents a potential intelligence source. The combination of these sources is what makes them dangerous. A single leaked Slack export paired with a public LinkedIn profile and a dark web credential dump creates a profile detailed enough to make a targeted attack nearly undetectable.ZeroFox Intelligence has documented exactly how adversaries assemble these profiles: six in ten executives already have PII for sale on underground marketplaces, and 75% have experienced credential exposure. The reconnaissance that precedes a targeted attack is thorough, patient, and happening entirely outside your environment.

The Centralized Cloud Problem: What AI Platforms Are Actually Ingesting

Centralizing data in cloud AI platforms delivers real operational value. Teams collaborate faster, institutional knowledge compounds, and productivity scales. The risk that rarely appears on the benefits slide is what consolidation looks like from an adversary's perspective.

Most organizations classify sensitive data in familiar buckets: PII, PHI, financial records, intellectual property, source code, and access credentials. Those categories were built for structured databases and file systems. They were not built for the data that AI platforms are now ingesting, storing, and correlating continuously on behalf of your organization.

Think about what a modern AI platform actually touches in the course of a single workday.

Conversational data and audio records. Every voice chat, meeting transcript, and threaded conversation captured inside collaboration and AI platforms creates an ongoing record of your organization's decisions, disputes, strategies, and relationships. It is a searchable, indexable archive of intent that did not exist in traditional data inventories.

Intellectual property and proprietary outputs. The artifacts, documents, and generated outputs your teams produce using AI tools carry the same competitive sensitivity as any formally classified asset. The difference is that they move faster, often without the governance controls applied to traditional IP.

API supply chain and third-party data flows. Connectors, integrations, and model context protocol (MCP) configurations route data between your internal systems and external platforms continuously. Each integration point is a potential exposure channel. In August 2025, that channel had a name: Salesloft Drift.

Threat actor UNC6395 compromised Salesloft's GitHub environment, pivoted to Drift's AWS infrastructure, and stole the OAuth tokens that Drift used to connect with customer systems. With those tokens, the attacker bypassed authentication entirely and ran bulk queries against Salesforce instances acrossmore than 700 organizations simultaneously, including Cloudflare, Zscaler, Palo Alto Networks, and Workday.Google's Threat Intelligence Group confirmed the primary objective was credential harvesting: AWS access keys, Snowflake tokens, and passwords extracted from the exfiltrated data to fuel the next wave of targeted attacks. The entry point was not a zero-day in a core platform. Rather, it was a trusted third-party integration that hundreds of organizations had authorized and then stopped watching.

That is the supply chain risk that AI-dependent architectures now carry. The more integrations, connectors, and data flows an organization authorizes, the larger the target surface becomes for adversaries who understand that the trust between platforms is often easier to exploit than the platforms themselves.

Behavioral metadata and session intelligence. The context AI platforms inject at runtime—preferences, role definitions, workflow patterns, task histories, and custom skills—amounts to a detailed behavioral profile of every user the platform serves. An adversary with access to that layer does not need to observe your organization because they already understand how it operates.

Identity and behavioral profiles. Persistent memory, saved context, and interaction histories create longitudinal profiles tied to real individuals. They map specific people to specific behaviors, decisions, and relationships over time.

Source code and trade secrets. Code reviewed, generated, or committed through AI-assisted development tools represents some of the most sensitive intellectual property an organization holds. When that code lives in a centralized AI platform's context window or history, it is no longer protected solely by your repository's access controls.

Then there is the category that does not appear in any approved data inventory at all: shadow AI.IBM's 2025 Cost of a Data Breach Report found that 38% of employees share sensitive work information with AI tools without their employer's knowledge.Reco's 2025 State of Shadow AI Report found that 86% of organizations have no visibility into how their data flows to and from those tools. 

And this spans across departments. Developers paste proprietary source code into public chatbots to debug it. Finance analysts upload internal forecasts for summarization. Support managers deploy AI chatbots that handle customer data without any review from IT or compliance. Every one of those interactions represents data that left the organization without an audit trail, processed on infrastructure your security team cannot see, governed by terms of service no one reviewed.

Shadow AI incidents cost organizations an average of$650,000 more than standard breaches, and one in five organizations has already experienced a breach tied to unauthorized AI use. The employees responsible are not acting maliciously, they are simply trying to work faster. The risk has moved past intent to invisibility.

Individually, each of these six categories carries real risk. Together, they form a complete intelligence package on your organization, your people, and your competitive position, assembled across platforms your governance program may never have mapped. When a single credential surfaces in a dark web stealer log, when a third-party OAuth token is quietly stolen, or when a debugging session lives on an unmanaged server, the adversary does not get a fragment of your organization. They get a starting point. For an AI-enabled attacker, a starting point is enough.

How AI Has Shifted the Adversarial Advantage

For a long time, there was an inherent trade-off in attack design. Mass campaigns were scalable but unconvincing. Targeted attacks were convincing but labor-intensive. AI collapses that trade-off entirely.

According to ZeroFox Intelligence's 2026 threat predictions, the experimentation phase is over. Threat actors are now embedding generative AI across their services and techniques. Throughout 2025, ZeroFox tracked convincing AI-generated phishing and impersonation attempts, faster automated reconnaissance powered by GenAI tools, and fraud schemes enhanced by synthetic media and long-running impersonation campaigns. The barrier to entry has dropped. An adversary no longer needs English fluency, technical depth, or a large team to run professional-grade campaigns. 82.6% of phishing emails are now AI-generated, making them considerably harder for trained employees to identify.

Picture a realistic attack scenario. A developer's GitHub activity is public, their LinkedIn confirms their employer and current project, and a dark web stealer log includes their corporate credentials. An AI model ingests all of it and generates a message appearing to come from their manager, referencing their active pull request and linking to a convincing replica of an internal code review tool. There’s no generic subject line or mismatched sender domain obvious enough to flag. The developer clicks, and the attacker is in.

Deepfakes and synthetic identity amplify the problem further. The Arup engineering firm incident put this in financial terms: cybercriminals harvested publicly available earnings calls and LinkedIn videos, fed them into an AI model, and created a digital clone of the CFO indistinguishable from the real person. The result was a $25 million transfer. The attack succeeded because it exploited something security teams rarely account for: the psychological foundations of workplace trust.

ZeroFox's intelligence on executive protection confirms that AI has become the accelerant. Personal information about senior leaders such as full names, professional roles, residential details, contact data, is widely accessible through public sources and data aggregators, providing rich reconnaissance material for adversaries building phishing and impersonation campaigns at scale.

Why Traditional Controls Don't See AI-Powered Adversaries Coming

The reconnaissance, data harvesting, and campaign infrastructure for these attacks are built entirely outside the organizational perimeter. Adversaries map your organization, profile your people, and assemble their attack intelligence on dark web forums, public code repositories, social media platforms, domain registrars, and credential marketplaces. Firewalls, endpoint detection tools, and SIEM platforms have no sight lines into those channels.

By the time a targeted attack reaches your environment, the work is already done. The detection window is measured in minutes, if it exists at all. ZeroFox monitors 12B+ signals daily across 180+ platforms, 21,000 dark web forums, and six billion domains to find the pre-attack indicators that internal tools cannot reach. When developer credentials surface in a stealer log, when an impersonation account for your CEO appears on a social platform, or when a lookalike domain is registered before a phishing campaign launches, those signals close the detection gap. Catching them in the discovery phase before weaponization is what converts intelligence into prevention.

The Discover, Validate, Disrupt Cycle in Practice

External visibility without action is just monitoring. What CISOs need is a continuous cycle that moves from signal to resolution.

Discover maps the external footprint: exposed assets, credentials, impersonation accounts, malicious infrastructure, and data leakage across the open web, deep web, and dark web.

Validate filters the volume: analysts and AI working together across a 12B+ signal data graph to confirm real risk, eliminate false positives, and prioritize what requires immediate action.

Disrupt removes the threat through active takedowns executed across ZeroFox's Global Disruption Network of 80+ ISP, hosting, registrar, and platform partners, with a 95% takedown acceptance rate and ongoing monitoring to prevent rebounds.

The adversary's reconnaissance doesn’t pause, and neither does this cycle. The value of this model is that it matches the attacker's operational tempo rather than reacting to the end stage of it.

What to Be Asking About AI-Powered Adversaries Right Now

For CISOs and security directors evaluating their posture against AI-driven, data-informed targeting, the priority questions are about visibility:

• Have you inventoried what your AI platforms are ingesting across all six data categories: conversational records, proprietary outputs, API data flows, behavioral metadata, identity profiles, and source code?
• Do you have a current map of every third-party integration authorized to access your core platforms, and do you know what data each one can reach?
• If a single exposed OAuth token or API credential opened a trusted integration, what is the full downstream blast radius across those categories?
• How much of your organization's sensitive data is currently moving through unsanctioned AI tools your security team has no visibility into?
• If adversaries were actively profiling your executives or developers using dark web data and public sources right now, how long would it take your team to find out?

The organizations managing this risk well are not necessarily those with the largest security teams. They are the ones that extended their visibility to match the adversary's reconnaissance range, mapped every integration point before an attacker did, and built the operational process to act on what they find.