SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Cloudflare flags AI-fuelled identity & SaaS attacks

Wed, 4th Mar 2026

Cloudflare has published its first Threat Intelligence Report, describing a shift in cyberattacks from exploiting technical weaknesses to abusing legitimate identities and trusted cloud services.

The report draws on Cloudflare's global network telemetry and its Cloudforce One threat research team. It examines how cybercriminal groups and nation-state actors have changed tactics as organisations move more systems into cloud services and rely more on remote work and software integrations.

Cloudflare also placed the findings in a broader economic context, citing estimates that global cybercrime costs have reached USD $10.5 trillion, enough to rank as the world's third-largest economy after the US and China.

Logging in

A central theme is that attackers increasingly seek valid access rather than forcing entry. This shift puts more weight on identity checks, authentication controls, and continuous monitoring of user activity across email, software-as-a-service (SaaS) platforms, and application programming interfaces (APIs).

Email remains a frequent starting point. Cloudflare found that 46% of observed emails failed DMARC checks, which confirm that the visible sender domain is backed by an aligned SPF or DKIM result and so reduce spoofing. The figure points to gaps in basic authentication practices that still give attackers a foothold, particularly for phishing and account takeover attempts.
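To make the DMARC statistic concrete, the following is an added example (not code from the article or from Cloudflare) of how a receiving mail system turns a sender's published DMARC record plus the SPF and DKIM results for a message into a pass/fail verdict and a disposition. The record text, the domains and the authentication results are constructed sample values; the organisational-domain helper is a simplified stand-in for a public-suffix-list lookup.

```python
"""DMARC evaluation for inbound mail (added example, not from the article).

A message passes DMARC when at least one of SPF or DKIM passed *and* the
domain that passed is aligned with the RFC5322.From domain.  Alignment is
strict (exact match) or relaxed (same organisational domain) according to
the adkim= / aspf= tags of the sender's published DMARC record.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    """Per-message inputs to DMARC: the visible From domain and the raw
    SPF / DKIM outcomes together with the domains they authenticated."""
    from_domain: str
    spf_result: str     # "pass", "fail", "none", ...
    spf_domain: str     # envelope MAIL FROM domain that SPF was checked for
    dkim_result: str    # "pass", "fail", "none", ...
    dkim_domain: str    # d= tag of the DKIM signature (empty if unsigned)


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'.

    Raises ValueError for records that are not DMARC1 or lack the
    mandatory p= tag, and fills in the relaxed-alignment defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    (Assumption: real deployments consult the public suffix list.)"""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only needs the same organisational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def evaluate(record: str, msg: AuthResult) -> dict:
    """Apply the sender's DMARC policy to one message's SPF/DKIM results."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.from_domain, msg.spf_domain, tags["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.from_domain, msg.dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    # sp= governs subdomains of the organisational domain when present.
    is_subdomain = msg.from_domain.lower() != org_domain(msg.from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else policy,
    }


def failure_rate(record: str, messages: list) -> float:
    """Share of messages failing DMARC, the kind of figure the report quotes."""
    failed = sum(1 for m in messages if evaluate(record, m)["dmarc"] == "fail")
    return failed / len(messages) if messages else 0.0


if __name__ == "__main__":
    # Constructed sample data: a sender domain with a reject policy and three
    # inbound messages claiming to be from it.
    RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r"
    SAMPLE = [
        AuthResult("example.com", "pass", "bounce.example.com", "fail", ""),
        AuthResult("example.com", "pass", "mailer.example.net", "pass", "news.example.com"),
        AuthResult("mail.example.com", "fail", "x.example.com", "fail", "example.com"),
    ]
    for m in SAMPLE:
        print(m.from_domain, evaluate(RECORD, m))
    print("failure rate:", round(failure_rate(RECORD, SAMPLE), 2))
```

The second sample message shows why alignment matters: SPF and DKIM both "pass", yet the message fails DMARC because neither authenticated domain is aligned with the From domain under the record's strict DKIM setting. That gap between "something authenticated" and "the visible sender authenticated" is exactly what a spoofed message exploits, and it is what a DMARC failure statistic like the report's 46% is counting.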

Business email compromise also remains a persistent source of financial risk. Cloudflare analysts identified more than USD $123 million in attempted theft, with average payment requests nearing USD $49,000 per incident.

AI at scale

The report argues that generative AI is reducing the skill required to run convincing campaigns. Lower-skilled actors can now produce persuasive phishing messages and social engineering lures quickly and at scale. It also flags the use of deepfakes and AI-generated identities in fraud and infiltration efforts.

Cloudforce One tracked cases in which threat actors used large language models to map networks in real time and assist with exploit development. One case involved an AI-assisted exploit in a SaaS integration, which Cloudflare said caused widespread downstream impact across multiple tenants.

North Korean-linked operations feature prominently in the report's discussion of insider threats. Cloudflare said these actors used AI-generated identities and deepfakes to pass hiring checks and secure remote IT roles at Western companies. The report also references US-based "laptop farms" used to mask a worker's true location while appearing to operate from within the country.

SaaS abuse

Attackers are increasingly abusing enterprise SaaS platforms, including cloud storage and collaboration tools. Cloudflare described tactics that hide command-and-control traffic inside trusted services and move laterally through integrations. The pattern reflects how many organisations now connect business systems through third-party applications and automated workflows.

The report also points to supply chain risks tied to these integrations. A compromise in a single service or connector can affect multiple organisations, and multi-tenant platforms increase the potential blast radius when attackers gain access to a shared layer.

DDoS baseline

Cloudflare reported record levels of distributed denial-of-service (DDoS) traffic, with attacks reaching 31.4 Tbps and peaking within seconds. This reduces the window for manual intervention and pushes organisations towards automated detection and mitigation.

The report cites large-scale botnets such as Aisuru, which Cloudflare said now pose threats comparable in impact to nation-state operations. It also describes scenarios in which attacks could disrupt networks at country scale.

State activity

Alongside criminal campaigns, the report describes changing patterns among state-backed groups. Cloudflare said Chinese actors, including Salt Typhoon and Linen Typhoon, have shifted from broad activity to more targeted operations against North American telecommunications, government entities, and IT services.

It also said these groups have moved from espionage towards "persistent pre-positioning", defined as installing code within rival systems for possible future use, particularly in US critical infrastructure.

Australian context

The findings have implications for Australian organisations as they move towards cloud-first and API-driven architectures. Cloudflare argued that Australia faces the same identity-led and cloud-native threats seen in larger markets, despite established regulatory frameworks and critical infrastructure requirements.

For local security teams, the report's emphasis on authentication hygiene, email controls, and monitoring SaaS integrations aligns with an environment where staff access business systems from multiple locations and devices. It also raises governance questions for procurement and IT operations around third-party applications, connectors, and delegated permissions.

Cloudflare said its network blocks an average of 230 billion threats each day and protects about 20% of the web, a scale it cites as providing broad visibility into attack trends.

"Hackers thrive on the gaps left by fragmented, stale threat intelligence. At Cloudflare, we've built the largest and most comprehensive global sensor network that gives us a front-row seat to threats invisible to everyone else," said Matthew Prince, Co-Founder and CEO, Cloudflare. "By sharing this intelligence with the world, we're plugging the gaps and shifting the advantage back to the defenders. The result is a safer, more reliable Internet, where it is fundamentally more difficult and expensive for hackers to operate."

Blake Darché described the report as a call for faster, more current threat analysis inside organisations.

"Threat actors are constantly changing tactics, finding new vulnerabilities to exploit and ways to overwhelm their victims. To avoid being caught off guard, organisations must shift from a reactive posture to one fueled by real-time, actionable intelligence," said Blake Darché, Head of Threat Intelligence, Cloudforce One at Cloudflare. "This report is a North Star for understanding the scale of attacks, and how threat actor aggression and techniques are shifting. The message to defenders is simple: lead with intelligence or risk falling behind in a race where the stakes have never been higher."