Please visit our Oktane 2025 page for complete coverage of the event.LAS VEGAS — The use of artificial intelligence by threat actors is supercharging traditional attacks like
phishing and identity theft, Okta's head of threat intelligence told us in an interview at the Oktane conference here Wednesday (Sept. 24).
And that's the good news. The worse news is that
AI is also enabling a new form of attack as adversaries compromise their targets' own AI instances to exfiltrate sensitive data and subvert defenses.
"We're building a picture of the modern-day attacker really being able to speed up by factors of 10, their ability to perform attacks, particularly in the reconnaissance and discovery phases of attacks," said VP of Okta Threat Intelligence Brett Winterford. "In some cases, using the
generative AI tools on the target's endpoint against them. Kind of like a new living-off-the-land technique."
To thwart such "inside man" attacks, organizations need to implement strict access controls on their AI agents so that the agents can't be turned against them.
Winterford said that kind of control is now available in the form of
Cross App Access, a draft addition to the open-standard OAuth protocol that extends the constraints imposed on human users to AI agents.
"The realization from Okta's perspective is we need an industry standard way to do things," Winterford explained. "We need to have a better way of managing authorization for an agentic client."
Adding some nitro to the tank
The most immediate effect of AI on cybercrime is to drastically accelerate the pace of attacks, Winterford told us. When combined with the underground service economy that licenses
malware, offers training and lets anyone become a cybercriminal, it creates a perfect storm.
"Attacks that you already know about, credential stuffing, phishing, fraudulent registration, synthetic identities, identity theft, they are being supercharged for two reasons," he said.
"One is that the cybercrime-as-a-service ecosystem has really expanded dramatically," Winterford added. "The volume of services that we see available for the democratized access to capabilities for every attacker is expanding faster than law enforcement can take them down."
The other reason is the addition of generative AI to the cybercrime tool set, letting online crooks automate entire phishing or malware campaigns, from targeting to distribution to harvesting of data or bots.
"Some of our research has uncovered the use of specific AI tools that are very, very capable and basically not just being used to create the lure, but the entire phishing front end is developed in seconds," Winterford said. "Not hours or minutes, but seconds."
The defenses against these threats remain the same, but the volume and speed of the attacks can be overwhelming, even for practitioners using the most highly automated tools.
"We've got this interesting fight now between the AI-enhanced tools being used by attackers and the machine learning-based tools used for bot detection," said Winterford. "It's a constant arm wrestle that's very, very interesting."
AI double agents
But it's a lot harder to defend against an internal AI agent that's been turned against its masters. Winterford said we saw that happen in the recent
Nx supply chain attack, in which miscreants inserted poisoned updates into the NPM online repositories of the open-source Nx software-building platform.
Developers who installed and used the corrupted code saw their NPM and GitHub credentials and tokens stolen, as you might expect.
But the poisoned Nx code also checked to see if there were Google Gemini or Anthropic Claude AI instances running on the infected endpoints. If so, it instructed the AIs to look for other secrets, such as cryptocurrency wallets, session tokens, SSH keys and more.
Finally, the attackers exploited the stolen GitHub credentials to make private GitHub repositories suddenly public, exposing yet more secrets.
"It's not something we would naturally think about when we hook up our applications to large language models, that an attacker could then abuse them," Winterford said.
But that's the nature of AI. It's powerful, unpredictable, clever and a bit naive.
As Okta Co-Founder and CEO
Todd McKinnon said in his Oktane keynote address on Thursday (Sept. 25), AI agents are "kind of like a piece of software, kind of like a system account, kind of like a person — somewhere in between."
McKinnon also repeated something a friend told him about AI agents that might apply to the Nx attack: "It's like you take an insider threat and you just put it in your company and give it all the access it needs."
Pumping the brakes on AI
So how can you control that insider threat? Okta thinks the answer is Cross App Access, which is being reviewed by the Internet Engineering Task Force (IETF) for formal inclusion in OAuth. It places limits on what AI agents can access or do and also controls which other users can interact with the agents.
Perhaps almost as significantly, Cross App Access changes the consent model for AI agents. The default permission model is for the agent to ask permission of its human supervisor for almost every action it takes, which sounds very prudent but which can often drown the supervisor in too many request notifications.
After some time, the human instinct is to just agree to everything the AI agent asks for, undermining the entire purpose of the consent model.
Cross App Access shifts the burden of controlling the AI agent's actions from the individual human supervisor to the organization's security policy, imposing a uniform set of constraints across all AI agents, no matter who is using them.
"That's the whole idea of Cross App Access," said Winterford. "Instead of the user having to just get a million consent prompts all day, particularly as the world becomes more agentic, take that away from them. Don't make it a problem for them anymore. Decide what's permissible."
He worries about what might happen if constraints like Cross App Access are not implemented to control AI agents. The number of AI agents is growing rapidly, but it seems like not many of them are being kept within guardrails.
"If we don't get this piece right before this agentic AI revolution really hits its peak," Winterford said, "I think we could be cleaning up the mess for the next five or 10 years."
