AI Supercharges Low-Effort Attacks—Why Midmarket IT Should Treat Them as High Risk

HP Wolf Security’s latest report shows how AI‑assisted attacks are reusing old tactics.



Attacks are becoming easier for newbie criminals to carry out with the help of AI.

For midmarket IT leaders, that means more attacks, albeit not necessarily smarter ones, are slipping past gateway security and other traditional defenses.

Attackers are using time-tested tactics like redirects from fake websites and PDF lures for successful attack campaigns. Email threats are still bypassing perimeter defenses. These attacks are being facilitated and supercharged by AI. But just because these may be low-effort attacks by rookie hackers does not mean they are not high risk.

These were some of the findings in HP Wolf Security’s Threat Insights report for March 2026, released this week.

The report data comes from customers who opt in to share their threat telemetry with HP. The data is then analyzed for threat trends and significant malware campaigns by HP researchers.

From HP Wolf Security’s latest threat insights report, here are five takeaways for midmarket IT.

5 Midmarket IT Takeaways From HP Wolf Security’s Threat Insights Report

Today’s Threat Actors Are Unsophisticated But Pose Risk

The report shows that threat actors are purchasing “off-the-shelf” malware components to carry out attack campaigns.

These aren’t high-level hacking geniuses. These are individuals buying components off of hacking forums and making minor code changes to launch attacks. The attacks are also not very exotic or high-level: they mostly reuse intermediate scripts and loaders across different lures and payloads.

“Attackers used PDF lures relying on a simple but effective technique of directing victims to a compromised website that delivers a malicious download, before immediately redirecting them to a legitimate website to create the impression that the trusted platform initiated the download,” the report notes.

HP’s researchers also report that AI coding tools are accelerating “low effort” threats.

Midmarket IT takeaway: Do not assume “low effort” attacks mean low risk.

Threat Actors Are Manipulating User Trust, Not Just Vulnerabilities

In Q4 2025, HP researchers saw attackers using PDF lures in an interesting way: clicking the PDF directs the user to a malicious site, but then redirects the user to a legitimate, trusted site.

“This credibility boost helped mask the delivery of scripts and loaders that ultimately deployed Formbook and XWorm.4,” the report read.

Midmarket IT takeaway: Recognize that even credible redirects and trusted brands are part of the threat landscape.

Take Stronger Control Of Downloads

More threat actors are deploying fake sites that imitate credible software applications like Microsoft Teams.

Once the user is on the fake Teams site, a malicious installer is downloaded. Those installers deliver malware alongside the legitimate Teams application, according to the report.

“The installer used dynamic link library (DLL) sideloading through a signed CapCut executable to load a malicious DLL that installs the OysterLoader backdoor, enabling additional malware to be deployed, such as ransomware,” the report notes.

Midmarket IT takeaway: Take stronger control of how and where software is downloaded.
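
One way to hunt for the sideloading pattern quoted above, as an added example that is not code from HP or from the original article: it scans image-load telemetry for a signed executable in a user-writable folder that loads an unsigned DLL from its own directory. The event field names, host names and file paths are constructed for illustration, and the list of user-writable locations is an assumption to tune.

```python
import ntpath  # Windows path rules, regardless of where the script runs

# Assumed markers for user-writable locations; tune for your environment.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def is_sideload_candidate(ev):
    """Signed EXE in a user-writable folder loading an unsigned DLL from
    its own directory: the DLL sideloading shape described in the report."""
    exe, dll = ev["process_path"].lower(), ev["dll_path"].lower()
    same_dir = ntpath.dirname(exe) == ntpath.dirname(dll)
    writable = any(marker in exe for marker in USER_WRITABLE)
    return bool(ev["process_signed"] and not ev["dll_signed"]
                and same_dir and writable)

def find_sideload_candidates(events):
    """Return (host, exe, dll) for every event worth an analyst's review."""
    return [(e["host"], e["process_path"], e["dll_path"])
            for e in events if is_sideload_candidate(e)]

# Constructed image-load events; field names are hypothetical, map them to
# your EDR or Sysmon schema.
SAMPLE_EVENTS = [
    # Signed app unpacked to Temp pulls an unsigned DLL sitting beside it.
    {"host": "WS-014", "process_signed": True, "dll_signed": False,
     "process_path": r"C:\Users\alice\AppData\Local\Temp\pkg\editor.exe",
     "dll_path": r"C:\Users\alice\AppData\Local\Temp\pkg\helper.dll"},
    # Same process loading a signed system library: expected behaviour.
    {"host": "WS-014", "process_signed": True, "dll_signed": True,
     "process_path": r"C:\Users\alice\AppData\Local\Temp\pkg\editor.exe",
     "dll_path": r"C:\Windows\System32\kernel32.dll"},
    # Unsigned plugin, but under Program Files (admin-only write access).
    {"host": "WS-020", "process_signed": True, "dll_signed": False,
     "process_path": r"C:\Program Files\Vendor\app.exe",
     "dll_path": r"C:\Program Files\Vendor\plugin.dll"},
    # Portable app in Downloads whose bundled DLL is properly signed.
    {"host": "WS-031", "process_signed": True, "dll_signed": True,
     "process_path": r"C:\Users\bob\Downloads\tool\tool.exe",
     "dll_path": r"C:\Users\bob\Downloads\tool\core.dll"},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("review:", *hit)
```

Hits are leads for review rather than verdicts: some legitimate per-user installers ship unsigned DLLs, so pair the rule with an allowlist of known software.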

Secure Beyond The Perimeter

The report also focused on threats that bypassed gateway security. Of endpoint threats caught by HP Sure Click in Q4 2025, email remained the top vector for delivering threats at 58 percent (although that represents a 9 percent decrease since Q3 2025).

Moreover, among the malicious emails Sure Click caught, 14 percent had bypassed email gateway scanners (a 3 percent increase from Q3 2025).

Midmarket IT takeaway: Your perimeter defense is only as good as your endpoint detection.

Cybercriminals Value Efficiency Over Precision, Look At Patterns

In Q4, threat actors engaged in “multiple campaigns, combining obfuscated scripts, archive.org hosted images carrying embedded code, and a .NET loader to deliver different payloads,” the report states. That suggests multiple threat groups are using the same malware “building blocks” available for purchase to carry out expedient, efficient attacks.

Takeaway for midmarket IT: Instead of focusing on hackers’ names, take note of repeatable attack patterns across your industry.

Access HP Wolf Security’s full report here.