USB-borne malware has moved from nuisance to vector of choice for attackers who want persistence and stealth. A striking finding in Honeywell’s 2024 USB Threat Report is that 51 percent of malware observed was designed to spread via USB, up from 9 percent in 2019. That shift comes with more content-based payloads and modular toolkits able to live undetected in industrial environments and air-gapped systems.

For defenders this is a clear early warning: adversaries are returning to physical media because it works. USB attacks bypass many perimeter controls, exploit expected human workflows, and give attackers time to “live off the land” inside operational technology and critical infrastructure. Honeywell found an increase in content-based attacks that misuse legitimate document and scripting capabilities to escalate impact and avoid signature detection.

Where AI enters the picture is twofold. First, defenders need scale. Modern security telemetry is vast, and cloud and endpoint providers have already folded AI into detection pipelines to surface anomalous signals and reduce time to triage. Microsoft’s Cyber Signals notes that billions of cloud-based, AI-driven detections are already protecting customers and that AI and ML models are essential to spot subtle behavioral anomalies that rule-based systems miss. AI cannot be the only line of defense, but it is the only practical way to analyze the volume and diversity of signals needed to spot USB-related campaigns early.

Second, AI augments human triage. Anomaly detection models can flag unusual removable-media insertions, unexpected file writes to system folders, or the execution of living-off-the-land tooling such as obfuscated PowerShell or WMI calls. When those model outputs are combined with contextual telemetry from an XDR or SIEM and presented to analysts in prioritized workflows, teams can investigate faster and with better precision. Microsoft’s public guidance and product direction show how generative and ML tooling can speed investigation and reduce analyst workload while still requiring human-in-the-loop validation.

Practical, layered controls remain the baseline. National guidance for secure deployments already recommends disabling unnecessary interfaces, including USB ports, and restricting the connection of unauthorised equipment. Hardening devices, enforcing asset inventories for removable media, and scanning any media before it touches critical hosts are simple, high-impact measures. Logging USB activity and feeding that telemetry into detection models and SIEM/XDR pipelines is where AI delivers the most value.

A pragmatic playbook I recommend to teams building an AI-enabled early warning posture for USB threats:

  • Treat USB events as high-fidelity signals. Log insertions, file-system changes, process launches triggered by removable media, and any privilege-elevation events. Route those logs into your SIEM and XDR so models can learn baseline behavior.

  • Deploy gateway scanning or secure media exchange. Tools that quarantine and detonate suspicious payloads at the media boundary reduce blast radius. Honeywell’s reporting is built on telemetry from their Secure Media Exchange product, which illustrates the value of centralized media controls.

  • Use behavior and anomaly detection, not just signatures. Train models to detect lateral steps following a USB insertion, odd file types in OT directories, or previously unseen scripting inside common documents. Correlate those anomalies with asset risk and operational context to avoid alert fatigue.

  • Harden and limit human workflows that require removable media. Where possible replace USB transfers with secured file services, require issued and tracked media only, and disable autorun and macro execution by default. National guidance and sector playbooks emphasize minimizing removable media use and sanitizing media assets.

  • Keep humans central. AI will surface patterns and reduce triage time but will also generate false positives. Maintain analyst review, iterate detection rules based on analyst feedback, and use AI to prioritize work instead of fully automating risky remediation steps without oversight. Microsoft and other vendors explicitly recommend human-led AI controls to balance scale and safety.
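The correlation step that the augmented-triage paragraph and the first and third playbook items describe (tie a USB insertion to the process launches, script-host executions, system-folder writes and privilege elevations that follow it on the same host, then rank by asset risk) can be prototyped before any model is trained. The Python below is an added example written for this post; it is not code from the article, from Honeywell's Secure Media Exchange, or from any Microsoft product. The JSON-lines event schema, the host names, the asset-risk tiers, the indicator weights and the sample log are all constructed for illustration, and the base64 string in the sample is a placeholder blob, not a real payload. The obfuscation check is a deliberately simple rule standing in for the model output an ML pipeline would supply.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical JSON-lines schema (not a
# vendor format). Backslashes are JSON-escaped; the raw string keeps them.
SAMPLE_LOG = r"""
{"ts":"2024-05-06T08:00:00","host":"hmi-02","type":"usb_insert","drive":"E:","serial":"CONSTRUCTED-0001"}
{"ts":"2024-05-06T08:00:42","host":"hmi-02","type":"process_start","image":"winword.exe","parent":"explorer.exe","cmdline":"winword.exe E:\\Report.docm"}
{"ts":"2024-05-06T08:01:05","host":"hmi-02","type":"process_start","image":"powershell.exe","parent":"winword.exe","cmdline":"powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"}
{"ts":"2024-05-06T08:01:30","host":"hmi-02","type":"file_write","path":"C:\\Windows\\Tasks\\update.job"}
{"ts":"2024-05-06T08:02:00","host":"hmi-02","type":"priv_elev","image":"powershell.exe"}
{"ts":"2024-05-06T08:45:00","host":"hmi-02","type":"file_write","path":"C:\\Windows\\Temp\\log.txt"}
{"ts":"2024-05-06T09:10:00","host":"office-pc-07","type":"usb_insert","drive":"D:","serial":"CONSTRUCTED-0002"}
{"ts":"2024-05-06T09:10:30","host":"office-pc-07","type":"process_start","image":"winword.exe","parent":"explorer.exe","cmdline":"winword.exe D:\\minutes.docx"}
{"ts":"2024-05-06T13:00:00","host":"eng-ws-01","type":"process_start","image":"powershell.exe","parent":"cmd.exe","cmdline":"powershell.exe Get-Service"}
"""

# Hypothetical asset criticality tiers (1 = office endpoint, 5 = OT HMI).
ASSET_RISK = {"hmi-02": 5, "eng-ws-01": 3, "office-pc-07": 1}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Assumed weights: what each follow-on indicator adds to an insertion's score.
WEIGHTS = {
    "launch_from_media": 2,
    "script_host_from_document": 2,
    "obfuscated_cmdline": 3,
    "write_to_system_dir": 2,
    "privilege_elevation": 3,
}


def parse_events(text):
    """Parse JSON lines, convert timestamps, and order by host then time so a
    host's events are contiguous."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    events.sort(key=lambda e: (e["host"], e["ts"]))
    return events


def looks_encoded_or_obfuscated(cmdline):
    """Cheap stand-in for a model: an encoded-command switch followed by a long
    blob, or heavy backtick/concatenation use, both common obfuscation tells."""
    tokens = cmdline.lower().split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-e", "-ec", "-enc", "-encodedcommand") and len(tokens[i + 1]) >= 20:
            return True
    return cmdline.count("`") + cmdline.count("+") >= 6


def indicators_for(ev, drive):
    """Indicator names that one follow-on event triggers for the given drive."""
    found = []
    if ev["type"] == "process_start":
        cmd = ev.get("cmdline", "")
        image, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
        if (drive + "\\").lower() in cmd.lower():
            found.append("launch_from_media")
        if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
            found.append("script_host_from_document")
        if image in SCRIPT_HOSTS and looks_encoded_or_obfuscated(cmd):
            found.append("obfuscated_cmdline")
    elif ev["type"] == "file_write" and ev.get("path", "").lower().startswith(SYSTEM_DIRS):
        found.append("write_to_system_dir")
    elif ev["type"] == "priv_elev":
        found.append("privilege_elevation")
    return found


def correlate(events, window=timedelta(minutes=10)):
    """Attribute same-host activity inside `window` to each usb_insert and
    weight the result by asset criticality; quiet insertions produce nothing."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "usb_insert":
            continue
        found = []
        for later in events[i + 1:]:
            # Stop at the next host, the window edge, or a newer insertion.
            if later["host"] != ev["host"] or later["ts"] - ev["ts"] > window:
                break
            if later["type"] == "usb_insert":
                break
            found.extend(indicators_for(later, ev["drive"]))
        if not found:
            continue
        score = sum(WEIGHTS[n] for n in found) * ASSET_RISK.get(ev["host"], 1)
        alerts.append({
            "host": ev["host"], "serial": ev.get("serial"),
            "inserted_at": ev["ts"].isoformat(), "indicators": sorted(set(found)),
            "score": score,
            "severity": "high" if score >= 20 else "medium" if score >= 5 else "low",
        })
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


def build_alerts(text):
    return correlate(parse_events(text))


if __name__ == "__main__":
    for a in build_alerts(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["host"]:14} score={a["score"]:3} {",".join(a["indicators"])}')
```

Two design points matter for the analyst-in-the-loop model the post argues for. First, the rule only scores activity that can be tied to an insertion: the unrelated `powershell.exe Get-Service` on `eng-ws-01` and the file write 45 minutes after the `hmi-02` insertion fall outside the correlation and never reach the queue, which is how alert fatigue is kept down. Second, the asset multiplier means the same document-to-PowerShell chain ranks as high on an HMI and low on an office PC, so the queue already reflects operational context when an analyst picks it up; the weights and the obfuscation heuristic are exactly the parts analyst feedback should tune, or a trained model should replace.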

Finally, assume attackers will adapt. The surge in USB-targeted campaigns is not a passing blip. It is a signal that adversaries value persistence, offline bridging and low-noise footholds. That makes USB controls a strategic priority for organizations that operate OT, critical infrastructure or any environment where air gaps are assumed to be protective. Combine basic hardening, asset and policy controls, centralized media scanning, and AI-powered anomaly detection to convert that early warning into actionable defense. In practice the fastest wins come from pairing low-cost hygiene fixes with investment in telemetry and model-driven triage. Do the basics first, add AI where it accelerates detection and decision making, and keep humans in the loop to validate and refine what the models find.