One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks

Threat actors often reuse infrastructure when launching cyberattacks, leaving behind traces that can be leveraged by defenders. By automating the discovery of malicious infrastructure using graph neural networks (GNNs), defenders can proactively uncover new indicators and block associated infrastructure before it is weaponized. This approach, demonstrated through case studies of phishing campaigns targeting postal services, credit card skimmers, and financial institutions, highlights the effectiveness of continuous monitoring and correlation of threat actor indicators.
