Apr 22
Phishing Surges Back as Top Initial Access Vector in Early 2026
Phishing returned as the most common method attackers used to compromise organizations in the first quarter of 2026, accounting for more than a third of incidents where initial access was identified.
It is the first time phishing has led since mid‑2025, when exploitation of public‑facing applications spiked following widespread attacks on on‑premises Microsoft SharePoint servers. That exploitation wave, tracked as ToolShell, had driven application‑layer attacks to 62 percent of engagements before dropping sharply to 18 percent this quarter due to emergency patches and improved detection.
Investigators also observed a notable shift in attacker tradecraft with the first confirmed use of a specific AI platform to build a phishing infrastructure. In one case, adversaries targeting a public administration organization used Softr, an AI‑driven web application builder, to generate a credential harvesting page that replicated Microsoft Exchange and Outlook Web Access login screens. The page was assembled using templates and Softr’s automated “vibe coding” feature, requiring no custom code. Telemetry suggests malicious actors have been abusing the platform for similar activity since at least 2023, with usage rising over time.
Public administration and healthcare were the most targeted sectors, each representing 24 percent of engagements. Public administration has remained the top target for three consecutive quarters, driven by legacy systems, limited security budgets, sensitive data, and low tolerance for downtime — conditions that appeal to both financially motivated attackers and espionage‑focused groups.
The quarter also included the first incident attributed to Crimson Collective, a cyber‑extortion group that emerged in late 2025. The intrusion began when a GitHub Personal Access Token was inadvertently exposed on a public website, giving the attacker months of access. Using the legitimate secrets‑scanning tool TruffleHog, the actor searched thousands of repositories for credentials, ultimately accessing Azure cloud storage and attempting to inject malicious code into multiple GitHub repositories. Expired credentials and existing controls limited the impact.
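The incident above began with a GitHub Personal Access Token published on a public website. As an added example (not from the report or from any of the tools it names), the following Python checker scans text before it is published, flags anything shaped like a classic GitHub token, and uses GitHub's documented token layout (3-letter prefix, 30 base62 characters, then a 6-character base62 CRC32 checksum of those 30 characters) to separate real tokens from look-alikes; the digit ordering of the base62 alphabet and all sample values are assumptions constructed here.

```python
import re
import zlib

# Documented classic-token layout: prefix, "_", 30 base62 chars, 6-char CRC32
# checksum (base62, zero-padded). The alphabet ordering below is assumed.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PAT_RE = re.compile(r"\b(gh[pousr])_([0-9A-Za-z]{30})([0-9A-Za-z]{6})\b")


def base62_checksum(body: str) -> str:
    """CRC32 of the 30-character body, base62-encoded, zero-padded to 6."""
    n = zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF
    digits = ""
    while n:
        n, rem = divmod(n, 62)
        digits = BASE62[rem] + digits
    return digits.rjust(6, "0")


def make_sample_token(prefix: str, body: str) -> str:
    """Build a self-consistent sample token (constructed; not a real secret)."""
    return f"{prefix}_{body}{base62_checksum(body)}"


def redact(token: str) -> str:
    """Never echo a whole candidate secret into logs or review comments."""
    return token[:8] + "..." + token[-4:]


def find_tokens(text: str):
    """Return (line_no, redacted_token, checksum_ok) for each token-shaped hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAT_RE.finditer(line):
            ok = base62_checksum(m.group(2)) == m.group(3)
            hits.append((line_no, redact(m.group(0)), ok))
    return hits


# Constructed page content: one well-formed token, one look-alike whose
# checksum cannot match, and an unrelated line.
SAMPLE_BODY = "A" * 30  # constructed body, not random
SAMPLE_PAGE = "\n".join([
    "deploy:",
    "  token: " + make_sample_token("ghp", SAMPLE_BODY),
    "  note: ghp_" + "B" * 36 + "  # look-alike, checksum will not match",
    "  region: eastus",
])

if __name__ == "__main__":
    for line_no, tok, ok in find_tokens(SAMPLE_PAGE):
        print(f"line {line_no}: {tok} checksum_ok={ok}")
```

A hit with a matching checksum should block publication and trigger revocation of the token; a mismatch is usually a false positive but still worth a look.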
Weaknesses in multi‑factor authentication remained the most common security gap, appearing in 35 percent of engagements. Attackers bypassed MFA by registering new devices to compromised accounts and, in one case, configuring an Outlook client to connect directly to an Exchange server, avoiding Duo MFA entirely. Vulnerable or exposed infrastructure appeared in 25 percent of cases, including exploitation of CVE‑2025‑20393 in Cisco Secure Email Gateway, CVE‑2023‑20198 in Cisco IOS XE, and exposed WinRM ports. Insufficient logging affected 18 percent of engagements, hindering forensic reconstruction. Pre‑ransomware activity also accounted for 18 percent of cases, though no ransomware was deployed due to early containment. Analysts assess with moderate confidence that Rhysida and MoneyMessage ransomware operators were involved in two of those incidents.