Phishing returned as the leading method attackers used to break into organizations in the first quarter of 2026, accounting for over a third of engagements where initial access could be determined, according to Cisco Talos. It is the first quarter phishing has led the category since Q2 2025, when exploitation of public-facing applications took over following widespread attacks against on-premises Microsoft SharePoint servers.
That SharePoint exploitation wave, collectively tracked as ToolShell, drove public-facing application exploitation to a peak of 62 percent of engagements. The rate dropped to 18 percent in Q1 2026, a decline Talos attributes to the broad availability of emergency patches and improved detection coverage.
AI tool used to build credential harvesting page
One phishing incident this quarter involved a technique Talos had not previously documented in its casework. Attackers targeting a public administration organization used Softr, an AI-powered web application development platform, to build a credential harvesting page that mimicked Microsoft Exchange and Outlook Web Access login screens. The page was built using a form template and a vibe coding feature, requiring no custom code.
Softr pages can send captured data to external storage such as Google Sheets and trigger email alerts for new entries, also without code. Talos has moderate confidence that malicious actors have used Softr’s platform for similar purposes since at least May 2023, based on Cisco Umbrella data and other telemetry, with usage increasing over time.
State-sponsored and criminal groups have been observed using large language models to develop phishing lures and malicious scripts. DDoS-as-a-service operators have adopted AI algorithms for attack orchestration. The Softr incident is the first time Talos documented a specific AI tool being used in a confirmed phishing engagement.
Public administration targeted for third consecutive quarter
Public administration and healthcare each accounted for 24 percent of all engagements, tying as the most targeted sectors. Public administration has held the top position since Q3 2025. Organizations in that sector frequently run legacy systems, operate with limited security budgets, handle sensitive data, and have low tolerance for downtime, making them attractive to both financially motivated attackers and espionage-focused groups.
Crimson Collective makes its first appearance in Talos casework
Talos responded to its first engagement involving Crimson Collective, a cyber extortion group that emerged in September 2025. The incident began when a GitHub Personal Access Token was accidentally published on a public-facing website, exposing the organization for several months.
After gaining access, the attacker used TruffleHog, a legitimate open-source secrets scanning tool, to search thousands of GitHub repositories for credentials and sensitive data. The discovered client secrets enabled access to the victim’s Azure cloud storage, where the attacker used Microsoft Graph API calls to authenticate, enumerate, and exfiltrate data. The attacker also attempted to inject malicious code into multiple GitHub repositories designed to harvest any secrets committed in the future. Expired secrets and existing security controls limited the damage.
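A defensive counterpart to the secret hunting described above, added here as an example that is not part of the Talos report: a small pre-commit style scan that flags GitHub classic token shapes and high-entropy quoted strings in staged file content so that a leaked token is caught before it reaches a public repository. The ghp_ prefix is GitHub's documented classic personal access token format; the entropy threshold, the generic rule and the sample lines are assumptions constructed for this example.

```python
import math
import re

# Rules assumed for this example. GitHub documents the ghp_ prefix for classic
# personal access tokens; the entropy cut-off is an assumed value to be tuned.
GITHUB_PAT = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")
QUOTED = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{32,})[\"']")
ENTROPY_THRESHOLD = 4.0  # bits per character


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str) -> list:
    """Return (line_no, kind, value) for each suspected secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # A known token shape wins over the generic entropy rule, so a
        # recognised token is reported once with a precise kind.
        pat_hits = [m.group(0) for m in GITHUB_PAT.finditer(line)]
        for value in pat_hits:
            findings.append((line_no, "github_classic_pat", value))
        if pat_hits:
            continue
        for m in QUOTED.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high_entropy_string", value))
    return findings


# Constructed sample of staged file content. Both secret-looking values are
# placeholders made up for this example, not real credentials.
SAMPLE = "\n".join([
    'API_URL = "https://api.example.com/v1"',
    'GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"',
    'CLIENT_SECRET = "Qz8vT1mX4kLp9Ra2Wn7Bc3Hd6Jf0Ys5Ue1Gi"',
    'LABEL = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',
])

if __name__ == "__main__":
    for line_no, kind, value in find_secrets(SAMPLE):
        print(f"line {line_no}: {kind}: {value[:8]}... (block this commit)")
```

Run as a pre-commit hook over the staged diff, a non-empty result should fail the commit; the low-entropy LABEL value and the URL are deliberately left unflagged to show the rules' limits.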
Talos attributes the activity to Crimson Collective based on IP addresses associated with the group that were used to scan the victim’s ASA firewalls, along with overlap with publicly reported Crimson Collective tactics and techniques.
MFA weaknesses remained the top security gap
MFA weaknesses appeared in 35 percent of engagements this quarter, up from the prior quarter. Attackers bypassed MFA by registering new devices to compromised accounts and, in one case, configuring an Outlook client to connect directly to an Exchange server, sidestepping Duo MFA requirements entirely.

Vulnerable or exposed infrastructure appeared in 25 percent of engagements. Exploited weaknesses included CVE-2025-20393 in Cisco Secure Email Gateway and CVE-2023-20198 in Cisco IOS XE, along with exposed WinRM management ports accessible from the internet.
Insufficient logging affected 18 percent of engagements, limiting investigators’ ability to reconstruct attacker activity. Talos recommends deploying a SIEM for centralized log storage so that logs deleted or modified on individual hosts remain available for forensic review.
Pre-ransomware activity made up 18 percent of engagements. No ransomware encryption occurred this quarter due to early containment. Talos assesses with moderate confidence that Rhysida and MoneyMessage ransomware were involved in two of those engagements.