AI & TechNewswire

Phishing regains top spot as attackers test AI tools

Originally published on: April 23, 2026
Summary

– Phishing was the leading initial access method in Q1 2026, accounting for over a third of engagements and overtaking public-facing application exploitation, which had peaked in Q2 2025.
– Attackers used the AI-powered platform Softr to build a credential harvesting page mimicking Microsoft login screens, marking the first time Talos documented a specific AI tool in a confirmed phishing engagement.
– Public administration and healthcare each made up 24% of engagements, tying as the most targeted sectors, with public administration holding the top spot since Q3 2025.
– The cyber extortion group Crimson Collective was first observed in Talos casework, gaining access via an exposed GitHub token and using the open-source tool TruffleHog to search for credentials.
– MFA weaknesses remained the top security gap, appearing in 35% of engagements, with attackers sidestepping protections by registering new devices to compromised accounts or configuring mail clients to connect over paths the MFA requirement did not cover.

Phishing has reclaimed its position as the primary method attackers use to breach organizations, according to Cisco Talos data from the first quarter of 2026. It accounted for more than a third of all engagements where initial access could be identified. This marks the first time phishing has led this category since Q2 2025, when exploitation of public-facing applications surged following widespread attacks on on-premises Microsoft SharePoint servers.

That wave of SharePoint exploitation, collectively tracked as ToolShell, pushed public-facing application attacks to a peak of 62 percent of all engagements. By Q1 2026, that rate had fallen to 18 percent. Talos credits the decline to the broad availability of emergency patches and improved detection coverage.

AI-powered phishing emerged as a notable trend this quarter. In one case, attackers targeting a public administration organization used Softr, an AI-powered web application development platform, to build a credential harvesting page that mimicked Microsoft Exchange and Outlook Web Access login screens. The page was created using a form template and a vibe coding feature, requiring no custom code. Softr pages can automatically send captured data to external storage like Google Sheets and trigger email alerts for new entries, again without any coding required. Talos has moderate confidence that malicious actors have used Softr’s platform for similar purposes since at least May 2023, based on Cisco Umbrella data and other telemetry, with usage increasing over time.

While state-sponsored and criminal groups have been observed using large language models to develop phishing lures and malicious scripts, and DDoS-as-a-service operators have adopted AI algorithms for attack orchestration, this Softr incident is the first time Talos has documented a specific AI tool being used in a confirmed phishing engagement.

Public administration and healthcare each accounted for 24 percent of all engagements, tying as the most targeted sectors. Public administration has held the top position since Q3 2025. Organizations in this sector frequently run legacy systems, operate with limited security budgets, handle sensitive data, and have low tolerance for downtime, making them attractive to both financially motivated attackers and espionage-focused groups.

Crimson Collective, a cyber extortion group that emerged in September 2025, made its first appearance in Talos casework this quarter. The incident began when a GitHub Personal Access Token was accidentally published on a public-facing website, where it sat exposed for several months. After gaining access, the attacker used TruffleHog, a legitimate open-source secrets scanning tool, to search thousands of GitHub repositories for credentials and sensitive data. The client secrets it turned up granted access to the victim’s Azure cloud storage, where the attacker used Microsoft Graph API calls to authenticate, enumerate and exfiltrate data. The attacker also attempted to inject into multiple GitHub repositories code designed to harvest any secrets committed in the future. Expired secrets and existing security controls limited the damage. Talos attributes the activity to Crimson Collective based on IP addresses associated with the group that were used to scan the victim’s ASA firewalls, along with overlap with publicly reported Crimson Collective tactics and techniques.
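The credential-discovery step in that intrusion, TruffleHog sweeping repositories for secrets, rests on two techniques: matching known token formats and flagging opaque high-entropy strings. The Python below is an added example written for this article, not Talos’s code or TruffleHog’s; it runs those same two checks over a constructed sample file, redacts what it finds, and is the kind of check a pre-commit hook or CI job would run to catch a GitHub PAT before it is published. The GitHub token prefixes are the ones GitHub documents; the exact regexes, the entropy threshold and every sample value are this example’s own assumptions.

```python
"""Minimal TruffleHog-style secret scan: known token formats plus a Shannon
entropy check for opaque strings. Added example for this article; not Talos's
or TruffleHog's own code."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Known token shapes. GitHub publishes these prefixes; the exact regexes here
# are this example's own.
KNOWN_FORMATS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
}

# Opaque runs of 20+ token-like characters are candidates for the entropy check.
# '=' is deliberately excluded so KEY=value lines split at the '='.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_~.\-]{20,}")
# Bits per character above which a candidate is treated as a secret. 4.5 is the
# threshold the original TruffleHog used for base64-like strings; that it suits
# a given code base is an assumption, so tune it against false positives.
ENTROPY_THRESHOLD = 4.5


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the scanned text
    kind: str       # which check fired
    redacted: str   # prefix and length only, so reports do not re-leak the secret


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    """Keep a short prefix plus the length: enough to locate, not to reuse."""
    return f"{token[:6]}...[{len(token)} chars]"


def scan_text(text: str) -> list[Finding]:
    """Run both checks over every line. Known formats take precedence, so a
    GitHub PAT is reported once rather than again as a generic opaque string."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        known_spans = []
        for kind, rx in KNOWN_FORMATS.items():
            for m in rx.finditer(line):
                findings.append(Finding(lineno, kind, redact(m.group(0))))
                known_spans.append(m.span())
        for m in CANDIDATE.finditer(line):
            if any(a <= m.start() and m.end() <= b for a, b in known_spans):
                continue
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "high_entropy", redact(token)))
    return findings


# Constructed sample; every value is fake and was made up for this example.
SAMPLE_ENV = """\
# constructed sample env file
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
AZURE_CLIENT_SECRET=Q~7xZp2Lm9Vw4Kt8Rb3Hn6Yd1Fs5Gj0Aq.Xe
DB_PASSWORD=changeme
LOG_LEVEL=information_level_verbose
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV):
        print(f"line {f.line}: {f.kind} {f.redacted}")
    # Expected: line 2 github_pat_classic, line 3 high_entropy. The weak
    # 'changeme' password on line 4 is not caught; that is the technique's
    # blind spot, not a bug.
```

Two points the output makes that the paragraph does not: the low-entropy `changeme` password passes both checks, so scanning complements short-lived, narrowly scoped tokens rather than replacing them; and a token found this way must be revoked, not merely deleted from the file, because the attacker in the Talos case had months to copy it after publication.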

MFA weaknesses remained the top security gap, appearing in 35 percent of engagements this quarter, up from the prior quarter. Attackers bypassed MFA by registering new devices to compromised accounts. In one case, an attacker configured an Outlook client to connect directly to an Exchange server, sidestepping Duo MFA requirements entirely: a client protocol that reaches the mail server without passing through the MFA enforcement point is unprotected however strict the policy on the web login is, so coverage has to be verified per protocol rather than assumed from the portal.

Vulnerable or exposed infrastructure appeared in 25 percent of engagements. Exploited weaknesses included CVE-2025-20393 in Cisco Secure Email Gateway and CVE-2023-20198 in Cisco IOS XE, along with exposed WinRM management ports accessible from the internet.

Insufficient logging affected 18 percent of engagements, limiting investigators’ ability to reconstruct attacker activity. Talos recommends deploying a SIEM for centralized log storage so that logs deleted or modified on individual hosts remain available for forensic review.

Pre-ransomware activity made up 18 percent of engagements. No ransomware encryption occurred this quarter thanks to early containment. Talos assesses with moderate confidence that Rhysida and Money Message ransomware were involved in two of those engagements.

(Source: Help Net Security)
