
Phishing Leads Initial Access While Attackers Explore AI Tools

In the first quarter of 2026, phishing was the most common initial access method in Cisco Talos incident response engagements, accounting for more than a third of cases in which the entry method could be determined. Phishing last led in Q2 2025; in the quarters between, exploitation of public-facing applications dominated, driven largely by attacks on on-premises Microsoft SharePoint servers.

That wave of SharePoint exploitation, tracked collectively as ToolShell, pushed public-facing application exploitation to a high of 62 percent of engagements. In Q1 2026 the share fell to 18 percent, a decline Talos attributes to the broad availability of emergency patches and to improved detection of the technique.

AI Tool Utilized to Create Credential Harvesting Page

This quarter, one phishing incident involved a technique Talos had not previously documented. Attackers targeting a public administration organization used Softr, an AI-driven web application builder, to create a credential harvesting page that closely mimicked the Microsoft Exchange and Outlook Web Access login forms. Because they built it from a form template and the platform's vibe-coding feature, no custom code was needed.

Softr also lets a page send captured form data to external storage such as Google Sheets and trigger email alerts on new entries, again without any coding. Note that this is abuse of a legitimate service, not exploitation of a vulnerability in it. Based on Cisco Umbrella data and additional telemetry, Talos assesses with moderate confidence that malicious actors have abused Softr in similar ways since at least May 2023, with usage trending upward.

Both state-sponsored and criminal organizations have been seen leveraging large language models to develop phishing lures and malicious scripts. Additionally, DDoS-as-a-service operators are adopting AI algorithms for orchestrating attacks. This incident marks the first time Talos has documented the use of a specific AI tool in a confirmed phishing engagement.

Public Administration Targeted for the Third Consecutive Quarter

Public administration and healthcare sectors each comprised 24 percent of total engagements, making them the most targeted industries. Public administration has maintained its leading position since Q3 2025. Organizations in this sector often operate outdated systems, work with limited security budgets, handle sensitive information, and generally have low tolerance for downtime. These characteristics make them appealing targets for both financially driven attackers and espionage-focused actors.

Crimson Collective Makes Its Debut in Talos Casework

This quarter, Talos handled its first case involving Crimson Collective, a cyber extortion group that emerged in September 2025. The incident began with a GitHub Personal Access Token that had been inadvertently published on a public website, leaving the organization exposed for several months before the attacker made use of it.

Once inside, the attacker ran TruffleHog, a legitimate open-source secret scanner, across thousands of the victim's GitHub repositories looking for credentials and other sensitive data. Client secrets recovered this way gave the attacker access to the victim's Azure cloud storage, where Microsoft Graph API calls were used to authenticate, enumerate, and exfiltrate data. The attacker also attempted to inject malicious code into several GitHub repositories in order to harvest secrets committed in the future. Expired secrets and pre-existing security controls limited the impact of the breach.
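The defensive counterpart to what the attacker did with TruffleHog is to scan your own repositories first. The following is an added example, not Talos's or Crimson Collective's tooling and not TruffleHog itself: a minimal scanner in the same spirit, run over a constructed set of repository files. It flags GitHub tokens by their documented prefixes (classic PATs begin with `ghp_`, fine-grained PATs with `github_pat_`) and flags high-entropy values assigned to secret-looking variable names. The sample files, the token strings and the keyword list are all assumptions made up for the example.

```python
"""Added example: a small TruffleHog-style secret scanner over an in-memory
repository. Not Talos's, Crimson Collective's or TruffleHog's code."""
import math
import re
from collections import Counter

# Documented GitHub token formats: classic PAT = "ghp_" + 36 alphanumerics,
# fine-grained PAT = "github_pat_" + 22 chars + "_" + 59 chars.
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(
        r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}

# Assumption: a value assigned to a name containing one of these words is
# worth an entropy check even when no known prefix matches.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|token|key|password|passwd)[A-Z0-9_]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; tune per code base


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[dict]:
    """Return findings for one file: prefix matches first, then
    high-entropy assignments that no prefix already explained."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"file": path, "line": lineno,
                                 "kind": kind, "value": m.group(0)})
        for m in ASSIGNMENT.finditer(line):
            var, value = m.group(1), m.group(2)
            if any(p.search(value) for p in TOKEN_PATTERNS.values()):
                continue  # already reported by its documented prefix
            ent = shannon_entropy(value)
            if ent >= ENTROPY_THRESHOLD:
                findings.append({"file": path, "line": lineno,
                                 "kind": "high_entropy_assignment",
                                 "variable": var, "entropy": round(ent, 2),
                                 "value": value})
    return findings


def scan_repo(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> file contents and collect all findings."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository (not real data). The token-shaped strings are
# fabricated and merely match the documented formats.
SAMPLE_REPO = {
    "deploy/config.yml":
        "github_token: ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\nregion: eastus\n",
    "app/settings.py":
        'AZURE_CLIENT_SECRET = "kX9vQ2mL7rT4pW8zN3bH6cJ1dF5gS0yA"\nDEBUG = False\n',
    "README.md":
        "Set PASSWORD=changeme_changeme locally before running tests.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f)
```

Run this as a pre-commit hook or CI step and fail the build on any finding. The README placeholder is deliberately not flagged: its entropy is low, which is the distinction a scanner needs to avoid drowning real leaks in noise. A prefix match, by contrast, should always block regardless of entropy.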

Talos links this activity to Crimson Collective based on IP addresses associated with the group that were used to scan the victim’s ASA firewalls, as well as similarities to publicly reported tactics and techniques of Crimson Collective.

MFA Weaknesses Continue to Be a Significant Security Gap

Weaknesses in multi-factor authentication (MFA) appeared in 35 percent of engagements this quarter, up from the previous quarter. Attackers bypassed MFA by registering new devices on accounts they had already compromised; in one case they configured an Outlook client to connect directly to the Exchange server, a path on which Duo MFA was never enforced.
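Both of those MFA failures leave traces that can be correlated. The following is an added example, not Talos's detection content: a small correlation over constructed, simplified sign-in and audit events that flags (a) an interactive sign-in from an IP the account has never used, followed within a short window by enrollment of a new MFA device, and (b) any sign-in through a client that the environment treats as MFA-exempt. The event field names, the 30-minute window and the `MFA_EXEMPT_CLIENTS` label set are assumptions modelled loosely on identity-provider sign-in and audit logs, not a real schema.

```python
"""Added example: correlate sign-ins and MFA enrollments to spot the
MFA-bypass patterns described above. Not Talos's code; schema is assumed."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption: enrollment this soon after a new-IP sign-in is suspect

# Assumption: client labels that reach the mailbox on a path without MFA
# enforcement. Adapt to what your own sign-in logs actually record.
MFA_EXEMPT_CLIENTS = {"Outlook (legacy auth)"}

# Constructed sample events (not real telemetry), simplified to the fields
# the logic needs. "signin" = successful interactive sign-in,
# "mfa_register" = a new authenticator enrolled on the account.
EVENTS = [
    {"ts": "2026-02-03T08:02:11", "user": "alice", "type": "signin",
     "ip": "203.0.113.10", "client": "Browser"},
    {"ts": "2026-02-03T08:05:40", "user": "alice", "type": "signin",
     "ip": "203.0.113.10", "client": "Browser"},
    {"ts": "2026-02-10T14:21:05", "user": "alice", "type": "signin",
     "ip": "198.51.100.77", "client": "Browser"},
    {"ts": "2026-02-10T14:24:30", "user": "alice", "type": "mfa_register",
     "ip": "198.51.100.77", "client": "Browser"},
    {"ts": "2026-02-11T09:00:00", "user": "bob", "type": "signin",
     "ip": "203.0.113.22", "client": "Browser"},
    {"ts": "2026-02-11T09:45:00", "user": "bob", "type": "mfa_register",
     "ip": "203.0.113.22", "client": "Browser"},
    {"ts": "2026-02-12T10:00:00", "user": "carol", "type": "signin",
     "ip": "192.0.2.5", "client": "Outlook (legacy auth)"},
]


def detect(events: list[dict]) -> list[dict]:
    """Stream events in time order and return alerts.

    Rule 1: mfa_register within WINDOW of the user's first sign-in from an
            IP not in that user's history (history must already exist, so a
            brand-new account does not fire on its very first sign-in).
    Rule 2: any sign-in whose client is in MFA_EXEMPT_CLIENTS.
    """
    seen_ips: dict[str, set] = {}          # user -> IPs with prior sign-ins
    recent_new_ip: dict[str, tuple] = {}   # user -> (time, ip) of last new-IP sign-in
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        if e["type"] == "signin":
            if e["client"] in MFA_EXEMPT_CLIENTS:
                alerts.append({"user": user, "rule": "mfa_exempt_client_signin",
                               "ip": e["ip"], "ts": e["ts"]})
            known = seen_ips.setdefault(user, set())
            if known and e["ip"] not in known:
                recent_new_ip[user] = (ts, e["ip"])
            known.add(e["ip"])
        elif e["type"] == "mfa_register":
            prior = recent_new_ip.get(user)
            if prior and ts - prior[0] <= WINDOW:
                alerts.append({"user": user,
                               "rule": "mfa_device_added_after_new_ip_signin",
                               "ip": prior[1], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

On the sample data alice fires rule 1 (new IP at 14:21, device enrolled three minutes later) and carol fires rule 2, while bob stays quiet: his enrollment comes 45 minutes after a sign-in that had no baseline to compare against. In production the IP history should be seeded from weeks of logs rather than built on the fly, and rule 2 is only as good as the client labels, so confirm with your own sign-in data which clients really do skip MFA before alerting on them.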


Vulnerable infrastructure was a factor in 25 percent of engagements, including unpatched CVE-2025-20393 in Cisco Secure Email Gateway and CVE-2023-20198 in Cisco IOS XE, as well as WinRM management ports reachable from the internet.

Insufficient logging affected 18 percent of engagements, preventing investigators from fully reconstructing attacker activity. Talos recommends forwarding logs to a SIEM so that a copy survives even when the attacker deletes or alters logs on the individual hosts.

Pre-ransomware activity accounted for 18 percent of engagements. Fortunately, ransomware encryption did not occur this quarter due to timely containment. Talos assesses, with moderate confidence, that Rhysida and MoneyMessage ransomware were involved in two of these incidents.


Taken together, the Q1 2026 data shows phishing back in the lead for initial access, AI tooling lowering the effort needed to build convincing lures, and MFA gaps and exposed infrastructure still doing much of the work for attackers once they have a foothold. The practical priorities follow directly: close the MFA bypass paths (device enrollment policies, legacy client protocols), keep public-facing applications patched, get secrets out of repositories, and centralize logging so that investigations are not blind.
