IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist
Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing has not been the top vector for initial access since Q2 2025. Public administration and health care tied as the most targeted industry verticals, each accounting for 24 percent of all engagements. This is the third consecutive quarter where public administration has been the most targeted industry vertical.
Pre-ransomware incidents made up just 18 percent of engagements this quarter, and we did not observe any ransomware deployment due to early and swift mitigation from Cisco Talos Incident Response (Talos IR). This is a slight increase from last quarter but overall very low compared to Q1 and Q2 2025, when we observed ransomware in 50 percent of engagements.
AI tool leveraged in phishing campaign

Talos IR responded to a campaign that leveraged phishing, the most common means of initial access this quarter, to compromise the most targeted industry vertical this quarter: public administration. Notably, the actors leveraged the Softr AI-based web application development service, marking the first time we have documented the use of a specific AI tool by an adversary in a phishing campaign. Softr was used to generate a credential harvesting page targeting users' Microsoft Exchange and Outlook Web Access (OWA) accounts.
State-sponsored and criminal actors have been observed abusing large language models (LLMs) to aid in the development of phishing lures, malicious scripts, and other tasks. DDoS-as-a-service actors have adopted AI algorithms for defense evasion and attack orchestration. While this is the first time we have documented the use of a specific AI tool in a Talos IR incident, we have moderate confidence that malicious actors have used Softr's AI-powered web application creation platform since at least May 2023, based on Cisco Umbrella data and other telemetry, and have done so with increasing frequency to date.
This incident demonstrates how AI tools can lower the barrier to entry for less sophisticated actors and/or accelerate the speed of phishing and credential-harvesting campaigns. Using a form template and the "vibe coding" feature, a phishing page like the one used in this attack could be quickly created with a few AI prompts and no code. Phishing pages built with Softr can direct data to a disposable external data store, such as Google Sheets, and send alerts for new captures via email, all without code.
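The defensive takeaway from this campaign is that the credential-harvesting page lived on a third-party no-code hosting platform while impersonating OWA, so a form POST carrying a password field that leaves the organization for a host that is neither the real mail server nor the identity provider is the thing to hunt for. The following Python is an added example written for this article, not Talos tooling or anything from Softr; it runs a simple scoring rule over constructed web-proxy log lines (the log format, the hostnames, the `TRUSTED_AUTH_HOSTS` and `LOW_CODE_HOSTS` lists, and the `.appbuilder.example` hosting domain are all assumptions made for the example; `softr.app` is included as an assumed hosted-app domain and should be checked against your own telemetry before use).

```python
"""Hunt proxy logs for OWA-themed credential submissions to third-party hosting.

Added example for this article; the log format and every host below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real telemetry). Format assumed:
#   METHOD URL referer=REFERER fields=comma,separated,form,field,names
SAMPLE_LOGS = [
    # legitimate OWA logon to the organization's own mail server
    "POST https://mail.example.gov/owa/auth.owa referer=https://mail.example.gov/owa/ fields=username,password",
    # OWA-branded page hosted on a no-code app builder, posting the password elsewhere
    "POST https://owa-example-gov.appbuilder.example/submit referer=https://owa-example-gov.appbuilder.example/outlook-web-access fields=email,password",
    # ordinary browsing, no form data
    "GET https://www.example.com/ referer=- fields=-",
    # external form post with no credential field
    "POST https://forms.example.net/api/form referer=https://forms.example.net/survey fields=name,feedback",
    # outlook-themed lure on generic hosting, no builder platform involved
    "POST https://random.example.org/login referer=https://random.example.org/outlook fields=user,password",
]

# Hosts that legitimately receive your users' mail credentials (assumption for the example).
TRUSTED_AUTH_HOSTS = {"mail.example.gov", "login.microsoftonline.com"}
# Hosted-app domains of no-code / low-code builders (assumed; verify against your own data).
LOW_CODE_HOSTS = {"appbuilder.example", "softr.app"}
# Form field names that indicate a credential is being submitted.
CRED_FIELDS = {"password", "passwd", "pwd"}
# Words an OWA / Exchange lure typically carries in its URL or referer.
OWA_LURE = re.compile(r"owa|outlook|exchange|webmail", re.I)

LINE = re.compile(r"^(?P<method>\w+) (?P<url>\S+) referer=(?P<ref>\S+) fields=(?P<fields>\S+)$")


def parse(line):
    """Parse one constructed log line into a dict; return None on malformed input."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = set() if rec["fields"] == "-" else set(rec["fields"].split(","))
    return rec


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_lowcode(host):
    """True if host is, or is a subdomain of, a known app-builder hosting domain."""
    return any(host == h or host.endswith("." + h) for h in LOW_CODE_HOSTS)


def classify(rec):
    """Score one request: ("high"|"medium", host) for suspicious credential posts, else None."""
    if rec["method"] != "POST" or not (rec["fields"] & CRED_FIELDS):
        return None                      # not a credential submission
    host = host_of(rec["url"])
    if host in TRUSTED_AUTH_HOSTS:
        return None                      # the real mail server / IdP
    lure = bool(OWA_LURE.search(rec["url"] + " " + rec["ref"]))
    lowcode = is_lowcode(host)
    if lure and lowcode:
        return ("high", host)            # OWA-branded page on a no-code platform
    if lure or lowcode:
        return ("medium", host)
    return None


def hunt(lines):
    """Return (severity, host, url) for every suspicious credential post in the log."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            hits.append((verdict[0], verdict[1], rec["url"]))
    return hits


if __name__ == "__main__":
    for severity, host, url in hunt(SAMPLE_LOGS):
        print(f"{severity:6} {host:40} {url}")
```

The rule deliberately keys on the destination of the password rather than on a page's appearance, since a page generated from a builder template and a few prompts can be recreated under a new name in minutes; the host allowlist is the part you need to maintain, and the builder-domain list should be fed from your own DNS or proxy telemetry rather than from this example.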