Dive Brief:
- Phishing was the most common way hackers breached their targets in the first quarter of 2026, after nearly a year out of the top spot, Cisco’s Talos threat intelligence team said in a report published on Wednesday.
- Nearly 20% of Cisco’s incident-response engagements involved the preliminary stages of a ransomware attack, according to the report — significantly lower than in the first two quarters of 2025, when it was 50%.
- Cisco also said it saw hackers using AI to improve phishing attacks.
Dive Insight:
Cisco described a credential-harvesting scheme in which attackers used the Softr AI platform to build a website that mimicked the Outlook Web Access login page. Cisco said this was “the first time we have documented the use of a specific AI tool by an adversary in a phishing campaign.” The company said it was fairly confident that attackers have been using Softr for credential-harvesting websites since May 2023 “and have done so with increasing frequency to date.”
The hackers could even have connected their fake login page to a third-party service like Google Sheets for automatic collection of stolen credentials, complete with notifications every time someone tried to log in — all without writing a single line of code.
“This incident demonstrates how AI tools can lower the barrier to entry for less sophisticated actors and/or accelerate the speed of phishing and credential-harvesting campaigns,” Cisco researchers wrote.
Government agencies and health-care organizations tied for the most common targets in the first quarter of 2026, according to the report. The government sector first claimed the top spot in Cisco’s data in Q3 2025 and has held it since then. Government agencies, which often are underfunded and full of outdated equipment, “may have access to sensitive data as well as a low downtime tolerance,” Cisco said, “making them attractive to financially motivated and espionage-focused threat groups.”
After the government and health-care sectors, the most common targets were in the professional, scientific and technical-services sector, the report said.
Deficient multifactor authentication was the most common security weakness leading to intrusions in the first quarter, according to Cisco, which said 35% of its engagements involved that problem. Sometimes, MFA wasn’t turned on; other times, it was active but misconfigured.
“Adversaries were able to bypass MFA by registering new devices to previously compromised accounts, and in one instance, by configuring Outlook clients to connect directly to Exchange servers, circumventing MFA requirements,” researchers wrote. “Addressing these weaknesses, especially by restricting self-service MFA enrollment and enforcing strong, centralized authentication policies, is essential to reducing risk and strengthening organizational resilience.”
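The two bypass patterns Cisco describes leave a trail in authentication logs: an MFA method registered shortly after a sign-in from an address the account has never used, and a mail client authenticating over a legacy protocol without satisfying MFA. The following Python script is an added example, not code from Cisco or the Talos report; the event format, event names (`SignIn`, `AuthMethodRegistered`), the `auth_protocol` value `legacy_basic`, and the sample records are all constructed for illustration and will need mapping onto whatever identity provider and mail platform a team actually runs.

```python
from datetime import datetime, timedelta

# Constructed sample events (not any vendor's real log schema). Each record is a
# simplified sign-in/audit entry: who, when, what happened, from which IP, and
# whether the sign-in satisfied the tenant's MFA requirement.
SAMPLE_EVENTS = [
    # alice: sign-in from an unfamiliar IP, then a new MFA method 3.5 min later
    {"ts": "2026-02-03T08:02:10Z", "user": "alice", "event": "SignIn",
     "ip": "203.0.113.7", "client": "Browser", "mfa_satisfied": True},
    {"ts": "2026-02-03T08:05:41Z", "user": "alice", "event": "AuthMethodRegistered",
     "ip": "203.0.113.7", "client": "Browser"},
    # bob: routine registration from an IP already in the baseline
    {"ts": "2026-02-03T09:15:00Z", "user": "bob", "event": "SignIn",
     "ip": "198.51.100.20", "client": "Browser", "mfa_satisfied": True},
    {"ts": "2026-02-04T11:30:00Z", "user": "bob", "event": "AuthMethodRegistered",
     "ip": "198.51.100.20", "client": "Browser"},
    # carol: mail client talking to the mailbox over a legacy protocol, no MFA
    {"ts": "2026-02-05T22:47:19Z", "user": "carol", "event": "SignIn",
     "ip": "192.0.2.99", "client": "Outlook", "auth_protocol": "legacy_basic",
     "mfa_satisfied": False},
]

# Per-user baseline of IPs observed during a prior trusted period (constructed).
KNOWN_IPS = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.20"},
    "carol": {"198.51.100.30"},
}


def parse_ts(ts: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_risky_mfa_registrations(events, known_ips, window=timedelta(hours=24)):
    """Flag MFA-method registrations that follow, within `window`, a successful
    sign-in from an IP the user has never used. This is the 'register a new
    device to an already compromised account' pattern from the report."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    last_unfamiliar = {}  # user -> (time, ip) of latest sign-in from unknown IP
    findings = []
    for e in ordered:
        t = parse_ts(e["ts"])
        if e["event"] == "SignIn":
            if e["ip"] not in known_ips.get(e["user"], set()):
                last_unfamiliar[e["user"]] = (t, e["ip"])
        elif e["event"] == "AuthMethodRegistered":
            prior = last_unfamiliar.get(e["user"])
            if prior and t - prior[0] <= window:
                findings.append({
                    "user": e["user"],
                    "registered_at": e["ts"],
                    "signin_ip": prior[1],
                    "seconds_after_signin": int((t - prior[0]).total_seconds()),
                })
    return findings


def find_mfa_bypass_signins(events, legacy_protocols=("legacy_basic",)):
    """Flag mail-client sign-ins that completed over a legacy protocol without
    satisfying MFA: the 'client connects directly to the mail server' pattern.
    The protocol label is a constructed placeholder for whatever the real
    platform logs for non-modern authentication."""
    return [
        e for e in events
        if e["event"] == "SignIn"
        and e.get("mfa_satisfied") is False
        and e.get("auth_protocol") in legacy_protocols
    ]


if __name__ == "__main__":
    for f in find_risky_mfa_registrations(SAMPLE_EVENTS, KNOWN_IPS):
        print("MFA method added soon after unfamiliar sign-in:", f)
    for e in find_mfa_bypass_signins(SAMPLE_EVENTS):
        print("legacy-protocol sign-in without MFA:", e["user"], e["ip"], e["client"])
```

The registration check is the detection counterpart to the report's mitigation advice: if self-service MFA enrollment is restricted, a registration event that an administrator did not initiate is itself the alert, and the unfamiliar-IP correlation only narrows the triage. The legacy-protocol check only works if the platform records which authentication protocol each mail client used, which is exactly the logging gap the report lists among its other common weaknesses.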
Other common problems that Cisco saw in Q1 included vulnerable internet-facing infrastructure (25% of engagements) and inadequate logging capabilities (18%).