By Anamarija Pogorelec
Publication Date: 2026-04-22 10:00:00
Phishing returned as the leading method attackers used to break into organizations in the first quarter of 2026, accounting for over a third of engagements where initial access could be determined, according to Cisco Talos. It is the first quarter phishing has led the category since Q2 2025, when exploitation of public-facing applications took over following widespread attacks against on-premises Microsoft SharePoint servers.
That SharePoint exploitation wave, collectively tracked as ToolShell, drove public-facing application exploitation to a peak of 62 percent of engagements. The rate dropped to 18 percent in Q1 2026, a decline Talos attributes to the broad availability of emergency patches and improved detection coverage.
AI tool used to build credential harvesting page
One phishing incident this quarter involved a technique Talos had not previously documented in its casework. Attackers targeting a public administration organization used Softr, an AI-powered web…