Phishing top entry vector in Q1 2026; public sector targeted
Cisco Talos reported phishing was the top initial access vector in Q1 2026, used in over one-third of incidents; public administration and health care each made up 24% of Talos IR engagements.
Cisco Talos reported that phishing returned as the leading initial access method in the first quarter of 2026, appearing in more than one-third of incidents where the entry vector could be determined. Public administration and health care each accounted for 24 percent of Talos Incident Response engagements; public administration has been the most targeted sector for three consecutive quarters.
The Talos report covers activity observed in Q1 2026 and shows a shift away from exploitation of public-facing applications that dominated much of 2025. Valid account compromise was the second most common entry method, present in 24 percent of engagements. The report notes exploitation of public-facing applications declined from a high in 2025 to 18 percent in Q1 2026.
Talos IR reported no successful ransomware encryptions in Q1 2026 because incidents were stopped at the pre-ransomware stage through early mitigation. Pre-ransomware events made up 18 percent of engagements, a slight increase from the prior quarter but far lower than the roughly 50 percent of engagements that involved ransomware in the first half of 2025. Talos attributed at least two pre-ransomware incidents to the Rhysida and MoneyMessage families.
In a Rhysida-linked case, initial access used Gootloader and the attackers deployed proxy-related DLLs consistent with the MeowBackConn backdoor. The intrusion exploited environmental weaknesses including exposed WinRM ports, over-privileged service accounts and gaps in logging. Remote Desktop Protocol was used for lateral movement in that engagement.
The report documents the first Talos IR observation of a phishing campaign that used a commercial AI web app builder, Softr, to host a credential-harvesting page targeting Microsoft Exchange and Outlook Web Access users. Adversaries assembled the phishing page using Softr form templates and an AI “vibe coding” feature with minimal coding. Captured credentials could be sent to disposable data stores such as Google Sheets and trigger email alerts. Talos reported moderate confidence that attackers have used Softr’s AI features since May 2023 based on telemetry.
Talos IR also logged its first engagement involving Crimson Collective, a cyber extortion group that emerged in September 2025. That incident began when a GitHub Personal Access Token was exposed on a public website. The attacker ran TruffleHog to scan repositories for additional secrets, then used discovered client secrets to access Azure cloud storage via Microsoft Graph API calls, enabling data access and exfiltration. The adversary attempted to inject code into repositories to capture future secrets, but many attempts were limited by expired credentials and defensive controls.
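The Crimson Collective chain above started with a token that should never have reached a public page. The following added example (not Talos, TruffleHog or Crimson Collective code) is a small pre-publish scanner that flags GitHub token-shaped strings in text and filters out low-entropy placeholders; the prefixes and lengths are assumed from GitHub's published token formats, and the sample config is constructed.

```python
"""Pre-publish secret scan: flag GitHub token-shaped strings before a file
is pushed to a repository or a public website (added example)."""
import math
import re
from collections import Counter

# Token shapes assumed from GitHub's published prefixes: classic tokens are
# gh{p,o,u,s,r}_ followed by 36 alphanumerics; fine-grained tokens start
# with github_pat_ and are considerably longer.
PATTERNS = {
    "github_classic": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{40,}\b"),
}
MIN_ENTROPY = 3.0  # bits per character; random tokens score well above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string, used to drop placeholders like ghp_xxx."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def mask(token: str) -> str:
    """Never log the full secret; keep only enough to locate it."""
    return token[:8] + "..." + token[-4:]


def scan_text(text: str):
    """Return a list of findings: line number, token kind and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                tok = m.group(0)
                if shannon_entropy(tok) < MIN_ENTROPY:
                    continue  # repeated-character placeholder, not a secret
                findings.append({"line": lineno, "kind": kind, "token": mask(tok)})
    return findings


# Constructed sample: one documentation placeholder, one random-looking token
SAMPLE = """\
# deploy.env (constructed sample)
GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BACKUP_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
API_URL=https://api.example.test/v1
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['token']}")
```

Run it as a pre-commit or CI step and fail the job when `scan_text` returns anything; an exposed token found here costs nothing, while one found by an attacker's scanner starts the chain Talos describes.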
Across engagements, Talos identified recurring security weaknesses. Multi-factor authentication weaknesses were involved in 35 percent of incidents, including cases where attackers registered new devices to compromised accounts and where Outlook clients were configured to bypass MFA. Exploitation of vulnerable or exposed infrastructure accounted for 25 percent of engagements and included attacks leveraging CVE-2025-20393 in Cisco AsyncOS and CVE-2023-20198 in Cisco IOS XE, as well as exposed management ports. Insufficient centralized logging hindered investigations in 18 percent of cases.
Talos mapped observed techniques to the MITRE ATT&CK framework and reported that web-based command-and-control over normal-looking application-layer protocols was common. Lateral movement most often relied on SMB and Windows Admin Shares, WMI and RDP. Defense evasion activity frequently focused on disabling or modifying endpoint defenses and deleting logs to reduce forensic visibility.
The report recommended properly configured MFA and tighter controls on self-service MFA enrollment, timely patch management to reduce exposed infrastructure, and implementation of centralized logging and SIEM solutions to preserve forensic data. Talos also offered a Log Architecture Assessment service to help organizations review logging coverage and improve incident response readiness.