Phishing Leads Initial Access; Softr Pages Target Public Admin

Phishing was the top initial access vector in Q1 2026, accounting for over one-third of engagements. Attackers used Softr AI tools to create Outlook/Exchange credential-harvesting pages aimed at public administration.

Cisco Talos Incident Response reported that phishing reemerged as the most observed initial access method in Q1 2026, accounting for more than one-third of engagements where initial access could be determined. Public administration and health care each represented 24 percent of engagements during the quarter.

Talos reported a phishing campaign that used the AI-powered web app builder Softr to host credential-harvesting pages for Microsoft Exchange and Outlook Web Access accounts. Attackers used Softr templates and its AI-assisted “vibe coding” features to produce login pages without writing code. Phishing forms on Softr were configured to forward captured credentials to disposable external stores such as Google Sheets and to send email alerts when new data arrived. Based on Umbrella telemetry and other data, Talos has moderate confidence that malicious actors have abused Softr’s AI features since May 2023 and that use of the platform for phishing has increased over time.

Talos also described an intrusion it attributed to Crimson Collective, a cyber extortion group first observed in September 2025. That investigation began after a GitHub Personal Access Token was inadvertently posted on a public website. The actor used TruffleHog to scan repositories for additional secrets, then used recovered client secrets to access Azure cloud storage. The actor authenticated with Microsoft Graph API calls to enumerate and exfiltrate files and attempted to inject code into repositories to harvest future secrets. Most injection attempts were blocked when targeted secrets expired or security controls intervened.
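The intrusion above started with a personal access token that reached a public website and widened through secrets found in repositories. The following is an added example, not Talos's material or any tool from the incident: a minimal secret scanner of the kind a defender runs in a pre-commit hook or CI job over constructed text. The GitHub token prefixes are GitHub's documented formats; the generic `client_secret` rule, the entropy threshold and all sample values are assumptions made for this example.

```python
"""Added example (not Talos's or the actor's tooling): a minimal secret scanner
run over constructed text, of the kind a defender wires into a pre-commit hook
or CI job so that a personal access token never reaches a public repository."""
import math
import re
from collections import Counter

# Token shapes. The GitHub prefixes (ghp_ classic, github_pat_ fine-grained) are
# GitHub's documented formats; the generic key=value rule is a heuristic (an
# assumption for this example) for provider-agnostic client secrets.
PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,255}\b"),
    "generic_client_secret": re.compile(
        r"(?i)\b(client[_-]?secret|secret[_-]?key)\b\s*[:=]\s*['\"]?([A-Za-z0-9~._\-]{20,})"
    ),
}
# Bits per character; assumption, tuned so "changeme"-style placeholders are dropped.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a string of one repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list[dict]:
    """Return one finding per token-shaped match. The matched value is redacted
    so the scanner's own output cannot leak the secret into a build log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Patterns without groups yield the whole match; the generic
                # rule captures only the value in group 2.
                candidate = match.group(match.lastindex or 0)
                if rule == "generic_client_secret" and shannon_entropy(candidate) < ENTROPY_THRESHOLD:
                    continue  # low-entropy placeholder, not a credential
                findings.append({"line": lineno, "rule": rule, "redacted": candidate[:6] + "..."})
    return findings


# Constructed sample; none of these values is a real credential.
SAMPLE = """\
# example config, constructed for this scanner
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
deploy_token: github_pat_CONSTRUCTED_EXAMPLE_0000000000
client_secret = "Q~k8Zp2Xv9Lm4Nr7Tb1Wd6Hy3Jc0"
placeholder_secret = "changeme"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(f"line {finding['line']}: {finding['rule']} ({finding['redacted']})")
```

Running the block on the constructed sample reports the two GitHub tokens and the high-entropy client secret and ignores the `changeme` placeholder; a real deployment would add the provider-specific formats of the secrets the organization actually issues and fail the commit or pipeline on any finding.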

Ransomware and pre-ransomware activity remained lower than in 2025. Pre-ransomware incidents comprised 18 percent of engagements in Q1 2026, and Talos did not observe any ransomware encryption during the quarter due to early mitigation. That level is slightly higher than the prior quarter’s combined 13 percent for ransomware and pre-ransomware but well below the roughly 50 percent of engagements that involved ransomware in Q1 and Q2 2025. Talos attributed at least two engagements to Rhysida and MoneyMessage operators. In one Rhysida attempt, analysts observed Gootloader activity and deployment of proxy-related DLLs linked to the MeowBackConn backdoor.

Talos identified recurring security weaknesses across engagements. Multi-factor authentication gaps appeared in 35 percent of cases, including incidents where attackers registered new devices on compromised accounts and where Outlook clients were configured to connect directly to Exchange servers, bypassing MFA. Vulnerable or exposed infrastructure accounted for 25 percent of engagements; examples include exploitation of CVE-2025-20393 in Cisco AsyncOS Spam Quarantine and CVE-2023-20198 in Cisco IOS XE web UI, plus exposed management ports such as WinRM. Insufficient centralized logging affected investigations in 18 percent of cases.

Telemetry and MITRE ATT&CK mapping showed web-based command-and-control using application-layer protocols as the most common C2 pattern. Lateral movement relied on SMB and Windows admin shares, WMI and RDP. Observed defense-evasion techniques included uninstalling endpoint protection, clearing logs and registering malicious MFA devices. Credential theft techniques included SAM and NTDS dumps and man-in-the-middle capture of session tokens.
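Two of the signals in the preceding paragraphs, log clearing and registration of a new MFA device or method, are visible in ordinary Windows and Entra ID logs. The block below is an added example, not Talos's detection content: it runs both checks over constructed NDJSON log lines. The Windows event IDs (Security 1102, System 104) and the Entra ID audit activity name "User registered security info" are the real ones; the normalized field layout, the 24-hour risk window and the sample hosts, users and addresses are assumptions made for this example.

```python
"""Added example (not Talos's detection content): flag log clearing and new MFA
method registration over constructed NDJSON log lines. Field names are a
normalized layout assumed for this example."""
import json
from datetime import datetime, timedelta

# Windows: Security 1102 = "The audit log was cleared",
#          System 104   = "The System log file was cleared".
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
# Entra ID audit log activity written when a user adds an authentication method or device.
MFA_REGISTRATION_ACTIVITY = "User registered security info"
# Registration is benign during onboarding; it is escalated only when it follows a
# sign-in that the tenant's risk signal flagged within this window (length is an assumption).
RISK_WINDOW = timedelta(hours=24)


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(records: list[dict]) -> list[dict]:
    """Return alerts in time order. Each record's 'source' says which log it came from."""
    alerts = []
    risky_signins: dict[str, datetime] = {}  # UPN -> time of the most recent risky sign-in
    for rec in sorted(records, key=lambda r: _ts(r["time"])):
        src = rec.get("source")
        if src == "windows" and (rec.get("channel"), rec.get("event_id")) in LOG_CLEAR_EVENTS:
            alerts.append({"rule": "log_cleared", "severity": "high",
                           "host": rec.get("host"), "user": rec.get("user"), "time": rec["time"]})
        elif src == "entra_signin" and rec.get("risk_level", "none") != "none":
            risky_signins[rec["upn"]] = _ts(rec["time"])
        elif src == "entra_audit" and rec.get("activity") == MFA_REGISTRATION_ACTIVITY:
            upn = rec["target_upn"]
            last_risky = risky_signins.get(upn)
            recent_risk = last_risky is not None and _ts(rec["time"]) - last_risky <= RISK_WINDOW
            alerts.append({"rule": "mfa_method_registered",
                           "severity": "high" if recent_risk else "low",
                           "user": upn, "time": rec["time"]})
    return alerts


# Constructed sample lines (NDJSON); hosts, users and addresses are fictitious.
SAMPLE_NDJSON = """\
{"source": "entra_signin", "time": "2026-02-03T09:00:00Z", "upn": "alice@example.test", "ip": "203.0.113.7", "risk_level": "medium"}
{"source": "entra_audit", "time": "2026-02-03T09:20:00Z", "activity": "User registered security info", "target_upn": "alice@example.test"}
{"source": "entra_audit", "time": "2026-02-03T10:00:00Z", "activity": "User registered security info", "target_upn": "bob@example.test"}
{"source": "windows", "time": "2026-02-03T11:00:00Z", "host": "FS01", "channel": "Security", "event_id": 4624, "user": "svc_backup"}
{"source": "windows", "time": "2026-02-03T11:30:00Z", "host": "FS01", "channel": "Security", "event_id": 1102, "user": "svc_backup"}
"""
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_NDJSON.splitlines() if line.strip()]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

On the sample, alice's registration twenty minutes after a risky sign-in is raised as high, bob's routine registration is raised as low for review, and the cleared Security log on FS01 is raised as high regardless of context. Both rules depend on the logs reaching a central store before an attacker can clear them, which is the point of the centralized logging Talos recommends.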

Talos recommended properly configured multi-factor authentication with restricted self-service enrollment, robust patch management to address tracked CVEs and exposed infrastructure, and centralized logging via a SIEM to preserve forensic data. The team also offers Log Architecture Assessments to help organizations identify logging gaps and improve incident readiness.

Talos noted that public administration organizations were frequent targets in the quarter, citing legacy systems, limited funding and a low tolerance for downtime as factors that attracted both financially motivated and espionage-focused actors.
