Talos: AI-built phishing tops Q1 2026 initial access

Cisco Talos found phishing was the top initial access vector in Q1 2026; attackers used Softr to build credential‑harvesting sites and abused developer tools and cloud APIs to collect exposed secrets.

Cisco Talos Incident Response reported in its Q1 2026 incident response trends report that phishing was the top initial access vector during January through March 2026. The team observed adversaries using AI‑powered web builders such as Softr to rapidly create credential‑harvesting pages and using developer tools and cloud provider APIs to locate and exfiltrate exposed secrets.

The report covers incidents handled globally by Talos responders. Actual ransomware deployments in the quarter dropped to zero after rapid mitigation efforts, while pre‑ransomware activity (actions that indicate preparation for encryption, such as credential theft, lateral movement and staging) accounted for 18% of incident response engagements.

Talos documented a rise in living‑off‑the‑land techniques and low‑noise execution methods. Examples include attackers hiding malicious workloads inside QEMU virtual machines to avoid endpoint detection and using native macOS primitives for movement and execution. The report also describes use of tools such as TruffleHog and cloud provider APIs to quietly search code repositories and cloud configurations for exposed secrets.
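The secret-hunting described above works because exposed credentials are cheap to find: a scanner only needs a few format patterns and a randomness check. The following is an added example, not code from the Talos report or from TruffleHog, showing the core of such a check so that defenders can run it over their own repositories and configuration before an intruder does. The rule patterns, the entropy threshold, and the sample repository contents are all constructed for illustration.

```python
"""Heuristic secret scanner: format patterns plus a Shannon-entropy check.

Added example (not the Talos report's or TruffleHog's code). Patterns and
sample files are constructed; the AKIA-style key is a made-up placeholder.
"""
import math
import re
from collections import Counter

# Constructed patterns for a few common credential shapes. Illustrative only;
# a production scanner carries hundreds of vendor-specific detectors.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{16,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character. Random tokens score well above prose or identifiers."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str, entropy_threshold: float = 3.5):
    """Return findings as (path, line_no, rule, snippet) tuples for one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            # Generic assignments fire on any key-like name, so require the
            # value to look random; placeholders such as "passwordpassword1"
            # have low entropy and are skipped.
            if rule == "generic_assignment":
                if shannon_entropy(m.group(1)) < entropy_threshold:
                    continue
            findings.append((path, line_no, rule, line.strip()[:80]))
    return findings


def scan_repo(files: dict) -> list:
    """Scan a mapping of path -> file contents (stands in for a checkout)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


# Constructed sample repository. Only three lines should be reported.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = True\n"
        'password = "passwordpassword1"\n'  # long but low entropy: not reported
        'api_key = "q7Lm2xP9vR4tW8yZ1nB5cK3hF6dJ0sA2"\n'  # constructed, high entropy
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAZZZZEXAMPLE00001\n"  # constructed placeholder
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(constructed sample, key body omitted)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Run `make deploy` to ship a build.\n",
}


if __name__ == "__main__":
    for path, line_no, rule, snippet in scan_repo(SAMPLE_REPO):
        print(f"{path}:{line_no} [{rule}] {snippet}")
```

Running the block reports the constructed API key, the access key ID and the private key header, and stays quiet on the low-entropy placeholder password. The entropy threshold is the tuning knob: lowering it catches more real secrets at the cost of more false positives on long identifiers, which is why pattern rules for known key formats are applied without it.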

The report highlights a tracked threat actor group labeled UAT‑4356 that exploited n‑day vulnerabilities in Cisco Firepower devices (CVE‑2025‑20333 and CVE‑2025‑20362) to gain access and deploy a custom backdoor called FIRESTARTER. Other incidents included the use of publicly available proof‑of‑concept exploits against Windows Defender that repurposed security functions, and telemetry showing common commodity malware including coinminers and injectors.

Talos identified several factors that complicate detection and response. Attackers increasingly repurpose legitimate development and cloud tools for reconnaissance and exploitation, producing low network noise. Incomplete centralized logging and inconsistent patch management left gaps in forensic evidence and created blind spots during investigations.

To reduce exposure, the report recommends enforcing properly configured multi‑factor authentication and restricting self‑service device enrollment to block attacker‑registered authentication factors. It also advises consolidating logs into a SIEM to preserve forensic trails and prioritizing robust, centralized patch management so known vulnerabilities are addressed promptly.

The full Q1 2026 Talos Incident Response report contains expanded analysis of adversary tactics, trends in initial access and specific mitigation steps for defenders.
