Phishing reclaims the top initial access spot, attackers experiment with AI tools
Phishing returned to the top initial-access method in Q1 2026, accounting for over a third of engagements where initial access could be determined, according to Cisco Talos. Talos also documented novel abuse of the AI web-builder Softr to host Exchange/OWA credential-harvesting pages, a decline in ToolShell SharePoint exploitation, the first Talos sighting of Crimson Collective using exposed GitHub tokens to access Azure via Microsoft Graph, and persistent MFA and logging gaps enabling attacks. #Softr #CrimsonCollective
Phishing topped initial access methods in Q1 2026, with over a third of engagements. Attackers leveraged AI tool Softr for credential-harvesting pages and exploited MFA gaps. #SoftrAbuse #AzureAccess #USA
