AI Phishing Is No. 1 With a Bullet for Cyberattackers
Recorded: May 11, 2026, 1:16 p.m.
| Original | Summarized |
In the past six months, companies have seen a significant influx of AI-powered phishing, as cyberattackers progress from small campaigns to 1-to-1 personalized attacks.

Robert Lemos, Contributing Writer
April 24, 2026

Powered by attackers' AI usage, phishing attacks have surged back to become the top vector for initial access in incident-response engagements during the first quarter of the year, overtaking exploitation of external vulnerabilities as the top method of compromise.

That's according to Cisco Talos' "IR Trends Q1 2026" report, published this week, which found that, overall, more than a third of compromises (35%) the team investigated last quarter started as successful phishing attacks. Attackers used valid accounts in 24% of cases and exploited public-facing applications in another 18%, according to data from the report.

The data highlights the effectiveness of email lures written, and usually personalized, by AI systems, says Nick Biasini, senior technical leader at Cisco Talos.

"We gave everyone the ability to write very convincing phishing emails all of a sudden, and not just very convincing emails, but very convincing emails in a wide variety of languages," he explains. "That is really starting to show up in a lot of our data."

Cisco is not the only company to see the surge in AI-powered phishing attacks.
In December 2025, human-risk management platform Hoxhunt saw the AI-generated share of phishing attacks jump from 4% to 56% during the holiday season, dropping only slightly, to 40%, in January, according to a report published by the firm.

AI has resulted in more native-sounding email lures, greater personalization, and cleaner formatting, making both filtering and human detection more difficult, says Mika Aalto, co-founder and CEO at the Helsinki-based firm.

"No question, the threat landscape has shifted," he says.

More Signs of AI Tooling in Cyberattack Infection Flows

Incident responders have also seen more diversity in phishing lures. A year ago, cyberattackers would send the same email to 10 different people before switching it up and changing the content of the email — and usually, those changes were only slight. Now, that number is down to 1.8 emails per campaign, according to Erich Kron, chief information security officer (CISO) adviser at human-risk management firm KnowBe4. Rapidly changing emails, known as polymorphic phishing, have become turbo-charged as attackers increasingly adopt AI tools, he says.

"We're attributing this absolutely to AI," he says. "Nobody's sitting back at their keyboard [manually] changing payloads on every single message they're sending out."

Microsoft data meanwhile also shows that AI has led to more convincing phishing attacks. The company has seen clickthrough rates for AI-assisted phishing reach 54%, up from an average of 12%.

Often, the targets of a phishing attack are the legitimate credentials of privileged users: both Cisco Talos and KnowBe4 have seen an increase in phishing messages that specifically target privileged users, such as system administrators, executives, and accounting teams.

"Identity is a huge, huge target," Biasini says. "As an adversary, I don't want to use an exploit.
I would much rather compromise your email account or compromise your credentials, get into your environment and be able to operate in a much more covert manner, to hopefully inflict some financial gain."

Google Mandiant's investigations, for example, found that 83% of initial-access vectors exploited identity in some way, including a third of attacks using phishing techniques.

Cyberattacker Crosshairs on Vulnerable Infrastructure

The abuse of legitimate services — from Gmail accounts to Docusign, from Outlook to Salesforce — has also made phishing harder to discern from legitimate email. Usually, phishing emails come from domains that have implemented email authentication technology, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), giving the message a veneer of legitimacy. Thus, attackers bypass the initial defenses, says Hoxhunt's Aalto.

"Hiding malicious links and messages in notifications from legitimate platforms is getting increasingly popular because it's effective and harder to detect," he says. "When phishing links lead to trusted cloud tools, collaboration platforms, or no-code services, the activity looks normal on the surface. That makes detection harder because users are no longer looking for red flags in grammar and mismatched URLs."

While multifactor authentication (MFA) is a critical component of protecting workers' online identities and access, companies should not rely on it exclusively. More than a third of attacks (35%) investigated by Cisco Talos involved MFA weaknesses, the company stated in its report.

To help improve defenses, companies should experiment with and invest in deploying AI wherever it makes sense, Cisco's Biasini says.

"If your attackers are going to be leaning heavily on AI, you need to probably do the same," he says.
"Start looking for those weaknesses, leverage your own AI capabilities to start fixing the problems that potentially could be there, because if one AI agent can find it, then multiple AI agents theoretically could find it as well."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. |
AI-powered phishing attacks have surged to become the primary method of initial access for cyberattackers, according to a Cisco Talos report from Q1 2026. Robert Lemos of TechTarget’s Dark Reading highlights that over a third (35%) of the incidents investigated involved successful phishing attacks, surpassing exploitation of external vulnerabilities as the most prevalent entry point. Attackers are leveraging AI to craft highly personalized and convincing emails, incorporating native language and diverse translations, making detection more difficult for both human analysts and filtering systems. Nick Biasini, a senior technical leader at Cisco Talos, emphasizes the significant impact of AI’s ability to rapidly generate and adapt phishing lures, a shift observed across various platforms including Gmail and Docusign. The report details an increase in targeted attacks against privileged users – system administrators, executives and accounting teams – due to the increased value of obtaining credentials for covert operations. Data from KnowBe4, led by Mika Aalto, corroborates this trend, noting a dramatic jump in AI-generated phishing attacks during the 2025 holiday season and subsequent adaptation. Simultaneously, researchers have observed attackers exploiting vulnerabilities in legitimate services like cloud tools and collaboration platforms, further complicating detection efforts. The analysis underscores the escalating challenge for organizations to defend against increasingly sophisticated attacks, advocating for proactive investment in AI-driven defenses and strategies to counter the evolving threat landscape. |