Phishing returned as the top initial-access method in Q1 2026, accounting for over a third of engagements where initial access could be determined, according to Cisco Talos. Talos also documented novel abuse of the AI web-builder Softr to host Exchange/OWA credential-harvesting pages, a decline in ToolShell SharePoint exploitation, the first Talos sighting of Crimson Collective using an exposed GitHub token to reach Azure via Microsoft Graph, and persistent MFA and logging gaps that enabled attacks. #Softr #CrimsonCollective
Keypoints
- Phishing accounted for over one-third of Q1 2026 engagements in which the initial-access vector could be determined.
- Attackers used Softr to build no-code credential-harvesting pages mimicking Exchange and OWA.
- Public administration and healthcare tied as the most targeted sectors, each at 24% of engagements.
- Crimson Collective abused an exposed GitHub Personal Access Token, used the open-source secret scanner TruffleHog, and leveraged the Microsoft Graph API to exfiltrate Azure data.
- The key security gaps were MFA weaknesses (35%), exposed infrastructure including CVE-2025-20393 and CVE-2023-20198 (25%), and insufficient logging (18%); Talos also observed pre-ransomware activity involving Rhysida and MoneyMessage.
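The Crimson Collective finding is a reminder that an exposed GitHub token is usually found by scanning text (repositories, CI logs, tickets) before it is ever used. The block below is an added example, not code from Talos or from the TruffleHog project: it scans a constructed CI log for GitHub-style tokens and verifies the built-in checksum so that look-alike strings are flagged separately from real candidates. The checksum rule (last six characters are a base62-encoded CRC32 of the preceding 30) follows GitHub's published description of its token format and is an assumption of this example; the sample log lines and the token bodies in them are constructed and are not real credentials.

```python
"""Scan text for GitHub tokens the way a secret scanner such as TruffleHog would.

Added example with a constructed sample log; not Talos or TruffleHog code.
"""
import re
import zlib

BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# ghp_ personal access token, gho_ OAuth, ghu_/ghs_ GitHub App, ghr_ refresh token.
# Each is a 4-char prefix plus 36 base62 characters (30 random + 6 checksum).
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])(gh[pousr]_[A-Za-z0-9]{36})(?![A-Za-z0-9_])")


def base62_encode(n: int, width: int = 6) -> str:
    """Encode a non-negative integer in base62, left-padded with '0' to width."""
    digits = ""
    while n:
        n, r = divmod(n, 62)
        digits = BASE62[r] + digits
    return digits.rjust(width, "0")


def expected_checksum(body: str) -> str:
    """Checksum GitHub appends to a token: base62(CRC32(30 random chars)).

    Assumption: follows GitHub's published token-format description. It lets a
    scanner reject look-alike strings offline without calling the GitHub API.
    """
    return base62_encode(zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF)


def has_valid_checksum(token: str) -> bool:
    """True when the last six characters match the checksum of the 30 before them."""
    body, checksum = token[4:34], token[34:40]
    return expected_checksum(body) == checksum


def make_token(prefix: str, body: str) -> str:
    """Build a syntactically valid token for test data (never a real credential)."""
    assert prefix in ("ghp_", "gho_", "ghu_", "ghs_", "ghr_") and len(body) == 30
    return prefix + body + expected_checksum(body)


def find_github_tokens(text: str) -> list[dict]:
    """Return every candidate token with its line number, kind and checksum verdict."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            tok = match.group(1)
            findings.append({
                "line": lineno,
                "token": tok[:8] + "..." + tok[-4:],  # redact before reporting
                "kind": tok[:4],
                "checksum_ok": has_valid_checksum(tok),
            })
    return findings


# Constructed sample: a CI log that leaked a PAT, plus a look-alike with a bad checksum.
_VALID = make_token("ghp_", "Q7xL2mN9pR4sT8vW1yZ3aB6cD0eF5g")
_BAD = _VALID[:-1] + ("A" if _VALID[-1] != "A" else "B")
SAMPLE_LOG = "\n".join([
    "2026-03-11T09:14:02Z build: cloning repo",
    f"2026-03-11T09:14:03Z build: git -c http.extraheader='AUTHORIZATION: bearer {_VALID}' fetch",
    f"2026-03-11T09:14:09Z test: fixture token {_BAD}",
    "2026-03-11T09:14:10Z build: done",
])


def scan_sample() -> list[dict]:
    """Scan the constructed log; one real-format hit, one checksum failure."""
    return find_github_tokens(SAMPLE_LOG)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

A checksum match only says the string has the right shape; whether the token is live is decided by revoking it and rotating any credential it could reach, which is the step that would have cut off the GitHub-to-Graph path described above.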
Read More: https://www.helpnetsecurity.com/2026/04/22/cisco-phishing-initial-access-2026/