Phishing Is Back on Top, and AI Made It Worse
For the first time since mid-2025, phishing has reclaimed the number one spot as the most common way attackers break into organizations. According to Cisco Talos's Q1 2026 Incident Response report, phishing accounted for over 35% of all engagements where the initial access method could be determined.
That alone is worth paying attention to. But what makes this quarter different is how attackers are building their phishing campaigns. For the first time in Talos's casework, researchers documented an attacker using an AI-powered platform to build a fully functional credential harvesting page - no code, no developer skills, no technical background needed.
Let's break down what happened, why it matters for businesses with 10 to 200 employees, and what you can actually do to protect your team.
What Cisco Talos Found: AI-Built Phishing Pages
In a Q1 2026 incident targeting a public administration organization, attackers used Softr, an AI-powered web application builder, to create a fake Microsoft Exchange and Outlook Web Access login page. The page looked legitimate enough to fool employees into entering their credentials.
Here is the part that should get your attention: the attacker didn't write a single line of code.
Softr offers a "vibe coding" feature that lets anyone describe what they want in plain English, and the platform builds it. The attacker used a form template, typed a few prompts, and had a working credential harvesting page ready to deploy. The captured usernames and passwords were automatically routed to Google Sheets, with email alerts firing every time someone fell for it.
Cisco Talos noted they have "moderate confidence" that attackers have been using Softr for similar purposes since at least May 2023, with usage increasing over time. But this is the first confirmed, documented case in their incident response work.
Why This Matters for Small and Midsize Businesses
The old model of phishing required some technical skill. An attacker needed to clone a website, set up hosting, write backend code to capture credentials, and configure exfiltration. That skill barrier kept the volume of sophisticated phishing attacks somewhat limited.
AI tools eliminated that barrier. Now, anyone with a laptop and a bad idea can build a convincing fake login page in under 10 minutes. The page will look professional, work on mobile devices, and automatically collect and forward stolen credentials.
For small businesses that rely on Microsoft 365 (and most do), this is a real problem. Your team's Outlook login page is the single most valuable target an attacker can aim at. One set of stolen credentials gives an attacker access to email, SharePoint, OneDrive, Teams, and potentially your entire cloud environment.
The Bigger Picture: Phishing Trends in 2026
The AI-built phishing page wasn't an isolated incident. Phishing has been evolving across the board, and several trends are converging to make it more effective than ever.
Phishing Emails Look Like Normal Business Communication
According to Cisco Talos's 2025 year-in-review data, 60% of blocked phishing emails contained subject lines with words like "request," "invoice," "fwd," and "report." Attackers have moved away from obvious spam. Instead, they're sending emails that look like routine workflow communications - IT tickets, travel requests, expense approvals.
These emails work because they blend into daily operations. Your accounting team gets dozens of invoice emails per week. Your IT staff sees configuration alerts constantly. When a phishing email looks identical to the real thing, the click rate goes up significantly.
Attackers Exploit Internal Email Trust
One particularly clever technique documented in 2025 involved abusing Microsoft 365 Direct Send. This is a legitimate feature that lets networked devices like printers and scanners send documents to users. The messages appear to come from inside the organization - same domain, same formatting.
Attackers figured out they could spoof internal email addresses using Direct Send without even compromising a real account. Because these messages appear internal, they bypass many of the email filters and employee instincts that catch external phishing attempts.
MFA Is Getting Targeted Directly
Multi-factor authentication used to be the safety net. Even if someone fell for a phishing email and entered their password, MFA would stop the attacker from actually logging in. That's no longer a reliable assumption.
Talos reported that nearly one-third of MFA spray attacks in 2025 targeted identity and access management (IAM) platforms directly. Device compromise surged 178%, driven largely by voice phishing (vishing) campaigns that tricked administrators into registering attacker-controlled devices as trusted.
Once an attacker gets a device registered as trusted in your IAM system, MFA becomes irrelevant. They're already inside the perimeter.
VPN Compromise: The Other Entry Point
While phishing grabbed the top spot in Q1 2026, VPN vulnerabilities remain a massive risk. At-Bay's 2025 claims analysis, published the same week as the Talos report, found that 73% of ransomware incidents began with VPN compromise. That number has nearly doubled in just two years.
SonicWall devices were the most targeted VPN for the first time, linked to 27% of all ransomware claims. The Akira ransomware group was the primary driver, responsible for more than 40% of all ransomware claims - the highest concentration At-Bay has ever attributed to a single group.
If your business runs a SonicWall firewall or any legacy VPN appliance, this data should prompt an immediate review of your firmware versions and patch status. Many of the exploited vulnerabilities had patches available for months before they were leveraged in attacks.
5 Things You Can Do Right Now
This isn't just a "be more careful" situation. There are specific, concrete steps that make a measurable difference. Here's what we recommend based on the Q1 2026 data.
1. Deploy Phishing-Resistant MFA
Standard MFA (text message codes, authenticator app push notifications) can be bypassed through session hijacking, SIM swapping, and MFA fatigue attacks. Phishing-resistant MFA uses hardware security keys (like YubiKeys) or passkeys that are cryptographically bound to the legitimate website. An attacker's fake login page simply can't trigger the authentication because the domain doesn't match.
For Microsoft 365 environments, you can enforce FIDO2 security keys or Windows Hello for Business through Conditional Access policies. Start with your admin accounts and high-value targets (finance, HR, executives), then roll it out company-wide.
2. Enable Conditional Access Policies
If you're on Microsoft 365 Business Premium or higher, you have access to Conditional Access. These policies let you require MFA only from untrusted locations, block sign-ins from countries where you don't operate, require compliant devices for access, and flag impossible travel (logging in from California, then Russia 20 minutes later).
Conditional Access turns your login process from a single gate into a layered checkpoint system. Even if an attacker steals credentials, they'll hit multiple barriers before reaching your data.
3. Audit and Patch Your VPN Appliances
If you're running a SonicWall, Fortinet, or Cisco ASA VPN appliance, check your firmware version today. Cross-reference it against known CVEs. The At-Bay data shows that most exploited VPN vulnerabilities had patches available well before the attacks occurred.
Better yet, evaluate whether you still need a traditional VPN at all. Many businesses are moving to Zero Trust Network Access (ZTNA) solutions that authenticate every connection individually rather than granting broad network access through a VPN tunnel. ZTNA eliminates the "one compromised VPN account equals full network access" problem.
4. Run Realistic Phishing Simulations
Generic security awareness training helps, but simulations that mirror real attack patterns help more. Based on the Talos data, your test phishing emails should look like internal workflow communications: fake IT tickets, travel reimbursement forms, invoice approvals, and configuration alerts.
Track who clicks, but don't punish them. Use the data to identify which departments need additional training and which types of lures are most effective against your team. The goal is to build pattern recognition, not fear.
5. Implement Email Authentication (DMARC, DKIM, SPF)
If you haven't configured DMARC, DKIM, and SPF for your email domain, you're leaving the door open for attackers to send emails that appear to come from your organization. A properly configured DMARC policy at enforcement level (p=reject) tells receiving mail servers to block any email that doesn't pass authentication checks.
This protects your employees from receiving spoofed internal emails and protects your partners and customers from receiving phishing emails that appear to come from you. It's a foundational control that's free to implement and takes a few hours to configure correctly.
How to Check If Your Business Is Exposed
Here's a quick self-assessment you can run through in about 30 minutes:
Email security: Log into your Microsoft 365 admin center. Go to Security > Threat Management > Policy. Check whether Safe Links and Safe Attachments are enabled. If you're on Business Basic, these aren't available - that's a gap worth addressing.
MFA status: In the Azure AD (now Entra ID) portal, check your authentication methods. Are all admin accounts on phishing-resistant MFA? Are there any accounts still using SMS-only authentication?
VPN firmware: Log into your firewall's management interface and check the firmware version. Google that version number plus "CVE" and see what comes up. If there are known vulnerabilities, patch immediately.
DMARC record: Open a terminal or command prompt and run: nslookup -type=txt _dmarc.yourdomain.com. If nothing comes back, you don't have a DMARC record. If it says p=none, it's monitoring only and not enforcing.
Conditional Access: In the Entra ID portal, check whether Conditional Access policies are configured and active. If the menu item is grayed out, your license tier doesn't support it.
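To make the DMARC step of this checklist (and the p=reject advice in item 5 above) concrete, here is an added example, not code from the original post, that classifies the TXT record nslookup returns the same way the checklist does: missing, monitoring only (p=none), or enforcing. It also catches two cases the checklist does not call out, a pct= value below 100 and a weaker sp= subdomain policy; the sample records are constructed.

```python
# Added example (not from the original post): classify a DMARC TXT record as the self-assessment does; samples are constructed.
from dataclasses import dataclass
from typing import Dict, Optional

ENFORCING = {"quarantine", "reject"}

@dataclass
class DmarcAssessment:
    policy: Optional[str]      # p= tag, None when no DMARC record exists
    sub_policy: Optional[str]  # sp= tag, defaults to p=
    pct: int                   # pct= tag, defaults to 100
    enforcing: bool            # True only for full quarantine/reject coverage
    note: str

def parse_dmarc(txt: Optional[str]) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict (nslookup's quotes stripped)."""
    tags: Dict[str, str] = {}
    for part in (txt or "").strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: Optional[str]) -> DmarcAssessment:
    """Decide whether the record is absent, monitoring-only, or enforcing."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(None, None, 0, False, "no DMARC record: spoofed mail is not rejected")
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    enforcing = policy in ENFORCING and pct == 100 and sub_policy in ENFORCING
    if policy not in ENFORCING:
        note = f"p={policy}: monitoring only, nothing is blocked"
    elif pct < 100:
        note = f"p={policy} applied to only {pct}% of failing mail"
    elif sub_policy not in ENFORCING:
        note = f"p={policy} but sp={sub_policy} leaves subdomains unprotected"
    else:
        note = f"p={policy}: enforcing"
    return DmarcAssessment(policy, sub_policy, pct, enforcing, note)

# Constructed samples, in the form nslookup prints the TXT answer
SAMPLES = {
    "missing": None,
    "monitor": '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"',
    "partial": '"v=DMARC1; p=reject; pct=50"',
    "enforced": '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"',
}
```

Paste the TXT value from your own nslookup output into assess_dmarc() to get the same verdict for your domain.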
The Cost of Getting This Wrong
A successful phishing attack on a small business typically plays out in one of three ways:
Business Email Compromise (BEC): The attacker sits in your email for days or weeks, monitoring conversations. When they spot a large payment or wire transfer, they insert themselves into the thread with modified banking details. The FBI's IC3 2024 report shows BEC losses exceeded $2.9 billion - more than any other cybercrime category.
Ransomware deployment: Stolen credentials provide the foothold. The attacker moves laterally through your network, escalates privileges, and deploys ransomware. The Talos Q1 2026 report notes that pre-ransomware activity appeared in 18% of engagements this quarter - meaning the attack was caught before encryption in many cases, but only because those organizations had monitoring in place.
Data exfiltration: The attacker copies your client data, financial records, employee information, or intellectual property and threatens to publish it unless you pay. This is increasingly common even without ransomware encryption.
Any of these outcomes means operational disruption, potential regulatory consequences, and reputational damage. For businesses in regulated industries like healthcare (HIPAA) or automotive (FTC Safeguards Rule), a breach triggered by a phishing email can compound into compliance violations and fines on top of the direct financial damage.
What's Coming Next
The Talos report signals a clear trajectory. AI tools are getting better, more accessible, and harder to distinguish from legitimate development platforms. We're already past the point where phishing required technical skill. The next phase will likely involve AI generating entire phishing campaigns end-to-end: identifying targets, crafting personalized lures, building harvesting infrastructure, and automating follow-up attacks based on what credentials were captured.
Email security vendors are adapting, but there's always a lag between new attack techniques and updated defenses. The most reliable protection remains a combination of technical controls (phishing-resistant MFA, Conditional Access, email authentication) and endpoint detection paired with a team that's been trained on what modern phishing actually looks like.
Frequently Asked Questions
What is AI-powered phishing?
AI-powered phishing refers to attacks where the attacker uses artificial intelligence tools to create phishing pages, write convincing email lures, or automate parts of the attack. In the Cisco Talos Q1 2026 case, the attacker used an AI web builder to create a fake Microsoft login page using plain-English prompts instead of writing code. The resulting page was functional, professional-looking, and automatically captured and forwarded stolen credentials.
Can MFA still protect against phishing in 2026?
Standard MFA (SMS codes, push notifications) provides some protection but can be bypassed through techniques like session hijacking and MFA fatigue attacks. Phishing-resistant MFA using FIDO2 hardware keys or passkeys is significantly more effective because authentication is cryptographically tied to the real website domain. A fake login page can't trigger the key, so the attacker gets nothing even if the user visits the phishing page.
How do I know if my VPN is vulnerable?
Check your VPN appliance's firmware version and cross-reference it against the vendor's security advisories. SonicWall, Fortinet, and Cisco all publish lists of known vulnerabilities (CVEs) and the firmware versions that patch them. If you're running firmware from 2024 or earlier, there's a strong chance unpatched vulnerabilities exist. The At-Bay report found that most exploited VPN vulnerabilities had patches available months before the attacks.
What should small businesses prioritize first?
Start with the three controls that block the most attacks per dollar spent: (1) enable phishing-resistant MFA on all admin and high-value accounts, (2) configure DMARC at enforcement level for your email domain, and (3) patch your VPN or firewall firmware to the latest version. These three steps address the top initial access vectors identified in both the Talos and At-Bay reports.
Does Burgi Technologies help with phishing protection?
Yes. Our managed cybersecurity services include email security configuration, MFA deployment, phishing simulation programs, and ongoing monitoring through our managed SOC. If you want to assess your current exposure or talk through what makes sense for your business, reach out or call us at (949) 381-1010. We're happy to help.