What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector | Zscaler
The ThreatLabz 2026 Phishing and Initial Access Report highlights a shift towards highly targeted, AI-enabled phishing campaigns against the public sector. Despite a 20% overall drop in phishing volume, attackers are increasingly utilizing AI site builders, encrypted delivery channels, and AiTM/BiTM techniques to bypass traditional MFA and secure initial access.
What Happened
Phishing attacks are becoming more sophisticated, using artificial intelligence to create highly convincing fake websites and workflows. While the total number of phishing attempts has dropped globally, government agencies saw a massive 50% increase in attacks. These modern attacks often hide inside encrypted web traffic and can bypass standard multi-factor authentication (MFA) to steal passwords and access sensitive data. Organizations should upgrade to phishing-resistant MFA, inspect encrypted web traffic, and hide internal applications from the public internet to reduce their risk.
Key Takeaways
- Overall phishing volume fell 20%, but attacks are more targeted and leverage AI platforms for rapid infrastructure deployment.
- The government sector experienced a 50% surge in phishing attacks, often utilizing AI-generated replicas of official portals.
- 95.2% of all phishing activity is now delivered over encrypted (TLS) channels, bypassing legacy defenses.
- Adversary-in-the-middle (AiTM) and browser-in-the-middle (BiTM) kits are increasingly used to bypass traditional MFA and steal session tokens.
Affected Systems
- Public sector organizations (Government, Healthcare, Education)
- Cloud productivity and collaboration environments
- Legacy Multi-Factor Authentication (MFA) implementations
Attack Chain
Attackers leverage AI platforms to rapidly generate high-fidelity phishing infrastructure and lookalike domains. Lures are delivered to targets, often utilizing SEO poisoning or impersonating trusted government and corporate workflows. Traffic is routed through encrypted TLS channels to evade detection, where AiTM or BiTM kits capture credentials and session tokens in real-time, successfully bypassing legacy MFA to achieve initial access.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article provides strategic intelligence and trends but does not include specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: Low — Phishing, AiTM, and BiTM attacks primarily occur at the network and identity layers (browser sessions, cloud authentication logs) rather than executing malicious binaries on the endpoint.
- Network Visibility: High — Network telemetry, specifically SSL/TLS inspection and web proxy logs, is critical for identifying malicious redirects, newly registered domains, and AiTM infrastructure.
- Detection Difficulty: Hard — Attackers use encrypted channels (TLS) and high-fidelity AI-generated domains, making it difficult to distinguish malicious traffic from legitimate user activity without inline TLS inspection and advanced behavioral analytics.
Required Log Sources
- Web Proxy Logs
- Identity Provider (IdP) Authentication Logs
- DNS Query Logs
- SaaS Application Access Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for successful logins originating from unusual ASNs or IP addresses immediately followed by access to sensitive SaaS applications, which may indicate session hijacking via AiTM. | Identity Provider (IdP) Logs, SaaS Access Logs | Initial Access | Medium |
| If you have visibility into web proxy logs, consider hunting for connections to newly registered domains (NRDs) that utilize free SSL certificates, especially those accessed shortly after email receipt. | Web Proxy Logs, DNS Logs | Delivery | High |
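The first hypothesis, worked through as an added example (not from the report or Zscaler): correlate successful IdP sign-ins from an ASN outside each user's baseline with sensitive SaaS access within a short window, which is the pattern a replayed AiTM session token produces. Log field names, the per-user ASN baseline and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report). Field names are assumptions;
# map them to your IdP sign-in and SaaS audit schemas.
IDP_LOGS = [
    {"ts": "2026-03-02T08:01:10", "user": "alice", "asn": 64500, "ip": "198.51.100.7", "result": "success"},
    {"ts": "2026-03-02T08:05:00", "user": "bob",   "asn": 64500, "ip": "198.51.100.9", "result": "success"},
    {"ts": "2026-03-02T09:12:44", "user": "alice", "asn": 64999, "ip": "203.0.113.55", "result": "success"},
    {"ts": "2026-03-02T09:20:00", "user": "bob",   "asn": 64999, "ip": "203.0.113.60", "result": "failure"},
]
SAAS_LOGS = [
    {"ts": "2026-03-02T08:03:30", "user": "alice", "app": "payroll"},
    {"ts": "2026-03-02T09:14:02", "user": "alice", "app": "payroll"},
    {"ts": "2026-03-02T09:21:00", "user": "bob",   "app": "payroll"},
]
# Per-user baseline of ASNs seen in prior weeks (constructed); in practice derive it from history.
KNOWN_ASNS = {"alice": {64500}, "bob": {64500}}
SENSITIVE_APPS = {"payroll", "hr-records"}


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def hunt_aitm_session_use(idp_logs, saas_logs, baseline, sensitive_apps, window_min=10):
    """Return (user, login_ts, asn, app, seconds_to_access) for every successful login from an
    ASN outside the user's baseline that is followed within window_min by sensitive-app access.
    Failed logins and logins from baseline ASNs are ignored, which keeps the result set small."""
    saas_by_user = defaultdict(list)
    for event in saas_logs:
        saas_by_user[event["user"]].append(event)
    hits = []
    for login in idp_logs:
        if login["result"] != "success":
            continue
        if login["asn"] in baseline.get(login["user"], set()):
            continue
        t0 = parse_ts(login["ts"])
        for access in saas_by_user[login["user"]]:
            delta = parse_ts(access["ts"]) - t0
            if access["app"] in sensitive_apps and timedelta(0) <= delta <= timedelta(minutes=window_min):
                hits.append((login["user"], login["ts"], login["asn"], access["app"], int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for hit in hunt_aitm_session_use(IDP_LOGS, SAAS_LOGS, KNOWN_ASNS, SENSITIVE_APPS):
        print("review:", hit)
```

Tune the window and the baseline lookback to your environment; a short window and a multi-week baseline are what keep the FP rate at the "Medium" the table assigns this hunt.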
Control Gaps
- Lack of inline SSL/TLS inspection
- Reliance on legacy, non-phishing-resistant MFA (e.g., SMS, push notifications)
- Overly permissive public-facing application exposure
Key Behavioral Indicators
- Rapid sequence of authentication followed by MFA fulfillment from anomalous locations
- MFA token reuse or session cookie anomalies in IdP logs
- High volume of traffic to newly registered lookalike domains
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Evaluate current MFA implementations and identify user cohorts relying on legacy methods (SMS, push) for prioritized upgrade.
Infrastructure Hardening
- Consider implementing inline SSL/TLS inspection for web, SaaS, and cloud application traffic to detect encrypted threats.
- Evaluate Zero Trust Network Access (ZTNA) solutions to minimize the discoverable attack surface and hide applications from the public internet.
User Protection
- Consider transitioning to FIDO2-based, phishing-resistant authentication methods (e.g., security keys, Windows Hello) to mitigate AiTM and BiTM attacks.
- Evaluate browser security controls or enterprise browsers that can detect and block real-time phishing and malicious redirects.
Security Awareness
- Consider updating security awareness training to educate users on the high fidelity of AI-generated phishing portals and the limitations of traditional visual indicators of trust.
MITRE ATT&CK Mapping
- T1566 - Phishing
- T1583.001 - Acquire Infrastructure: Domains
- T1573 - Encrypted Channel
- T1556.006 - Modify Authentication Process: Multi-Factor Authentication
- T1550.004 - Use Alternate Authentication Material: Web Session Cookie