Zscaler ThreatLabz 2026 Phishing and Initial Access Report
The Zscaler ThreatLabz 2026 Phishing and Initial Access Report highlights a shift from high-volume phishing to highly targeted campaigns leveraging AI site builders and encrypted channels. Attackers are increasingly utilizing AiTM and BiTM techniques to bypass MFA, while conducting massive reconnaissance via cloud infrastructure to identify exposed entry points.
Authors: DIANA SHTIL
Detection / Hunter
What Happened
Cybercriminals are changing how they trick people into giving up their passwords. Instead of sending millions of obvious spam emails, they are using AI to create highly convincing, targeted fake websites that look like normal business requests. This matters because these new attacks can bypass modern security measures like multi-factor authentication (MFA) and hide within encrypted web traffic. Organizations should ensure they are inspecting encrypted traffic and using advanced phishing detection tools to stop these threats before users click on them.
Key Takeaways
- Phishing volume decreased by ~20% year-over-year, but effectiveness increased through highly targeted, personalized lures.
- Threat actors are heavily targeting the services industry, exploiting high-trust workflows like billing and support.
- AI site builders (e.g., Manus AI, Blackbox AI) are being abused to rapidly generate high-fidelity phishing infrastructure.
- 95.2% of phishing activity is delivered over encrypted TLS channels, hiding initial access attempts.
- Attackers are increasingly using AiTM and BiTM techniques to bypass MFA and achieve real-time session compromise.
Affected Systems
- Identity Providers
- Web Browsers
- Cloud Infrastructure
Attack Chain
Attackers begin by conducting large-scale reconnaissance and scanning from disposable cloud infrastructure to identify exposed entry points. They then use AI site builders to rapidly generate high-fidelity phishing pages that mimic legitimate business workflows. These lures are delivered over encrypted TLS channels to evade detection. Upon user interaction, attackers employ AiTM or BiTM techniques to capture credentials and MFA tokens in real time, resulting in immediate session compromise and initial access.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Low — The attacks primarily involve web-based phishing, AiTM/BiTM, and credential theft, which occur at the network and identity layers rather than on the endpoint.
- Network Visibility: High — Network telemetry, specifically TLS/SSL inspection and web proxy logs, is critical for identifying encrypted phishing traffic and AiTM infrastructure.
- Detection Difficulty: Hard — Attackers use encrypted channels (TLS), legitimate cloud infrastructure, and AI-generated sites that closely mimic legitimate workflows, making signature-based detection difficult.
Required Log Sources
- Web Proxy Logs
- Identity Provider (IdP) Logs
- DNS Logs
- Firewall Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous login locations or impossible travel alerts immediately following web traffic to newly registered or uncategorized domains, which may indicate AiTM credential theft. | IdP Logs, Web Proxy Logs | Initial Access | Medium |
| If you have visibility into external-facing infrastructure, consider hunting for high-volume scanning activity originating from commercial cloud provider IP ranges (e.g., AWS). | Firewall Logs, WAF Logs | Reconnaissance | High |
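The first hypothesis above can be turned into a simple correlation between web proxy logs and IdP sign-in logs. The following Python is an added example, not detection logic from the Zscaler report: it joins each user's sign-ins from a location outside their baseline with any visit to a newly registered or uncategorized domain in the preceding 30 minutes. All log records, domain names, the category labels, the 30-day domain-age threshold and the per-user country baseline are constructed assumptions; map them to the fields your proxy and IdP actually emit.

```python
"""Hunt: anomalous-location sign-in shortly after browsing to a newly registered
or uncategorized domain (possible AiTM credential relay).
Added example with constructed data; not code from the Zscaler report."""
from datetime import datetime, timedelta

# Constructed web proxy records: user, timestamp, destination host, the URL
# category a proxy might assign, and the domain's registration age in days.
PROXY_LOGS = [
    {"ts": "2026-03-02T09:01:10", "user": "alice",
     "host": "invoice-portal-secure.example", "category": "Uncategorized", "domain_age_days": 3},
    {"ts": "2026-03-02T09:40:00", "user": "bob",
     "host": "docs.python.org", "category": "Technology", "domain_age_days": 9000},
    {"ts": "2026-03-02T10:15:30", "user": "carol",
     "host": "support-billing-login.example", "category": "Newly Registered", "domain_age_days": 1},
]

# Constructed IdP sign-in records: user, timestamp, source country, MFA result.
IDP_LOGS = [
    {"ts": "2026-03-02T09:03:45", "user": "alice", "country": "NL", "mfa": "success"},
    {"ts": "2026-03-02T09:41:00", "user": "bob", "country": "US", "mfa": "success"},
    {"ts": "2026-03-02T14:00:00", "user": "carol", "country": "US", "mfa": "success"},
]

# Constructed baseline of countries each user normally signs in from. In practice
# this comes from 30-90 days of IdP history; it is what keeps the FP risk "Medium".
USER_BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

SUSPICIOUS_CATEGORIES = {"Uncategorized", "Newly Registered"}  # assumed proxy labels
MAX_DOMAIN_AGE_DAYS = 30                                        # assumed threshold
WINDOW = timedelta(minutes=30)                                   # visit -> login window


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def suspicious_visits(proxy_logs):
    """Proxy records pointing at domains a phishing kit is likely to use."""
    return [r for r in proxy_logs
            if r["category"] in SUSPICIOUS_CATEGORIES
            or r["domain_age_days"] <= MAX_DOMAIN_AGE_DAYS]


def hunt(proxy_logs, idp_logs, baseline, window=WINDOW):
    """Return one hit per (user, suspicious visit) where the same user signed in
    from a non-baseline country within `window` after the visit.
    A successful MFA result does not clear the hit: in an AiTM relay the
    attacker's session is the one that completed MFA."""
    hits = []
    visits = suspicious_visits(proxy_logs)
    for login in idp_logs:
        if login["country"] in baseline.get(login["user"], set()):
            continue  # location is normal for this user; nothing to correlate
        login_ts = parse(login["ts"])
        for visit in visits:
            if visit["user"] != login["user"]:
                continue
            delta = login_ts - parse(visit["ts"])
            if timedelta(0) <= delta <= window:
                hits.append({"user": login["user"], "host": visit["host"],
                             "login_ts": login["ts"], "country": login["country"],
                             "seconds_after_visit": int(delta.total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in hunt(PROXY_LOGS, IDP_LOGS, USER_BASELINE):
        print(hit)
```

On the constructed data only alice is flagged: she browsed to a three-day-old uncategorized domain and signed in from the Netherlands 155 seconds later. carol's visit to a newly registered domain is not flagged because her later sign-in came from her baseline country, and bob's traffic to an established domain is never a candidate. Tune the window and baseline to your environment; widening the window raises recall at the cost of the false positives the table already rates as Medium.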
Control Gaps
- Lack of TLS/SSL inspection
- Reliance on traditional MFA without phishing-resistant factors (e.g., FIDO2)
Key Behavioral Indicators
- Rapid rotation of source IPs during scanning
- Connections to newly observed domains hosting AI-generated content
- MFA prompts originating from unexpected infrastructure
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Evaluate whether TLS/SSL inspection is enabled for web traffic to detect encrypted phishing payloads.
Infrastructure Hardening
- Consider implementing phishing-resistant MFA (e.g., FIDO2/WebAuthn) to mitigate AiTM and BiTM attacks.
- Evaluate the use of deception technology to identify early-stage reconnaissance and scanning against external infrastructure.
User Protection
- If supported by your tooling, consider deploying browser isolation or zero-trust browser solutions for high-risk web activity.
- Evaluate access policies to ensure least-privilege enforcement and continuous verification for all applications.
Security Awareness
- Consider updating security awareness training to educate users on highly targeted, business-workflow phishing lures.
- Train users to verify the authenticity of login portals, even if they appear visually identical to legitimate sites.
MITRE ATT&CK Mapping
- T1566 - Phishing
- T1557 - Adversary-in-the-Middle
- T1595 - Active Scanning
- T1583.006 - Acquire Infrastructure: Web Services
- T1111 - Two-Factor Authentication Interception