AI sharpens phishing despite lower volumes

Phishing is entering a leaner but more dangerous phase, as attackers use artificial intelligence, encrypted delivery and session hijacking kits to turn fewer attempts into higher-value intrusions.

Zscaler’s ThreatLabz 2026 Phishing and Initial Access Report says overall phishing volume fell by about 20% year on year for a second consecutive year, but the decline masks a shift towards campaigns built for speed, credibility and credential theft. The findings point to a cybercrime market moving away from broad “spray and pray” emails and towards polished lures that imitate routine business processes, exploit trusted brands and bypass traditional filters.

The report, released at Zenith Live in Las Vegas on June 10, draws on telemetry from the Zscaler Zero Trust Exchange covering 2025, supplemented by deception data gathered between October 2025 and March 2026. It identifies 413,524 AI-generated site instances, with 37,447 flagged as malicious. That figure, just over 9% of the total, shows how AI site builders are being used to produce fake portals, lookalike applications and malicious download pages at low cost.


Services businesses emerged as a major target, with phishing hits rising 65.5% from 330.9 million to 547.7 million. The sector’s exposure reflects customer support, billing, renewals, onboarding and document exchange, where urgent requests and external interactions can appear legitimate. Manufacturing and government also remained high-value targets, while Microsoft and Google continued to be among the most impersonated brands because enterprise identity systems offer a direct route into corporate networks.

Encryption has become central to this model. Zscaler found that 95.2% of phishing activity was delivered through encrypted channels, while 87% of malicious activity used HTTPS. That creates a blind spot for organisations that inspect email but lack deep visibility into web traffic. Attackers are using certificates, redirects and hosting infrastructure to make fraudulent sessions appear indistinguishable from ordinary browsing.

The more consequential shift is real-time compromise. Modern phishing kits, including adversary-in-the-middle and browser-in-the-middle tools, are designed not merely to collect passwords but to capture session cookies, authentication tokens and one-time codes during the login flow. That weakens conventional multi-factor authentication when users are tricked into entering credentials through an attacker-controlled proxy. Once a valid session is captured, criminals can move quickly before alerts or password resets take effect.

The report also highlights the reconnaissance stage that precedes many attacks. Deception telemetry recorded 89.9 million hostile interactions from 1.37 million unique attacker IP addresses over six months. More than 121,000 distinct AWS-hosted IPs were observed probing customer environments, illustrating how cloud infrastructure gives attackers scale and disposable resources.

The trend fits a broader pattern across the threat landscape. The 2026 Verizon Data Breach Investigations Report found that generative AI is bolstering attacks at multiple stages and that mobile threats are producing higher click rates than traditional email. The Anti-Phishing Working Group recorded more than 1 million phishing attacks in the first quarter of 2025, the highest quarterly level since late 2023. Academic research published in May 2026 showed that generative AI can automate personalised spear-phishing messages using public social media data.

The commercialisation of phishing kits is adding to the problem. Kits now bundle landing-page templates, evasion tools, bot filtering, brand impersonation and dashboards that track credential capture. Google this week filed a lawsuit in New York targeting the operators of the Outsider phishing kit, alleging that the service used AI tools to help create fraudulent sites and generated more than 1.5 million associated URLs between November and April. The action reflects pressure on technology companies to police misuse of cloud platforms and generative AI systems.

For security teams, the economics are changing. A lower number of phishing attempts no longer signals reduced risk if each campaign is better researched, better hosted and better timed. Defences built around inbox filtering and user awareness training remain useful but are no longer sufficient. Enterprises are being pushed towards phishing-resistant authentication, continuous session monitoring, encrypted traffic inspection, tighter identity controls and measures that limit lateral movement after a compromised account is used.


