Security Research

What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector

ADAM FORD
June 17, 2026 - 6 min read

It only takes one click. One convincing credential page, one well-timed lure impersonating a trusted agency workflow, and an attacker gains the initial access needed to move from inbox to identity to impact. 

That reality sits at the center of the ThreatLabz 2026 Phishing and Initial Access Report. While overall phishing volume in the Zscaler cloud fell 20% year over year, the campaigns that remain are more targeted, more AI-powered, and harder to distinguish from legitimate activity. ThreatLabz identified 413,524 AI-generated site instances across the analysis period, flagging 9% as malicious. These were produced by platforms like Manus AI, BlackBox AI, and Anything AI that allow attackers to spin up high-fidelity phishing infrastructure in minutes rather than days.

For public sector defenders, the implications are direct. Government services, healthcare operations, and education environments all depend on digital trust, and attackers are exploiting that trust at every layer: AI-generated content, brand impersonation, credential theft, encrypted delivery channels, and real-time session hijacking that defeats traditional MFA. A single successful lure can still lead to account takeover, data exposure, service disruption, and loss of public trust. 

The data tells three distinct stories across government, healthcare, and education, but the underlying shift toward targeted, high-conversion initial access is consistent across all three.

This blog post summarizes the key ThreatLabz report takeaways for the teams protecting government services, healthcare operations, and education environments.

Government saw a 50% surge in phishing attacks

Phishing attack attempts against the government sector jumped 50% year over year, one of the largest sector increases reported. With 138.5 million phishing hits in 2025, government ranked as the third-most targeted industry overall in the Zscaler cloud.

That increase reflects how threat actors are turning public trust into an initial access opportunity. Citizens expect to interact with government agencies online, whether they are paying taxes, accessing benefits, renewing licenses, or resolving administrative issues. Attackers exploit that expectation by impersonating official services and creating workflows that feel legitimate.

ThreatLabz researchers saw this play out in a campaign impersonating Brazilian government services. Attackers used AI-powered site builders, including DeepSite AI and BlackBox AI, to create convincing replicas of official portals. They paired those sites with SEO poisoning and guided users through a process that mirrored a real public service interaction before requesting payment through a trusted instant payment system. This is the new template for government-targeted phishing: AI-generated, workflow-aware, and designed to pass every human trust test.

The IRS has similarly warned about impersonation scams that use email, SMS, and QR codes to mimic official communications and direct users to fraudulent portals designed to steal credentials and financial data.

Government agencies need to protect the full citizen-facing experience, not only the inbox. That means detecting lookalike domains and fake portals, inspecting web and encrypted traffic, reducing exposure across public-facing services and applications, and applying identity controls that can stop credential theft from becoming account takeover.

Healthcare recorded lower phishing volume, but consequences remain high

Among tracked sectors, the healthcare industry saw comparatively lower phishing hit counts in the Zscaler cloud in 2025, along with 1.58 million encrypted attack hits. By volume alone, the sector may look less exposed than higher-ranking industries.

But for healthcare security teams, a convincing login page or trusted brand impersonation can turn a lower-volume campaign into a direct path to credentials, sessions, and application access that puts patient care at risk. With 95.2% of all phishing activity now delivered over encrypted channels, campaigns that reach healthcare users are already bypassing legacy defenses that don't inspect TLS traffic.

These stakes make brand impersonation especially relevant. Microsoft and Google remained the top two most-imitated brands in the report, and both are common entry points into the cloud productivity and collaboration environments healthcare users rely on every day. 

As highlighted in the report, adversary-in-the-middle (AiTM) and browser-in-the-middle (BiTM) phishing kits are also designed to capture credentials and MFA tokens during the active login flow, turning a single click into session-level compromise regardless of whether MFA is enabled.

For healthcare organizations, lower phishing volume changes the scale of the problem, not the stakes. The priority is stopping credential capture, session theft, and malicious redirects before a single successful lure becomes access to patient data and clinical operations.

Education phishing fell sharply, but encrypted attacks kept risk in view

Phishing attempts against education organizations dropped 65.6% year over year. The sector lost more absolute phishing volume than any other tracked industry in the Zscaler cloud.

The risk, however, has not disappeared. Education experienced roughly 1.6 billion encrypted attack hits in the past year, representing 6% of encrypted attack activity in the Zscaler cloud. For schools and universities, that contrast matters. Lower phishing volume in the inbox can coexist with significant malicious activity moving through TLS sessions, web traffic, cloud applications, and authentication flows, all channels where traditional email security has no visibility.

The report also analyzes how attackers probe exposed entry points outside the inbox. ThreatLabz recorded 89.9 million hostile interactions with external decoys in just six months, underscoring the scale of reconnaissance against internet-facing assets. Education environments with broad public-facing infrastructure (portals, LMS platforms, federated authentication systems) present a large reconnaissance target.

A drop in phishing volume should be treated as a positive signal, not proof that initial access risk is declining. Education teams need visibility across the activity that follows or bypasses the phish, including encrypted traffic, authentication flows, SaaS usage, browser behavior, and compromised credential use.

What public sector security teams should do now

Across government, healthcare, and education, the report's findings point to a consistent set of priorities for reducing initial access risk:

  1. Inspect encrypted traffic consistently. With 95.2% of phishing delivered over TLS, any gap in SSL/TLS inspection is a blind spot attackers will exploit. Inline inspection must cover web, SaaS, and cloud application traffic, not just email.

  2. Deploy phishing-resistant authentication. AiTM and BiTM kits defeat legacy MFA in real time. Transitioning to FIDO2-based, phishing-resistant credentials removes the most reliable path from click to session compromise.

  3. Reduce application exposure. Before the first lure is sent, attackers are already mapping your environment. Minimize discoverable attack surface by making applications invisible to the internet and enforcing identity-based access only after verification.

  4. Monitor for AI-generated phishing infrastructure. AI site builders are compressing the time from campaign ideation to live phishing page to minutes. Detection must account for rapidly rotating, high-fidelity lookalike domains and portals, not just known-bad indicators.

  5. Extend visibility beyond the inbox. Phishing is the entry point, but initial access is won in browsers, authentication flows, SaaS sessions, and encrypted channels. Security teams need visibility and control across the full path from lure to compromise.
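One defender-side check for the lookalike domains and brand impersonation called out above (and in the government section), written as an added example that is not from the report or from any Zscaler product: it folds confusable characters and digit-for-letter swaps, then flags hosts in constructed proxy log lines that imitate a watchlisted brand. The watchlist, the swap table, the log lines and the "label left of the TLD is the registrable label" heuristic are all assumptions made for illustration; a production check would use a public suffix list and the organization's own allowlist.

```python
# Added example (not from the report): flag lookalike hosts against a brand watchlist.
import re, unicodedata

WATCHLIST = ["microsoft", "google", "irs"]  # brands/agencies the page names as impersonated
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(label):
    """Fold confusable Unicode to ASCII, lowercase, undo digit-for-letter swaps."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return folded.lower().translate(SWAPS)

def edit_distance(a, b):
    prev = list(range(len(b) + 1))  # plain Levenshtein distance
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(domain):
    """(brand, reason) if the host imitates a watchlisted brand, else None.
    Assumes the label left of the TLD is the registrable one (no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    sld, subs = (labels[-2], labels[:-2]) if len(labels) > 1 else (labels[0], [])
    norm = normalize(sld)
    tokens = re.split(r"[-_]", norm)  # token match avoids 'irs' inside 'firstclass'
    for brand in WATCHLIST:
        if sld == brand:
            return None  # the brand's own registrable label; treated as legitimate here
        if norm == brand:
            return brand, "confusable/digit substitution in registrable label"
        if brand in tokens:
            return brand, "brand combined with extra words in registrable label"
        if len(brand) >= 5 and edit_distance(norm, brand) == 1:
            return brand, "typosquat one edit from brand"
        if any(brand in re.split(r"[-_]", normalize(s)) for s in subs):
            return brand, "brand used as subdomain of an unrelated domain"
    return None

def scan_log(lines):
    """Extract dst= hosts from proxy log lines; return [(host, brand, reason)]."""
    hits = []
    for line in lines:
        m = re.search(r"\bdst=(\S+)", line)
        if m and (found := lookalike_reason(m.group(1))):
            hits.append((m.group(1), *found))
    return hits

SAMPLE_LOG = ["t=1 dst=login.microsoftonline.com", "t=2 dst=micros0ft-login-verify.net",
              "t=3 dst=accounts.googIe.com", "t=4 dst=www.irs.gov.refund-status.xyz",
              "t=5 dst=firstclass-mail.com", "t=6 dst=mícrosoft.com"]  # constructed lines
```

Running `scan_log(SAMPLE_LOG)` flags the four imitation hosts and leaves the genuine Microsoft login host and the unrelated mail domain alone; the reasons returned are meant to feed a detection rule or analyst triage, not to block on their own.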

A Zero Trust architecture that verifies every connection, inspects encrypted traffic inline, minimizes exposed attack surface, and enforces least-privilege access provides the most effective foundation for disrupting the attacker's path at every stage, from reconnaissance through credential theft to lateral movement.

Learn more: ThreatLabz 2026 Phishing and Initial Access Report

These public sector findings are part of the broader ThreatLabz analysis of how phishing and initial access tactics are evolving in the AI era. Download the full report for the complete dataset, real-world attack chain walkthroughs, and actionable guidance for reducing initial access risk across government, healthcare, and education environments.
