Zscaler Blog


Security Research

One Click to Compromise: ThreatLabz 2026 Phishing and Initial Access Report

DIANA SHTIL, ROHIT HEGDE, JITHIN PRAJEEV NAIR
June 10, 2026 - 6 min read

AI is accelerating the enterprise, but it is also raising the cost of a single user mistake. Phishing remains one of the easiest on-ramps for attackers, with campaigns that look routine, move fast, and convert clicks into access.

Identity has also become the real perimeter, and attackers are looking for the fastest path through it. That means more reconnaissance to find exposed entry points, more credential validation to test what will work, and more abuse of encrypted channels to blend into normal traffic.

The Zscaler ThreatLabz 2026 Phishing and Initial Access Report traces this modern path to initial access, from reconnaissance and credential validation to phishing infrastructure and session compromise, based on large-scale telemetry from the Zscaler cloud. The findings reinforce what many security teams are experiencing firsthand: phishing is not going away. It is becoming more operational, targeted, and difficult to spot.

This blog highlights some of the report's most significant findings and what they mean for security teams. The full report provides deeper analysis of the trends driving phishing and initial compromise, along with practical guidance for reducing exposure, improving detection, and disrupting the attacker’s path to access earlier in the chain.

7 key takeaways for security teams

  1. Phishing volume is down, but effectiveness is up
    Threat actors aren’t retreating; they are recalibrating. ThreatLabz observed phishing activity decline by roughly 20% year-over-year in both 2024 and 2025, as stronger email controls and identity defenses disrupt “spray and pray” delivery. In response, attackers have shifted to targeted, personalized lures that look like routine work.
     
  2. Attackers are cashing in on high trust workflows
    As phishing shifts from high-volume blasts to fewer, higher conversion campaigns, threat actors are leaning into environments where speed and trust are part of the job and where operational requests feel routine.

    The biggest signal is the services industry, which surged 65.5% year over year from 330.9 million to 547.7 million hits. Customer-facing and back-office motions like billing, renewals, support, onboarding, and document exchange create the perfect cover for lures that look legitimate.
     
  3. AI site builders are accelerating phishing at scale
    AI has turned phishing infrastructure into an assembly line. ThreatLabz identified 413,524 AI-generated site instances and flagged 37,447 of them (9.06%) as malicious. Among the instances that could be attributed to a builder, Manus AI accounted for 15.6%, Blackbox AI for 14.3%, and Anything AI for 9.8%. These tools enable rapid, high-fidelity fake sites, lookalike apps, and other lure infrastructure that is cheap to spin up and easy to rotate.
     
  4. Encryption is the default delivery path—and it’s hiding initial access
    Modern attacks are not slipping past defenses in the open; they are riding through on TLS. ThreatLabz found that 95.2% of phishing activity was delivered over encrypted channels. Without consistent TLS/SSL inspection, credential theft, session abuse, and malicious redirects blend into what looks like ordinary web traffic.
     
  5. Initial access is being won in real time, even when MFA is enabled
    Modern phishing is often designed to produce immediate access, not just collect credentials for later. ThreatLabz observed phishing kits that combine adversary-in-the-middle (AiTM) and browser-in-the-middle (BiTM) techniques to capture credentials and MFA codes during the active login flow, turning a single click into session-level compromise.
     
  6. Attack surface probing is happening at industrial scale
    Before the first lure lands, attackers are already mapping your environment, probing exposed entry points, and validating what is reachable. ThreatLabz recorded 89.9M hostile interactions with external decoys in six months, a clear signal that scanning and probing are not just persistent background noise but lead indicators of targeting and future intrusion attempts.
     
  7. Cloud infrastructure is the engine behind scanning and intrusion
    Disposable, highly scalable infrastructure gives attackers speed and cover. ThreatLabz logged more than 121,000 distinct AWS-hosted IPs probing customer environments, highlighting how quickly adversaries can rotate sources and scale reconnaissance beyond what static, perimeter-led approaches can keep up with.
     
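The progression in takeaways 5 through 7 (session compromise during an MFA-protected login, probing of decoys, and the credential validation mentioned earlier) can be turned into concrete detections over identity and deception telemetry. The Python below is an added example, not code from the report or from any Zscaler product: it runs three checks over a constructed sign-in and decoy event log and then correlates the sources that appear in more than one. The log format, IP addresses, user names, session IDs, decoy names, and thresholds are all invented for illustration.

```python
"""Detections for the initial-access path discussed above, run over a
constructed event log. Nothing here is real telemetry; the format and
every value in SAMPLE_LOG are made up for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log, one event per line:
#   ts,event,src_ip,user,detail
# 'detail' carries the session ID for auth events and the decoy name for
# decoy_hit events; fields that do not apply are left empty.
SAMPLE_LOG = """\
2026-06-01T08:30:00Z,decoy_hit,203.0.113.7,,vpn-decoy
2026-06-01T08:30:03Z,decoy_hit,203.0.113.7,,owa-decoy
2026-06-01T08:30:09Z,decoy_hit,203.0.113.7,,citrix-decoy
2026-06-01T08:45:00Z,decoy_hit,192.0.2.99,,vpn-decoy
2026-06-01T09:00:01Z,login_fail,203.0.113.7,alice,
2026-06-01T09:00:02Z,login_fail,203.0.113.7,bob,
2026-06-01T09:00:03Z,login_fail,203.0.113.7,carol,
2026-06-01T09:00:04Z,login_fail,203.0.113.7,dave,
2026-06-01T09:00:05Z,login_ok,203.0.113.7,erin,
2026-06-01T09:05:00Z,login_ok,198.51.100.10,frank,
2026-06-01T09:05:01Z,mfa_ok,198.51.100.10,frank,sess-frank-1
2026-06-01T09:05:40Z,api_call,192.0.2.55,frank,sess-frank-1
2026-06-01T09:10:00Z,login_ok,198.51.100.20,grace,
2026-06-01T09:10:01Z,mfa_ok,198.51.100.20,grace,sess-grace-1
2026-06-01T09:30:00Z,api_call,198.51.100.20,grace,sess-grace-1
"""


def parse_events(text):
    """Parse the constructed CSV-style log into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event, src_ip, user, detail = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "src_ip": src_ip, "user": user, "detail": detail,
        })
    return sorted(events, key=lambda e: e["ts"])


def spray_sources(events, window=timedelta(minutes=10), min_users=4):
    """Credential validation at scale: one source failing against many distinct
    accounts inside a sliding window. Returns {src_ip: set(users)}."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "login_fail":
            fails[e["src_ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in fails.items():
        for end_ts, _ in attempts:  # each failure closes one candidate window
            users = {u for ts, u in attempts if end_ts - window < ts <= end_ts}
            if len(users) >= min_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged


def hijacked_sessions(events):
    """AiTM/BiTM-style session compromise: the MFA challenge itself succeeds
    (the victim really completed it through the proxy), so the reliable signal
    is a session minted at MFA time that is later used from a different source.
    Returns [(user, session, mfa_ip, new_ip, seconds_after_mfa)]."""
    origin = {}  # session ID -> (ip, ts) at MFA completion
    hits = []
    for e in events:
        sess = e["detail"]
        if e["event"] == "mfa_ok":
            origin[sess] = (e["src_ip"], e["ts"])
        elif e["event"] == "api_call" and sess in origin:
            mfa_ip, mfa_ts = origin[sess]
            if e["src_ip"] != mfa_ip:
                hits.append((e["user"], sess, mfa_ip, e["src_ip"],
                             (e["ts"] - mfa_ts).total_seconds()))
    return hits


def decoy_sources(events):
    """Reconnaissance against decoys: no legitimate client should ever touch a
    decoy, so one hit is already high-confidence; the count of distinct decoys
    separates targeted probing from a stray scan. Returns {src_ip: set(decoys)}."""
    touched = defaultdict(set)
    for e in events:
        if e["event"] == "decoy_hit":
            touched[e["src_ip"]].add(e["detail"])
    return dict(touched)


def correlated_sources(events):
    """Sources seen both probing decoys and validating credentials, i.e. the
    reconnaissance-then-initial-access progression the report describes."""
    return set(spray_sources(events)) & set(decoy_sources(events))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("spraying sources:", spray_sources(evs))
    print("hijacked sessions:", hijacked_sessions(evs))
    print("decoy probers:", decoy_sources(evs))
    print("recon + credential validation:", correlated_sources(evs))
```

On the sample data the spray check flags 203.0.113.7 (four distinct accounts failed within ten minutes), the session check flags frank's session because it was used from 192.0.2.55 39 seconds after MFA completed from 198.51.100.10, and the correlation step ties the same 203.0.113.7 to both the decoy hits and the spraying. In production the raw source-IP comparison in `hijacked_sessions` produces false positives for users moving between mobile and Wi-Fi networks or VPN egress points; comparing ASN, geolocation, or a device-bound token instead of the bare IP is the usual refinement, and the `min_users` and `window` values must be tuned to the tenant's normal failure rate.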

AI is rewriting the phishing playbook

AI isn’t just improving phishing lures. It is speeding up the infrastructure behind them. What used to require a developer, a kit, and time can now happen in a few prompts, producing polished, brand-consistent pages and realistic user flows that pass for legitimate experiences.

ThreatLabz uncovered a campaign where attackers used AI-powered site builders, including DeepSite AI and BlackBox AI, to quickly produce convincing replicas of Brazilian government portals that mirrored the step-by-step workflows users expect. ThreatLabz also found examples of threat actors leveraging Lovable AI to generate and iterate high-fidelity lookalike phishing pages and even malicious download portals, compressing the path from lure to credential theft or unwanted tooling. The takeaway is clear: AI is making phishing faster to launch, easier to scale, and harder for users to spot.

How Zscaler helps reduce phishing attacks and initial access

Phishing has evolved beyond deceptive emails into realistic, business-like workflows designed to steal credentials and hijack sessions for initial access. ThreatLabz telemetry shows a repeatable progression: attackers deliver convincing lures, validate access through credential testing at scale, then pivot quickly to the next reachable target to expand control and drive impact.

Minimizing the attack surface
Zscaler Private Access (ZPA) reduces exposed entry points by replacing inbound connectivity and broad network access with identity- and context-based access to specific applications. Zscaler Deception adds an early-warning layer with realistic decoys in the paths attackers probe—so reconnaissance and credential-seeking behavior generates high-confidence telemetry you can act on quickly.

Preventing compromise
Zscaler Internet Access (ZIA) helps stop phishing and other web-delivered threats by blocking malicious destinations and delivery paths before a user engages. Its AI-driven phishing detection evaluates URLs, domains, certificates, impersonation patterns, and behavioral signals to stop threats early. For higher-risk web activity, Zscaler Zero Trust Browser adds another layer of protection—reducing the chance that a single click becomes usable attacker access.

Eliminating lateral movement
Zscaler replaces network-level access with direct, policy-based connections to specific applications. With least-privilege enforcement, continuous verification, segmentation, and inspection that remains effective even when traffic is encrypted, the Zscaler platform reduces attackers’ ability to discover additional targets, elevate privileges, or expand beyond the initial incident.

Shutting down compromised users and insider threats
Zscaler continuously enforces policy by inspecting user-to-internet, user-to-SaaS, and user-to-private application traffic in real time, including encrypted sessions. When malicious behavior is detected, such as compromised credentials, anomalous post-phish access patterns, insider risk signals, or encrypted command-and-control activity, the platform can automatically block connections, terminate sessions, and restrict access based on identity and context. Combined with deception telemetry that exposes probing and credential seeking, these controls help contain threats quickly and prevent lateral movement or further impact.

Get the report

The ThreatLabz 2026 Phishing and Initial Access Report provides a data-backed look at how modern phishing campaigns are evolving—from AI-assisted lure creation to encrypted delivery and fast credential validation—so security teams can focus on the tactics that actually drive initial access. The full report dives deeper into real-world examples and practical guidance for reducing exposure, preventing compromise, and limiting blast radius when attackers do get in.

Read the full report to explore the data, case studies, and recommendations that can help you stay ahead of the next wave of reconnaissance and AI-powered phishing attacks.


Disclaimer: This blog post was created by Zscaler for informational purposes only and is offered "as is" without any warranty of accuracy, completeness, or reliability. Zscaler assumes no responsibility for errors or omissions, or for actions taken based on the information provided. Any third-party website or resource linked in this blog post is provided solely for convenience, and Zscaler is not responsible for its content or practices. All content is subject to change without notice. By accessing this blog, you accept these terms and acknowledge that you are solely responsible for verifying and using the information appropriately for your needs.
