TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Cisco Talos Intelligence

IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist

Aliza Johnson · 2026-04-22

ATT&CK techniques detected

16 predictions
T1021.001 · Remote Desktop Protocol
99%
“… of engagements. Furthermore, the adversary’s use of Remote Desktop Protocol (RDP) for lateral movement is consistent with RDP being the top technique for lateral movement for the previous two quarters (Q3 and Q4 2025). Targeting public administration and health care were ti…”
T1486 · Data Encrypted for Impact
96%
“… Though these attempts were largely thwarted by the expiration of targeted secrets and effective security controls, the tactic reflects an emerging trend of supply chain and development environment attacks. Ransomware trends. Ransomware experiences slight increase, remains low ov…”
T1021.001 · Remote Desktop Protocol
95%
“… remain consistently active. Rhysida ransomware actors use uncommon backdoor, MeowBackConn. Talos IR responded to a ransomware incident where the adversary attempted to deploy Rhysida ransomware. While the attack was mitigated in the pre-ransomware stage, we attribute this activi…”
T1556.006 · Multi-Factor Authentication
86%
“… on-premises Microsoft SharePoint servers, collectively referred to as ToolShell. Since then, we have observed a steady decrease in the exploitation of public-facing applications as an initial access vector from a high of 62 percent to only 18 percent in Q1 2026. Similarly, in …”
T1566 · Phishing
80%
“IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist. - Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determin…”
T1071.001 · Web Protocols
79%
“… which was dominant in the prior two quarters. - Web-based C2 was the most common C2 pattern. Application Layer Protocol over Web Protocols was observed most often, indicating adversaries frequently blended C2 into normal-looking traffic. - Lateral movement primarily relied on…”
T1213.003 · Code Repositories
78%
“… The incident began when a GitHub personal access token (PAT) was inadvertently published on a public-facing website, exposing the organization to adversaries for several months. Upon obtaining access, the adversary used TruffleHog, an open-source tool commonly utilized by…”
T1021.002 · SMB/Windows Admin Shares
67%
“… which was dominant in the prior two quarters. - Web-based C2 was the most common C2 pattern. Application Layer Protocol over Web Protocols was observed most often, indicating adversaries frequently blended C2 into normal-looking traffic. - Lateral movement primarily relied on…”
T1528 · Steal Application Access Token
65%
“… The incident began when a GitHub personal access token (PAT) was inadvertently published on a public-facing website, exposing the organization to adversaries for several months. Upon obtaining access, the adversary used TruffleHog, an open-source tool commonly utilized by…”
T1566.002 · Spearphishing Link
59%
“… for less sophisticated actors and/or accelerate the speed of phishing and credential-harvesting campaigns. Using a form template and the ‘vibe coding’ feature, a phishing page like the one used in this attack could be quickly created with a few AI prompts and no code. Phish…”
T1195.001 · Compromise Software Dependencies and Development Tools
53%
“… The incident began when a GitHub personal access token (PAT) was inadvertently published on a public-facing website, exposing the organization to adversaries for several months. Upon obtaining access, the adversary used TruffleHog, an open-source tool commonly utilized by…”
T1654 · Log Enumeration
51%
“… addressing any system vulnerabilities for the future. To address this issue, Talos IR recommends organizations implement a security information and event management (SIEM) solution for centralized logging. In the event an adversary deletes or modifies logs on the host, the SIEM…”
T1563.002 · RDP Hijacking
49%
“… of engagements. Furthermore, the adversary’s use of Remote Desktop Protocol (RDP) for lateral movement is consistent with RDP being the top technique for lateral movement for the previous two quarters (Q3 and Q4 2025). Targeting public administration and health care were ti…”
T1567.001 · Exfiltration to Code Repository
48%
“… The incident began when a GitHub personal access token (PAT) was inadvertently published on a public-facing website, exposing the organization to adversaries for several months. Upon obtaining access, the adversary used TruffleHog, an open-source tool commonly utilized by…”
T1671 · Cloud Application Integration
40%
“… The incident began when a GitHub personal access token (PAT) was inadvertently published on a public-facing website, exposing the organization to adversaries for several months. Upon obtaining access, the adversary used TruffleHog, an open-source tool commonly utilized by…”
T1078 · Valid Accounts
38%
“… remain consistently active. Rhysida ransomware actors use uncommon backdoor, MeowBackConn. Talos IR responded to a ransomware incident where the adversary attempted to deploy Rhysida ransomware. While the attack was mitigated in the pre-ransomware stage, we attribute this activi…”

Summary

Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing has not been the top initial access vector since Q2 2025.