Phishing Attacks on Enterprises Surge Amidst Evolving Threat Landscape
A Comprehensive Look at SpyCloud’s 2026 Phishing Pulse Report
Austin, TX, USA, June 17th, 2026 — CyberNewswire — Recent research conducted by SpyCloud, a leader in identity threat protection, has unveiled alarming trends regarding the escalation of phishing attacks targeting enterprise organizations. The 2026 Phishing Pulse Report indicates that the sophistication and volume of these attacks are soaring, fueled by advancements in artificial intelligence and the growth of phishing-as-a-service (PhaaS) platforms.
The report is based on a comprehensive survey of security professionals working in organizations with over 1,000 employees. A striking 78% of respondents reported an uptick in phishing attempts over the past year, with 84% noting the increasing challenges posed by AI-generated phishing attacks. These findings underscore the heightened risk that organizations face in safeguarding their critical data and employee information from malicious actors.
The implications of these findings extend far and wide. Notably, it was revealed that phishing attacks compromised employee data at 86% of Fortune 100 companies in just the last 12 months. Technology companies bore the brunt of these attacks, closely followed by the airline and automotive sectors, marking a troubling trend in the targeted industries. This underscores a critical need for organizations to enhance their cybersecurity measures.
Despite acknowledging the rising threat landscape, many enterprises appear ill-equipped to cope with successful phishing attacks. Alarmingly, only 38% of organizations expressed confidence in their ability to detect and respond to credential theft within a 24-hour timeframe. In fact, 58% of security teams reported difficulty identifying which credentials or session tokens were compromised in the aftermath of an attack. Additionally, over 40% are challenged when it comes to remediating exposed users at scale. The stark reality is that 68% of respondents required four hours or longer to identify and remediate confirmed phishing-related breaches, while merely 30% have fully integrated phishing detection with identity response workflows.
Trevor Hilligoss, Chief Intelligence Officer at SpyCloud, commented on the evolving complexity of phishing attacks, stating, "Phishing has become both more sophisticated and more scalable." He emphasized the vulnerabilities posed by AI-generated lures, PhaaS platforms, and adversary-in-the-middle (AiTM) techniques that allow attackers to capture not only usernames and passwords but also session cookies and refresh tokens. This access can endure long after a password has been reset, underlining the necessity for organizations to take proactive steps in visibility and remediation.
The report further illustrates a significant shift in targeting preferences among cybercriminals. Approximately half of the records recaptured from PhaaS platforms were linked to enterprise identities, contrasting sharply with just 11% from malware sources. This indicates that phishing attacks are now approximately five times more likely to focus on enterprise users than malware infections; a stark increase from three times more likely observed in late 2025.
Furthermore, the report reveals a multifaceted approach to phishing strategies, with organizations expressing concern over a wide array of threats. Business Email Compromise (BEC) was identified by 58% of respondents as a significant concern, while vendor impersonation and collaboration platform phishing were cited by 52% and 36%, respectively. Session hijacking, affecting 20% of those surveyed, adds to the already burdensome list of threats.
In light of these developments, AiTM phishing techniques have gained momentum, particularly through device code phishing attacks that exploit legitimate OAuth authentication workflows. Hilligoss pointed out this troubling trend, where attackers gravitate towards techniques that yield the most reliable access with minimal effort. Device code phishing enables attackers to use trusted access that often remains after the initial compromise, emphasizing the need for security teams to adapt their response strategies.
The report emphasizes a significant hurdle that organizations face post-attack: the visibility gap. When security teams lack clear visibility into which credentials or tokens were compromised, the remediation process becomes significantly more challenging. This gap allows attackers valuable time to establish persistence and potentially escalate their privileges for follow-on attacks.
Hilligoss provided a particularly stern warning: "At some point, users are going to get phished." He urged organizations to shift from solely preventing phishing incidents to developing response capabilities that enable continuous monitoring of exposed identities and credentials. Automated remediation workflows should be prioritized to revoke compromised access effectively and minimize attackers’ operational windows.
In conclusion, backed by its extensive darknet data repository, SpyCloud works diligently to help organizations identify and remediate compromised identities before they can be exploited for ransomware, account takeovers, session hijacking, fraud, and other identity-based attacks.
For those interested in the full insights of the 2026 Phishing Pulse Report, a comprehensive document can be accessed here. Organizations looking for a demonstration of SpyCloud’s capabilities can request one through the provided link.
About SpyCloud
SpyCloud is dedicated to transforming recaptured darknet data to disrupt cybercrime. Its identity threat protection solutions leverage advanced analytics and AI to secure organizational identities against pressing threats that include authentication bypass, session hijacking, and fraud. With a clientele that includes seven of the Fortune 10 and numerous global enterprises, SpyCloud is redefining the boundaries of cybersecurity.
For additional insights into SpyCloud’s services and to review information on exposed data, visit spycloud.com.