Zscaler has published its ThreatLabz 2026 Phishing and Initial Access Report, which shows phishing volumes fell while attacks became more targeted and effective.

Phishing activity declined 20% year on year in both 2024 and 2025 as tighter email and identity controls pushed attackers towards more selective campaigns, according to the report. It also found that 95.2% of phishing attempts were delivered through encrypted traffic, while 87% of all blocked malicious activity used encryption.

The shift points to a change in how attackers seek initial access. Rather than relying on broad, high-volume campaigns, the research describes a move towards fewer but more convincing attempts, including AI-generated websites and tools designed to hijack active user sessions.

In the UK, the study ranks the country second behind the US as a location for phishing infrastructure and hosting. It also places the UK fourth among the most targeted countries, behind Germany, India and the US.

AI and phishing

ThreatLabz identified 413,524 AI-generated site instances during the period covered by the research. Of those, 37,447, or 9.06%, were flagged as malicious.

Tools including Manus AI, Blackbox AI and Lovable AI are being used to create phishing pages that resemble legitimate corporate sites and customer workflows, the report says. It adds that these pages can be produced much faster than through manual development, making it easier for attackers to run targeted campaigns at scale.

Brand imitation remained a central tactic. Microsoft and Google were the most copied brands in phishing attacks, reflecting a continued focus on enterprise identity systems and account credentials.

Another finding centres on efforts to bypass multi-factor authentication. The research cites kits such as BlackForce, which it says are being used to take over active sessions in real time after users have logged in.

Sector targets

The services sector saw the sharpest increase in activity among the industries tracked in the report. Attacks against the sector rose 65.5% year on year, increasing from 330.9 million to 547.7 million hits.

Attackers were exploiting routine trust-based exchanges in billing, onboarding, renewals and support, according to Zscaler. Manufacturing and government also remained significant targets for email phishing, with government hits up 50% as attackers sought high-value intelligence.

Geographically, the US remained the leading target for email phishing attacks. Brazil recorded a 2,522% rise in phishing hosting, making it one of the top five global sources identified in the research.

Encrypted traffic

The report places heavy emphasis on encrypted traffic as a concealment method. By routing phishing content and other malicious activity through HTTPS and other encrypted channels, attackers can blend in with routine web traffic and make detection harder for organisations that do not inspect that traffic closely.

The findings suggest this is no longer a niche tactic. According to the study, encryption has become the default route for a large share of malicious activity, not just phishing.

Separate telemetry in the report points to large-scale hostile scanning before compromise. Data collected from decoys recorded 89.9 million hostile interactions from 1.37 million unique attacker IPs over six months.

This activity included attempts to probe collaboration platforms, identity systems and exposed services to identify weak points before an intrusion attempt. The report also says cloud infrastructure has become a main source of reconnaissance, with more than 121,000 distinct AWS-hosted IP addresses logged probing customer environments.

Using public cloud systems for scanning and credential validation can complicate response efforts because the traffic often originates from infrastructure more commonly associated with legitimate business services. That makes attribution and filtering more difficult for defenders.

The methodology states that the research drew on more than 500 trillion daily signals from Zscaler’s cloud platform and data gathered between January and December 2025, with deception telemetry collected between October 2025 and March 2026.

Deepen Desai, Chief Security Officer at Zscaler, said the changes reflected an adjustment in attacker behaviour rather than any retreat. “We are witnessing a strategic recalibration in the way adversaries approach initial access,” said Desai. “The decline in raw phishing volume isn’t a sign of retreat; it’s a sign of evolution. Attackers are trading quantity for quality, using GenAI to eliminate traditional ‘tells’ like poor grammar and generic lures. With 95% of phishing now hiding in encrypted traffic, organizations can no longer afford to leave their TLS traffic uninspected. A Zero Trust architecture is the only way to break the attack chain, from discovery to data exfiltration.”

At a meeting of the council’s cabinet yesterday, members of the Oxford Business Action Group (OBAG) asked councillors for transparency, consultation, and acknowledgement ahead of the introduction of traffic filters in August.

Cabinet meeting, June 16 (Image: Isabella Harris/NQ)

This follows years of calls for accountability and the publishing of survey results and “consumer spend data” this week, which the council said “reveals how business conditions and performance have changed since the temporary congestion charge was introduced”.

Gareth Epps, Oxfordshire County Council’s cabinet member for transport, said: “There are many challenges affecting businesses at this time, and data can help us understand what is having an impact.

“While it’s great that nearly 80 per cent of businesses who gave a view on their performance compared to a year ago said they are doing the same or better, it is clear that many are feeling significant pressures due to a number of local and national factors.”

Congestion charge sign (Image: Isabella Harris/NQ)

The data also showed 58 per cent of shopfront businesses have fewer customers since the congestion charge came into force eight months ago, and spend in Oxford’s shopping neighbourhoods has gone down more than in comparable cities.

Restauranteur and OBAG spokesperson, Bernadette Evans, said: “This isn’t happening to just a handful of us but to hundreds of brilliant hard-working shopfront business owners who’ve had the rug pulled from under them.”

The information was collected after businesses lobbied the county council to provide data on how the congestion charge was impacting trade, particularly footfall.

She stated: “We’ve never been asked if we’ve been impacted by the LTNs, the removal of parking or the congestion charge, and we know it’s because you know you won’t like what you hear.”

The charge is temporary and will be replaced by traffic filters after the reopening of the Botley Road.

Fraser Lloyd Jones, who is a part of Oxford Business Action Group and runs Barefoot Bakery, said: “Operating four sites in Oxford City Centre, not once have I been contacted in person, by email, phone or letter to ask my opinion on the consultation phase or the effect it has had on our business since implementation.”

He has a fifth site in Kidlington, where there is free parking and no limits on vehicle movement, which has been growing month on month.

This is not the case for one of his bakeries in Cowley, which may have to close “as footfall in the St Clements area has all but disappeared” amid restrictions, on top of increased business rates.

He described “unprecedented disruption” with works including the long-running Botley Road closure, saying businesses are just trying to “survive”.

Fraser said: “Where is the robust, independently verified evidence that demonstrates these restrictions have delivered a net economic benefit for Oxford?”

Previously, the council has been forced to apologise after congestion charge data collated by an external supplier was found to be faulty.

Geoff Sutton of OBAG and Reconnecting Oxford has analysed walking data and said footfall had reduced on St Clements, having a “severe impact” in “quick waves” with a range of restrictions “removing passing trade”.

He believes predictions for increased active travel with the scheme were “wrong” and people have been catching buses instead, bypassing local businesses.

Bernadette has attended around 20 council meetings speaking for businesses and calling for change, conversation and accountability on the congestion charge, but does not feel heard.

The group “welcomed” new transport boss Mr Epps, agreeing to speak with him after the meeting, but fear there will not be policy change as plans are already approved, with “tweaking around the edges and fiddling while Rome burns”.

Haiilo has formed a strategic partnership with Work Networks, a UK consultancy focused on workplace adoption.

Under the agreement, Work Networks will help organisations implement and roll out Haiilo’s employee experience platform. Its work will include support for community-building, leadership engagement and communication strategies designed to make the platform part of employees’ daily routines.

The move comes as many employers continue to invest in workplace technology while facing weak adoption and engagement across their workforces. Staff are often asked to work across fragmented systems, disconnected communication channels and a growing number of digital tools, leaving employees to manage information overload and competing demands on their attention.

The partnership is part of Haiilo’s wider global partner network. The company operates from offices in the US, UK, Germany and Finland.

Adoption focus

For Haiilo, the tie-up adds a consulting partner with expertise in change management and internal communication at a time when software vendors are under pressure to show that workplace platforms are being used after purchase. The platform is designed to bring communication, knowledge and tools into one place for employees, including frontline and distributed teams.

Work Networks will support organisations through implementation and adoption, rather than only at the point of software deployment. This places the emphasis on workplace habits, leadership behaviour and communication planning, which often determine whether internal platforms gain traction with staff.

Andrew Avanessian, Chief Executive Officer, Haiilo, said: “Employees are often left navigating too many tools, too many systems and too much noise. Attention has become one of the most valuable resources inside any organisation, yet too many workplace experiences are designed in ways that constantly fragment it.

“Haiilo helps organisations create a more connected experience where communication, knowledge and tools work together seamlessly. Partners like Work Networks play a critical role in making that vision a reality, ensuring lasting adoption and meaningful change.”

Consulting role

The partnership also reflects demand from employers for more support with digital workplace change programmes. In many organisations, new systems are introduced into already crowded technology environments, making it harder for staff to know where to find information or which tools should take priority.

This challenge is often more pronounced in businesses with frontline workers or dispersed teams, where communication can be inconsistent and access to corporate systems may vary. By combining software with rollout planning and leadership engagement, companies are trying to reduce the risk that new platforms become underused.

Nick Crawford, Chief Executive Officer, Work Networks, said: “Haiilo’s platform gives organisations a powerful foundation, but technology alone often isn’t enough – organisations also need the right strategy, leadership engagement and cultural change to ensure platforms are truly adopted.

“Our partnership combines Haiilo’s platform with a people-first approach to rollout and adoption, helping organisations create digital workplaces where communication flows naturally and employees feel part of a connected community.”