Phishing falls as attackers turn to AI & encryption
Zscaler has published its ThreatLabz 2026 Phishing and Initial Access Report, which shows phishing volumes fell while attacks became more targeted and effective.
Phishing activity declined 20% year on year in both 2024 and 2025 as tighter email and identity controls pushed attackers towards more selective campaigns, according to the report. It also found that 95.2% of phishing attempts were delivered through encrypted traffic, while 87% of all blocked malicious activity used encryption.
The shift points to a change in how attackers seek initial access. Rather than relying on broad, high-volume campaigns, the research describes a move towards fewer but more convincing attempts, including AI-generated websites and tools designed to hijack active user sessions.
The study ranks the UK second behind the US as a location for phishing infrastructure and hosting. It also places the UK fourth among the most targeted countries, behind Germany, India and the US.
AI and phishing
ThreatLabz identified 413,524 AI-generated site instances during the period covered by the research. Of those, 37,447, or 9.06%, were flagged as malicious.
Tools including Manus AI, Blackbox AI and Lovable AI are being used to create phishing pages that resemble legitimate corporate sites and customer workflows, the report says. It adds that these pages can be produced much faster than through manual development, making it easier for attackers to run targeted campaigns at scale.
Brand imitation remained a central tactic. Microsoft and Google were the most copied brands in phishing attacks, reflecting a continued focus on enterprise identity systems and account credentials.
Another finding centres on efforts to bypass multi-factor authentication. The research cites kits such as BlackForce, which it says are being used to take over active sessions in real time after users have logged in.
Sector targets
The services sector saw the sharpest increase in activity among the industries tracked in the report. Attacks against the sector rose 65.5% year on year, increasing from 330.9 million to 547.7 million hits.
Attackers were exploiting routine trust-based exchanges in billing, onboarding, renewals and support, according to Zscaler. Manufacturing and government also remained significant targets for email phishing, with government hits up 50% as attackers sought high-value intelligence.
Geographically, the US remained the leading target for email phishing attacks. Brazil recorded a 2,522% rise in phishing hosting, making it one of the top five global sources identified in the research.
Encrypted traffic
The report places heavy emphasis on encrypted traffic as a concealment method. By routing phishing content and other malicious activity through HTTPS and other encrypted channels, attackers can blend in with routine web traffic and make detection harder for organisations that do not inspect that traffic closely.
The findings suggest this is no longer a niche tactic. According to the study, encryption has become the default route for a large share of malicious activity, not just phishing.
Separate telemetry in the report points to large-scale hostile scanning before compromise. Data collected from decoys recorded 89.9 million hostile interactions from 1.37 million unique attacker IPs over six months.
This activity included attempts to probe collaboration platforms, identity systems and exposed services to identify weak points before an intrusion attempt. The report also says cloud infrastructure has become a main source of reconnaissance, with more than 121,000 distinct AWS-hosted IP addresses logged probing customer environments.
Using public cloud systems for scanning and credential validation can complicate response efforts because the traffic often originates from infrastructure more commonly associated with legitimate business services. That makes attribution and filtering more difficult for defenders.
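The decoy telemetry passage above describes the triage problem a defender faces: many hostile interactions, far fewer unique sources, and a share of those sources sitting in public-cloud ranges that also carry legitimate traffic. The following Python is an added illustration written for this article, not Zscaler's code or data. The log lines, the field layout (timestamp, source IP, decoy service, action) and the cloud prefix list are all constructed; a real deployment would load the provider's published IP range list and its own decoy log format.

```python
"""Summarise decoy (honeypot-style) hits the way an analyst would when deciding
what to block. Added example with constructed data; not the report's telemetry."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample records: timestamp, source IP, decoy service, action.
# Anything touching a decoy is by definition unsolicited, so every line is hostile.
DECOY_LOG = """\
2025-11-03T08:14:02Z 203.0.113.7 idp-login POST /auth
2025-11-03T08:14:05Z 203.0.113.7 idp-login POST /auth
2025-11-03T08:15:11Z 198.51.100.23 collab-share GET /api/spaces
2025-11-03T08:16:40Z 192.0.2.44 idp-login POST /auth
2025-11-03T08:17:02Z 198.51.100.23 ssh CONNECT
2025-11-03T08:18:19Z 203.0.113.250 collab-share GET /api/spaces
2025-11-03T08:19:00Z 192.0.2.44 vpn-portal GET /login
"""

# Constructed placeholder standing in for a cloud provider's published ranges
# (documentation prefix 203.0.113.0/24 is used purely as a stand-in).
CLOUD_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_decoy_log(text):
    """Turn raw lines into records; malformed lines are skipped rather than raised."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, ip, service, action = parts
        records.append({"ts": ts, "ip": ipaddress.ip_address(ip),
                        "service": service, "action": action})
    return records


def is_cloud_hosted(ip, prefixes=CLOUD_PREFIXES):
    """True if the source sits inside one of the known cloud prefixes."""
    return any(ip in net for net in prefixes)


def summarize(records):
    """Counts an analyst wants first: volume, distinct sources, cloud share,
    which decoys were touched, and which sources probed more than one decoy."""
    unique_ips = {r["ip"] for r in records}
    cloud_ips = {ip for ip in unique_ips if is_cloud_hosted(ip)}
    per_service = Counter(r["service"] for r in records)
    services_per_ip = defaultdict(set)
    for r in records:
        services_per_ip[r["ip"]].add(r["service"])
    multi_service = sorted(str(ip) for ip, s in services_per_ip.items() if len(s) > 1)
    return {
        "interactions": len(records),
        "unique_ips": len(unique_ips),
        "cloud_hosted_ips": len(cloud_ips),
        "per_service": dict(per_service),
        "multi_service_ips": multi_service,
    }


def recommend_blocks(records, prefixes=CLOUD_PREFIXES):
    """Block the individual offending addresses. Cloud prefixes that were touched are
    reported separately because blocking a whole provider range would also cut off
    legitimate services hosted there, which is the filtering problem described above."""
    block_ips = sorted({str(r["ip"]) for r in records})
    touched = {str(net) for r in records for net in prefixes if r["ip"] in net}
    return {"block_ips": block_ips, "cloud_prefixes_touched": sorted(touched)}


if __name__ == "__main__":
    recs = parse_decoy_log(DECOY_LOG)
    print(summarize(recs))
    print(recommend_blocks(recs))
```

The per-IP block list is deliberately narrow: the sources that hit more than one decoy (`multi_service_ips`) are the strongest candidates for wider hunting in proxy and identity logs, while the `cloud_prefixes_touched` output is there to show how much legitimate address space a coarse prefix block would sweep up.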
The methodology states that the research drew on more than 500 trillion daily signals from Zscaler’s cloud platform and data gathered between January and December 2025, with deception telemetry collected between October 2025 and March 2026.
Deepen Desai, Chief Security Officer at Zscaler, said the changes reflected an adjustment in attacker behaviour rather than any retreat. “We are witnessing a strategic recalibration in the way adversaries approach initial access,” said Desai. “The decline in raw phishing volume isn’t a sign of retreat; it’s a sign of evolution. Attackers are trading quantity for quality, using GenAI to eliminate traditional ‘tells’ like poor grammar and generic lures. With 95% of phishing now hiding in encrypted traffic, organizations can no longer afford to leave their TLS traffic uninspected. A Zero Trust architecture is the only way to break the attack chain, from discovery to data exfiltration.”