
AI-powered phishing a growing threat, warns Cisco's Talos

By Staff Writer, ITWeb
Johannesburg, 27 May 2026
AI phishing a growing threat, warns Cisco's Talos.

AI-powered phishing was the biggest threat observed in the first quarter of this year, according to a statement from Cisco's Talos intelligence research group.

“Almost nine out of 10 organisations across South Africa experienced an AI-related incident and lack visibility into how threat actors are using AI,” says Ameera Cassoojee, cyber security specialist at Cisco South Africa.

In one notable incident, adversaries leveraged Softr – an AI-powered web application development platform – to generate a credential-harvesting page targeting government employees' Microsoft Exchange and Outlook Web Access accounts.

The phishing page was created using simple AI prompts and no code, lowering the barrier to entry for less sophisticated attackers. Harvested credentials were directed to disposable external data stores such as Google Sheets, with automated alerts for new captures, without requiring a single line of code.

The research shows the resurgence of phishing as the initial access vector, marking a significant reversal. After widespread SharePoint exploitation (ToolShell) in 2025, this attack vector dropped from 62% to just 18% in Q1 2026 due to successful patching and improved security detections.

Phishing, which had not topped the list since Q2 2025, has filled the gap, with valid accounts returning as the second-most observed initial access method at 24%.

Multi-factor authentication (MFA) weaknesses are increasingly being exploited. Thirty-five percent of cyber security incidents and engagements this quarter involved MFA weaknesses, showing an increase from the previous quarter.

According to the statement, public administration and healthcare were the most targeted sectors, each comprising 24% of all engagements, followed by pre-ransomware incidents at 18% – though this rate is a significant decrease from the 50% recorded a year ago.

Commenting on the report’s findings, Cassoojee said organisations must restrict self-service MFA enrolment and enforce strong, centralised authentication policies, especially those within the public sector where budgets are constrained and the impact of downtime is significant.

“Phishing-resistant MFA needs to become standard, while developer credentials and cloud tokens should be protected with the same level of scrutiny as privileged administrator accounts.”
