AUSTIN, Texas, June 17, 2026 (GLOBE NEWSWIRE) —
New SpyCloud research highlights the expansion of phishing attacks as AI and phishing-as-a-service fuel enterprise targeting.
SpyCloud, the leader in identity threat protection, today released its 2026 Phishing Pulse Report, revealing that phishing attacks continue to increase in both volume and sophistication for enterprise organizations as artificial intelligence and phishing-as-a-service (PhaaS) platforms enable threat actors to launch highly effective campaigns at scale.
Based on a survey of security professionals at organizations with more than 1,000 employees, SpyCloud found that 78% of organizations experienced an increase in phishing volume over the past 12 months, while 84% say AI-generated phishing attacks are becoming more prevalent or harder to defend against.
Additional SpyCloud analysis found:
- Phishing attacks exposed employee data at 86% of Fortune 100 companies over the last 12 months.
- Technology companies experienced the highest level of phishing exposure, followed by the airline and automotive industries.
The findings suggest that while organizations recognize the growing threat posed by phishing, many remain unprepared to respond once an attack succeeds.
- Only 38% of organizations are very confident they can detect and respond to credential theft within 24 hours.
- 58% struggle to identify which credentials or session tokens were exposed following a phishing incident.
- 42% struggle to remediate exposed users at scale.
- 68% require 4 hours or longer to identify and remediate confirmed phishing-related exposures.
- Only 30% have fully integrated phishing detection with identity response workflows.
“Phishing has become both more sophisticated and more scalable,” said Trevor Hilligoss, Chief Intelligence Officer at SpyCloud. “AI-generated lures, PhaaS platforms, and adversary-in-the-middle (AiTM) techniques are helping attackers capture not only usernames and passwords, but session cookies, refresh tokens, granting them authenticated access that can persist long after a password reset. While prevention remains important, organizations also need visibility into exactly what was exposed and be able to remediate before attackers can turn those exposures into follow-on attacks like ransomware, account takeover, session hijacking, or fraud.”
Phishing’s Impact on Enterprises Continues to Grow
The report combines survey findings with SpyCloud’s analysis of active phishing campaigns and PhaaS infrastructure, revealing a clear and deliberate focus on enterprise targets.
SpyCloud researchers observed that approximately half of its recaptured PhaaS platform-sourced records are tied to enterprise identities, compared to just 11% of malware-sourced records. This indicates that phishing attacks are now approximately five times more likely to target enterprise users than malware infections – up from roughly three times more likely in late 2025. This trend is reinforced by SpyCloud’s analysis of kits such as Tycoon 2FA, where approximately 80% of captured credentials belonged to corporate email accounts.
AI, Session Hijacking, and Device Code Phishing Reshape the Threat Landscape
While AI-generated phishing emerged as the dominant concern among respondents, organizations are increasingly worried about a broader range of phishing-related threats. Business email compromise (BEC) was cited by 58% of respondents, vendor impersonation by 52%, collaboration platform phishing by 36%, and session hijacking by 20%.
The report also highlights growing concerns around AiTM phishing techniques, particularly device code phishing attacks that abuse legitimate OAuth authentication workflows to obtain authenticated access.
Hilligoss added, “Attackers gravitate toward techniques that give them the most reliable access with the least amount of effort, and device code phishing checks both boxes. Rather than continuously fighting authentication controls, they can leverage legitimate workflows to obtain trusted access that often persists long after the initial compromise. This changes the response process significantly because security teams need to think beyond credential resets and focus on revoking the tokens and sessions – a process that hasn’t historically been a part of the post-phishing playbook.”
The Visibility Gap Creates Opportunity for Attackers
The report found that visibility remains the single greatest challenge organizations face after a successful phishing attack.
When security teams cannot determine which credentials, session tokens, or other authentication artifacts were exposed, remediation becomes significantly more difficult and attackers gain valuable time to establish persistence, move laterally, escalate privileges, or launch follow-on attacks.
“At some point, users are going to get phished,” said Hilligoss. “Organizations must move beyond phishing prevention-focused strategies and build response capabilities that provide continuous visibility into exposed credentials, cookies, session tokens, and other identity data. Security teams should prioritize automated remediation workflows capable of revoking compromised access at scale and reducing the window of opportunity available to attackers.”
Backed by the world’s largest repository of darknet data, SpyCloud recaptures phished credentials, session cookies, refresh tokens, and phishing targeting data directly from criminal infrastructure and active phishing campaigns, enabling organizations to identify compromised identities and automatically remediate exposures before they can be used for ransomware, account takeover, session hijacking, fraud, or other identity-based attacks.
To read the full 2026 Phishing Pulse Report, users can click here. If interested in a SpyCloud demo, users can click here.
About SpyCloud
SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions use advanced analytics and AI to accelerate investigations and protect workforce, consumer, and supplier identities from the threats that matter most: authentication bypass, session hijacking, malicious insiders, account takeover, ransomware, and fraud. Its data from malware-infected devices, successful phishes, combolists, and third-party breaches also powers many popular dark web monitoring and identity theft protection offerings. Customers include 7 of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 250 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.
To learn more and see insights on the company’s exposed data, users can visit spycloud.com.
Contact
Account Director
Emily Brown
REQ for SpyCloud
spycloud@req.co
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/cb311725-2b1d-4943-b49f-4f7e16f25f38
