Overall Phishing volume has dropped by 20% for the second year running, but attacks are becoming more targeted and more dangerous, according to new research from Zscaler’s ThreatLabz.
“Quality over quantity is what we’re seeing,” Deepen Desai, Zscaler’s Chief Security Officer told Expert Insights. The decline “is a good thing, but it doesn’t mean the threat has gone away. It just takes one successful phishing attack to take down an environment.”
Phishing attacks are also increasingly targeting AI agents, the report suggests, as a new way to compromise critical data. “Agents are your weakest link right now,” Desai suggests.
The ThreatLabz 2026 Phishing and Initial Access Report is based on analysis of over 500 trillion daily signals from the Zscaler Zero Trust Exchange, covering phishing activity, encrypted traffic, and deception telemetry.
Expert Insights spoke to Desai and other Zscaler executives at the company’s Zenith Live conference in Vienna this month to learn more.
AI is making phishing harder to spot
AI has had a significant impact on the phishing ecosystem, with a surge in AI-generated phishing emails reported over the last several years. AI enables attackers to spin up highly realistic phishing webpages in seconds, rather than hours.
ThreatLabz identified 413,524 AI-generated phishing site instances and flagged roughly 9% of them, some 37,447, as malicious. The sites were built with tools such as Manus AI, Blackbox AI, and Lovable AI. These are not purpose-built criminal kits. “These are all legitimate products being misused,” Desai said.
The result is phishing pages that match the language, branding, and context of real business communications, without the spelling mistakes and generic templates that once made them easy to spot. A single stolen credential can unlock email, files, and downstream SaaS access.
Attackers are also using AI and cloud infrastructure to scout targets before they send a single lure. ThreatLabz observed 89.9 million hostile interactions from 1.37 million unique attacker IPs in six months, with more than 121,000 distinct AWS-hosted IPs probing customer environments. Blocking known bad addresses cannot keep pace with infrastructure that is spun up, used, and discarded in hours.
Who is being targeted?
Phishing campaigns are increasingly targeting high value targets with supply chain weaknesses, such as service providers. Phishing against the services industry surged 65.5% year over year, from 330.9 million to 547.7 million hits, as attackers exploited everyday trust in billing, renewals, and support workflows.
Desai’s concern is what sits downstream. Compromise one IT or services provider, he said, and “every client of that services company is essentially under the radar of their attack.”
The goal of these attacks has also shifted. Identity takeover is replacing simple credential theft. Phishing kits like BlackForce intercept the login flow in real time to capture one-time codes, defeating multi-factor authentication. Attackers are no longer just stealing passwords; they are hijacking live sessions to bypass the controls organizations put in place to stop exactly that.
Attackers are also getting smarter about how phishing is delivered. ThreatLabz found that 95.2% of blocked phishing, about 1.2 billion hits, was delivered over encrypted channels. Across all blocked malicious activity, 87% travelled over HTTPS.
For security teams without inline TLS inspection, that traffic is invisible. “They’re basically blind to those attacks,” Desai said. “Unless you inspect, you will not see the phishing page coming in, or even your credentials and secrets that are leaving your environment. TLS inspection is a must.”
Agents are getting phished
The trend Desai thinks defenders most underestimate is AI agents being phished, both by humans and by other agents. This can work via indirect prompt injection, directing agents to a page with hidden instructions an agent then reads and acts on.
In one example cited in the report, a page directed an agent to make a payment using the original user’s stored card details, and the agent complied because nothing inspected the instruction.
What makes this worse than a phished employee is the absence of second thoughts. “When a user falls for a phishing attack, they will eventually realize it and tell their IT team,” Desai said.
“Agents, when they fall for phishing, they become malicious insiders.” His blunt summary: “Agents are your weakest link right now.” For all that, he said, “agents getting phished is still not getting the attention it should.”
What defenders should do
The report names three priorities: zero trust with segmentation and deception, phishing-resistant MFA, and continuous security-awareness training. Asked which he would choose if he could do only one, Desai did not hesitate. “I would prioritize zero trust segmentation with deception,” he said, because it lets you “contain the blast radius.” The logic is to assume a user or an agent will eventually make a mistake, then make sure a single compromise cannot spread: “When the adversary uses that compromised identity to do more damage, they will get caught, and I will be able to mitigate.”
Training still matters, especially as deepfake voice and video move into the second stage of attacks that begin with an email and continue on a call. That problem, Desai said, is “both a technology and a training problem,” and training “is something that’s in our hand.”
