惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Recorded Future
Recorded Future
C
Cyber Attacks, Cyber Crime and Cyber Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
Cyberwarzone
Cyberwarzone
C
CERT Recently Published Vulnerability Notes
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Palo Alto Networks Blog
Google Online Security Blog
Google Online Security Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
WordPress大学
WordPress大学
博客园 - 聂微东
L
LINUX DO - 最新话题
月光博客
月光博客
小众软件
小众软件
T
Troy Hunt's Blog
A
Arctic Wolf
量子位
I
Intezer
大猫的无限游戏
大猫的无限游戏
T
Tailwind CSS Blog
S
Schneier on Security
Schneier on Security
Schneier on Security
NISL@THU
NISL@THU
T
Threat Research - Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园_首页
有赞技术团队
有赞技术团队
N
News and Events Feed by Topic
美团技术团队
The Cloudflare Blog
P
Privacy International News Feed
S
Security Affairs
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY
N
News | PayPal Newsroom
Apple Machine Learning Research
Apple Machine Learning Research
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
L
LINUX DO - 热门话题
V
Vulnerabilities – Threatpost
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
宝玉的分享
宝玉的分享
Application and Cybersecurity Blog
Application and Cybersecurity Blog
IT之家
IT之家
Hacker News: Ask HN
Hacker News: Ask HN
雷峰网
雷峰网

Security Research | Blog

ClaudeFix: Shared Claude Chats Meet ClickFix | Zscaler Why Do F1 Teams Need Cybersecurity, and What Is AI’s Role? Indirect Prompt Injection Targets AI Agents | ThreatLabz Splunk Enterprise RCE (CVE-2026-20253) | ThreatLabz Edgecution: Malicious Edge Extension Backdoor | ThreatLabz SmartApeSG Supply Chain Attack Targets Okendo | ThreatLabz AI Generated ClickFix Attack Delivers SmartRAT | ThreatLabz Shai-Hulud: Miasma, Hades, & AI Scanner Evasion | ThreatLabz Zscaler ThreatLabz 2026 Phishing and Initial Access Report Technical Analysis of MLTBackdoor | ThreatLabz When the Scanner Starts Thinking: Learnings from Mythos & GPT 5.5 Cyber in Security Testing | Zscaler OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz Do not delete blog (testing) | Zscaler Payouts King Takes Aim at the Ransomware Throne | ThreatLabz The Alibaba Incident and Why Zero Trust Matters More Than Ever In-Memory Loader Drops ScreenConnect | ThreatLabz Supply Chain Attacks Surge in March 2026 | ThreatLabz Claude Code Leak: Critical AI Security Threat 2026 Latest Xloader Obfuscation Code & C2 Protocol | ThreatLabz CVE-2026-20131: Analysis of FMC RCE | ThreatLabz Technical Analysis of SnappyClient | ThreatLabz China-nexus Group Targets Arabian Gulf Region | ThreatLabz Middle East Conflict Fuels Cyber Attacks | ThreatLabz Dust Specter APT Targets Gov’t Officials in Iraq | ThreatLabz APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz GuLoader Malware Obfuscation Techniques Analyzed GuLoader Obfuscation Analysis | ThreatLabz Technical Analysis of Marco Stealer | ThreatLabz Latest Public Sector AI Adoption Trends: What Government, Healthcare, and Education Security Teams Need to Know | Zscaler Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz 7 Predictions for 2026 | Zscaler SHEETCREEP, FIREPOWER, and MAILCREEP Analysis | ThreatLabz AI is Now Default Enterprise Accelerator: Takeaways from ThreatLabz 2026 AI Security Report | Zscaler GOGITTER, GITSHELLPAD, and GOSHELL Analysis | ThreatLabz Malicious NPM Packages Deliver NodeCordRAT | ThreatLabz What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek | Zscaler BlindEagle Deploys Caminho and DCRAT | ThreatLabz Technical Analysis of the BlackForce Phishing Kit | ThreatLabz React2Shell RCE Vulnerability (CVE-2025-55182) | ThreatLabz Shai-Hulud V2 Poses Risk to NPM Supply Chain | ThreatLabz Technical Analysis of Matanbuchus 3.0 | ThreatLabz In-Depth Analysis: Water Gamayun APT Multi-Stage Attack Uncovered CVE-2025-50165: Windows Graphics Component Flaw | ThreatLabz Mobile, IoT, and OT Risks Converge in the Public Sector | Zscaler Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report | Zscaler Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) | Zscaler F5 Security Incident Advisory | Zscaler Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface | Zscaler SEO Poisoning Targets Ivanti VPN: Credential Theft Alert Cisco Firewall and VPN Zero Day Attacks | ThreatLabz COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz YiBackdoor: Linked to IcedID and Latrodectus | ThreatLabz Technical Analysis of Zloader Updates | ThreatLabz Mitigating Risks from the Shai-Hulud NPM Worm | ThreatLabz Malicious PyPI Packages Deliver SilentSync RAT | ThreatLabz Technical Analysis of SmokeLoader Version 2025 | ThreatLabz Technical Analysis of kkRAT | ThreatLabz APT37: Rust Backdoor & Python Loader | ThreatLabz Anatsa’s Latest Updates | ThreatLabz Termncolor and Colorinal Explained | ThreatLabz GenAI Used to Impersonate Brazil’s Govt Websites | ThreatLabz Tracking Updates to Raspberry Robin | ThreatLabz Ransomware Surges, Extortion Escalates: ThreatLabz 2025 Ransomware Report | Zscaler China-nexus APT Targets the Tibetan Community | ThreatLabz CVE-2025-53770 | ThreatLabz Black Hat SEO Poisoning Search Engine Results For AI | ThreatLabz
What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector | Zscaler
Adam Ford · 2026-06-17 · via Security Research | Blog

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

It only takes one click. One convincing credential page, one well-timed lure impersonating a trusted agency workflow, and an attacker gains the initial access needed to move from inbox to identity to impact. 

That reality sits at the center of the ThreatLabz 2026 Phishing and Initial Access Report. While overall phishing volume in the Zscaler cloud fell 20% year over year, the campaigns that remain are more targeted, more AI-powered, and harder to distinguish from legitimate activity. ThreatLabz identified 413,524 AI-generated site instances across the analysis period, flagging 9% as malicious. These were produced by platforms like Manus AI, BlackBox AI, and Anything AI that allow attackers to spin up high-fidelity phishing infrastructure in minutes rather than days.

For public sector defenders, the implications are direct. Government services, healthcare operations, and education environments all depend on digital trust, and attackers are exploiting that trust at every layer: AI-generated content, brand impersonation, credential theft, encrypted delivery channels, and real-time session hijacking that defeats traditional MFA. A single successful lure can still lead to account takeover, data exposure, service disruption, and loss of public trust. 

The data tells three distinct stories across government, healthcare, and education, but the underlying shift toward targeted, high-conversion initial access is consistent across all three.

This blog post summarizes the key ThreatLabz report takeaways for the teams protecting government services, healthcare operations, and education environments.

Government saw a 50% surge in phishing attacks

Phishing attack attempts against the government sector jumped 50% year over year, one of the largest sector increases reported. With 138.5 million phishing hits in 2025, government ranked as the third-most targeted industry overall in the Zscaler cloud.

That increase reflects how threat actors are turning public trust into an initial access opportunity. Citizens expect to interact with government agencies online, whether they are paying taxes, accessing benefits, renewing licenses, or resolving administrative issues. Attackers exploit that expectation by impersonating official services and creating workflows that feel legitimate.

ThreatLabz researchers saw this play out in a campaign impersonating Brazilian government services. Attackers used AI-powered site builders, including DeepSite AI and BlackBox AI, to create convincing replicas of official portals. They paired those sites with SEO poisoning and guided users through a process that mirrored a real public service interaction before requesting payment through a trusted instant payment system. This is the new template for government-targeted phishing: AI-generated, workflow-aware, and designed to pass every human trust test.

The IRS has similarly warned about impersonation scams that use email, SMS, and QR codes to mimic official communications and direct users to fraudulent portals designed to steal credentials and financial data.

Government agencies need to protect the full citizen-facing experience, not only the inbox. That means detecting lookalike domains and fake portals, inspecting web and encrypted traffic, reducing exposure across public-facing services and applications, and applying identity controls that can stop credential theft from becoming account takeover.

Healthcare recorded lower phishing volume, but consequences remain high

Among tracked sectors, the healthcare industry saw comparatively lower phishing hit counts in the Zscaler cloud in 2025, along with 1.58 million encrypted attack hits. By volume alone, the sector may look less exposed than higher-ranking industries.

But for healthcare security teams, a convincing login page or trusted brand impersonation can turn a lower-volume campaign into a direct path to credentials, sessions, and application access that puts patient care at risk. With 95.2% of all phishing activity now delivered over encrypted channels, campaigns that reach healthcare users are already bypassing legacy defenses that don't inspect TLS traffic.

These stakes make brand impersonation especially relevant. Microsoft and Google remained the top two most-imitated brands in the report, and both are common entry points into the cloud productivity and collaboration environments healthcare users rely on every day. 

As highlighted in the report, adversary-in-the-middle (AiTM) and browser-in-the-middle (BiTM) phishing kits are also designed to capture credentials and MFA tokens during the active login flow, turning a single click into session-level compromise regardless of whether MFA is enabled.

For healthcare organizations, lower phishing volume changes the scale of the problem, not the stakes. The priority is stopping credential capture, session theft, and malicious redirects before a single successful lure becomes access to patient data and clinical operations.

Education phishing fell sharply, but encrypted attacks kept risk in view

Phishing attempts against education organizations dropped 65.6% year over year. The sector lost more absolute phishing volume than any other tracked industry in the Zscaler cloud.

The risk, however, has not disappeared. Education experienced roughly 1.6 billion encrypted attack hits in the past year, representing 6% of encrypted attack activity in the Zscaler cloud. For schools and universities, that contrast matters. Lower phishing volume in the inbox can coexist with significant malicious activity moving through TLS sessions, web traffic, cloud applications, and authentication flows, all channels where traditional email security has no visibility.

The report also analyzes how attackers probe exposed entry points outside the inbox. ThreatLabz recorded 89.9 million hostile interactions with external decoys in just six months, underscoring the scale of reconnaissance against internet-facing assets. Education environments with broad public-facing infrastructure (portals, LMS platforms, federated authentication systems) present a large reconnaissance target.

A drop in phishing volume should be treated as a positive signal, not proof that initial access risk is declining. Education teams need visibility across the activity that follows or bypasses the phish, including encrypted traffic, authentication flows, SaaS usage, browser behavior, and compromised credential use.

What public sector security teams should do now

Across government, healthcare, and education, the report's findings point to a consistent set of priorities for reducing initial access risk:

  1. Inspect encrypted traffic consistently. With 95.2% of phishing delivered over TLS, any gap in SSL/TLS inspection is a blind spot attackers will exploit. Inline inspection must cover web, SaaS, and cloud application traffic, not just email.
     
  2. Deploy phishing-resistant authentication. AiTM and BiTM kits defeat legacy MFA in real time. Transitioning to FIDO2-based, phishing-resistant credentials removes the most reliable path from click to session compromise.
     
  3. Reduce application exposure. Before the first lure is sent, attackers are already mapping your environment. Minimize discoverable attack surface by making applications invisible to the internet and enforcing identity-based access only after verification.
     
  4. Monitor for AI-generated phishing infrastructure. AI site builders are compressing the time from campaign ideation to live phishing page to minutes. Detection must account for rapidly rotating, high-fidelity lookalike domains and portals, not just known-bad indicators.
     
  5. Extend visibility beyond the inbox. Phishing is the entry point, but initial access is won in browsers, authentication flows, SaaS sessions, and encrypted channels. Security teams need visibility and control across the full path from lure to compromise.

A Zero Trust architecture that verifies every connection, inspects encrypted traffic inline, minimizes exposed attack surface, and enforces least-privilege access provides the most effective foundation for disrupting the attacker's path at every stage, from reconnaissance through credential theft to lateral movement.

Learn more: ThreatLabz 2026 Phishing and Initial Access Report

These public sector findings are part of the broader ThreatLabz analysis of how phishing and initial access tactics are evolving in the AI era. Download the full report for the complete dataset, real-world attack chain walkthroughs, and actionable guidance for reducing initial access risk across government, healthcare, and education environments.

form submtited

Thank you for reading

Was this post useful?

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.

Explore more Zscaler blogs

Driving to a Technical Debt-Free Future

Driving to a Technical Debt-Free Future

States, Municipalities, and AI: How to Secure GenAI in Government

States, Municipalities, and AI: How to Secure GenAI in Government

How Zero Trust Branch Addresses the TIC 3.0 Branch Office Requirement

How Zero Trust Branch Addresses the TIC 3.0 Branch Office Requirement

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.