























Zscaler Blog
Get the latest Zscaler blog updates in your inbox
It only takes one click. One convincing credential page, one well-timed lure impersonating a trusted agency workflow, and an attacker gains the initial access needed to move from inbox to identity to impact.
That reality sits at the center of the ThreatLabz 2026 Phishing and Initial Access Report. While overall phishing volume in the Zscaler cloud fell 20% year over year, the campaigns that remain are more targeted, more AI-powered, and harder to distinguish from legitimate activity. ThreatLabz identified 413,524 AI-generated site instances across the analysis period, flagging 9% as malicious. These were produced by platforms like Manus AI, BlackBox AI, and Anything AI that allow attackers to spin up high-fidelity phishing infrastructure in minutes rather than days.
For public sector defenders, the implications are direct. Government services, healthcare operations, and education environments all depend on digital trust, and attackers are exploiting that trust at every layer: AI-generated content, brand impersonation, credential theft, encrypted delivery channels, and real-time session hijacking that defeats traditional MFA. A single successful lure can still lead to account takeover, data exposure, service disruption, and loss of public trust.
The data tells three distinct stories across government, healthcare, and education, but the underlying shift toward targeted, high-conversion initial access is consistent across all three.
This blog post summarizes the key ThreatLabz report takeaways for the teams protecting government services, healthcare operations, and education environments.
Phishing attack attempts against the government sector jumped 50% year over year, one of the largest sector increases reported. With 138.5 million phishing hits in 2025, government ranked as the third-most targeted industry overall in the Zscaler cloud.
That increase reflects how threat actors are turning public trust into an initial access opportunity. Citizens expect to interact with government agencies online, whether they are paying taxes, accessing benefits, renewing licenses, or resolving administrative issues. Attackers exploit that expectation by impersonating official services and creating workflows that feel legitimate.
ThreatLabz researchers saw this play out in a campaign impersonating Brazilian government services. Attackers used AI-powered site builders, including DeepSite AI and BlackBox AI, to create convincing replicas of official portals. They paired those sites with SEO poisoning and guided users through a process that mirrored a real public service interaction before requesting payment through a trusted instant payment system. This is the new template for government-targeted phishing: AI-generated, workflow-aware, and designed to pass every human trust test.
The IRS has similarly warned about impersonation scams that use email, SMS, and QR codes to mimic official communications and direct users to fraudulent portals designed to steal credentials and financial data.
Government agencies need to protect the full citizen-facing experience, not only the inbox. That means detecting lookalike domains and fake portals, inspecting web and encrypted traffic, reducing exposure across public-facing services and applications, and applying identity controls that can stop credential theft from becoming account takeover.
Among tracked sectors, the healthcare industry saw comparatively lower phishing hit counts in the Zscaler cloud in 2025, along with 1.58 million encrypted attack hits. By volume alone, the sector may look less exposed than higher-ranking industries.
But for healthcare security teams, a convincing login page or trusted brand impersonation can turn a lower-volume campaign into a direct path to credentials, sessions, and application access that puts patient care at risk. With 95.2% of all phishing activity now delivered over encrypted channels, campaigns that reach healthcare users are already bypassing legacy defenses that don't inspect TLS traffic.
These stakes make brand impersonation especially relevant. Microsoft and Google remained the top two most-imitated brands in the report, and both are common entry points into the cloud productivity and collaboration environments healthcare users rely on every day.
As highlighted in the report, adversary-in-the-middle (AiTM) and browser-in-the-middle (BiTM) phishing kits are also designed to capture credentials and MFA tokens during the active login flow, turning a single click into session-level compromise regardless of whether MFA is enabled.
For healthcare organizations, lower phishing volume changes the scale of the problem, not the stakes. The priority is stopping credential capture, session theft, and malicious redirects before a single successful lure becomes access to patient data and clinical operations.
Phishing attempts against education organizations dropped 65.6% year over year. The sector lost more absolute phishing volume than any other tracked industry in the Zscaler cloud.
The risk, however, has not disappeared. Education experienced roughly 1.6 billion encrypted attack hits in the past year, representing 6% of encrypted attack activity in the Zscaler cloud. For schools and universities, that contrast matters. Lower phishing volume in the inbox can coexist with significant malicious activity moving through TLS sessions, web traffic, cloud applications, and authentication flows, all channels where traditional email security has no visibility.
The report also analyzes how attackers probe exposed entry points outside the inbox. ThreatLabz recorded 89.9 million hostile interactions with external decoys in just six months, underscoring the scale of reconnaissance against internet-facing assets. Education environments with broad public-facing infrastructure (portals, LMS platforms, federated authentication systems) present a large reconnaissance target.
A drop in phishing volume should be treated as a positive signal, not proof that initial access risk is declining. Education teams need visibility across the activity that follows or bypasses the phish, including encrypted traffic, authentication flows, SaaS usage, browser behavior, and compromised credential use.
Across government, healthcare, and education, the report's findings point to a consistent set of priorities for reducing initial access risk:
A Zero Trust architecture that verifies every connection, inspects encrypted traffic inline, minimizes exposed attack surface, and enforces least-privilege access provides the most effective foundation for disrupting the attacker's path at every stage, from reconnaissance through credential theft to lateral movement.
These public sector findings are part of the broader ThreatLabz analysis of how phishing and initial access tactics are evolving in the AI era. Download the full report for the complete dataset, real-world attack chain walkthroughs, and actionable guidance for reducing initial access risk across government, healthcare, and education environments.
Thank you for reading
Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.

Driving to a Technical Debt-Free Future

States, Municipalities, and AI: How to Secure GenAI in Government

How Zero Trust Branch Addresses the TIC 3.0 Branch Office Requirement
![]()
By submitting the form, you are agreeing to our privacy policy.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。