Q1 2026 incident response trends reveal a significant resurgence of phishing as the leading initial access vector for breaches, particularly targeting public administration agencies. While defenders shifted focus to other attack surfaces in recent years, threat actors have refined phishing campaigns with improved social engineering and credential harvesting techniques.
Security researchers have identified an active Formbook malware campaign leveraging multiple obfuscation techniques to avoid detection by traditional security controls. The campaign distributes Formbook alongside other information-stealing malware including AsyncRAT, Remcos, SmokeLoader, and XWorm.
Threat actors are systematically targeting higher education institutions through coordinated phishing campaigns designed to harvest credentials, followed by sophisticated MFA exploitation techniques. These attacks focus on administrative and faculty accounts that provide access to student records, financial systems, and research data.
Security researchers have documented a sophisticated attack pattern leveraging native macOS primitives for post-compromise movement and execution. Attackers abuse legitimate tools including Git, Netcat, Terminal.app, bash, osascript, and socat to establish persistence and move across networks without deploying traditional malware.
LeakNet threat actors have been observed exploiting ConnectWise ScreenConnect vulnerabilities to establish persistent access within managed IT environments serving legal, accounting, and medical firms. The attack chain involves deploying MeshAgent alongside tools like Shai-Hulud, Tactical RMM, and Tycoon 2FA to maintain control and bypass authentication mechanisms.
Recent security assessments have identified unauthorized AI model deployments across enterprise networks, including instances of Claude, OpenAI, HuggingFace, and associated tools like ClawdBot, MoltBot, and OpenClaw.
Security researchers tracking Metasploit Framework activity have documented a coordinated exploitation campaign leveraging CompatTelRunner as an initial access vector. The attack chain combines CVE-2025-68109 and CVE-2026-28501 to deploy Meterpreter payloads, with attackers abusing Microsoft BITS and PowerShell for command execution and lateral movement.