IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist
ID: a328cd7f-a4b6-512d-aedf-a843a5e45a62
STIX ID: report--a328cd7f-a4b6-512d-aedf-a843a5e45a62
Feed Name: Cisco Talos
Talos Incident Response Q1 2026: Phishing reemerged as the top initial access vector, including the first use Talos has documented of the Softr AI web-builder to host credential-harvesting pages. Crimson Collective used a leaked GitHub personal access token (PAT) together with the open-source secret scanner TruffleHog to discover and exfiltrate cloud-hosted secrets. Rhysida-associated pre-ransomware activity, using Gootloader and an uncommon backdoor, MeowBackConn, was detected and mitigated before encryption. The report highlights recurring weaknesses (MFA bypasses and partial MFA coverage, exposed WinRM and RDP, vulnerable public-facing applications, and insufficient centralized logging), maps the observed behaviors to MITRE ATT&CK techniques, and lists prioritized defenses: properly configured MFA, robust patch management, and centralized logging.
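The leaked-PAT path summarized above is exactly what a secret scanner such as TruffleHog is built to find, and defenders can run the same shape check on their own side before a commit leaves a workstation. The following Python check is an added example, not code from the Talos report or from TruffleHog: it flags GitHub token shapes in text, reports them with the body redacted, and can be wired in as a pre-commit hook. The token prefixes (ghp_, gho_, ghu_, ghs_, github_pat_) are GitHub's published formats; the body lengths are assumed from documented token examples, and the .env lines and tokens in the sample are constructed.

```python
"""Flag GitHub personal-access-token shapes in text before it is committed.

Added example: an offline, shape-only check. It does not verify tokens
against the GitHub API (TruffleHog does); it only prevents the obvious
case of a PAT pasted into a file that is about to be pushed.
"""
import re
from typing import Dict, List, NamedTuple

# GitHub's published token prefixes. Body lengths are an assumption taken
# from documented examples: 36 characters after the four-character prefix
# for classic tokens, and 22 + "_" + 59 characters for fine-grained PATs.
PAT_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "oauth_token": re.compile(r"\bgho_[A-Za-z0-9]{36}\b"),
    "user_to_server": re.compile(r"\bghu_[A-Za-z0-9]{36}\b"),
    "server_to_server": re.compile(r"\bghs_[A-Za-z0-9]{36}\b"),
    "fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}


class Finding(NamedTuple):
    kind: str       # which PAT_PATTERNS entry matched
    line_no: int    # 1-based line in the scanned text
    redacted: str   # token with the body masked, safe to put in a log


def redact_token(token: str, keep: int = 8) -> str:
    """Keep the prefix plus a few body characters for triage, mask the rest."""
    return token[:keep] + "*" * (len(token) - keep)


def scan_text(text: str) -> List[Finding]:
    """Return every token-shaped hit in text, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PAT_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact_token(match.group(0))))
    return findings


def redact(text: str) -> str:
    """Return text with every token-shaped hit masked, for safe sharing."""
    for pattern in PAT_PATTERNS.values():
        text = pattern.sub(lambda m: redact_token(m.group(0)), text)
    return text


# Constructed sample input (not real tokens): a .env file about to be committed.
SAMPLE_CLASSIC = "ghp_aBcD1234eFgH5678iJkL9012mNoP3456qRsT"          # 4 + 36 chars
SAMPLE_FINE = "github_pat_11ABCDEFG0abcdefghij12_" + "Z9" * 29 + "Q"  # 22 + "_" + 59
SAMPLE_TEXT = "\n".join([
    "# .env committed by mistake (constructed sample)",
    f"GITHUB_TOKEN={SAMPLE_CLASSIC}",
    "DB_PASSWORD=ghp_tooshort",  # has the prefix but not the length: not a token
    f"DEPLOY_PAT={SAMPLE_FINE}",
    "NOTE=forty characters with no prefix are ignored",
])


if __name__ == "__main__":
    # Pre-commit hook semantics: print redacted hits and fail the commit on any.
    hits = scan_text(SAMPLE_TEXT)
    for hit in hits:
        print(f"line {hit.line_no}: {hit.kind} {hit.redacted}")
    raise SystemExit(1 if hits else 0)
```

This catches the shape only. A hit still has to be confirmed (TruffleHog does that by calling the API with the candidate), and any token that was ever pushed must be revoked at GitHub, since rewriting the repository history does not invalidate it.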
