Zscaler: 413k AI sites as phishing volume falls | #cybercrime | #infosec

06/10/2026 – 08:05 AM

While total phishing volume declined for the second year in a row, ThreatLabz identified 413,524 AI-generated site instances, underscoring how quickly adversaries can scale high-fidelity phishing

News Highlights 

• Quality Over Quantity: Phishing volume fell 20% for the second year in a row as attackers recalibrate to high-fidelity, AI-accelerated lures.
• Services Sector Surge: Targeted hits against the Services sector jumped 65.5%, as adversaries exploit trust-based workflows like billing and renewals.
• The Encryption Blind Spot: 95.2% of phishing attempts now hide in encrypted traffic, bypassing legacy security stacks that lack deep TLS inspection.
• “Text-to-Site” Weaponization: ThreatLabz identified over 413,000 AI-generated phishing instances, proving how easily attackers can now spin up polished, malicious sites.
• MFA Under Threat: Sophisticated kits like “BlackForce” are being deployed to hijack active sessions and bypass multi-factor authentication in real-time.
• Reconnaissance Exposed: Deception telemetry recorded 89.9 million hostile interactions from 1.37 million unique attacker IPs in six months, revealing large-scale scanning and credential validation before compromise.

LAS VEGAS, June 10, 2026 (GLOBE NEWSWIRE) — Zenith Live 2026 — Zscaler, Inc. (NASDAQ: ZS), the cybersecurity platform for the AI era, today announced the release of the Zscaler ThreatLabz 2026 Phishing and Initial Access Report. Based on the comprehensive telemetry across the world’s largest inline security cloud, spanning phishing activity, encrypted sessions, and deception decoy interactions, the research reveals a fundamental shift in the economics of cybercrime: while overall phishing volume dropped for the second consecutive year (down 20% year-over-year (YoY)), the effectiveness and sophistication of attacks have surged.

Threat actors are increasingly utilizing AI-powered “text-to-site” tools and real-time session hijacking kits to bypass multi-factor authentication (MFA). Crucially, adversaries are heavily cloaking these sophisticated campaigns, with 95.2% of phishing attempts now hiding within encrypted traffic to bypass legacy security stacks. Furthermore, newly unveiled deception telemetry, capturing nearly 90 million hostile interactions, reveals that attackers are aggressively scanning and probing enterprise identities and collaboration platforms long before the initial compromise occurs.

“We are witnessing a strategic recalibration in the way adversaries approach initial access,” said Deepen Desai, Chief Security Officer, Zscaler. “The decline in raw phishing volume isn’t a sign of retreat; it’s a sign of evolution. Attackers are trading quantity for quality, using GenAI to eliminate traditional ‘tells’ like poor grammar and generic lures. With 95% of phishing now hiding in encrypted traffic, organizations can no longer afford to leave their TLS traffic uninspected. A Zero Trust architecture is the only way to break the attack chain, from discovery to data exfiltration.”

How Adversaries Are Using GenAI for High-Fidelity Initial Compromise
The report highlights how AI has become the primary engine for modern intrusion. ThreatLabz identified 413,524 AI-generated site instances, with nearly 10% flagged as explicitly malicious. Tools like Manus AI, Blackbox AI, and Lovable AI are being weaponized to spin up polished, brand-consistent phishing portals in minutes, tasks that previously required days of manual development.

These AI-generated lures are particularly effective at mimicking trusted workflows. The Services sector bore the brunt of this shift, experiencing a 65.5% YoY surge in hits as attackers exploited trust-based interactions like billing, onboarding, and support renewals.

Additional Findings From the 2026 Report Include:

• The Global Landscape: The U.S. remains a top target for email phishing attacks; Brazil saw a 2,522% surge in phishing hosting, becoming a top-five global origin.
• Industry Breakdown: Manufacturing and Government remain primary targets for email phishing attacks, with Government hits up 50% as attackers pursue high-value intelligence.
• Credential Harvesting Trends: Microsoft and Google are the most imitated brands for phishing attacks, showing continued focus on compromising enterprise identity systems.
• Detection Evasion: Encryption is now the default for cybercriminals, with 87% of malicious activity delivered via HTTPS.
• Hostile Scanning Activity: Attackers are leveraging legitimate cloud infrastructure for reconnaissance, using over 121,000 unique Public Cloud-hosted IPs to probe environments.

Deception Technology Unmasks Attacker Intent
Zscaler telemetry from global decoys captured nearly 90 million hostile interactions across 1.37 million unique attacker IPs. This data confirms that adversaries are aggressively probing collaboration and identity platforms to find weak spots, and test assumptions about what defenses will give.

Mitigating the Path to Compromise
To counter these evolving threats, the Zscaler Zero Trust Exchange™ platform delivers the AI security platform built on Zero Trust that:

1. Minimizes Attack Surface Discovery: Reduces exposure by hiding applications behind a cloud-delivered proxy, while leveraging Deception technology to surface reconnaissance attempts via scanning, probing, and credential validation attempts early.
2. Helps Eliminate Initial Compromise: Blocks AI-enabled phishing and session-based attacks with AI-driven inline inspection, including full TLS/SSL inspection, to expose threats hiding in encrypted traffic.
3. Stops Lateral Movement: Connects users directly to applications and enforces Zero Trust access controls to prevent attackers from moving from a single foothold to broader environments.
4. Prevents Data Loss: Reduces breach impact with AI-powered data protection to identify sensitive data in motion and prevent unauthorized sharing or exfiltration.

For a deeper dive into the findings and best practices for securing your organization, download the full Zscaler ThreatLabz 2026 Phishing and Initial Access Report at https://www.zscaler.com/campaign/threatlabz-phishing-initial-access-report.

Methodology
ThreatLabz analyzed over 500 trillion daily signals from the Zscaler Zero Trust Exchange, blocking over 9 billion threats daily. The report is based on data collected from January to December 2025, supplemented by deception telemetry observed between October 2025 and March 2026.

About Zscaler
Zscaler (NASDAQ: ZS) is a pioneer and global leader in zero trust security. The world’s largest businesses, critical infrastructure organizations, and government agencies rely on Zscaler to secure users, branches, applications, data & devices, and to accelerate digital transformation initiatives. Distributed across 160+ data centers globally, the Zscaler Zero Trust Exchange™ platform combined with advanced AI combats billions of cyber threats and policy violations every day and unlocks productivity gains for modern enterprises by reducing costs and complexity.

Media Contact
Nick Gonzalez, Director of Global Public Relations, press@zscaler.com

FAQ

What are the key findings of the 2026 Zscaler (ZS) ThreatLabz phishing report?

The 2026 report finds phishing volume down 20% year-over-year, but attacks are more sophisticated and AI-driven. According to Zscaler, 413,524 AI-generated site instances and 95.2% of phishing attempts hiding in encrypted traffic highlight a shift toward high-fidelity, harder-to-detect campaigns.

How is generative AI changing phishing attacks according to Zscaler (ZS) in 2026?

Generative AI is enabling high-fidelity phishing sites and lures that closely mimic trusted brands and workflows. According to Zscaler, ThreatLabz identified 413,524 AI-generated site instances, with tools like Manus AI, Blackbox AI, and Lovable AI used to rapidly create polished phishing portals.

Which sectors were most targeted in the 2026 Zscaler (ZS) phishing research?

The Services sector saw a 65.5% year-over-year surge in phishing hits, while Manufacturing and Government remained major email phishing targets. According to Zscaler, Government phishing hits rose 50% as attackers pursued sensitive data and high-value intelligence from public-sector entities worldwide.

How do attackers use encryption to evade detection in the Zscaler (ZS) 2026 report?

Attackers increasingly hide phishing and malicious traffic inside HTTPS encryption to bypass legacy tools. According to Zscaler, 95.2% of phishing attempts and 87% of malicious activity were delivered via encrypted channels, underscoring the need for deep TLS/SSL inspection in modern defenses.

What does the Zscaler (ZS) report say about hostile scanning and reconnaissance activity?

Hostile reconnaissance is widespread, with nearly 90 million hostile interactions recorded from 1.37 million attacker IPs. According to Zscaler, adversaries use more than 121,000 public cloud-hosted IPs to probe collaboration and identity platforms before attempting compromise, testing where defenses may fail.

How does Zscaler (ZS) propose mitigating AI-driven phishing and initial access threats?

Zscaler highlights its Zero Trust Exchange platform to reduce attack surface and inspect encrypted traffic. According to Zscaler, the platform uses AI-driven inline inspection, full TLS/SSL inspection, deception technology, and Zero Trust access controls to block AI-enabled phishing, stop lateral movement, and limit data loss.