AI and Phishing-as-a-Service Fuel Surge in Sophisticated Enterprise Attacks, SpyCloud Report Reveals
Austin, TX – June 17, 2026 – A new report from SpyCloud, a leader in identity threat protection, underscores the rapid escalation of phishing attacks targeting enterprises, driven by artificial intelligence (AI) and phishing-as-a-service (PhaaS) platforms. The 2026 Phishing Pulse Report reveals that 78% of organizations with over 1,000 employees experienced a rise in phishing volume over the past year, while 84% report that AI-generated attacks are becoming more prevalent or harder to detect.
The analysis found that phishing exposed employee data at 86% of Fortune 100 companies in the last 12 months, with technology firms facing the highest exposure, followed by the airline and automotive sectors. Despite awareness of the threat, many organizations remain ill-equipped to respond effectively. Only 38% are highly confident in detecting and mitigating credential theft within 24 hours, while 58% struggle to identify exposed credentials or session tokens post-incident. Remediation challenges persist, with 42% unable to scale responses and 68% requiring four hours or more to address confirmed exposures.
SpyCloud’s research also highlights a shift in attacker tactics, with PhaaS platforms now five times more likely to target enterprise identities than malware up from three times in late 2025. Nearly half of recaptured PhaaS-sourced records are tied to corporate accounts, and tools like Tycoon 2FA show 80% of stolen credentials belong to enterprise email addresses. Beyond traditional phishing, organizations face growing threats from business email compromise (BEC), vendor impersonation, and adversary-in-the-middle (AiTM) techniques, including device code phishing, which exploits OAuth workflows for persistent access.
Trevor Hilligoss, SpyCloud’s Chief Intelligence Officer, noted that attackers are increasingly capturing session cookies and refresh tokens, enabling prolonged access even after password resets. The report emphasizes a critical visibility gap: without clear insight into exposed credentials or tokens, attackers gain time to establish persistence, escalate privileges, or launch follow-on attacks like ransomware or session hijacking. Only 30% of organizations have fully integrated phishing detection with identity response workflows, leaving many vulnerable to prolonged breaches.
The findings are based on a survey of security professionals and SpyCloud’s analysis of active phishing campaigns, darknet data, and criminal infrastructure. The company’s recaptured data including credentials, session cookies, and tokens helps enterprises identify and remediate exposures before they lead to further compromise.
Fortune cybersecurity rating report: https://www.rankiteo.com/company/fortune
"id": "FOR1781706487",
"linkid": "fortune",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': ['technology', 'airline', 'automotive'],
'name': 'Fortune 100 companies',
'size': 'over 1,000 employees',
'type': 'enterprise'}],
'attack_vector': ['phishing-as-a-service (PhaaS)',
'AI-generated attacks',
'session cookie theft',
'OAuth workflow exploitation'],
'data_breach': {'personally_identifiable_information': 'employee data',
'sensitivity_of_data': 'high',
'type_of_data_compromised': ['credentials',
'session cookies',
'refresh tokens',
'employee data']},
'date_publicly_disclosed': '2026-06-17',
'description': 'A new report from SpyCloud underscores the rapid escalation '
'of phishing attacks targeting enterprises, driven by '
'artificial intelligence (AI) and phishing-as-a-service '
'(PhaaS) platforms. The report reveals that 78% of '
'organizations with over 1,000 employees experienced a rise in '
'phishing volume over the past year, while 84% report that '
'AI-generated attacks are becoming more prevalent or harder to '
'detect. Phishing exposed employee data at 86% of Fortune 100 '
'companies in the last 12 months, with technology firms facing '
'the highest exposure, followed by the airline and automotive '
'sectors. Attackers are increasingly capturing session cookies '
'and refresh tokens, enabling prolonged access even after '
'password resets. The report highlights a critical visibility '
'gap in detecting exposed credentials or tokens, leaving '
'organizations vulnerable to prolonged breaches.',
'impact': {'data_compromised': 'employee data, credentials, session cookies, '
'refresh tokens',
'identity_theft_risk': 'high',
'operational_impact': 'prolonged breaches, privilege escalation, '
'follow-on attacks'},
'initial_access_broker': {'high_value_targets': 'enterprise email addresses'},
'lessons_learned': 'Organizations struggle with detecting and mitigating '
'credential theft, identifying exposed credentials or '
'session tokens, and scaling responses. There is a '
'critical visibility gap in phishing detection and '
'identity response workflows, enabling attackers to '
'establish persistence and launch follow-on attacks.',
'motivation': ['credential theft',
'persistent access',
'privilege escalation',
'ransomware',
'session hijacking'],
'post_incident_analysis': {'corrective_actions': ['integrate phishing '
'detection with identity '
'response workflows',
'enhance monitoring for '
'exposed credentials and '
'tokens',
'improve remediation '
'scalability'],
'root_causes': ['AI-generated phishing attacks',
'PhaaS platforms',
'lack of identity response '
'integration',
'weak phishing detection']},
'recommendations': 'Integrate phishing detection with identity response '
'workflows, enhance monitoring for exposed credentials and '
'session tokens, and improve remediation scalability to '
'reduce response times.',
'references': [{'date_accessed': '2026-06-17',
'source': 'SpyCloud 2026 Phishing Pulse Report'}],
'title': 'AI and Phishing-as-a-Service Fuel Surge in Sophisticated Enterprise '
'Attacks',
'type': ['phishing',
'business email compromise (BEC)',
'vendor impersonation',
'adversary-in-the-middle (AiTM)',
'device code phishing'],
'vulnerability_exploited': ['exposed credentials',
'session tokens',
'weak phishing detection',
'lack of identity response integration']}