Identity Breaches Hit 58.7% of Q1 Incidents Globally
Identity-based attacks remain the dominant threat vector in Q1 2026, according to new data from Expel. The security firm’s quarterly threat report reveals that identity incidents accounted for 58.7% of all breaches globally, though the composition of these attacks is shifting dramatically toward social engineering and AI-themed lures.

Identity Attacks Dominate Despite Slight Decline from Peak

Expel’s Q1 2026 threat data shows identity incidents fell from their third quarter 2025 peak but remain the primary attack surface. Valid credential abuse stayed steady throughout the quarter, with February recording the highest attacker success rate at 50.4% of incidents resulting in some level of access. However, the picture grew grimmer in March, when the share of incidents leading to confirmed malicious activity rose to 11%, indicating fewer successful access events but more severe outcomes when attackers succeeded.

The trend underscores a critical shift: attackers are moving beyond simple credential theft toward more destructive post-compromise activity. Multi-factor authentication gaps and weak password practices continue enabling initial breaches, while sophisticated social engineering amplifies impact once inside.

Endpoint Threats Surge With AI-Themed Malware and Microsoft Teams Phishing

Endpoint incidents climbed to 38.4% of total breaches, with malware remaining the largest threat category. Targeted attacks spiked dramatically, with 74% linked to phishing campaigns delivered through Microsoft Teams, signaling attackers’ pivot toward workplace collaboration platforms.

Malware families ChatGPT Stealer, ClickFix, and InstallFix dominated the quarter. Rather than leveraging sophisticated AI-generated code, these variants exploited user curiosity about artificial intelligence tools themselves. InstallFix led activity by March, accounting for 14.3% of incidents, while ClickFix remained the primary delivery mechanism at 43.7% overall, surpassing traditional binary-based methods for the first time.

Browser-based threats accounted for 12.7% of entry points, driven largely by ChatGPT Stealer campaigns masquerading as productivity extensions. Some cloned legitimate tools; others were built from scratch to exfiltrate users’ AI conversations to external servers. This represents a fundamental shift from technical exploitation toward social engineering as the primary attack vector.

Cloud Infrastructure Exposure Accelerates Despite Low Current Share

Cloud-related incidents remained small at 2.9% of total breaches but showed upward momentum. Unauthorised access and exposed cloud secrets drove most cloud compromises, reflecting broader supply chain weaknesses where third-party vulnerabilities cascade across customers and partners.

Security Fundamentals, Not Innovation, Drive Attacker Success

Expel CEO Dave Merkel stated that attackers continue exploiting basic security failings alongside newer deception tactics. “Attackers continue to find success through unpatched systems, weak password practices, and by simply tricking people,” Merkel said. He emphasized that AI interest provides attackers fresh social engineering angles rather than fundamentally changing malware capabilities.

The data suggests security teams must balance patching discipline and credential hygiene with evolving awareness of how threat actors weaponise user curiosity and workplace tools against employees.

What Comes Next

Watch for continued migration of phishing campaigns toward collaboration platforms and further refinement of AI-themed lures as attackers capitalize on organisational adoption of generative tools. The rising share of post-compromise malicious activity signals that preventing initial access alone is insufficient; detection and response speed will determine breach severity.
