VYPR
Research · Published Jun 17, 2026 · 1 source

SpyCloud Report: Phishing Attacks Surge as Employee Data Exposed at 86% of Fortune 100 Companies

SpyCloud's 2026 Phishing Pulse Report reveals that phishing attacks exposed employee data at 86% of Fortune 100 companies over the past year, with 84% of organizations reporting AI-generated phishing is harder to defend against.

SpyCloud's 2026 Phishing Pulse Report paints a stark picture of the escalating phishing threat landscape, revealing that employee data was exposed at 86% of Fortune 100 companies over the past 12 months. The report, based on a survey of security professionals at organizations with more than 1,000 employees, found that 78% experienced an increase in phishing volume, while 84% say AI-generated phishing attacks are becoming more prevalent or harder to defend against. These findings underscore a fundamental shift in how attackers operate, leveraging artificial intelligence and phishing-as-a-service (PhaaS) platforms to launch highly effective campaigns at scale.

The report highlights a dramatic shift in attacker focus toward enterprise targets. SpyCloud researchers observed that approximately half of its recaptured PhaaS platform-sourced records are tied to enterprise identities, compared to just 11% of malware-sourced records. This indicates that phishing attacks are now approximately five times more likely than malware infections to target enterprise users, up from roughly three times more likely in late 2025. This trend is reinforced by analysis of kits such as Tycoon 2FA, where approximately 80% of captured credentials belonged to corporate email accounts. Technology companies experienced the highest level of phishing exposure, followed by the airline and automotive industries.

AI-generated phishing emerged as the dominant concern among respondents, but organizations are increasingly worried about a broader range of phishing-related threats. Business email compromise (BEC) was cited by 58% of respondents, vendor impersonation by 52%, collaboration platform phishing by 36%, and session hijacking by 20%. The report also highlights growing concerns around adversary-in-the-middle (AiTM) phishing techniques, particularly device code phishing attacks that abuse legitimate OAuth authentication workflows to obtain authenticated access. These techniques allow attackers to capture not only usernames and passwords, but session cookies and refresh tokens, granting them authenticated access that can persist long after a password reset.

The report reveals a significant visibility gap that creates opportunity for attackers. Only 38% of organizations are very confident they can detect and respond to credential theft within 24 hours. 58% struggle to identify which credentials or session tokens were exposed following a phishing incident, and 42% struggle to remediate exposed users at scale. 68% require 4 hours or longer to identify and remediate confirmed phishing-related exposures, while only 30% have fully integrated phishing detection with identity response workflows.

“Phishing has become both more sophisticated and more scalable,” said Trevor Hilligoss, Chief Intelligence Officer at SpyCloud. “AI-generated lures, PhaaS platforms, and adversary-in-the-middle (AiTM) techniques are helping attackers capture not only usernames and passwords, but session cookies, refresh tokens, granting them authenticated access that can persist long after a password reset. While prevention remains important, organizations also need visibility into exactly what was exposed and be able to remediate before attackers can turn those exposures into follow-on attacks like ransomware, account takeover, session hijacking, or fraud.”

The report underscores that phishing attacks are now five times more likely than malware infections to target enterprise users, a significant increase from late 2025. This shift is driven by the availability of sophisticated PhaaS platforms and AI-generated lures that make phishing campaigns more convincing and harder to detect. Attackers are also increasingly using device code phishing attacks that abuse legitimate OAuth authentication workflows to obtain authenticated access, bypassing traditional MFA protections.

Hilligoss added, “Attackers gravitate toward techniques that give them the most reliable access with the least amount of effort, and device code phishing checks both boxes. Rather than continuously fighting authentication controls, they can leverage legitimate workflows to obtain trusted access that often persists long after the initial compromise. This changes the response process significantly because security teams need to think beyond credential resets and focus on revoking the tokens and sessions – a process that hasn’t historically been a part of the post-phishing playbook.”

The findings suggest that while organizations recognize the growing threat posed by phishing, many remain unprepared to respond once an attack succeeds. The report recommends that organizations move beyond phishing prevention-focused strategies and build response capabilities that provide continuous visibility into exposed credentials, cookies, session tokens, and other identity data. Security teams should prioritize automated remediation workflows capable of revoking compromised access at scale and reducing the window of opportunity available to attackers.

Synthesized by Vypr AI