Welcome to The Optery Dispatch — a newsletter delivering the latest insights on threat intelligence and proactive cybersecurity strategy. In Issue #11, published March 31, 2026, we cover:
- CrowdStrike’s 2026 Global Threat Report shows how attackers are using AI to accelerate the attack lifecycle, while rapid breakout times continue to compress defenders’ response window.
- Push Security’s latest report details how modern breaches increasingly begin in the browser, where attackers use phishing, OAuth abuse, session hijacking, and malicious extensions to bypass traditional controls.
- Hoxhunt’s phishing trends report highlights the rise of AI-assisted phishing, malicious calendar invites, callback phishing, recruitment scams, and cross-channel attacks that are helping more malicious messages reach and fool users.
CrowdStrike 2026 Global Threat Report: Year of the Evasive Adversary
AI is accelerating attacks as response windows keep shrinking
The report finds that adversaries are using AI across the attack lifecycle, including for:
- reconnaissance and target research
- generating phishing content and fake personas
- translating lures into local languages
- generating scripts and malicious tooling
- accelerating discovery and post-exploitation tasks
The result is faster and more scalable social-engineering campaigns, allowing both sophisticated and lower-skill actors to operate more effectively.
The report highlights several social-engineering techniques that expanded significantly in 2025.
Most notably, fake CAPTCHA lures surged 563%.
CrowdStrike also notes continued use of:
- voice phishing (vishing) to persuade employees to grant access or install remote management tools
- adversary-in-the-middle (AitM) phishing, which captures credentials and authentication tokens by proxying legitimate login sessions and bypassing MFA protections
- credential harvesting and impersonation campaigns targeting identity systems and SaaS platforms
The report also documents an instance of prompt injection embedded in a phishing email, designed to manipulate AI-based email triage systems into treating the message as legitimate.
CrowdStrike reports that the average breakout time for eCrime intrusions dropped to 29 minutes in 2025, a roughly 70% reduction since 2021.
As this window shrinks, defenders have less time to detect and contain intrusions once access is obtained, making prevention and early disruption increasingly critical.
CrowdStrike concludes that organizations must adapt to a threat environment defined by:
- AI-accelerated social engineering
- identity-driven intrusions
- rapid attacker movement within cloud and SaaS environments
- increasing exploitation of trusted relationships
The report recommends strengthening identity security, improving visibility across environments, expanding threat hunting, and building stronger defenses against social engineering.
Reducing publicly exposed employee personal data should also be part of this defensive strategy. Personal information available through data brokers and people-search sites provides attackers with the reconnaissance data needed to identify targets and launch social engineering attacks.
Read the full report for more insights: 2026 Global Threat Report | Latest Cybersecurity Trends & Insights | CrowdStrike
Push Security: 2026 Browser Attack Techniques
A variety of browser-based attacks are bypassing traditional controls
A new report from Push Security highlights that modern breaches increasingly begin in the browser, where attackers target users directly as they access cloud apps, SaaS services, and legitimate websites. These attacks often unfold entirely inside the browser, blending into normal web traffic and user activity while bypassing traditional endpoint and network defenses.
Push says browser-based attacks are now a primary attack path in major breaches. Attackers are increasingly using techniques such as Adversary-in-the-Middle phishing, ClickFix variants, malicious OAuth grants, malicious browser extensions, credential stuffing, and session hijacking to compromise cloud apps and services, steal data, disrupt access, and monetize stolen access.
One in three payloads that Push intercepted in 2025 were sent outside of email, with search engines, messaging platforms, and social media increasingly used to deliver malicious content. The report also highlights widespread abuse of legitimate services such as SharePoint, Firebase, Azure, Cloudflare, Atlassian, and Jotform to host attack infrastructure that blends into trusted traffic.
Push notes that 95% of in-browser attacks it detected used some form of bot-protection service, while attackers also relied on redirect chains, rapid domain rotation, and various filtering checks to keep phishing pages hidden from security tools.
The report emphasizes how little time defenders now have once access is obtained. Push says modern attack chains can move from initial access to data theft and extortion in minutes, and cites CrowdStrike’s 29-minute average e-crime breakout time as an example of how quickly defenders can lose the window to respond.
MFA-bypassing Adversary-in-the-Middle phishing kits are now widely available. Push describes these kits as the standard phishing method today because they can intercept credentials, MFA approvals, and session tokens in real time while proxying the victim to the legitimate site. In Push’s detections, Tycoon 2FA accounted for 59% of AitM campaigns.
The report also highlights the continued rise of ClickFix and related “Fix” variants, including browser-native evolutions such as ConsentFix. Push found that four in five ClickFix payloads it intercepted were accessed via search engines through malvertising or infected webpages.
Weak authentication remains a major SaaS exposure point. In Push’s observed login data, one in four logins used passwords instead of SSO, two in five were not protected by MFA, and one in five used weak, breached, or reused passwords. The report also warns about “ghost logins” — local app logins outside centralized identity controls — as a major path to compromise.
Malicious browser extensions and stolen session tokens are cited as growing attack vectors. Extensions can be turned into mass compromise mechanisms through malicious updates, while session hijacking allows attackers to replay stolen tokens and bypass authentication entirely.
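One detection a defender can run against the token replay described above: flag a session id that reappears from a different network or client fingerprint within a short window. This is an added example, not code from the Push report; the event fields, ASN values and sample events are constructed for illustration.

```python
# Flags session-token reuse that looks like hijacking: the same session id
# active from a new network (ASN) or client (user agent) within a short window.
from datetime import datetime, timedelta

# Constructed sample sign-in/activity events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-03-30T09:00:00", "user": "alice", "session": "s-1001",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Chrome/134 Windows"},
    {"ts": "2026-03-30T09:12:00", "user": "alice", "session": "s-1001",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Chrome/134 Windows"},
    # Same token eight minutes later from another ASN and client: replay candidate.
    {"ts": "2026-03-30T09:20:00", "user": "alice", "session": "s-1001",
     "ip": "198.51.100.77", "asn": "AS64511", "ua": "Chrome/124 Linux"},
    {"ts": "2026-03-30T10:00:00", "user": "bob", "session": "s-2002",
     "ip": "192.0.2.5", "asn": "AS64496", "ua": "Safari/17 macOS"},
    # Same user, same ASN and client, new IP (address change): not flagged.
    {"ts": "2026-03-30T10:30:00", "user": "bob", "session": "s-2002",
     "ip": "192.0.2.9", "asn": "AS64496", "ua": "Safari/17 macOS"},
]

def detect_token_replay(events, window=timedelta(hours=1)):
    """Return one alert per event where a session's ASN or user agent differs
    from its previous use less than `window` earlier. A stolen token replayed
    from attacker infrastructure usually changes both; a laptop that keeps its
    client string and network does not trip this."""
    last_seen = {}  # session id -> most recent event for that session
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        prev = last_seen.get(ev["session"])
        if prev is not None:
            changed = [k for k in ("asn", "ua") if prev[k] != ev[k]]
            gap = ts - datetime.fromisoformat(prev["ts"])
            if changed and gap <= window:
                alerts.append({"user": ev["user"], "session": ev["session"],
                               "changed": changed, "minutes": int(gap.total_seconds() // 60),
                               "from": (prev["ip"], prev["asn"], prev["ua"]),
                               "to": (ev["ip"], ev["asn"], ev["ua"])})
        last_seen[ev["session"]] = ev
    return alerts

if __name__ == "__main__":
    for a in detect_token_replay(SAMPLE_EVENTS):
        print(f"{a['user']} {a['session']}: {a['changed']} changed after "
              f"{a['minutes']} min, {a['from']} -> {a['to']}")
```

Mobile users who move between Wi-Fi and cellular will change ASN legitimately, so in production the ASN-only case is usually scored lower than an ASN plus user-agent change.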
The report argues that defenders need more visibility into browser sessions, real-time interruption of malicious behavior, and stronger controls around SaaS identities, OAuth, extensions, and session misuse.
Additionally, several of the social engineering techniques described in the report rely on identifying and targeting specific individuals. This targeting is enabled by exposed personal data, including email addresses, phone numbers, job roles, and organizational relationships—information that is widely available through data broker and people-search sites.
As attack paths continue to shift toward identity and browser-based access, reducing exposed personal data becomes an important control for disrupting targeted social engineering attacks before they begin.
Read the full report: 2026 Browser Attack Techniques | Push Security
Hoxhunt Phishing Trends Report (Updated For 2026)
Phishing tactics are evolving to reach and deceive users more effectively
A new phishing trends report from Hoxhunt analyzed more than 50 million phishing simulations and millions of real malicious emails reported by users across 125 countries, providing a snapshot of the phishing attacks that actually bypass security filters and reach employee inboxes.
For most of 2025, fewer than 5% of phishing emails observed in the Hoxhunt network appeared to be generated with AI assistance. In a sample of phishing emails analyzed between November 2025 and January 2026, AI-generated phishing jumped from 4% in November to 56% in December, before dropping to 40% in January. Analysts noted that the messages were typically more polished versions of familiar phishing templates, rather than highly personalized or deepfake-style attacks.
The report identified a surge in phishing campaigns using malicious .ics calendar invite files. When Hoxhunt simulated this technique, the results showed failure rates 4–6 times higher than the global baseline, reaching 24% of users clicking or interacting with the attack. The technique can persist even after a suspicious email is reported because the calendar event may remain in the user’s calendar.
Callback phishing emails—messages that prompt recipients to call a phone number rather than click a link—are gaining traction because they bypass common email defenses. Industry data cited in the report shows a 500% increase in callback phishing campaigns in Q4 2025, and 43% of business email compromise attacks now include a callback lure.
The report highlights the rise of phishing campaigns disguised as job recruitment offers, particularly targeting sales and marketing professionals. In these attacks, threat actors gather information about targets, impersonate companies such as Google, Meta, or Coca-Cola, and direct victims to fake interview scheduling pages that prompt them to authenticate using Facebook, capturing credentials through a Browser-in-the-Browser (BitB) login window.
Among phishing emails that bypassed filters, PDF files remained the most common malicious attachment at 23.7%, but the report noted a sharp rise in malicious SVG files, which increased 50-fold compared to 2024 and accounted for 5% of malicious attachments in 2025. SVG files look like simple images, but they are XML documents that can carry scripts and links, so they slip past anti-spam controls and deliver malicious content.
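A mail-gateway check that covers both the calendar-invite lure and the SVG attachment trend described above: parse the message, and flag .ics invites that carry links and SVG files that carry active content. This is an added example, not code from the Hoxhunt report; the sample message, filenames and URLs are constructed.

```python
# Screens mail attachments for two lure types described above: calendar
# invites (.ics) that carry links and SVG "images" that carry active content.
import email
import re
from email import policy

# Constructed sample message carrying both attachment types (not a real sample).
RAW_MAIL = b"""From: scheduler@example.org
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/calendar
Content-Disposition: attachment; filename="invite.ics"

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
DESCRIPTION:Join here: https://login.example.net/verify
END:VEVENT
END:VCALENDAR
--b1
Content-Type: image/svg+xml
Content-Disposition: attachment; filename="logo.svg"

<svg xmlns="http://www.w3.org/2000/svg" onload="location='https://example.net'"/>
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Script tags, event-handler attributes, javascript: URLs and remote hrefs inside an SVG.
SVG_ACTIVE_RE = re.compile(r"<script|\bon[a-z]+\s*=|javascript:|href\s*=\s*[\"']https?:", re.I)

def screen_attachments(raw):
    """Return (filename, reason, evidence) for each attachment matching either lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        if name.endswith(".ics") or part.get_content_type() == "text/calendar":
            urls = URL_RE.findall(text)  # the link inside the invite is the lure
            if "METHOD:REQUEST" in text.upper() and urls:
                findings.append((name, "calendar invite with links", urls))
        elif name.endswith(".svg") or part.get_content_type() == "image/svg+xml":
            hits = sorted({m.lower() for m in SVG_ACTIVE_RE.findall(text)})
            if hits:
                findings.append((name, "svg with active content", hits))
    return findings

if __name__ == "__main__":
    for name, reason, evidence in screen_attachments(RAW_MAIL):
        print(f"{name}: {reason} -> {evidence}")
```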
The report found that many phishing emails originate from legitimate consumer email services. In the dataset analyzed, gmail.com accounted for 17.9% of malicious sender domains in Microsoft environments and 30.1% in Google environments, making it the most common sender domain in phishing emails observed in the network.
Phishing campaigns are also increasingly moving beyond traditional email. The report notes that around 40% of phishing campaigns now extend beyond email to other channels, including messaging platforms such as Slack and Teams.
The report emphasizes that organizations can reduce phishing risk by improving how employees detect and report suspicious messages. Programs that emphasize reporting suspicious messages and provide continuous practice through simulations were associated with significantly higher detection rates for real phishing attacks.
Beyond reporting and training, organizations that proactively minimize exposed employee personal data can significantly lower the volume of targeted social engineering attacks that employees face to begin with.
Read the full report: Phishing Trends Report (Updated for 2026)
Thanks for reading! Want us to write about something specific? Submit a topic or idea.
If you’re looking to reduce your organization’s exposed PII and prevent phishing, voice and messaging scams, credential theft, and other PII-based threats, Optery can help. Get started here: Optery for business
