A new Cisco report shows that AI is lowering the barrier to entry for cybercriminals — and that government agencies and hospitals are bearing the brunt.
Cisco has documented what it describes as the first known instance of a specific AI tool being used by attackers in a phishing campaign, after researchers identified a credential-harvesting scheme in which hackers used the Softr platform to build a fake Outlook Web Access login page — without writing a single line of code.
The attackers used Softr, a no-code website builder powered by AI, to create a convincing replica of Microsoft’s Outlook login interface. Cisco said it was “fairly confident” that attackers had been using Softr for credential-harvesting websites since at least May 2023, and had done so with increasing frequency since then. The fake login page could be connected to a third-party service such as Google Sheets to automatically collect stolen credentials and send notifications every time a victim attempts to sign in.
“This incident demonstrates how AI tools can lower the barrier to entry for less sophisticated actors and accelerate the speed of phishing and credential-harvesting campaigns,” Cisco researchers wrote.
The finding is one of several in Cisco’s first-quarter 2026 threat report. Government agencies and healthcare organizations were tied as the most frequently targeted sectors in the period — a position government has held since the third quarter of 2025. Cisco noted that government agencies, which are often underfunded and reliant on outdated equipment, “may have access to sensitive data as well as a low downtime tolerance, making them attractive to financially motivated and espionage-focused threat groups.” The professional, scientific and technical services sector ranked third.
Deficient multifactor authentication was the most common security weakness enabling intrusions in the first quarter, present in 35% of Cisco’s engagements. In some cases, MFA was not enabled at all; in others, it was active but misconfigured. Researchers found that attackers could bypass MFA by registering new devices to previously compromised accounts and, in one instance, by configuring Outlook clients to connect directly to Exchange servers, thereby circumventing authentication requirements entirely.
“Addressing these weaknesses — especially by restricting self-service MFA enrollment and enforcing strong, centralized authentication policies — is essential to reducing risk and strengthening organizational resilience,” the researchers wrote.
Other common vulnerabilities identified in the first quarter included exposed internet-facing infrastructure (present in 25% of engagements) and inadequate logging capabilities (found in 18%).
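The MFA bypass described above, in which attackers register a new device to an already compromised account, is something defenders can look for in identity logs. The following is an added example, not code from Cisco's report: it flags an additional MFA device enrolled from a source address that is new to the account. The event schema, field names, sample events and 7-day window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, product-neutral schema.
# The IP addresses come from the reserved documentation ranges.
EVENTS = [
    {"ts": "2026-01-05T08:00:00", "user": "alice", "type": "signin", "ip": "198.51.100.10"},
    {"ts": "2026-01-05T08:05:00", "user": "alice", "type": "mfa_device_registered",
     "ip": "198.51.100.10", "device": "phone-1"},
    {"ts": "2026-01-06T09:00:00", "user": "bob", "type": "signin", "ip": "198.51.100.20"},
    {"ts": "2026-01-06T09:02:00", "user": "bob", "type": "mfa_device_registered",
     "ip": "198.51.100.20", "device": "phone-1"},
    {"ts": "2026-03-02T02:14:00", "user": "alice", "type": "signin", "ip": "203.0.113.77"},
    {"ts": "2026-03-02T02:16:00", "user": "alice", "type": "mfa_device_registered",
     "ip": "203.0.113.77", "device": "phone-2"},
    {"ts": "2026-03-03T10:00:00", "user": "bob", "type": "signin", "ip": "198.51.100.20"},
    {"ts": "2026-03-03T10:05:00", "user": "bob", "type": "mfa_device_registered",
     "ip": "198.51.100.20", "device": "tablet-1"},
]


def flag_suspicious_enrollments(events, window=timedelta(days=7)):
    """Return enrollments of an additional MFA device made from an IP that
    the account first used less than `window` ago (assumed threshold)."""
    first_seen = {}  # (user, ip) -> time the IP was first seen for the account
    devices = {}     # user -> number of MFA devices registered so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["ip"])
        first_seen.setdefault(key, ts)
        if ev["type"] != "mfa_device_registered":
            continue
        prior = devices.get(ev["user"], 0)
        devices[ev["user"]] = prior + 1
        ip_is_new = ts - first_seen[key] <= window
        # The first device is treated as onboarding (a simplification);
        # later devices from a long-established IP are treated as routine.
        if prior >= 1 and ip_is_new:
            alerts.append((ev["user"], ev["device"], ev["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_enrollments(EVENTS):
        print("review enrollment:", alert)
```

A check like this only works if enrollment and sign-in events are retained and searchable, which is the logging gap the report found in 18% of engagements.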


