SpyCloud Report Finds Phishing Attacks Surge as Employee Data Is Exposed at 86% of Fortune 100 Companies

New SpyCloud research highlights the expansion of phishing attacks as AI and phishing-as-a-service fuel enterprise targeting.

SpyCloud, the leader in identity threat protection, today released its 2026 Phishing Pulse Report, revealing that phishing attacks continue to increase in both volume and sophistication for enterprise organizations as artificial intelligence and phishing-as-a-service (PhaaS) platforms enable threat actors to launch highly effective campaigns at scale.

Based on a survey of security professionals at organizations with more than 1,000 employees, SpyCloud found that 78% of organizations experienced an increase in phishing volume over the past 12 months, while 84% say AI-generated phishing attacks are becoming more prevalent or harder to defend against.

The findings suggest that while organizations recognize the growing threat posed by phishing, many remain unprepared to respond once an attack succeeds.

The report combines survey findings with SpyCloud’s analysis of active phishing campaigns and PhaaS infrastructure, revealing a clear and deliberate focus on enterprise targets.

SpyCloud researchers observed that approximately half of its recaptured PhaaS platform-sourced records are tied to enterprise identities, compared to just 11% of malware-sourced records. This indicates that phishing attacks are now approximately five times more likely to target enterprise users than malware infections – up from roughly three times more likely in late 2025. This trend is reinforced by SpyCloud’s analysis of kits such as Tycoon 2FA, where approximately 80% of captured credentials belonged to corporate email accounts.

AI, Session Hijacking, and Device Code Phishing Reshape the Threat Landscape

While AI-generated phishing emerged as the dominant concern among respondents, organizations are increasingly worried about a broader range of phishing-related threats. Business email compromise (BEC) was cited by 58% of respondents, vendor impersonation by 52%, collaboration platform phishing by 36%, and session hijacking by 20%.

The report also highlights growing concerns around AiTM phishing techniques, particularly device code phishing attacks that abuse legitimate OAuth authentication workflows to obtain authenticated access.

Hilligoss added, “Attackers gravitate toward techniques that give them the most reliable access with the least amount of effort, and device code phishing checks both boxes. Rather than continuously fighting authentication controls, they can leverage legitimate workflows to obtain trusted access that often persists long afte