Identity stays top attack surface as threats broaden

Mon, 4th May 2026
Sofiah Nichole Salivio, News Editor

Expel has released quarterly threat data showing that identity accounted for 58.7% of incidents in the first quarter of 2026, keeping it as the main attack surface.

The report also found that endpoint incidents rose to 38.4%, while cloud infrastructure incidents reached 2.9%, suggesting attackers continued to broaden their activity beyond stolen credentials and account access.

The data paints a more mixed picture for identity-related attacks. Although identity incidents fell from their peak in the third quarter of 2025, valid credential abuse remained steady in the latest quarter.

February recorded the highest success rate for attackers using valid credentials, with 50.4% of incidents resulting in some level of access. That rate declined in March, but the share of incidents leading to confirmed malicious activity rose to 11%.

Together, those figures suggest fewer successful access events late in the quarter, but more serious outcomes when attackers did get in. The broader trend points to more credential misuse leading to malicious activity.

Endpoint rise

On endpoints, malware remained the largest category of threat activity. Targeted attacks also increased, with 74% linked to phishing campaigns delivered through Microsoft Teams.

The figures reflect a wider shift in the tools and techniques used to reach employees, as attackers increasingly use workplace messaging and collaboration software alongside email and other established channels.

Malware families such as ChatGPT Stealer and InstallFix featured prominently during the quarter. Their significance lay less in sophisticated AI-generated code than in the use of AI branding, and interest in AI tools, to persuade users to engage.

ClickFix and ChatGPT Stealer led activity early in the quarter before InstallFix became the leading variant in March, accounting for 14.3% of incidents. ClickFix was also the most common delivery mechanism overall at 43.7%, overtaking binary-based methods for the first time.

That shift suggests a move towards attacks that rely more on social engineering than on technical exploitation alone. Browser-based threats also accounted for 12.7% of entry points, driven largely by ChatGPT Stealer campaigns.

In those cases, malicious browser extensions masqueraded as AI productivity tools. Some were cloned from legitimate extensions, while others were built from scratch to monitor, collect and exfiltrate users' AI conversations to external servers.

Cloud exposure

Cloud-related incidents remained a small share of the total in the first quarter, but the trend was upward. Unauthorised access and exposed cloud secrets were the main methods used to gain entry to cloud infrastructure.

The pattern underlines the role of supply chain weaknesses in cloud security, where vulnerabilities affecting third parties can create wider exposure across customers and partners. Even at a relatively low share of incidents, that risk is drawing more attention as businesses expand their use of cloud services.

Dave Merkel, Chief Executive Officer at Expel, said the latest figures showed a need to focus on basic security failings as much as newer forms of deception. "Attackers continue to find success through unpatched systems, weak password practices, and by simply tricking people. While identity remains the top attack surface, what's changing is how threat actors operate once they gain access - and increasingly, how they get users to open the door in the first place," Merkel said.

He added that interest in AI was giving attackers a new way to entice targets rather than changing the technical nature of the malware itself. "The rise of malware lures tied to AI tools shows how quickly attackers adapt to what people are curious about and willing to click on. Security teams need to stay focused on fundamentals while also tracking how social engineering techniques evolve," he said.