Email blind spots are back to bite security teams

The threat landscape is forcing CISOs to rethink what they consider normal. The latest Cybersecurity Report 2026 by Hornetsecurity, based on analysis of more than 70 billion emails and broad threat telemetry, shows attackers adopting automation, AI-driven social engineering, and new evasion techniques at scale.

Email becomes a more dangerous channel

Email remains the primary entry point for compromise. Malware in email increased by more than 130% year over year. Scams rose by more than 30% and phishing increased by more than 20%. These categories continue to drive most of the operational impact that organizations experience, including account compromise and business disruption.

TXT files grew more than 180% as a malicious carrier, and legacy DOC files grew more than 118%. These are file types that many security teams no longer view as high risk. Their resurgence reflects an attacker strategy to exploit blind spots in filtering and inspection. ZIP archives remain common, while formats like HTML and RAR declined.

[Figure: email attack tactics]

Attackers increasingly use forged headers, obscure top-level domains, URL shortening, and HTML techniques that confuse filters rather than readers. The goal is to slip past controls, avoid early detection, and begin multi-step intrusion chains.
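The two blind spots described above (legacy TXT/DOC carriers, and header, TLD and shortener tricks aimed at filters) can be turned into a small triage pass over a parsed message. The following is an added example written for this page, not code from Hornetsecurity or the report; the shortener list, the OLE magic check and the sample message are constructed assumptions.

```python
import os
import re
from email.message import EmailMessage
from email.utils import parseaddr

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # assumed list; extend per policy
LEGACY_CARRIERS = {".txt", ".doc"}               # carriers the report says are resurging
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE/CFB header used by legacy DOC

def build_sample():
    """Constructed sample message (not from the report) that trips every check."""
    msg = EmailMessage()
    msg["From"] = '"Accounts Payable" <ap@example.com>'
    msg["Return-Path"] = "<bounce@mail.example.zip>"
    msg["Reply-To"] = "invoices@example.zip"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative('<p><a href="https://bit.ly/3abc">View invoice</a></p>', subtype="html")
    # OLE header bytes delivered under a harmless-looking .txt name
    msg.add_attachment(OLE_MAGIC + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="invoice.txt")
    return msg

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def triage(msg):
    """Return a list of findings; an empty list means no heuristic fired."""
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    for hdr in ("Return-Path", "Reply-To"):  # alignment with the visible From domain
        dom = domain_of(msg.get(hdr, ""))
        if dom and dom != from_dom and not dom.endswith("." + from_dom):
            findings.append(f"{hdr} domain {dom} does not align with From domain {from_dom}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:  # links that hide their destination behind a shortener
        for host in re.findall(r'href="https?://([^/"]+)', html.get_content()):
            if host.lower() in SHORTENERS:
                findings.append(f"link hidden behind URL shortener {host}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""
        if ext in LEGACY_CARRIERS:
            findings.append(f"attachment {name}: legacy carrier type {ext}")
        if data.startswith(OLE_MAGIC) and ext != ".doc":  # content/extension mismatch
            findings.append(f"attachment {name}: OLE content under a {ext or 'missing'} extension")
    return findings
```

`triage(build_sample())` returns five findings for the constructed message: two header misalignments, the shortener link, the legacy .txt carrier, and OLE content hiding behind that .txt name.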

Ransomware returns at scale

After a period of decline, ransomware returned as a top tier threat. 24% of organizations reported a ransomware incident, up from 18% the previous year. Only 13% of victims paid a ransom, but the overall volume and persistence of attacks increased.

CISOs report that AI generated phishing and automated reconnaissance have increased pressure on defenses. Attackers now blend credential theft, endpoint exploitation, and supply chain access rather than relying solely on email. Endpoint entry accounted for more than one quarter of infections, and compromised credentials also rose.

62% of organizations now use immutable backups and more than 80% have a disaster recovery plan. These practices reduce the leverage that attackers gain during extortion attempts. Cyber insurance coverage declined, and premiums continue to rise.

AI as a dual force

Many CISOs believe AI has increased ransomware risk. More than two thirds of organizations are investing in AI driven detection and analytics in response.

The report shows that governance is not keeping pace with adoption. Employees adopt public AI tools without understanding the compliance and security risks. CISOs describe low awareness among end users and inconsistent understanding among senior leadership. This gap raises the risk of data leakage and misinformation.

Emerging AI driven threats include deepfake impersonation, model poisoning, synthetic identity fraud, and misuse of AI services for credential harvesting. These trends reveal an expanding attack surface tied directly to uncontrolled AI use.

“AI is both a tool and a target, and attack vectors are expanding faster than many realise. The result is an arms race where both sides are using machine learning. On one side, the goal is to deceive; on the other, to defend and forestall. Attackers are increasingly using generative AI and automation to identify vulnerabilities, craft more convincing phishing lures, and orchestrate multi-stage intrusions with minimal human oversight,” said Daniel Hofmann, CEO, Hornetsecurity.

Identity remains the weakest link

Attacker-in-the-middle techniques now bypass many forms of MFA by stealing session tokens in real time. Phishing kits can relay MFA prompts and pass user credentials to legitimate authentication portals while capturing the resulting session tokens for attacker use.

Phishing-resistant MFA methods such as hardware keys, certificate-based authentication, Windows Hello for Business, and passkeys provide strong protection. Adoption remains inconsistent. Passkeys in particular face issues with fragmented experiences across platforms and restrictions around syncable and non-syncable keys in enterprise settings.

Credential recovery processes also remain vulnerable. Several major breaches occurred because helpdesk staff were tricked into resetting privileged accounts. CISOs need stronger in-person verification for administrative identity recovery and tighter controls across the identity lifecycle.

SaaS and the browser become key attack surfaces

SaaS platforms and cloud integrations now offer attackers direct paths into critical data and workflows. OAuth token theft stands out, since revoking tokens is often the only way to contain abuse. Recent incidents show how a single compromised integration can expose many organizations at once.

Malicious or vulnerable browser extensions can bypass internal controls or harvest sensitive data. CISOs should monitor extension use and restrict high risk categories through central policy.

High profile incidents across technology, aviation, manufacturing, and cloud ecosystems show that attackers are increasingly targeting suppliers and infrastructure providers. These attacks bypass traditional perimeter defenses and impose cascading consequences across dependent organizations.