Executive Summary
Every 90 days, we review the latest cyber threat trends to identify what IT leaders should learn, where resilience gaps are widening, and what practical actions organisations should take next.
The first quarter of 2026 has been intense. The UK threat picture is not defined by one single malware family or one headline ransomware group.
Instead, it is being shaped by a broader rise in disruptive incidents, persistent phishing, growing supply-chain exposure, and more sophisticated abuse of identity, data and AI-enabled workflows.
The key trend in Q1 2026 is the accelerated exploitation of zero-day and n-day vulnerabilities within 24 hours. Most organisations cannot respond this quickly, but now need to.
The National Cyber Security Centre (NCSC) says it handled 204 nationally significant cyber attacks in the 12 months to August 2025, up from 89 the year before, showing how quickly the operational pressure on UK organisations is rising.
Whilst automation is helping SOC teams (first-line incident automation increased from an average of 53% to 59%), triage to resolution for benign and true positive alerts remained at an average of 154 minutes.
Key Cyber Threat Trends (last 90 days)
- Data theft is overtaking ransomware as the primary attack objective
- AI-driven data exfiltration is becoming harder to detect
- Attackers are increasingly targeting developers and third-party code
- Backup and recovery systems are now a primary target
- New phishing techniques like Clickfix are rapidly emerging
- Insider-led attacks are rising and taking longer to detect
Data Theft Is Replacing Ransomware in 2026
We’re seeing a clear move towards smaller, repeated data theft events. These may involve lower ransom demands, but they still create significant financial, regulatory and reputational risk.
These attacks don’t always trigger immediate disruption, which makes them harder to spot and easier to sustain over time.
The impact, however, is just as serious.
Data loss creates regulatory exposure, reputational damage and often leads to ongoing extortion. The difference is that it happens more quietly, and often for longer.
For IT leaders, it’s no longer enough to focus on preventing system disruption. You need visibility into how data is being accessed, used and potentially extracted.
Watch on-demand: You Paid the Ransom. Incident Response Teardown
The Rise of AI-Driven Data Exfiltration Attacks
Dark settlements have become more complex and frequent, and so have repeated extortion events at businesses seeking a faster resolution to an exposure.
Attackers are focusing on the content of the data rather than its quantity, and with shadow AI tools now widely prevalent, sensitive information is being exposed through:
- prompts
- summaries
- analysis workflows
Visibility of these exposures remains a key issue: traditional DLP detection is less effective because they are not physical file changes or movements, but summarisation and analysis actions.
The NCSC warns that prompt injection and insecure AI integrations can give attackers paths into wider systems, while AI’s ability to summarise large volumes of information quickly can increase the efficiency and impact of data theft.
Action: Many organisations still struggle to gain user and board support to progress Data Loss Prevention beyond initial data classification and labelling.
Developer and Third-Party Risk Is Increasing
Another consistent pattern is the growing risk across development environments and third-party relationships.
Organisations are shipping faster. They’re relying more on external developers, offshore teams, and AI-assisted coding tools. That speed brings efficiency, but also risk.
This is a longer-term espionage tactic in which DPRK capabilities are being infused into third-party development capacity, including vibe coding and other development expertise. These third parties are offshore, freelance, burst-capacity rapid application coding services.
We’re seeing more cases where:
- third-party access isn’t fully controlled
- externally developed code isn’t properly validated
- trusted relationships are used as entry points
Organisational security and integrity validation of third-party-developed code has become more reliant on AI security tools in the last 3 months, and more issues are going undetected or evading detection.
Action: Organisations need to rapidly improve development screening and verify the background checks on personnel, onshore and offshore. They are working for your business, so please verify.
Backup and Recovery Systems Are Being Targeted
More recently, with so many organisations now adopting both immutable and tenant backups, adversarial entities are focusing on recovery denial techniques.
Malicious entities are systematically targeting backup infrastructure, identity services, storage containers and MSP providers delivering these services.
The aim is to reduce the ability to recover a key service dependency quickly.
Clickfix Is Emerging as a Common Attack Technique
And the most common attack vector in the last 90 days is the Clickfix technique.
Instead of asking users to click a link, they are prompted to:
- verify access
- join a meeting
- run a command to “fix” an issue
We are observing more and more businesses failing to update key website services (usually a third-party responsibility). Adversarial groups are replicating these prompts on a phishing page, using short-term DNS hijacking to redirect traffic, and asking users to execute PowerShell to verify their identity or legitimacy.
We’ve seen many fake CAPTCHAs, but this has shifted to verification prompts for meeting invitations and joining actions.
Attack Vectors Last 90 Days
There is no change in industry focus in the last 90 days, with Financial, Insurance, Business & Professional Services, Tech firms (MSP providers) and Healthcare remaining firmly the most frequently researched and targeted.
They are also the industries most rapidly adopting a wider spectrum of generative AI technologies.
- Exploitation combined with specifically targeted phishing email campaigns remains the predominant initial attack vector. There was a significant increase in attackers gaining access to an internal impersonated or compromised user account and creating mailbox forwarding rules to send phishing emails.
- The most common malicious attachment for Outlook application related malware is financial documents using dynamic code execution capabilities in graphics and e-signature fields.
- The most common attack source is Internal (52%), where we also observed an increase in dwell time as well as attack evasion. Organisations not leveraging user behavioural analysis are up to 4 times slower at detection than those that have UEBA activated.
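To make the mailbox-forwarding pattern above concrete, here is an added detection example (not from the original report or any vendor product) that scans constructed audit-log lines, loosely modelled on Exchange Online inbox-rule and mailbox operations, and flags rules that forward mail to external domains. The record format, field names, tenant domains and sample addresses are all assumptions.

```python
import json

# Constructed sample audit records (assumption: field names and shapes are
# illustrative only, loosely modelled on Exchange Online mailbox audit entries).
SAMPLE_LOG = """\
{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@mail.example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"Set-Mailbox","UserId":"bob@example.com","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.archive@partner.example.org"}]}
{"Operation":"New-InboxRule","UserId":"carol@example.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"Operation":"Set-InboxRule","UserId":"dave@example.com","Parameters":[{"Name":"RedirectTo","Value":"dave.team@example.com"}]}
"""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def is_external(address: str) -> bool:
    """True when the destination domain is not one of the tenant's own."""
    addr = address.lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def find_forwarding(lines) -> list[dict]:
    """Flag rule or mailbox changes that forward mail outside the tenant.

    Severity is 'high' when the rule also deletes the original message or
    has a throwaway name (e.g. "."), both of which hide the forwarding from
    the mailbox owner; otherwise 'medium'.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        external = [params[k] for k in sorted(params.keys() & FORWARD_PARAMS)
                    if is_external(params[k])]
        if not external:
            continue  # internal-only rules are normal user behaviour
        hidden = (params.get("DeleteMessage", "").lower() == "true"
                  or not params.get("Name", "x").strip(" .,;-_"))
        findings.append({"user": rec["UserId"], "operation": rec["Operation"],
                         "destinations": external,
                         "severity": "high" if hidden else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_forwarding(SAMPLE_LOG.splitlines()):
        print(f"{f['severity'].upper():6} {f['user']} {f['operation']} -> "
              + ", ".join(f["destinations"]))
```

In a real deployment the same logic would run over the tenant's exported audit log, with INTERNAL_DOMAINS set to the organisation's accepted domains and findings routed to the SOC queue alongside the UEBA signals mentioned above.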
AI tools are increasing the challenge of detecting IP and data theft across organisations. Research shows that 40% of knowledge workers admit to entering sensitive business information into public AI tools.
As many of these platforms operate under standard user privileges, they create new blind spots for security teams. As a result, insider risk controls need to become a much higher priority for businesses in 2026.
Learn more about AI-Driven risk here: The AI-Enabled Insider Threat – From Accidental Leaks to Intentional Knowledge Distillation
The Threat Has Changed. Has Your Strategy?
The key lesson from Q1 2026 is that cyber risk is broadening, not narrowing.
Ransomware still matters, but IT leaders should now plan for a wider range of outcomes: data theft, extortion, identity abuse, supplier compromise, destructive attacks on recovery systems and AI-enabled attack paths.
The organisations that respond fastest will be the ones that improve visibility across data, identity, third parties and recovery, not just endpoints.