Check Point Research (CPR), the threat intelligence arm of Check Point Software Technologies Ltd., a cybersecurity solutions company, has released its brand-based phishing rankings for Q1 2026. The latest findings show that Microsoft remained the most imitated brand, appearing in 22% of all phishing attempts recorded during the quarter. The results continue to highlight a persistent trend: cybercriminals are systematically abusing widely used enterprise, cloud, and consumer platforms to harvest credentials and gain initial access to accounts and corporate environments.

Apple rose to second place with 11%, followed by Google in third place with 9%. Amazon took fourth place with 7%, while LinkedIn rose to fifth place with 6%, highlighting the growing interest of attackers in professional identities and access to the workplace. It is worth noting that the top four brands alone accounted for almost 50% of all phishing attempts observed during the quarter, reflecting a strong concentration around a small number of globally trusted platforms.
By industry, the Technology sector remained the category with the most cases of impersonation, followed by Social Networks and the banking sector, demonstrating that identity-based services and financial platforms continue to be prime targets for phishing attacks.
Omer Dembinsky, Data Research Manager at Check Point Research, said: “Phishing attacks continue to evolve in both scale and sophistication, increasingly relying on highly convincing brand impersonations, well-designed user interfaces and subtle domain manipulation techniques. The fact that Microsoft, Apple and Google remain at the top of the rankings shows how critical identity and cloud access have become for attackers. At the same time, the rise of platforms like LinkedIn highlights the growing interest in professional and corporate environments. To mitigate risk, organizations must adopt an approach that prioritizes prevention and combines AI-powered threat intelligence with proactive protection across email, web and collaboration platforms.”
Top 10 most copied brands in phishing cases – Q1 2026
- Microsoft – 22%
- Apple – 11%
- Google – 9%
- Amazon – 7%
- LinkedIn – 6%
- Dropbox – 2%
- Facebook – 2%
- WhatsApp – 1%
- Tesla – 1%
- YouTube – 1%
The continued dominance of large technology companies reflects the essential role they play in identity management, productivity tools, cloud services, and professional networks, which makes the related credentials extremely valuable to cybercriminals.
Phishing campaigns observed in Q1 2026
Microsoft: Credential harvesting through subdomain abuse
In Q1 2026, CPR detected a malicious website designed to impersonate Microsoft's legitimate authentication service: login[.]microsoftonline[.]com[.]office[.]sibis-office365[.]mtigroup[.]myshn[.]net

The campaign leveraged a common phishing technique, in which trusted brands are embedded in long subdomains under unrelated parent domains, increasing the likelihood that users will overlook the full URL. The site presented a Microsoft-branded login page and exhibited inconsistent authentication behavior, strongly suggesting an attempt to harvest credentials.
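The subdomain pattern described above can be checked mechanically on the defensive side by comparing the registrable (parent) domain with the brand named in the subdomain labels. The following Python sketch is an added example, not code from Check Point Research; the brand-to-domain map and the short suffix set are illustrative assumptions standing in for an organization's own allowlist and the full Public Suffix List.

```python
# Added example: flag a trusted brand name in subdomain labels when the
# registrable (parent) domain does not belong to that brand.

# Assumption: illustrative map of brand -> domains the brand really uses.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "whatsapp": {"whatsapp.com", "whatsapp.net"},
    "adobe": {"adobe.com"},
}
# Assumption: tiny stand-in for the Public Suffix List (use the full list in production).
SUFFIXES = {"com", "net", "cn", "hl.cn"}


def refang(host):
    """Turn a defanged indicator (login[.]example[.]com) into a plain hostname."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_domain(host):
    """Return the public suffix plus one label, e.g. a.b.myshn.net -> myshn.net."""
    labels = refang(host).split(".")
    for i in range(len(labels)):  # first hit is the longest matching suffix
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def brands_in_subdomain(host):
    """List brands named in the subdomain part of a host the brand does not own."""
    name = refang(host)
    parent = registrable_domain(name)
    sub_labels = name[: -len(parent)].rstrip(".").split(".") if name != parent else []
    return sorted(
        brand
        for brand, legit in BRAND_DOMAINS.items()
        if parent not in legit and any(brand in label for label in sub_labels)
    )


if __name__ == "__main__":
    # Hostnames quoted on this page (kept defanged), plus the genuine login host.
    for h in (
        "login[.]microsoftonline[.]com[.]office[.]sibis-office365[.]mtigroup[.]myshn[.]net",
        "web[.]whatsapp[.]app[.]hl[.]cn",
        "adobe[.]donittech[.]com",
        "login.microsoftonline.com",
    ):
        print(h, "->", registrable_domain(h), brands_in_subdomain(h))
```

This check only covers brands placed in subdomain labels; a lookalike registrable domain such as playstation-stores[.]com has no subdomain part and needs a separate comparison of the parent domain itself.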
PlayStation: Fake online store and payment fraud
CPR also identified a phishing website hosted at playstation-stores[.]com, which falsely presents itself as an official PlayStation store.

The website advertised promotional discounts and allowed users to proceed through the checkout process, ultimately asking victims to complete payment via direct bank transfer — an indication of financial fraud.
The numerous broken links and redirects further suggested malicious intent.
WhatsApp: Account Takeover via QR Code Abuse
Another campaign identified during the quarter impersonated WhatsApp Web, hosted at web[.]whatsapp[.]app[.]hl[.]cn. The phishing page closely resembled the legitimate WhatsApp Web interface and prompted users to scan a QR code. By doing so, victims risked linking their accounts to attacker-controlled sessions, potentially enabling unauthorized access to private conversations and account activity.
Adobe: Malware distribution through fake software downloads
In a separate incident, CPR detected a phishing website pretending to be Adobe Acrobat, hosted at adobe[.]donittech[.]com/windows[.]php.

The domain, which was registered in November 2025, tricked users into downloading a malicious MSI file that installed the ConnectWise software, which was used as a remote access Trojan (RAT), allowing attackers to gain remote control of infected systems.
Why "brand phishing" is gaining ground
Brand phishing continues to gain traction as cybercriminals increasingly exploit the credibility of globally recognized digital services. By using convincing domain names that resemble the genuine ones, realistic login interfaces, and multi-step authentication processes, attackers are able to bypass users’ suspicions and discreetly steal credentials on a large scale, commit financial fraud, or start malware infection chains.
This trend is fueled by the widespread adoption of cloud services and digital identity platforms, where a single compromised account can provide access to email, collaboration tools, financial data or corporate networks. As a result, brand phishing has become one of the most common initial access methods behind both large-scale consumer fraud and enterprise security breaches, reinforcing its growing role in today’s threat landscape.
Although the press releases will range from very select to rare, I said I'd pass...because sometimes the editors hide.



