Microsoft Reports Surge in Identity-Based Attacks Driven by Infostealers
Microsoft has reported a significant increase in identity-based cyberattacks, with a 32% rise in such incidents during the first half of 2025. The company’s annual threat assessment highlights a shift in attacker tactics, with hackers increasingly using stolen credentials obtained through infostealers or from large-scale data breaches to gain initial access to systems. Malware families such as Lumma Stealer, RedLine, Vidar, Atomic Stealer, and Raccoon Stealer, traditionally used after initial compromise, are now being deployed as first-stage payloads, making credential theft a foundational component of modern cybercrime campaigns.
This evolution in attack methodology has led to greater specialization within the cybercrime ecosystem, with distinct roles for initial access brokers, credential sellers, and ransomware operators who leverage stolen credentials for extortion. Microsoft also noted its collaboration with federal authorities to disrupt infostealer infrastructure, such as the Lumma Stealer network, though threat actors have demonstrated resilience by quickly reestablishing operations. The report underscores the growing threat posed by identity compromise and the need for organizations to strengthen credential management and detection capabilities.
Sources
Related Stories
Recent Surge in Infostealer and Credential Theft Tactics
Threat actors have significantly escalated the use of information-stealing malware and credential theft techniques, leveraging new methods to bypass traditional security controls and exploit human vulnerabilities. Flashpoint reports an 800% increase in infostealer-driven credential theft in 2025, with over 1.8 billion accounts compromised globally. Attackers are neutralizing Windows' Mark of the Web (MotW) protections using drag-and-drop lures, exploiting vulnerabilities, and targeting alternative software to evade detection. The rise of session token theft is also enabling attackers to bypass multi-factor authentication (MFA), as tokens stored in browsers are increasingly targeted and sold on underground markets, often escaping detection by network-focused security tools. The evolving threat landscape is further complicated by the proliferation of infostealer malware, which has become a primary entry point for enterprise breaches. Security experts emphasize the need for organizations to look beyond malware signatures and focus on deceptive initial access vectors, such as malicious scripts, third-party supply chain risks, and user manipulation. Effective defense now requires monitoring browser behavior, treating client-side security as a core responsibility, and understanding the full identity attack surface to counteract these sophisticated evasion tactics.
2 months agoCredential Theft Techniques Targeting Microsoft Environments
Attackers are increasingly leveraging advanced credential theft techniques to compromise Microsoft-based environments, with a focus on identity-first intrusions and abuse of authentication protocols. Kerberoasting attacks have resurged, exploiting legacy RC4 encryption in Kerberos to crack service account passwords, as seen in the Ascension Health ransomware incident. These attacks are facilitated by weak password policies and the continued use of outdated encryption, allowing threat actors to obtain domain administrator credentials and move laterally within networks. The prevalence of credential-based intrusions is underscored by threat intelligence reports indicating that identity attacks are now the leading entry point for breaches. Simultaneously, authentication coercion attacks are evolving, enabling adversaries to force Windows systems to authenticate to attacker-controlled infrastructure without user interaction. Techniques such as exploiting rarely monitored RPC interfaces and tools like PetitPotam (CVE-2021-36942) have been observed in real-world incidents, targeting critical assets like Domain Controllers. Additionally, threat actors are abusing OAuth consent, device code flow, and service principal credential manipulation to maintain persistent, stealthy access to cloud and SaaS platforms, often pivoting from on-premises exploits to Microsoft 365 environments. Organizations are advised to implement robust monitoring, enforce strong authentication policies, and phase out legacy protocols to mitigate these threats.
4 months ago
2025 Threat Landscape Reports Highlight Identity-Based Intrusions and High-Impact Ransomware Losses
Multiple 2025 retrospective threat reports describe **identity compromise** as the dominant initial access vector, with attackers repeatedly exploiting predictable control gaps such as weak identity security, third-party access paths, and exposed/perimeter systems. Barracuda’s Managed XDR telemetry analysis (spanning trillions of events and hundreds of thousands of alerts) reported that **Microsoft 365 anomalous login** and **“impossible travel”** detections were among the most common signals, consistent with credential theft and account takeover activity; it also noted post-compromise behavior including suspicious privilege manipulation (e.g., adding users to high-risk Windows groups). Dataminr’s 2026 Cyber Threat Landscape Report similarly characterized 2025 as a structural shift toward **accelerated identity-based intrusions**, citing that a significant share of intrusions leveraged **valid credentials**, alongside growth in **infostealer malware** and AI-enabled social engineering, and increased exploitation of third-party weaknesses. The same reporting also emphasizes that while overall ransomware activity may have stabilized in volume, **loss severity increased**, with “mega-loss” incidents exceeding **$100M** and in some cases **$1B**, driven by multi-vector campaigns combining credential theft, data exfiltration, and disruption. Other items in the set are broader commentary rather than incident- or disclosure-driven intelligence: an opinion piece argues that the rapid expansion of AI-driven data center infrastructure raises systemic risk from ransomware, supply-chain compromise, and OT disruption, while a predictions article discusses 2026 security investment themes without tying to a specific campaign. A separate news roundup recaps multiple 2025 events (including third-party/SaaS integration compromises and other vulnerabilities) rather than providing new, single-story reporting, making it only loosely aligned with the identity-and-ransomware trend narrative.
3 weeks ago