Microsoft Reports Surge in Identity-Based Attacks Driven by Infostealers
Microsoft has reported a significant increase in identity-based cyberattacks, with a 32% rise in such incidents during the first half of 2025. The company’s annual threat assessment highlights a shift in attacker tactics, with hackers increasingly using stolen credentials obtained through infostealers or from large-scale data breaches to gain initial access to systems. Malware families such as Lumma Stealer, RedLine, Vidar, Atomic Stealer, and Raccoon Stealer, traditionally used after initial compromise, are now being deployed as first-stage payloads, making credential theft a foundational component of modern cybercrime campaigns.
This evolution in attack methodology has led to greater specialization within the cybercrime ecosystem, with distinct roles for initial access brokers, credential sellers, and ransomware operators who leverage stolen credentials for extortion. Microsoft also noted its collaboration with federal authorities to disrupt infostealer infrastructure, such as the Lumma Stealer network, though threat actors have demonstrated resilience by quickly reestablishing operations. The report underscores the growing threat posed by identity compromise and the need for organizations to strengthen credential management and detection capabilities.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Flashpoint warns infostealer activity remains resilient despite takedowns
In October 2025 reporting, Flashpoint said infostealer operations continued to thrive despite disruptions by law enforcement and companies such as Microsoft. The report noted that operators quickly rebuilt infrastructure, sold logs cheaply on illicit markets, and adapted with stealthier delivery methods.
Microsoft publishes annual cyberthreat assessment on evolving attacker tactics
Microsoft's annual cyberthreat assessment, published in October 2025, described the growing use of infostealers as initial access tools and emphasized that multifactor authentication still blocks more than 99% of identity compromise attacks. The report also highlighted increased specialization among cybercriminals and rising abuse of social engineering to bypass defenses.
Flashpoint reports 1.8 billion credentials stolen from 5.8 million devices
Flashpoint said that in the first half of 2025, infostealer malware harvested more than 1.8 billion credentials from 5.8 million infected devices. The findings highlighted the scale of credential theft and the role of stolen usernames, passwords, and session tokens in follow-on intrusions.
Identity-based attacks rise sharply in the first half of 2025
Microsoft reported a 32% increase in identity-based attacks during the first half of 2025. The company said attackers increasingly used infostealers, secret-store theft, MFA bypass tactics, and ClickFix-style social engineering to gain initial access.
Lumma Stealer infrastructure seized by law enforcement
Law enforcement seized infrastructure tied to Lumma Stealer in May 2025 as part of efforts to disrupt a major infostealer operation. The disruption was temporary, with operators reportedly regrouping and restoring activity afterward.
Sources
Infostealers Run Wild (bankinfosecurity.com)
Infostealers Run Wild (govinfosecurity.com)
Click, Call, Compromise: Hackers Continue to Evolve Tactics (govinfosecurity.com)
Click, Call, Compromise: Hackers Continue to Evolve Tactics (bankinfosecurity.com)