Credential-Based Attacks and Identity Threats in Modern Cybersecurity
Credential abuse, phishing, and vulnerability exploitation remain the primary vectors for cyber breaches, with attackers increasingly leveraging automation, AI-driven social engineering, and new evasion techniques. Recent research highlights a 160% surge in leaked credentials, with billions exposed in single incidents, and a significant rise in email-based threats, including a 130% increase in malware delivered via email and a resurgence of ransomware. Attackers exploit overlooked file types and advanced obfuscation tactics to bypass security controls, while compromised credentials and endpoint exploitation are now frequently blended in multi-stage attacks.
The rapid proliferation of non-human digital identities, such as AI agents, has dramatically expanded the attack surface, with non-human accounts now outnumbering human users by 82 to 1. This shift has led 90% of business leaders to rank identity attacks as their top concern, and most organizations are reevaluating their identity and access management strategies. The growing complexity and scale of identity-based threats have eroded confidence in rapid recovery, underscoring the need for robust identity resilience and specialized security staff to defend against increasingly sophisticated credential and identity attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Check Point report spotlights widespread routine breach techniques
A report covered on November 25, 2025 described the most common breach methods affecting organizations and focused on practical ways to prevent these frequently encountered attacks. The reporting framed these incidents as pervasive, everyday security failures rather than isolated advanced threats.
Reports highlight rising identity and email-borne cyber risks
Industry reports published in late November 2025 warned that organizations are facing growing exposure from identity-based attacks, non-human identities, and persistent email security gaps. The coverage emphasized that attackers increasingly use valid credentials and common attack paths rather than novel intrusion methods, driving reassessment of IAM and email defenses.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
The breaches everyone gets hit by (and how to stop them)
helpnetsecurity.com
Open sourceEmail blind spots are back to bite security teams
helpnetsecurity.com
Open sourceNon-human identities overwhelm cyber defenses
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Credential Theft and Identity-Based Intrusions Surge Across Enterprises
**Credential compromise** and identity abuse are increasing as attackers rely more on stolen logins, session artifacts, and phishing rather than noisy exploitation alone. Recorded Future reported a sharp rise in exposed credentials during 2025, including nearly **2 billion** credentials indexed from malware combo lists, with the second half of the year up **50%** over the first and Q4 up **90%** over Q1. The trend is being driven by the industrialization of **infostealer malware**, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, while weak identity governance continues to expand the attack surface. A separate survey of UK organizations found **77%** fail to promptly disable former employees' accounts, **34%** grant overly broad access, and many still use manual processes such as spreadsheets for account validation, creating persistent opportunities for unauthorized access. A targeted phishing attempt against **Outpost24** illustrates how these identity-focused attacks are being operationalized against even security vendors. Attackers used a convincing fake JP Morgan email, valid **DKIM** authentication via Amazon SES infrastructure, and a **seven-stage redirect chain** leveraging trusted brands including Cisco to steer a C-suite executive toward a Microsoft Office credential-harvesting page while evading email defenses. The broader threat environment shows the same shift toward access abuse and stealthier post-compromise tradecraft: Google Threat Intelligence Group found ransomware actors increasingly favor native Windows tools over **Cobalt Strike**, with data theft present in **77%** of incidents and exploitation of VPNs and firewalls still common for initial access. Together, the reporting shows attackers are increasingly **logging in rather than breaking in**, then using legitimate access and built-in tools to deepen compromise and extort victims.
Apr 24, 2026
AI-Driven Phishing and Identity-Related Breaches Escalate Cybersecurity Risks
Organizations across industries are experiencing a surge in identity-related breaches, with attackers exploiting weaknesses in authentication systems and leveraging advanced phishing techniques. Despite years of investment in stronger access controls, many companies continue to rely on passwords, which remain a primary entry point for cybercriminals. Password reuse, weak verification processes, and overconfidence in outdated systems contribute to the persistence of these breaches. Attackers often gain initial access through compromised credentials and can move laterally within networks for extended periods before detection. Social engineering tactics, such as convincing help desk staff to reset passwords or bypass multi-factor authentication, have become increasingly effective, as support teams are typically trained to assist rather than scrutinize user legitimacy. Most organizations have not implemented robust identity verification for support interactions, relying instead on easily compromised methods like security questions and one-time codes. The adoption of passwordless authentication remains low, and where it is higher, organizations report fewer identity-related breaches and losses. Meanwhile, phishing remains a dominant vector for malware delivery, with attackers using email to introduce ransomware, spyware, and other malicious software into business networks. AI-powered phishing campaigns are on the rise, with cybercriminals using generative tools to craft highly personalized and convincing messages that evade traditional detection methods. These AI-enhanced attacks can be launched at scale, targeting entire organizations rapidly and making it more difficult for employees to distinguish legitimate communications from malicious ones. The evolution of AI in cybercrime has also led to the proliferation of synthetic fraud, deepfake scams, and autonomous fraud campaigns that operate continuously. Despite the growing threat, only a minority of businesses have adopted AI-driven defenses, even as the majority of leaders recognize AI-generated fraud as a top challenge in the near future. The gap between the sophistication of attacker tactics and the defensive capabilities of organizations is widening, with operational damage and financial losses mounting as a result. Security teams face challenges in modernizing identity controls across diverse environments, including legacy systems that are incompatible with newer authentication methods. The need for comprehensive, adaptive security strategies that incorporate AI-powered detection and response is becoming increasingly urgent as adversaries continue to innovate. Organizations are urged to strengthen identity verification processes, accelerate the adoption of passwordless technologies, and invest in AI-driven security solutions to counter the escalating threat landscape. The convergence of identity-related breaches and AI-enhanced phishing underscores the critical importance of proactive, multi-layered defenses in protecting against modern cyberattacks.
Mar 21, 2026
Identity Abuse and Credential Misuse as the Primary Initial Access Vector
Recent threat intelligence reporting indicates **identity-based attacks** (credential theft, social engineering, and misuse of legitimate access) are now the dominant driver of initial compromise, increasingly outpacing exploitation of software vulnerabilities. A *Unit 42* report cited by SC Media attributes **65% of initial access** to identity techniques versus **22%** to vulnerabilities, and notes accelerating attacker tempo—down to **72 minutes** from initial access to data exfiltration in the fastest observed cases—alongside growing cross-surface intrusions where **87%** of incidents span multiple environments (endpoints, cloud, SaaS, and identity systems). The report also highlights the **browser** as a key battleground (involved in **48%** of attacks) and a sharp rise in **SaaS supply-chain** abuse (nearly **4x** since 2022), including the use of **OAuth tokens** and **API keys** for lateral movement. Separately, Google Threat Intelligence Group commentary on the **defense industrial base (DIB)** describes adversaries shifting beyond classic espionage toward operations intended to **disrupt production capacity** and **compromise supply chains**, with **identity** increasingly treated as the “new security boundary” across the broader defense ecosystem (from prime contractors to smaller dual-use suppliers). The DIB focus underscores that credential-driven access and downstream supply-chain compromise can have strategic impact beyond data theft, including staging access for future contingencies and enabling ransomware/extortion that indirectly degrades defense supply availability.
Mar 21, 2026