Credential-Based Attacks and the Shift Toward Phishing-Resistant MFA
Recent high-profile breaches at major UK retailers, including M&S and Co-op Group, have highlighted the growing threat of identity-based attacks. Attackers used vishing techniques to obtain corporate passwords, which enabled ransomware deployment and resulted in significant financial and reputational damage. The distributed nature of modern IT environments, with resources spread across cloud and on-premises systems, has made identity the new security perimeter, increasing the value of credentials for cybercriminals. Infostealer malware and various forms of phishing, including smishing and vishing, are now primary methods for harvesting credentials, contributing to a surge in identity-related breaches across industries.
To counter these threats, security experts emphasize the importance of robust multifactor authentication (MFA), particularly methods that are resistant to phishing. While traditional MFA methods such as one-time passwords (OTPs) sent via SMS or email are still widely used, they are increasingly vulnerable to social engineering and interception. The adoption of passkeys and other phishing-resistant MFA solutions is being promoted as the gold standard, with Microsoft reporting that MFA blocks over 99% of unauthorized access attempts. Organizations are urged to move beyond basic MFA and implement stronger, phishing-resistant authentication to protect against evolving identity-based attacks.

How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Global passkey usage surpasses 2 billion
The Register reports that more than 2 billion passkeys are in use worldwide, indicating significant uptake of passkey-based authentication. This reflects the growing move away from SMS and email one-time codes toward phishing-resistant MFA.
Major technology companies adopt passkeys for authentication
Amazon, Google, Microsoft, and Apple are described as having adopted passkeys as part of the broader industry shift toward phishing-resistant multifactor authentication. The references do not provide a specific adoption date, but present this as an already established development by the time of publication.
Sources
2 references tracked.


