Identity Abuse and Credential Misuse as the Primary Initial Access Vector
Recent threat intelligence reporting indicates identity-based attacks (credential theft, social engineering, and misuse of legitimate access) are now the dominant driver of initial compromise, increasingly outpacing exploitation of software vulnerabilities. A Unit 42 report cited by SC Media attributes 65% of initial access to identity techniques versus 22% to vulnerabilities, and notes accelerating attacker tempo—down to 72 minutes from initial access to data exfiltration in the fastest observed cases—alongside growing cross-surface intrusions where 87% of incidents span multiple environments (endpoints, cloud, SaaS, and identity systems). The report also highlights the browser as a key battleground (involved in 48% of attacks) and a sharp rise in SaaS supply-chain abuse (nearly 4x since 2022), including the use of OAuth tokens and API keys for lateral movement.
Separately, Google Threat Intelligence Group commentary on the defense industrial base (DIB) describes adversaries shifting beyond classic espionage toward operations intended to disrupt production capacity and compromise supply chains, with identity increasingly treated as the “new security boundary” across the broader defense ecosystem (from prime contractors to smaller dual-use suppliers). The DIB focus underscores that credential-driven access and downstream supply-chain compromise can have strategic impact beyond data theft, including staging access for future contingencies and enabling ransomware/extortion that indirectly degrades defense supply availability.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Google analyst warns defense industrial base faces broader cyber disruption
On Feb. 18, Google Threat Intelligence Group Deputy Chief Analyst Luke McNamara said cyber operations against the defense industrial base are increasingly focused on production disruption, supply-chain compromise, and pre-positioning for potential wartime scenarios, not just espionage. He also emphasized that attackers target the full defense ecosystem, including smaller suppliers and startups, and recommended stronger identity controls and sector-specific threat intelligence.
Unit 42 reports identity abuse drives most breach initial access
On Feb. 17, Palo Alto Networks' Unit 42 reported that identity-based techniques such as social engineering and credential misuse accounted for 65% of breach initial access, compared with 22% attributed to exploitation of vulnerabilities. The report also said attacks are becoming faster and more cross-domain, with some intrusions reaching data exfiltration in 72 minutes.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Credential Theft and Identity-Based Intrusions Surge Across Enterprises
**Credential compromise** and identity abuse are increasing as attackers rely more on stolen logins, session artifacts, and phishing rather than noisy exploitation alone. Recorded Future reported a sharp rise in exposed credentials during 2025, including nearly **2 billion** credentials indexed from malware combo lists, with the second half of the year up **50%** over the first and Q4 up **90%** over Q1. The trend is being driven by the industrialization of **infostealer malware**, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, while weak identity governance continues to expand the attack surface. A separate survey of UK organizations found **77%** fail to promptly disable former employees' accounts, **34%** grant overly broad access, and many still use manual processes such as spreadsheets for account validation, creating persistent opportunities for unauthorized access. A targeted phishing attempt against **Outpost24** illustrates how these identity-focused attacks are being operationalized against even security vendors. Attackers used a convincing fake JP Morgan email, valid **DKIM** authentication via Amazon SES infrastructure, and a **seven-stage redirect chain** leveraging trusted brands including Cisco to steer a C-suite executive toward a Microsoft Office credential-harvesting page while evading email defenses. The broader threat environment shows the same shift toward access abuse and stealthier post-compromise tradecraft: Google Threat Intelligence Group found ransomware actors increasingly favor native Windows tools over **Cobalt Strike**, with data theft present in **77%** of incidents and exploitation of VPNs and firewalls still common for initial access. Together, the reporting shows attackers are increasingly **logging in rather than breaking in**, then using legitimate access and built-in tools to deepen compromise and extort victims.
Apr 24, 2026
Credential-Based Attacks and Identity Threats in Modern Cybersecurity
Credential abuse, phishing, and vulnerability exploitation remain the primary vectors for cyber breaches, with attackers increasingly leveraging automation, AI-driven social engineering, and new evasion techniques. Recent research highlights a 160% surge in leaked credentials, with billions exposed in single incidents, and a significant rise in email-based threats, including a 130% increase in malware delivered via email and a resurgence of ransomware. Attackers exploit overlooked file types and advanced obfuscation tactics to bypass security controls, while compromised credentials and endpoint exploitation are now frequently blended in multi-stage attacks. The rapid proliferation of non-human digital identities, such as AI agents, has dramatically expanded the attack surface, with non-human accounts now outnumbering human users by 82 to 1. This shift has led 90% of business leaders to rank identity attacks as their top concern, and most organizations are reevaluating their identity and access management strategies. The growing complexity and scale of identity-based threats have eroded confidence in rapid recovery, underscoring the need for robust identity resilience and specialized security staff to defend against increasingly sophisticated credential and identity attacks.
Mar 21, 2026
Incident Response Reports Highlight Identity and Low-Complexity Initial Access as Dominant Intrusion Drivers
Two 2026 incident-response reports describe threat actors increasingly favoring **fast, low-complexity initial access** over sophisticated exploitation, with **identity compromise** and common remote access paths repeatedly enabling broad downstream impact. Unit 42’s *Global Incident Response Report 2026* data (based on 750+ engagements) indicates attacker activity crossed multiple attack surfaces in **87%** of cases, requiring investigation across endpoints, identity systems, networks, and cloud services; it also attributes a material role to **identity weaknesses** in nearly **90%** of investigations and reports identity-based techniques as the initial access method in **65%** of cases (e.g., phishing, stolen credentials, brute force, insider activity). Phishing and vulnerability exploitation were cited as top initial access vectors (tied at **22%** each), reinforcing that common, repeatable techniques remain highly effective. Arctic Wolf reporting similarly concludes that attackers are prioritizing **accessible entry points**, with **phishing** frequently initiating business email compromise and with ransomware intrusions often beginning via abuse of **remote access services** such as `RDP`, `VPN`, and **remote monitoring and management (RMM)** tooling. Both sources emphasize that weak access controls—such as excessive permissions, non-phishing-resistant MFA, credential reuse/default passwords, IAM misconfigurations, unmanaged OAuth grants, and stale/shared accounts—allow a single foothold to expand laterally across SaaS, cloud, and on-prem environments, increasing blast radius and complicating detection and response.
Mar 21, 2026