Reports Highlight Shift Toward Identity-First Attacks and Phishing-Driven Intrusions
Recent reporting and vendor research indicate threat actors are increasingly prioritizing identity-based intrusion paths—notably phishing, credential theft, and Business Email Compromise (BEC)—over traditional vulnerability exploitation as the most common initial access vector. A Darktrace report cited by SC Media describes identity breaches as the leading entry point, alongside broader trends including accelerated breach tempo, increased automation, and “converging” tactics; it also notes exploitation can occur before public disclosure and that overall CVE volume rose by 20%+ year-over-year.
Email remains a dominant delivery mechanism in these identity-first campaigns. Darktrace telemetry referenced by SC Media reported 32M+ high-confidence phishing emails across its customer base, with many messages bypassing baseline controls (including 70% passing DMARC), targeting executives, using malicious QR codes, and leveraging newly registered domains. Separately, a SOCRadar analysis frames the U.S. financial sector as a disproportionate target for phishing and dark-web activity, emphasizing AI-enabled crime, persistent BEC, and third-party/supply-chain risk, and citing metrics such as ~48% of global financial phishing activity and ~23.5% of finance-related dark web threat activity attributed to the U.S. market.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Industry reporting highlights shift toward identity-based cyberattacks
Media coverage of the Darktrace findings reported a broader shift toward identity-focused attacks, emphasizing phishing, credential abuse, and access control weaknesses over traditional exploit-led intrusion. The reporting framed dynamic, real-time identity security as a key defensive response.
SOCRadar outlines 2026 cyber risks facing U.S. financial institutions
SOCRadar published an assessment warning that U.S. financial institutions remain prime targets for cybercrime due to their scale, valuable data, and digitization. It highlighted monetization-driven data theft, BEC and social engineering, AI-enabled phishing and deepfakes, ransomware, North Korean remote IT worker infiltration, and zero-day and supply-chain exploitation as major risks.
Darktrace records large-scale phishing and regional attack trends during 2025
Across incidents in its global customer base, Darktrace observed more than 32 million high-confidence phishing emails, many of which bypassed standard controls and 70% of which passed DMARC authentication. The report also identified regional patterns including cloud and email intrusions in Europe, rising ransomware in Africa, AI-driven threats in Asia-Pacific, and malware following credential theft in Latin America.
Darktrace observes identity breaches become the top initial access vector in 2025
According to a Darktrace report covering threat activity last year, identity-based breaches overtook vulnerability exploitation as the leading initial access method. The report also said attackers increasingly moved faster, used more automation, and often exploited weaknesses before public disclosure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and BEC Trends Show Increased Impersonation and Evolving Social Engineering
Threat researchers reported continued growth and diversification in **impersonation-driven phishing**. Guardio data cited by KnowBe4 identified **Microsoft** as the most impersonated brand in phishing during **Q4 2025**, followed by **Facebook, Roblox, McAfee, Steam, AT&T, Amazon, Google, Yahoo, and Coinbase**. The activity reportedly surged around high-traffic seasonal moments (e.g., Black Friday “storefront” scams, December delivery scams, and January job-search lures), reflecting attackers’ focus on exploiting predictable user behavior and time-sensitive themes. Separately, LevelBlue **SpiderLabs** reported **BEC** activity increased **15% in 2025 vs. 2024** based on *MailMarshal* telemetry, averaging **3,000+ BEC messages/month** (peaking at **4,300** in July). The report noted seasonal/operational timing effects (e.g., quarter transitions and summer vacation staffing gaps) and highlighted evolving tactics including **“contact details swapping,”** where attackers impersonate finance teams to “update” official contact information to redirect payments or communications. Together, the reporting indicates sustained growth in **impersonation and social engineering** as a primary driver of fraud and account compromise risk, with attackers adapting lures to business cycles and consumer seasons.
Mar 21, 2026
Credential Theft and Identity-Based Intrusions Surge Across Enterprises
**Credential compromise** and identity abuse are increasing as attackers rely more on stolen logins, session artifacts, and phishing rather than noisy exploitation alone. Recorded Future reported a sharp rise in exposed credentials during 2025, including nearly **2 billion** credentials indexed from malware combo lists, with the second half of the year up **50%** over the first and Q4 up **90%** over Q1. The trend is being driven by the industrialization of **infostealer malware**, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, while weak identity governance continues to expand the attack surface. A separate survey of UK organizations found **77%** fail to promptly disable former employees' accounts, **34%** grant overly broad access, and many still use manual processes such as spreadsheets for account validation, creating persistent opportunities for unauthorized access. A targeted phishing attempt against **Outpost24** illustrates how these identity-focused attacks are being operationalized against even security vendors. Attackers used a convincing fake JP Morgan email, valid **DKIM** authentication via Amazon SES infrastructure, and a **seven-stage redirect chain** leveraging trusted brands including Cisco to steer a C-suite executive toward a Microsoft Office credential-harvesting page while evading email defenses. The broader threat environment shows the same shift toward access abuse and stealthier post-compromise tradecraft: Google Threat Intelligence Group found ransomware actors increasingly favor native Windows tools over **Cobalt Strike**, with data theft present in **77%** of incidents and exploitation of VPNs and firewalls still common for initial access. Together, the reporting shows attackers are increasingly **logging in rather than breaking in**, then using legitimate access and built-in tools to deepen compromise and extort victims.
Apr 24, 2026
Incident Response Reports Highlight Identity and Low-Complexity Initial Access as Dominant Intrusion Drivers
Two 2026 incident-response reports describe threat actors increasingly favoring **fast, low-complexity initial access** over sophisticated exploitation, with **identity compromise** and common remote access paths repeatedly enabling broad downstream impact. Unit 42’s *Global Incident Response Report 2026* data (based on 750+ engagements) indicates attacker activity crossed multiple attack surfaces in **87%** of cases, requiring investigation across endpoints, identity systems, networks, and cloud services; it also attributes a material role to **identity weaknesses** in nearly **90%** of investigations and reports identity-based techniques as the initial access method in **65%** of cases (e.g., phishing, stolen credentials, brute force, insider activity). Phishing and vulnerability exploitation were cited as top initial access vectors (tied at **22%** each), reinforcing that common, repeatable techniques remain highly effective. Arctic Wolf reporting similarly concludes that attackers are prioritizing **accessible entry points**, with **phishing** frequently initiating business email compromise and with ransomware intrusions often beginning via abuse of **remote access services** such as `RDP`, `VPN`, and **remote monitoring and management (RMM)** tooling. Both sources emphasize that weak access controls—such as excessive permissions, non-phishing-resistant MFA, credential reuse/default passwords, IAM misconfigurations, unmanaged OAuth grants, and stale/shared accounts—allow a single foothold to expand laterally across SaaS, cloud, and on-prem environments, increasing blast radius and complicating detection and response.
Mar 21, 2026