Mallory

Reports Highlight Shift Toward Identity-First Attacks and Phishing-Driven Intrusions

Tags: identity-based attacks, vulnerability exploitation, credential theft, QR phishing, phishing, AI-enabled crime, pre-disclosure exploitation, business email compromise, email security, third-party risk, newly registered domains, initial access, dark web
Updated February 28, 2026 at 01:06 AM (2 sources)
Recent reporting and vendor research indicate threat actors are increasingly prioritizing identity-based intrusion paths—notably phishing, credential theft, and Business Email Compromise (BEC)—over traditional vulnerability exploitation as the most common initial access vector. A Darktrace report cited by SC Media describes identity breaches as the leading entry point, alongside broader trends including accelerated breach tempo, increased automation, and “converging” tactics; it also notes exploitation can occur before public disclosure and that overall CVE volume rose by 20%+ year-over-year.

Email remains a dominant delivery mechanism in these identity-first campaigns. Darktrace telemetry referenced by SC Media reported 32M+ high-confidence phishing emails across its customer base, with many messages bypassing baseline controls (including 70% passing DMARC), targeting executives, using malicious QR codes, and leveraging newly registered domains. Separately, a SOCRadar analysis frames the U.S. financial sector as a disproportionate target for phishing and dark-web activity, emphasizing AI-enabled crime, persistent BEC, and third-party/supply-chain risk, and citing metrics such as ~48% of global financial phishing activity and ~23.5% of finance-related dark web threat activity attributed to the U.S. market.
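Added here to illustrate the DMARC point above (example code, not from Mallory, SC Media or Darktrace): a small Python triage scorer that treats `dmarc=pass` as zero evidence of good intent and instead weighs the signals the reporting names, a newly registered sender domain, an executive recipient, and an image-only body of the kind QR lures use. The registration dates, the executive mailbox list and the sample message are constructed; a real deployment would take domain age from an RDAP/WHOIS lookup.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins (assumptions): a WHOIS/RDAP age cache and the executive mailboxes.
DOMAIN_REGISTERED = {"example-invoices.test": date(2026, 2, 20)}
EXECUTIVES = {"cfo@corp.test"}

def score_message(raw, today=date(2026, 2, 28)):
    """Return (score, reasons) for a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    findings = []  # (points, reason)
    # A DMARC pass only proves the sending domain authorised the mail: worth zero points.
    if "dmarc=pass" in msg.get("Authentication-Results", ""):
        findings.append((0, "dmarc=pass (authenticates the domain, not its intent)"))
    registered = DOMAIN_REGISTERED.get(domain)
    if registered is None:
        findings.append((2, f"no registration record for {domain}"))
    elif (today - registered).days < 30:
        findings.append((3, f"{domain} registered {(today - registered).days} days ago"))
    if rcpt in EXECUTIVES:
        findings.append((2, "executive recipient"))
    # QR lures put the link inside an image and leave almost no text for filters to inspect.
    text_len, has_image = 0, False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_len += len(part.get_payload(decode=True) or b"")
        elif ctype.startswith("image/"):
            has_image = True
    if has_image and text_len < 200:
        findings.append((3, "image-only body, possible QR lure"))
    return sum(p for p, _ in findings), [r for _, r in findings]

# Constructed sample: passes DMARC, yet every other signal fires.
SAMPLE = """From: AP Team <billing@example-invoices.test>
To: cfo@corp.test
Authentication-Results: mx.corp.test; dmarc=pass header.from=example-invoices.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please scan the attached code to view the invoice.
--b1
Content-Type: image/png

iVBORw0KGgo=
--b1--
"""
```

Calling `score_message(SAMPLE)` yields a score of 8 with four reasons, while the same message sent to a non-executive scores 6; the DMARC pass never lowers either figure.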

Related Stories

Phishing and BEC Trends Show Increased Impersonation and Evolving Social Engineering

Threat researchers reported continued growth and diversification in **impersonation-driven phishing**. Guardio data cited by KnowBe4 identified **Microsoft** as the most impersonated brand in phishing during **Q4 2025**, followed by **Facebook, Roblox, McAfee, Steam, AT&T, Amazon, Google, Yahoo, and Coinbase**. The activity reportedly surged around high-traffic seasonal moments (e.g., Black Friday “storefront” scams, December delivery scams, and January job-search lures), reflecting attackers’ focus on exploiting predictable user behavior and time-sensitive themes. Separately, LevelBlue **SpiderLabs** reported **BEC** activity increased **15% in 2025 vs. 2024** based on *MailMarshal* telemetry, averaging **3,000+ BEC messages/month** (peaking at **4,300** in July). The report noted seasonal/operational timing effects (e.g., quarter transitions and summer vacation staffing gaps) and highlighted evolving tactics including **“contact details swapping,”** where attackers impersonate finance teams to “update” official contact information to redirect payments or communications. Together, the reporting indicates sustained growth in **impersonation and social engineering** as a primary driver of fraud and account compromise risk, with attackers adapting lures to business cycles and consumer seasons.

2 months ago
Incident Response Reports Highlight Identity and Low-Complexity Initial Access as Dominant Intrusion Drivers

Two 2026 incident-response reports describe threat actors increasingly favoring **fast, low-complexity initial access** over sophisticated exploitation, with **identity compromise** and common remote access paths repeatedly enabling broad downstream impact. Unit 42’s *Global Incident Response Report 2026* data (based on 750+ engagements) indicates attacker activity crossed multiple attack surfaces in **87%** of cases, requiring investigation across endpoints, identity systems, networks, and cloud services; it also attributes a material role to **identity weaknesses** in nearly **90%** of investigations and reports identity-based techniques as the initial access method in **65%** of cases (e.g., phishing, stolen credentials, brute force, insider activity). Phishing and vulnerability exploitation were cited as top initial access vectors (tied at **22%** each), reinforcing that common, repeatable techniques remain highly effective. Arctic Wolf reporting similarly concludes that attackers are prioritizing **accessible entry points**, with **phishing** frequently initiating business email compromise and with ransomware intrusions often beginning via abuse of **remote access services** such as `RDP`, `VPN`, and **remote monitoring and management (RMM)** tooling. Both sources emphasize that weak access controls—such as excessive permissions, non-phishing-resistant MFA, credential reuse/default passwords, IAM misconfigurations, unmanaged OAuth grants, and stale/shared accounts—allow a single foothold to expand laterally across SaaS, cloud, and on-prem environments, increasing blast radius and complicating detection and response.

3 weeks ago
Reports Highlight Identity, Supply-Chain, and Healthcare as Key Cyber Risk Drivers

Recent reporting highlights a shift in enterprise cyber risk toward **external dependencies and identity abuse**. Coverage of the EU’s **NIS2** directive emphasizes that organizations are expected to treat **supply-chain security** as a core governance and architecture issue, reflecting the reality that third parties (e.g., cloud providers, software suppliers, maintenance access, and outsourced services) are frequent intrusion paths rather than risks contained “inside the firewall.” Separately, findings cited from Eye Security’s *State of Incident Response Report 2026* indicate attackers are increasingly **exploiting existing access** rather than “hacking in,” with **identity-based attacks** dominating and **passwords** implicated in the vast majority of such incidents; common initial compromise paths still include phishing, exposed/misconfigured internet-facing systems, social engineering, and software supply-chain attacks. In healthcare, a Trellix threat intelligence report based on **54.7 million detections** from 2025 healthcare environments warns cyber incidents are escalating from IT disruption into a **patient safety** issue due to highly interconnected systems and “cascading” outages. The report identifies **email** as the leading threat vector and the **U.S.** as the primary target, and describes ransomware and extortion activity intensifying, including groups such as **Qilin** (noted for targeting EHR databases), **INC Ransom**, and newer actors like **Sinobi** focusing on biotech; it also reports a sharp rise in **extortion-only** tactics with per-patient ransom demands intended to sidestep corporate insurance dynamics. Across these sources, **phishing** remains a dominant initial access method, with lures increasingly tailored to privileged IT roles (e.g., “AI Transformation” themes).

1 month ago