Credential Theft and Identity-Based Intrusions Surge Across Enterprises
Credential compromise and identity abuse are increasing as attackers rely more on stolen logins, session artifacts, and phishing rather than noisy exploitation alone. Recorded Future reported a sharp rise in exposed credentials during 2025, including nearly 2 billion credentials indexed from malware combo lists, with the second half of the year up 50% over the first and Q4 up 90% over Q1. The trend is being driven by the industrialization of infostealer malware, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, while weak identity governance continues to expand the attack surface. A separate survey of UK organizations found 77% fail to promptly disable former employees' accounts, 34% grant overly broad access, and many still use manual processes such as spreadsheets for account validation, creating persistent opportunities for unauthorized access.
A targeted phishing attempt against Outpost24 illustrates how these identity-focused attacks are being operationalized against even security vendors. Attackers used a convincing fake JP Morgan email, valid DKIM authentication via Amazon SES infrastructure, and a seven-stage redirect chain leveraging trusted brands including Cisco to steer a C-suite executive toward a Microsoft Office credential-harvesting page while evading email defenses. The broader threat environment shows the same shift toward access abuse and stealthier post-compromise tradecraft: Google Threat Intelligence Group found ransomware actors increasingly favor native Windows tools over Cobalt Strike, with data theft present in 77% of incidents and exploitation of VPNs and firewalls still common for initial access. Together, the reporting shows attackers are increasingly logging in rather than breaking in, then using legitimate access and built-in tools to deepen compromise and extort victims.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Cisco Talos says phishing became top initial-access vector in Q1 2026
Cisco Talos reported that in Q1 2026, 35% of incident-response cases it investigated began with successful phishing, making phishing the leading initial-access vector ahead of exploitation of external vulnerabilities. The report said attackers were increasingly using AI to generate more convincing, multilingual, and personalized phishing lures, while abuse of trusted services and MFA weaknesses also featured prominently.
GitGuardian reports 28.65 million secrets exposed in GitHub commits
GitGuardian's State of Secrets Sprawl 2026 report said 28.65 million new hardcoded secrets were exposed in public GitHub commits during 2025, continuing a multi-year rise in leaked keys, tokens, and passwords. The report also warned that AI development, internal repositories, collaboration platforms, and exposed self-hosted services were expanding credential leakage and slowing remediation.
SpyCloud publishes 2026 Identity Exposure Report
SpyCloud published its 2026 Identity Exposure Report, stating that recaptured identity records rose 23% to 65.7 billion total records and warning of growing exposure involving API keys, session tokens, and machine identities. The report highlighted increasing risks from non-human identities and session theft.
Outpost24 links phishing tooling to Kratos PhaaS kit
After obtaining and examining an encrypted phishing kit and its configuration, Outpost24 researchers linked the operation's tooling to the Kratos phishing-as-a-service kit. They said the activity was consistent with phishing-as-a-service operations but could not attribute it to a specific threat group.
Outpost24 detects seven-stage phishing attack targeting its executive
Outpost24 disclosed that a C-suite executive was targeted in a sophisticated phishing campaign impersonating JP Morgan and using a seven-stage redirect chain through trusted services such as Cisco Secure Web and Nylas. The company said it detected and analyzed the attack before any damage occurred.
SailPoint survey finds widespread UK identity security weaknesses
A SailPoint survey of 333 IT decision-makers found that 77% of UK organizations do not promptly deactivate ex-employee accounts and that credential compromise incidents rose 160% year over year. The survey also found many businesses grant overly broad access and still rely on manual identity management processes.
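The offboarding gap the survey describes (leavers' accounts not promptly disabled, over-broad access, spreadsheet-driven validation) is a reconciliation problem that can be checked automatically. The script below is an added example, not code from the story or from SailPoint; the HR roster, IdP export, group names and one-day grace period are constructed assumptions.

```python
"""Reconcile an identity-provider account export against an HR roster and
flag enabled accounts that should already have been disabled.  Added
example, not from the story or SailPoint; all data below is constructed."""
from datetime import date, timedelta

GRACE_DAYS = 1  # assumption: an account must be disabled within a day of leaving

# Constructed HR roster: employee id -> (status, termination date as ISO text)
HR_ROSTER = {
    "e100": ("active", None),
    "e101": ("terminated", "2025-11-03"),
    "e102": ("terminated", "2025-12-09"),
}

# Constructed IdP export: login -> (employee id, enabled?, group memberships)
IDP_ACCOUNTS = {
    "alice": ("e100", True, ["vpn-users"]),
    "bob": ("e101", True, ["vpn-users", "domain-admins"]),
    "carol": ("e102", False, []),
    "svc-backup": (None, True, ["domain-admins"]),   # no HR owner at all
}
PRIVILEGED_GROUPS = {"domain-admins"}  # assumption: what counts as privileged


def stale_accounts(roster, accounts, today_iso):
    """Return findings for enabled accounts whose owner has left (past the
    grace period) or who has no HR record at all, worst first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for login, (emp, enabled, groups) in accounts.items():
        if not enabled:
            continue                      # already disabled, nothing to do
        record = roster.get(emp)
        if record is None:
            reason, overdue = "enabled account with no HR owner", 0
        elif record[0] == "terminated":
            deadline = date.fromisoformat(record[1]) + timedelta(days=GRACE_DAYS)
            if today <= deadline:
                continue                  # still inside the grace period
            overdue = (today - deadline).days
            reason = f"owner terminated, {overdue} days past deadline"
        else:
            continue                      # active employee, account is expected
        findings.append({
            "login": login, "reason": reason, "days_overdue": overdue,
            "privileged": bool(PRIVILEGED_GROUPS & set(groups)),
        })
    # privileged leftovers first, then the longest overdue
    findings.sort(key=lambda f: (not f["privileged"], -f["days_overdue"]))
    return findings
```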
U.S. and European agencies warn of Russia-linked OT credential intrusions
On 2025-12-10, a joint cybersecurity advisory from U.S. and European agencies warned that Russia-linked hacktivist actors were increasingly targeting critical infrastructure sectors including water, energy, and agriculture by abusing weak, default, reused, and leaked credentials. The advisory highlighted a shift from disruptive scanning and DDoS activity toward credential-based access into OT and ICS environments rather than reliance on advanced malware or software exploits.
Ontinue identifies early signs of LLM-assisted malware development
Ontinue reported what it described as the first meaningful signs of threat actors using large language models to assist malware development during the second half of 2025. The finding was presented alongside broader reporting on identity abuse and phishing enabled by stolen credentials.
SpyCloud records major rise in exposed identities during 2025
SpyCloud's 2026 Identity Exposure Report said that in 2025 it captured 18.1 million exposed API keys and tokens, 8.6 billion stolen cookies and session artifacts, and 642.4 million credentials tied to 13.2 million infostealer infections. The report also found that nearly half of 28.6 million phished identity records were linked to corporate users.
Ransomware actors shift tactics as profits fall in 2025
Google Threat Intelligence Group and Mandiant found that during 2025 the ransomware ecosystem became less profitable, with lower victim payment rates and more frequent data theft and leak-site shaming. Attackers increasingly moved away from tools like Cobalt Strike and Mimikatz toward native Windows utilities, PowerShell, and legitimate admin protocols to evade detection.
Credential theft dominates initial access in 2025
Recorded Future reported that credential theft became a leading initial access vector during 2025, with attackers increasingly using stolen usernames, passwords, tokens, and session cookies instead of exploiting vulnerabilities. The firm observed nearly two billion credentials indexed from malware combo lists and a sharp rise in compromised credentials over the course of the year.
Sources
AI Phishing Is No. 1 With a Bullet for Cyberattackers (darkreading.com)
Your Next Breach Will Look Like Business as Usual (darkreading.com)
Cyberattacks powered by stolen credentials on the rise | brief | SC Media (scworld.com)
AI frenzy feeds credential chaos, secrets spread through code, tools, and infrastructure - Help Net Security (helpnetsecurity.com)
Less Lucrative Ransomware Market Makes Attackers Alter Methods (darkreading.com)
More Attackers Are Logging In, Not Breaking In (darkreading.com)
Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish (darkreading.com)
Have I Been Pwned: Synthient Credential Stuffing Threat Data Breach (haveibeenpwned.com)