
Credential Theft and Identity-Based Intrusions Surge Across Enterprises

Tags: credential theft, data theft, credential compromise, identity governance, identity abuse, infostealer, unauthorized access, ransomware, email spoofing, phishing, social engineering, firewalls, microsoft 365, initial access
Updated March 18, 2026 at 06:07 AM. 4 sources

Credential compromise and identity abuse are increasing as attackers rely more on stolen logins, session artifacts, and phishing rather than noisy exploitation alone. Recorded Future reported a sharp rise in exposed credentials during 2025, including nearly 2 billion credentials indexed from malware combo lists, with the second half of the year up 50% over the first and Q4 up 90% over Q1. The trend is being driven by the industrialization of infostealer malware, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, while weak identity governance continues to expand the attack surface. A separate survey of UK organizations found 77% fail to promptly disable former employees' accounts, 34% grant overly broad access, and many still use manual processes such as spreadsheets for account validation, creating persistent opportunities for unauthorized access.

A targeted phishing attempt against Outpost24 illustrates how these identity-focused attacks are being operationalized against even security vendors. Attackers used a convincing fake JP Morgan email, valid DKIM authentication via Amazon SES infrastructure, and a seven-stage redirect chain leveraging trusted brands including Cisco to steer a C-suite executive toward a Microsoft Office credential-harvesting page while evading email defenses. The broader threat environment shows the same shift toward access abuse and stealthier post-compromise tradecraft: Google Threat Intelligence Group found ransomware actors increasingly favor native Windows tools over Cobalt Strike, with data theft present in 77% of incidents and exploitation of VPNs and firewalls still common for initial access. Together, the reporting shows attackers are increasingly logging in rather than breaking in, then using legitimate access and built-in tools to deepen compromise and extort victims.
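The Outpost24 lure passed DKIM because the signature belonged to the sending infrastructure's domain, not to the brand shown in the From: header. The check a mail gateway or analyst should apply is DMARC-style alignment: does any passing DKIM or SPF domain match the From: domain? The following is an added example (not code from Outpost24 or any product on this page) that parses an Authentication-Results header and reports alignment; the message headers, addresses and domains are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modelling the pattern above: DKIM and SPF pass for the
# sending infrastructure's domain, which is not the domain shown in From:.
# All addresses and domains are placeholders, not taken from the incident.
SPOOFED_SAMPLE = """\
From: "Treasury Notifications" <alerts@example-bank.com>
To: cfo@victim.example
Subject: Action required: payment confirmation
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=bounce.amazonses.com;
 dkim=pass header.d=amazonses.com header.s=abcd1234
"""

# Same From: but signed under the sender's own domain: alignment passes.
ALIGNED_SAMPLE = SPOOFED_SAMPLE.replace(
    "header.d=amazonses.com", "header.d=example-bank.com")

def org_domain(domain):
    """Crude organizational-domain reduction (last two labels); production
    code should consult the Public Suffix List instead."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def passing_domains(auth_results, method, attr):
    """Domains from every '<method>=pass ... <attr>=<domain>' clause."""
    pattern = rf"{method}=pass\b[^;]*?{re.escape(attr)}=(?:[^@\s]+@)?([\w.-]+)"
    return re.findall(pattern, auth_results)

def dmarc_alignment(raw_message):
    """Report whether any passing DKIM/SPF domain aligns with the From: domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    auth = " ".join(msg.get_all("Authentication-Results", []))
    dkim = passing_domains(auth, "dkim", "header.d")
    spf = passing_domains(auth, "spf", "smtp.mailfrom")
    def aligned(d):
        return org_domain(d) == org_domain(from_domain)
    return {
        "from_domain": from_domain,
        "dkim_pass_domains": dkim,
        "spf_pass_domains": spf,
        "dkim_aligned": any(aligned(d) for d in dkim),
        "spf_aligned": any(aligned(d) for d in spf),
    }
```

A "dkim=pass" with no aligned domain is exactly the case described above; alerting on that condition (rather than on authentication failure alone) is what catches brand-spoofing mail sent through legitimate relays.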

Related Stories

Identity Abuse and Credential Misuse as the Primary Initial Access Vector

Recent threat intelligence reporting indicates **identity-based attacks** (credential theft, social engineering, and misuse of legitimate access) are now the dominant driver of initial compromise, increasingly outpacing exploitation of software vulnerabilities. A *Unit 42* report cited by SC Media attributes **65% of initial access** to identity techniques versus **22%** to vulnerabilities, and notes accelerating attacker tempo—down to **72 minutes** from initial access to data exfiltration in the fastest observed cases—alongside growing cross-surface intrusions where **87%** of incidents span multiple environments (endpoints, cloud, SaaS, and identity systems). The report also highlights the **browser** as a key battleground (involved in **48%** of attacks) and a sharp rise in **SaaS supply-chain** abuse (nearly **4x** since 2022), including the use of **OAuth tokens** and **API keys** for lateral movement. Separately, Google Threat Intelligence Group commentary on the **defense industrial base (DIB)** describes adversaries shifting beyond classic espionage toward operations intended to **disrupt production capacity** and **compromise supply chains**, with **identity** increasingly treated as the “new security boundary” across the broader defense ecosystem (from prime contractors to smaller dual-use suppliers). The DIB focus underscores that credential-driven access and downstream supply-chain compromise can have strategic impact beyond data theft, including staging access for future contingencies and enabling ransomware/extortion that indirectly degrades defense supply availability.

4 weeks ago
Identity-Driven Intrusions Fueled by Infostealer Credentials and MFA-Aware Phishing

Threat actors are increasingly achieving initial access through **identity compromise** rather than software exploitation, with infostealer malware and phishing infrastructure supplying large volumes of valid credentials for automated login attempts against enterprise authentication front doors. Defused Cyber reported a large-scale credential-stuffing campaign targeting **F5 BIG-IP** and other SSO-adjacent services (including **ADFS**, **STS**, and **OWA**), where honeypots observed high-confidence corporate email/password pairs being submitted at scale from `219.75.254.166` (OPTAGE Inc., Japan). Correlation against Hudson Rock’s infostealer telemetry indicated the majority of observed credentials were harvested from **infostealer-infected employee endpoints**, suggesting a pipeline from endpoint infection to external SSO gateway intrusion attempts impacting major enterprises and public-sector entities. In parallel, Datadog Security Labs documented the evolution of the **1Phish** kit into an operationally mature, **MFA-aware** phishing framework targeting *1Password* users, shifting from simple credential capture to multi-stage workflows that explicitly collect **2FA codes**—consistent with real-time authentication attempts even without confirmed reverse-proxy session hijacking. Broader incident-response telemetry in Sophos’ Active Adversary Report reinforces the same trend: **identity-related techniques** (compromised credentials, brute force, phishing) accounted for a majority of observed root causes, and attackers often pivot quickly to **Active Directory** after initial access. A separate finance-sector “2026” threat landscape post is largely high-level and does not add specific, verifiable details to the infostealer/SSO or 1Phish activity described elsewhere.
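The credential-stuffing pattern above (one source submitting many different leaked email/password pairs against SSO front doors such as ADFS and OWA) has a distinctive shape in authentication logs: high username fan-out from a single IP in a short window, rather than many passwords for one user. The following is an added example, not Defused Cyber's or Hudson Rock's code, that detects that shape over constructed log lines; the log format is assumed, and the source IP is the one cited in the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway log lines (not real honeypot data). Assumed format:
# ISO timestamp, source IP, target service, username, result.
SAMPLE_LOG = """\
2026-03-10T08:00:01Z 219.75.254.166 adfs alice@corp.example FAIL
2026-03-10T08:00:02Z 219.75.254.166 adfs bob@corp.example FAIL
2026-03-10T08:00:04Z 219.75.254.166 owa carol@corp.example SUCCESS
2026-03-10T08:00:05Z 219.75.254.166 adfs dave@corp.example FAIL
2026-03-10T08:00:07Z 219.75.254.166 adfs erin@corp.example FAIL
2026-03-10T08:00:09Z 219.75.254.166 owa frank@corp.example FAIL
2026-03-10T08:01:00Z 10.20.30.40 adfs alice@corp.example FAIL
2026-03-10T08:01:30Z 10.20.30.40 adfs alice@corp.example SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse(log_text):
    """Turn log lines into (timestamp, ip, service, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort
        ts, ip, service, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, service, user, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag IPs that try >= min_users distinct usernames within `window`.
    A single user failing repeatedly (brute force, or a typo) does not trigger."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            users = {e[3] for e in span}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {"distinct_users": len(users),
                        "services": sorted({e[2] for e in span}),
                        "successes": sorted({e[3] for e in span if e[4] == "SUCCESS"})}
        if best:
            alerts[ip] = best
    return alerts
```

The "successes" field is the action item: any account that authenticated from a flagged source needs a credential reset and session revocation, since those are the pairs that came out of an infostealer log.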

2 weeks ago

Recent Surge in Infostealer and Credential Theft Tactics

Threat actors have significantly escalated the use of information-stealing malware and credential theft techniques, leveraging new methods to bypass traditional security controls and exploit human vulnerabilities. Flashpoint reports an 800% increase in infostealer-driven credential theft in 2025, with over 1.8 billion accounts compromised globally. Attackers are neutralizing Windows' Mark of the Web (MotW) protections using drag-and-drop lures, exploiting vulnerabilities, and targeting alternative software to evade detection. The rise of session token theft is also enabling attackers to bypass multi-factor authentication (MFA), as tokens stored in browsers are increasingly targeted and sold on underground markets, often escaping detection by network-focused security tools. The evolving threat landscape is further complicated by the proliferation of infostealer malware, which has become a primary entry point for enterprise breaches. Security experts emphasize the need for organizations to look beyond malware signatures and focus on deceptive initial access vectors, such as malicious scripts, third-party supply chain risks, and user manipulation. Effective defense now requires monitoring browser behavior, treating client-side security as a core responsibility, and understanding the full identity attack surface to counteract these sophisticated evasion tactics.

2 months ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.