Cyber threats are undergoing a fundamental shift in how they operate. Account compromise and identity-based threats are now the dominant attack vector in cybersecurity, and the window to detect and respond has collapsed to minutes.
For just $200-300 per month, any aspiring cybercriminal can subscribe to a Phishing-as-a-Service (PhaaS) platform that bypasses multi-factor authentication (MFA) and hands off compromised accounts to threat actors who begin exploitation within 14 minutes of credential theft.
This new reality comes from the latest threat research conducted by the eSentire Threat Response Unit (TRU), which analyzed thousands of incidents across our global customer base throughout 2025.
Account compromise surged 389% year-over-year and now represents 50% of all threats. When attackers possess legitimate credentials, they bypass your defenses entirely, achieve 85% intrusion success rates, and move from initial access to active exploitation faster than traditional security operations can detect and respond.
For CISOs, this shift implies that traditional security models built around perimeter defense, next-day log reviews, and business-hours security operations are structurally insufficient against adversaries who operate continuously with valid credentials.
This creates an existential challenge for security programs wherein the speed of modern attacks has outpaced the speed of traditional defense. Organizations must make a critical strategic decision; either restructure security operations to match adversary speed with 24/7 monitoring, AI-driven behavioral detection, and immediate response capabilities, or accept that they will consistently discover compromises only after significant damage has occurred.
Based on threat and incident data from eSentire's 2,000+ global customers, we cover the following seven key findings in this blog that highlight the most critical threats security leaders must address immediately, and the defensive strategies required to operate at the speed the threat landscape now demands.
Key Stat #1: Account Compromise Surged 389% and Now Represents 50% of All Threats
Credential access and account compromise dominated the 2025 threat landscape, representing over 50% of all observed threats with a staggering 389% year-over-year increase. This reflects a strategic shift by threat actors: why exploit vulnerabilities when you can simply log in with valid credentials?
PhaaS platforms account for 63% of all account compromise incidents. These subscription services leverage Adversary-in-the-Middle (AitM) techniques to intercept credentials and session tokens in real-time, primarily targeting cloud services like Microsoft 365.
What's more, threat actors begin active exploitation within an average of 14 minutes of credential theft.
In addition, email-initiated account compromises rose from to 54.8% in 2025, a 110% year-over-year increase. TRU's analysis found that 28% of Business Email Compromise (BEC) cases were traced back to PhaaS services like Tycoon2FA and FlowerStorm, demonstrating how stolen credentials quickly convert to financial fraud.
Traditional MFA provides little protection against Adversary in the Middle (AitM) phishing techniques that capture both MFA codes and session tokens. Therefore, organizations need real-time identity threat detection and response capabilities that detect credential misuse as it happens.
We recommend implementing an Identity Threat Detection and Response (IDTR) strategy that addresses this threat through:
- Real-time credential misuse detection using identity-based behavioral analytics and machine learning
- Continuous monitoring of authentication patterns, geolocation anomalies, and session tokens
- 24/7 analysis of identity systems including Active Directory, Azure AD, and cloud service providers
- Immediate response capabilities including session termination, account isolation, and credential resets
The speed of credential-based attacks demands security operations that match attacker velocity. Waiting until next-day log reviews means giving adversaries hours of uncontested access.
Key Stat #2: Valid Credentials Achieve an 85% Intrusion Ratio with Attackers Moving in 14 Minutes
Once threat actors obtain valid credentials, they successfully progress beyond initial access 85% of the time. Attackers with valid credentials bypass perimeter defenses entirely, and from the perspective of most security systems, their activity appears legitimate.
In other words, threat actors no longer need to break in; they can simply log in.
TRU documented cases where attackers moved from initial authentication to data exfiltration, lateral movement, and ransomware deployment within hours. Organizations relying on next-day log reviews or weekly threat hunts are structurally disadvantaged against adversaries who operate continuously.
Moreover, supply chain and trusted relationship attacks demonstrated the same 85% intrusion ratio. TRU observed ransomware operators abusing SonicWall SSL VPN credentials belonging to third-party MSPs, providing immediate privileged access to victim networks – no exploitation required – just legitimate login credentials from a trusted partner.
We recommend partnering with a 24/7 Managed Detection and Response (MDR) partner who has a fully deployed AI-driven security operations platform to provide:
- Continuous monitoring with immediate response authority
- Behavioral anomaly detection across high-volume telemetry
- Cross-platform correlation of authentication logs, network traffic, and endpoint activity
- Automated containment capabilities including account isolation and network segmentation
Key Stat #3: Email Bombing and IT Impersonation Attacks Surged 14x YoY, Specifically Impacting the Legal Industry
Social engineering has scaled beyond human-paced attacks. Email bombing combined with IT impersonation surged from 4 observed cases to 60 cases by year-end, a 1,450% increase and the largest growth of any threat category. These attacks achieve a 72% intrusion ratio.
The attack pattern follows two stages: First, attackers flood target inboxes with spam, creating a manufactured crisis. Second, they contact victims via Microsoft Teams (using compromised accounts from other organizations in 80% of cases) posing as IT support to "resolve" the problem.
Once victims grant remote access, the path to ransomware deployment is measured in hours. After establishing contact through Microsoft Quick Assist, threat actors deploy secondary RMM tools and, in severe cases, escalate to Black Basta ransomware.
We recommend addressing this threat with a 24/7 multi-layered cyber defense strategy with:
- Behavioral analytics identifying unusual email volume spikes and Teams activity patterns
- Real-time RMM tool monitoring with approval workflows for legitimate IT support tools
- Integration across security domains correlating email anomalies with authentication attempts and endpoint changes
- 24/7 SOC response to social engineering indicators
Key Stat #4: ClickFix Browser Attacks Increased Nearly 300% and Now Represent 30% of Malware Delivery
The browser has become the primary battlefield for malware delivery. Attacks involving ClickFix as an initial access vector increased nearly 300%, now representing over 30% of all malware delivery cases.
These attacks contain no malicious files; instead, they manipulate users into executing malicious commands through fake error messages and CAPTCHA prompts.
Users are directed to copy and paste PowerShell or command prompt instructions that appear to resolve a problem but actually download and execute attacker-controlled payloads. This bypasses traditional file-based detection entirely.
Fake browser updates maintained steady momentum at 10-11% of malware cases, led by SocGholish and NetSupport RAT installations. Traffic Distribution Systems like Kongtuke provide sophisticated infrastructure that filters out security researchers and routes victims based on geography or browser fingerprint.
In response, we recommend implementing Endpoint Detection and Response capabilities as well as user activity monitoring to help with:
- Detection of PowerShell, command prompt, or scripting engine launches from browser processes
- Establishment of baselines for normal user activity to flag social engineering compromise
- Monitoring of unusual parent-child process relationships indicating malicious command execution
- Integration with web filtering to identify compromised sites and TDS infrastructure
Key Stat #5: RMM Tool Abuse Exploded 143% as Attackers Exploit the Legitimacy Gap
Threat cases involving RMM tools surged 143% YoY, with distinct tool observations doubling. TRU observed RMMs and RATs deployed alongside other malware 30% of the time for redundant remote access.
The strategic shift is clear: RATs are purpose-built for malicious access and trigger detections, while RMMs like AnyDesk, TeamViewer, and ConnectWise are legitimate IT support tools used daily. An RMM connection doesn't inherently signal compromise, and this ambiguity is precisely the point.
Moreover, TRU's analysis shows that RMMs increasingly appear as initial payloads in browser-based attacks (1.4% of cases) and email-based attacks (0.6% of cases) with the latter representing a significant increase from virtually zero in 2024.
We recommend adapting your governance and monitoring policies to include:
- Application allowlisting with default-deny posture for RMM tools
- Real-time monitoring of approved RMM deployments for unusual usage patterns
- Detection of unauthorized RMM installations with immediate alerting
- Behavioral analytics identifying anomalous activity during RMM sessions
- Integration with identity and endpoint security to correlate RMM connections with authentication and privileged access
Key Stat #6: Information Stealers Increased 30% Despite Law Enforcement Disruption
Threat cases involving infostealers increased 30% in 2025, with 14% more distinct variants detected, demonstrating robust demand despite law enforcement disruption. These tools harvest credentials, session tokens, cryptocurrency wallets, and browser data, feeding directly into the PhaaS ecosystem.
Lumma Stealer maintained dominance while Rhadamanthys displaced Vidar. Modern infostealers are engineered to evade detection through Anti-Malware Scan Interface (AMSI) bypasses, process injection techniques, sandbox detection, and UAC prompt bombing.
The loader-stealer ecosystem reveals many-to-many relationships, with 2-3 different loaders delivering payloads ranging from stealers to RATs to RMMs. The HijackLoader-to-LummaStealer pipeline appeared consistently, indicating strong market preference or deliberate bundling.
We recommend an approach that combines layered endpoint protection with behavioral detection to focus on:
- Detecting process injection techniques, memory-only execution, and AMSI bypass attempts
- Identifying anomalous parent-child process relationships indicating injected code
- Monitoring credential access patterns associated with dumping and browser data extraction
- Network behavior analysis to identify data exfiltration regardless of specific stealer variant
Key Stat #7: Ransomware Operations Rapidly Adopted Identity-Based Access Methods
The most active ransomware groups in 2025, such as Akira, RansomHub, Interlock, BlackBasta, and Sinobi, rapidly adopted identity-based access methods. Social engineering coupled with remote access tooling emerged as the predominant entry point.
Ransomware operators don't develop novel access techniques, but rather they rapidly adopt whatever methods prove effective. Akira affiliates leveraged email bombing techniques pioneered by BlackBasta. ClickFix and SocGholish campaigns served as RansomHub precursors.
TRU engaged in multiple intrusions where privileged MSP accounts in SonicWall VPN appliances provided immediate privileged access to victim networks. Dedicated hosting infrastructure (4VPS) was used by multiple ransomware groups for high-speed data exfiltration.
AI adoption accelerated with GLOBAL GROUP promoting AI-driven ransom negotiations and researchers identifying AI-powered strains with specific coding patterns enabling low-skill actors to produce semi-functional malware.
We recommend using an integrated Continuous Threat Exposure Management (CTEM) and Managed Detection and Response (MDR) strategy that addresses ransomware through:
- Continuous Threat Exposure Management identifying and remediating identity-based attack paths
- 24/7 multi-signal MDR to detect, investigate, and respond to ransomware precursor activities including credential compromise and RMM deployment
- Privileged access management for third-party credentials with time-based controls
- Network segmentation to limit lateral movement and contain compromises
- Backup and recovery validation with regular testing of integrity and procedures
The Strategic Imperative: Operating at the Speed of Modern Threats
The speed of modern attacks has outpaced the speed of traditional defense. Identity compromise accounts for 50% of all cases with a 389% increase. When attackers possess valid credentials, they achieve 85% intrusion ratios and progress from initial access to exploitation in minutes.
Addressing this reality requires a strategic approach integrating multiple capabilities:
24/7 Multi-Signal MDR with AI-Driven Atlas Security Operations Platform detects cyberattacks in real-time and neutralizes them before damage is done. With a 95% alignment to Tier-3 SOC Analysts, eSentire delivers AI you can trust, with expert validated outcomes you can prove.
Identity Threat Detection and Response provides real-time credential misuse detection, continuous authentication monitoring, and immediate response capabilities operating 24/7 at the speed attackers move.
Continuous Threat Exposure Management (CTEM) identifies and remediates identity-based vulnerabilities, manages third-party risks, and validates security controls against real-world techniques.
Organizations that build these integrated capabilities will contain incidents before they become breaches. Those that continue to rely on traditional architectures will learn through costly experience: in 2026, the battleground is identity, the timeline is minutes, and half-measures are insufficient.
Download the Full eSentire 2026 Annual Cyber Threat Report
The statistics presented here represent only a fraction of the threat intelligence and actionable recommendations contained in eSentire's complete 2025 Year in Review, 2026 Threat Landscape Outlook Report.
The full report provides comprehensive threat actor analysis, detailed malware profiles, industry-specific trends, and technical recommendations for detection, response, and remediation.
Understanding the threat landscape is the first step. Building the capabilities to defend against it is what separates organizations that contain incidents from organizations that experience breaches.
To learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.
GET STARTEDABOUT THE AUTHOR
Mitangi Parekh Content Marketing Director
As the Content Marketing Director, Mitangi Parekh leads content and social media strategy at eSentire, overseeing the development of security-focused content across multiple marketing channels. She has nearly a decade of experience in marketing, with 8 years specializing in cybersecurity marketing. Throughout her time at eSentire, Mitangi has created multiple thought leadership content programs that drive customer acquisition, expand share of voice to drive market presence, and demonstrate eSentire's security expertise. Mitangi holds dual degrees in Biology (BScH) and English (BAH) from Queen's University in Kingston, Ontario.