The biggest threat to your business may no longer be malware or ransomware. It’s your people. Or rather, their identities.
Between 2023 and the first quarter of 2025, identity-driven threats surged by 156%, now accounting for 59% of all confirmed cyber incidents, according to new research by eSentire’s Threat Response Unit (TRU). The findings mark a fundamental shift in how attackers gain access to organizations.
Instead of breaking in, they log in.
Where traditional attacks targeted software flaws or exposed ports, today’s adversaries are choosing the path of least resistance: valid user credentials. Often stolen. Sometimes bought. Occasionally given away.
Phishing-as-a-Service (PhaaS) operations like Tycoon2FA have made this easier than ever. For a few hundred dollars a month, cybercriminals can rent turnkey services that harvest credentials and bypass multi-factor authentication using Adversary-in-the-Middle (AitM) techniques. These tools intercept login details and session tokens in real time, handing threat actors the keys to the kingdom — often before the victim even notices.
These credentials don’t sit idle.
They are sold in underground marketplaces that operate more like e-commerce platforms than dark web bazaars. Credentials are categorized, priced, and searchable. Business email accounts fetch a premium. Financial logins go quickly. Admin credentials fly off the “shelf”.
Infostealers play a central role here. No longer crude keyloggers, these malware variants extract browser-stored passwords, VPN configs, SSH keys, and token-based authentication data. Malware families like Lumma Stealer have been optimized for scale, offering dashboard filters to prioritize high-value data. The model is efficient. Infection to monetization takes hours, not days.
TRU reports that information stealers now account for over a third of all malware cases in 2025. Their impact cuts across sectors, but Business Services, Software, and Manufacturing are among the hardest hit. Not just because they’re frequent targets, but because they often lack visibility across their full IT footprint.
That’s where blind spots come in.
Many breaches begin on unmanaged devices (personal laptops, test servers, legacy endpoints) that aren’t monitored by standard security controls. Credentials stolen from these machines allow attackers to blend in. They can log in through corporate VPNs, mimic legitimate users, and sit undetected for days or weeks, until it’s too late.
One case highlighted by TRU shows how a threat actor purchased credentials from a dark web market, accessed a network using the company’s VPN, and deployed ransomware, all before the victim realized anything was wrong. The attacker exploited a simple gap: the organization wasn’t logging VPN access.
These gaps aren’t rare; they’re structural.
Third-party access is another open door. Compromises of Managed Service Providers (MSPs) have allowed attackers to gain privileged access to dozens or even hundreds of customer networks. Remote Monitoring and Management (RMM) tools become force multipliers, turning one compromise into many.
The pattern is clear. Modern cyberattacks are increasingly identity-first. They are no longer just technical breaches, but abuses of trust.
Entities are responding by rethinking their approach. TRU recommends a move toward Zero Trust architectures with real-time risk-based authentication. That includes replacing traditional MFA with phishing-resistant methods like passkeys and FIDO2, enforcing strict device compliance, and implementing context-aware access controls. Detection also needs a reboot.
Static rules won’t catch credential abuse in time. Instead, companies need centralized authentication logs, behavioral baselining, ASN-based threat intelligence, and anomaly detection that goes beyond geo-velocity. When a user logs in from two countries an hour apart, that’s a flag. But so is a familiar login pattern from an unfamiliar device or location.
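One way to turn those signals into detection logic, as an added example that is not part of the eSentire report or this article: a small Python checker that runs geo-velocity, per-user device and country baselines, and an ASN lookup over constructed login events. The events and the risky-ASN list are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (user, ISO timestamp, country, device id, source ASN).
# They are invented for this example and are not real log data.
EVENTS = [
    ("alice", "2025-04-01T08:00:00", "US", "laptop-a1", 7922),
    ("alice", "2025-04-02T08:05:00", "US", "laptop-a1", 7922),
    ("alice", "2025-04-03T08:10:00", "US", "laptop-a1", 7922),
    ("alice", "2025-04-05T09:00:00", "US", "laptop-a1", 7922),
    ("alice", "2025-04-05T09:40:00", "DE", "laptop-a1", 3320),   # 40 minutes later, another country
    ("bob",   "2025-04-01T10:00:00", "US", "laptop-b7", 7922),
    ("bob",   "2025-04-02T10:05:00", "US", "laptop-b7", 7922),
    ("bob",   "2025-04-03T10:02:00", "US", "laptop-b7", 7922),
    ("bob",   "2025-04-05T10:30:00", "US", "vm-x99",    64512),  # usual time and country, unknown device
]
# Assumption: ASNs tagged by threat intel (e.g. hosting or VPN providers); a private-range ASN stands in here.
RISKY_ASNS = {64512}


def detect(events, baseline_min=3, travel_window=timedelta(hours=1), risky_asns=RISKY_ASNS):
    """Return (user, timestamp, [reasons]) for every login that trips at least one rule."""
    history = defaultdict(list)  # per-user prior logins as (when, country, device), oldest first
    findings = []
    for user, ts, country, device, asn in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        prior = history[user]
        reasons = []
        if prior:
            last_when, last_country = prior[-1][0], prior[-1][1]
            # Geo-velocity: two different countries inside the travel window.
            if last_country != country and when - last_when < travel_window:
                reasons.append("impossible_travel")
        if len(prior) >= baseline_min:
            # Behavioral baseline: only judge "unfamiliar" once enough history exists.
            if device not in {p[2] for p in prior}:
                reasons.append("new_device")
            if country not in {p[1] for p in prior}:
                reasons.append("new_country")
        if asn in risky_asns:
            reasons.append("risky_asn")
        if reasons:
            findings.append((user, ts, reasons))
        prior.append((when, country, device))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in detect(EVENTS):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Bob's last login is the case the article calls out: same country and time of day as always, flagged only because the device is new and the source ASN is on the watch list.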
Speed is key. TRU urges organizations to cut response times for identity-related threats to under an hour. That means automated triggers, faster containment, and coordinated playbooks across identity, security, and legal teams.
Because once a credential is stolen, the clock starts ticking.
Attackers don’t need to break in anymore. They just need to be let in, by someone who looks like they belong.
Identity is the New Perimeter
James Maude, Field CTO at BeyondTrust, says this report is a great example of how identity is the new perimeter, with attackers simply logging in rather than hacking in. “The significant increase in Adversary-in-the-Middle (AitM) attacks demonstrates how reliant many organizations are on weaker, non-phishing-resistant forms of MFA that are vulnerable to session hijacking, or, worse, use no MFA at all. The real danger is often the privileges and access the compromised identity has, as one identity could have access to dozens of systems or accounts, each with their own privileges and risks.”
A Wake-up Call
Maude calls this a “wake-up call to not only think about how those identities are secured but what access and privileges they have, in order to remove standing privileges and reduce the risk of compromise. Many organizations struggle to take a holistic view of identity, which prevents them from understanding the risks and the “blast radius” associated with any given identity.” In the race to the cloud, he says, organizations have become overwhelmed with managing the privileges of their identities; as they have added cloud infrastructure and SaaS applications, a complex web of paths to privilege has formed, vastly increasing the identity attack surface. “By thinking in graphs, attackers are quick to take a compromised identity and exploit these often-hidden paths to privilege to inflict significant harm. Meanwhile the defenders are often stuck in silos without an identity-centric approach to security.”
Challenging Traditional Security Controls
According to Maude, many of the identity attack vectors are challenging traditional security controls, from push- or TOTP-based MFA that allows a session to be hijacked to infostealers and initial access brokers that provide browser fingerprints and IP information to evade network access controls. “This is why it is vital for organizations to think about zero trust and least privilege approaches to identity security to proactively reduce their attack surface. As an industry we have become overly reliant on detection, and identity threats are exploiting this by being almost indistinguishable from the real user until it is too late. This is why having visibility and control over the paths to privilege of your identities, in order to reduce them and mitigate risk, is vital.”
Identity threats are only going to increase, and organizations that don’t have a holistic approach to uncovering, managing, and protecting their identity attack surface are going to suffer the most, Maude adds. “Ask yourself this: do you know which identities present the greatest overall risk to your organization? The answer just might surprise you.”
A Cat and Mouse Game
Will Bailey, Senior Cyber Defender at Ontinue, says: “With the rise of a lucrative underground economy powered by Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA, even low-skilled threat actors can now gain initial access without exploiting technical vulnerabilities. As a result, phishing and identity-based attacks have become a persistent cat-and-mouse game between attackers and defenders. This underscores the critical need for a 24/7 Managed Detection and Response (MDR) service that includes identity threat detection and response, enabling organizations to revoke session tokens and terminate active sessions in real time.”
Accessible to Anyone
J Stephen Kowski, Field CTO at SlashNext, says: “What’s particularly concerning is how these phishing-as-a-service (PaaS) platforms have made sophisticated attacks accessible to anyone with a few hundred dollars, essentially democratizing cybercrime. The real game-changer here is that traditional security measures like multi-factor authentication are being bypassed through session token replay attacks, which means organizations need to think beyond just adding more authentication layers.”
Kowski adds that companies should focus on real-time threat detection that can spot malicious URLs and suspicious communications before they reach employees’ inboxes, combined with proactive protection that analyzes threats at the moment of click – especially since infostealers are specifically targeting the passwords many people conveniently store in their browsers.
An Attractive Option for Malefactors
Phishing-as-a-Service (PhaaS) criminal organizations provide a platform for others to use to conduct phishing attacks, adds Thomas Richards, Infrastructure Security Practice Director at Black Duck. “They often come with support and claims of bypassing anti-phishing controls along with spam detection. This is an attractive option for malicious actors with limited technical skill or resources who can pay for access to the services. These are often not very sophisticated and come with generic templates to steal credentials from popular platforms, but they still pose a risk if your email address is included in their campaign.”
To avoid falling victim to these attacks, Richards advises not clicking links or opening attachments from a sender you are not familiar with or were not expecting an email from. “They will often pretend to be an invoice or say there was an error in payment and direct you to enter your credentials to fix the issue. Double check the web site address, as they will often clone Microsoft 365 or Google login pages. We have seen recent cases where major tech companies have partnered with law enforcement to shut down the infrastructure used by cyber-criminal organizations such as PhaaS. With this continued cooperation, these malicious actors who sell the services can be made less effective.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.