
Your Password Just Became Worthless: Why Hackers Are Winning the Authentication War

New research reveals threat actors are bypassing advanced security systems by targeting the weakest link: human credentials

Cybercriminals have dramatically shifted their attack strategies, with identity-based threats skyrocketing 156% between 2023 and 2025, according to new threat intelligence from eSentire's Threat Response Unit. 

According to eSentire's report, these attacks now represent 59% of all confirmed cybersecurity incidents in the first quarter of 2025, marking a fundamental transformation in how adversaries approach organisational targets.

The surge reflects criminals' recognition that stealing valid user credentials provides easier access to valuable corporate assets than exploiting technical vulnerabilities in systems. Rather than investing time in complex code exploits, threat actors are now purchasing ready-made phishing services for as little as $200-300 monthly through "Cybercrime-as-a-Service" platforms.

Phishing-as-a-Service Platforms Democratise Advanced Attacks

Leading this transformation is Tycoon2FA, a sophisticated phishing platform that accounts for 58% of observed account compromises. These services employ "Adversary-in-the-Middle" techniques that can intercept and replay authentication tokens, effectively bypassing traditional multi-factor authentication within minutes of credential theft.
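Why a replayed token defeats one-time codes but not an origin-bound credential is easiest to see in the verifier. The following is an added illustration, not code from eSentire or from the report: a relying party checks a WebAuthn assertion's client data and authenticator data against the origin and RP ID it expects (`login.example.com` and the challenge value are assumed placeholders), and beside it a shared-secret OTP check that has no notion of where the code was typed. Signature verification, which follows these checks in a real verifier, is left out to keep the binding checks in focus.

```python
import base64
import hashlib
import hmac
import json

# Assumed relying-party identity for this example.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as used in WebAuthn clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_webauthn_assertion(client_data_json: bytes, authenticator_data: bytes,
                              expected_challenge: bytes) -> bool:
    """Return True only if the assertion is bound to our origin, RP ID and challenge.

    The origin field is written by the browser from the page's actual location, and the
    rpIdHash is computed by the browser from the domain the page was served on. A proxy
    hosted on a look-alike domain cannot produce values that pass either check.
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    # The challenge must be the one this server issued for this login attempt.
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False
    # Exact string comparison: scheme, host and port all count.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False
    # First 32 bytes of authenticator data are SHA-256 of the RP ID the browser used.
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(authenticator_data) < 37 or not hmac.compare_digest(authenticator_data[:32], rp_id_hash):
        return False
    return True


def verify_otp(submitted: str, expected: str) -> bool:
    """A shared-secret one-time code is just a string; it verifies wherever the user typed it."""
    return hmac.compare_digest(submitted.encode(), expected.encode())


# Helpers that build the two inputs a browser would hand back (constructed test data).
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    flags = b"\x05"                      # user present + user verified
    counter = (1).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode()).digest() + flags + counter


def demo() -> dict:
    challenge = b"\x11" * 32             # constructed server-issued challenge
    genuine = verify_webauthn_assertion(
        make_client_data(EXPECTED_ORIGIN, challenge), make_auth_data(RP_ID), challenge)
    # Same user, same authenticator, but the page was served from a look-alike domain.
    proxied = verify_webauthn_assertion(
        make_client_data("https://login-example.com", challenge),
        make_auth_data("login-example.com"), challenge)
    # The OTP check cannot tell the two situations apart.
    otp_any_site = verify_otp("482913", "482913")
    return {"genuine": genuine, "proxied": proxied, "otp_any_site": otp_any_site}


if __name__ == "__main__":
    print(demo())
```

The contrast is the whole point: the OTP verifier accepts the code no matter which site collected it, while the WebAuthn verifier rejects an assertion whose origin or RP ID hash does not match, even though the user, authenticator and challenge are otherwise identical.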

Anatomy of a Tycoon2FA Campaign (image: eSentire)

"The economic model is compelling for threat actors: low barrier to entry with exceptionally high return potential," the report states. 

Information stealer malware has evolved alongside these services, now representing 35% of all disrupted malware threats while harvesting browser passwords, password manager databases, and VPN configurations.

Underground Markets Fuel Rapid Monetisation

Stolen credentials are immediately sold through sophisticated underground marketplaces that operate like legitimate e-commerce platforms. These markets automatically categorise and price stolen identities based on perceived value, with business email accounts commanding premium pricing.

The timeline from credential theft to active fraud has compressed dramatically. eSentire's analysis shows threat actors now move from stealing credentials to executing business email compromise attacks within hours, compared to the days or weeks typical of previous attack patterns.

Traditional Security Models Prove Inadequate

The research exposes critical blind spots in organisational security architectures. Unmanaged devices, shadow IT infrastructure, and third-party partnerships create attack surfaces invisible to traditional security controls. In one documented case, threat actors used credentials purchased from underground markets to access corporate networks via VPN services, ultimately deploying ransomware before detection.

"Traditional security models built around perimeter defense and endpoint protection are fundamentally insufficient against adversaries who possess valid credentials," the report concludes.

Immediate Action Required

Security experts recommend that organisations immediately implement phishing-resistant authentication methods such as FIDO2/WebAuthn for high-value accounts, while deploying comprehensive monitoring for authentication anomalies. eSentire's report emphasises that waiting for traditional incident response timelines is no longer viable when attackers can complete their missions within hours of initial compromise.

Organisations must architect security strategies around the assumption that identities will be compromised, requiring continuous authentication verification and rapid response capabilities specifically designed for identity-based threats.
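One concrete form of the "continuous verification" the article calls for is watching what happens to a session after the interactive MFA login, since a replayed token shows up as the same session being used from a different network or client. The following is an added example, not part of the article or eSentire's tooling: it runs two rules over constructed sign-in log lines (the JSON field names, IP addresses and ASNs are made up for the example) and flags a session whose context changes shortly after login, and a session that is used without any recorded login at all.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log lines in a simple JSON-per-line format (not a real product format).
LOG_LINES = [
    '{"ts":"2025-05-06T09:00:00Z","user":"alice","event":"mfa_login","session":"s1","ip":"203.0.113.10","asn":"AS64496","ua":"Chrome/124"}',
    '{"ts":"2025-05-06T09:03:00Z","user":"alice","event":"session_use","session":"s1","ip":"203.0.113.10","asn":"AS64496","ua":"Chrome/124"}',
    '{"ts":"2025-05-06T09:12:00Z","user":"alice","event":"session_use","session":"s1","ip":"198.51.100.7","asn":"AS64500","ua":"python-requests/2.31"}',
    '{"ts":"2025-05-06T10:00:00Z","user":"bob","event":"mfa_login","session":"s2","ip":"192.0.2.5","asn":"AS64501","ua":"Firefox/126"}',
    '{"ts":"2025-05-06T10:30:00Z","user":"bob","event":"session_use","session":"s2","ip":"192.0.2.5","asn":"AS64501","ua":"Firefox/126"}',
    '{"ts":"2025-05-06T11:00:00Z","user":"carol","event":"session_use","session":"s9","ip":"198.51.100.9","asn":"AS64500","ua":"Chrome/124"}',
]

CONTEXT_FIELDS = ("ip", "asn", "ua")


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime timestamp; skip malformed lines."""
    for line in lines:
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue
        yield ev


def detect_session_anomalies(lines, window=timedelta(hours=1)):
    """Return alerts for session activity that does not match its interactive login.

    Rule 1 (session_context_change): within `window` of the MFA login, the same session
    is used from a different IP, ASN or user agent than the one that completed MFA.
    Rule 2 (session_without_login): a session is used but no login for it was ever seen,
    which is what an imported cookie looks like from the server side.
    """
    login_context = {}   # session id -> the mfa_login event that created it
    alerts = []
    for ev in sorted(parse_events(lines), key=lambda e: e["ts"]):
        if ev["event"] == "mfa_login":
            login_context[ev["session"]] = ev
            continue
        if ev["event"] != "session_use":
            continue
        origin = login_context.get(ev["session"])
        if origin is None:
            alerts.append({"rule": "session_without_login", "user": ev["user"],
                           "session": ev["session"], "ip": ev["ip"]})
            continue
        changed = [f for f in CONTEXT_FIELDS if ev[f] != origin[f]]
        if changed and ev["ts"] - origin["ts"] <= window:
            alerts.append({"rule": "session_context_change", "user": ev["user"],
                           "session": ev["session"], "changed": changed,
                           "minutes_after_login": int((ev["ts"] - origin["ts"]).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_anomalies(LOG_LINES):
        print(alert)
```

The rules are deliberately narrow so that a laptop moving between home and office does not fire them: a context change counts only within the window after login, and the user-agent comparison catches the common case where the replaying client is a script rather than a browser. The natural response action for either alert is to revoke the session and force a fresh phishing-resistant login, which is the "rapid response" the article describes.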
