{"id":4137,"date":"2026-01-16T19:37:56","date_gmt":"2026-01-16T19:37:56","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/01\/16\/account-compromise-surged-389-in-2025-says-esentire\/"},"modified":"2026-01-16T19:37:56","modified_gmt":"2026-01-16T19:37:56","slug":"account-compromise-surged-389-in-2025-says-esentire","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/01\/16\/account-compromise-surged-389-in-2025-says-esentire\/","title":{"rendered":"Account Compromise Surged 389% in 2025, Says eSentire"},"content":{"rendered":"
\n
\n

Cyber threat actors went all in on credential theft in 2025, with eSentire reporting a 389% year-over-year rise in account compromise, making up 55% of all attacks observed by the cybersecurity firm.<\/p>\n

The firm\u2019s 2025 Year in Review & 2026 Threat Landscape Outlook Report<\/em>, published on January 15, 2026, showed that credential access represented 75% of the malicious activity observed in the wild by its Threat Response Unit (TRU) over the reported period.<\/p>\n

Two-thirds of it was aimed at conducting account takeovers and another third to deliver phishing campaigns. Microsoft 365 accounts were prime targets, noted eSentire<\/p>\n

Meanwhile, malware continued to be a prime threat, accounting for 25% of threats observed in the wild, but declined by four percentage points compared to 2024 data.<\/p>\n<\/p><\/div>\n

\"Source:
Source: eSentire, Year in Review & 2026 Threat Landscape Outlook Report, \u201cThe Industrialization of Cybercrime: Identities are Under Attack,\u201d January 2026<\/figcaption><\/figure>\n
\n

PHaaS Fueled Business Email Compromise<\/strong><\/h2>\n

The use of valid credentials to spread email-based malicious campaigns was the top initial access vector among incidents experienced by over 2000 of eSentire customers, rising from 37% to 55% of total security incidents year-over-year.<\/p>\n

Most of these attacks stemmed from operations enabled by phishing-as-a-service (PhaaS) kits, which accounted for 63% of all account compromise incidents.<\/p>\n

Additionally, the report noted that threat actors use PhaaS operations like Tycoon2FA, FlowerStorm and EvilProxy to carry out business email compromise (BEC) attacks.<\/p>\n

Spence Hutchinson, senior manager of TRU and lead investigator for the report, highlighted the sophistication of some PHaaS kits. \u201cThese PhaaS kits are not made up of simple templates; they are comprehensive, continuously updated offerings, designed to bypass modern security controls, such as multifactor authentication (MFA). It is the widespread availability and continuous evolution of these PhaaS kits that are fueling the account takeover epidemic that is impacting businesses.”<\/p>\n

While BEC represented less than 10% of malicious activity observed in 2025 \u2013 a 21-percentage point decline compared to 2024 \u2013 it continued to be a top threat for companies, the TRU researchers said.<\/p>\n

\u201cThe hackers can initiate BEC actions, such as creating inbox forwarding rules in as little as 14 minutes, after they have captured a target\u2019s corporate login credentials and session token and successfully entered the target\u2019s IT network,\u201d reads the report.<\/p>\n

Companies in real estate, finance, retail and construction are the sectors most targeted by BEC attacks.<\/p>\n

Key Highlights from eSentire\u2019s 2025 Threat Report<\/strong><\/h2>\n

Other key highlights from the eSentire report included:<\/p>\n