
The explosion of credential‑based attacks forces organizations to prioritize identity security and MFA, reshaping cyber‑risk strategies across all industries.
The eSentire 2025 Year in Review reveals a staggering 389 % jump in account compromise incidents, now representing more than half of all observed attacks. Credential theft has become the dominant technique, accounting for 75 % of malicious activity across the firm’s Threat Response Unit. This shift reflects attackers’ focus on harvesting valid login data rather than deploying traditional malware, a change driven by the high value of cloud‑based services such as Microsoft 365. Organizations that rely heavily on single‑sign‑on or weak password policies are especially exposed, prompting a reassessment of identity‑centric defenses.
At the heart of the credential surge is the rapid commercialization of Phishing‑as‑a‑Service (PHaaS). eSentire reports that PHaaS kits powered 63 % of account‑compromise cases, with tools like Tycoon2FA, FlowerStorm and EvilProxy specifically engineered to evade multifactor authentication. These turnkey services allow low‑skill actors to launch sophisticated business‑email‑compromise (BEC) campaigns within minutes, targeting sectors such as finance, real estate, retail and construction. Although BEC volume fell 21 points year‑over‑year, its high‑value payouts keep it a top concern for executives and auditors alike.
While credential theft surged, traditional malware slipped to 25 % of threats, a four‑point decline from 2024, indicating a partial shift in attacker economics. Nonetheless, certain vectors like the ClickFix lure surged 300 %, fueling new CastleLoader infections. Industry‑specific data shows software firms faced a 15 % rise in incidents, manufacturing a 32 % jump, while legal and hospitality sectors saw modest declines. The mixed landscape underscores the need for layered security—combining robust MFA, continuous phishing awareness training, and behavior‑based detection—to counter both credential‑focused and residual malware threats.