
Attackers have made a decisive switch toward stealthy, identity-centric attacks. Forget breaking in – modern cybercriminals simply log in. And that should be a concern.
According to the IBM X-Force 2025 Threat Intelligence Index, nearly one-third of intrusions in 2024 were initiated not through sophisticated attacks, but through valid account exploitation.
Moreover, phishing-delivered infostealers surged, quietly harvesting credentials to fuel subsequent attacks, while slow patch cycles and unpatched public-facing applications continue to provide gateways for compromise. Let’s dive into that.
Exploitation of Valid Accounts
As noted, 30% of all intrusions in 2024 began with the use of valid account credentials, tied with the exploitation of public-facing applications as the most common initial access vector.
These findings represent a significant shift away from previous, malware-centric attack techniques. Instead of relying on noisy malware, adversaries simply purchase or phish credentials and use them to blend into normal network traffic, allowing them to evade detection and deploy living-off-the-land techniques.
Once inside, attackers can use the stolen credentials to escalate privileges, move laterally, and exfiltrate sensitive data without tripping alerts tuned for malware. According to the IBM report, the thriving “access-as-a-service” market plays a key role in this phenomenon, with cybercriminals selling turnkey phishing kits that run adversary-in-the-middle (AITM) attacks: the kit proxies the real login page, relays the victim’s password and one-time MFA code to the genuine service in real time, and captures the resulting session cookie. That defeats MFA based on one-time codes or push approvals; only phishing-resistant methods (FIDO2/WebAuthn security keys and passkeys, which bind the credential to the legitimate origin) hold up against this kind of relay.
Fortra’s 2025 Email Threat Intelligence report offers further insight into these findings. It revealed that 49% of Q4 2024 credential theft email attacks targeted Microsoft 365 accounts, while only 1% of threats reaching users’ inboxes contained malware. The key takeaway? Traditional malware is old hat – nearly all threats rely on social engineering tactics or stolen credentials.
Surge in Phishing-Delivered Infostealers
As traditional malware becomes easier to detect, cybercriminals are moving towards phishing-delivered infostealer malware. IBM reports an 84% year-on-year increase in weekly infostealer distributions via phishing from 2023 to 2024, with early 2025 data suggesting a staggering 180% uptick.
For attackers, the primary benefit of infostealers is their stealth. They are dropped alongside, or instead of, a persistent backdoor: once executed, they siphon passwords, session tokens, and other credentials directly from the victim’s browsers and applications, often before traditional endpoint detection and response (EDR) tooling can respond. A stolen session token is especially valuable because it lets the attacker step into an already-authenticated session without ever facing the MFA prompt.
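Whether the session cookie came from an AITM kit or from an infostealer, the attacker ends up replaying a session that the victim already authenticated, so there is no new sign-in or MFA event to alert on. What does change is the client presenting the cookie. The following detector, an added example that is not from the IBM or Fortra reports, keys on the session identifier and flags a session that is reused from a different IP address and a different user agent within a short window; the log format, field names, and sample events are constructed for the demo.

```python
"""Flag an authenticated session that reappears from a different client.

Added example, not from the IBM or Fortra reports. The log format and field
names are assumptions, and the events below are constructed, not real
telemetry. "sid" stands in for a hash of the session cookie; "mfa" marks the
event at which the MFA challenge was satisfied by the legitimate user.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line, for the demo only.
SAMPLE_LOG = """
{"ts": "2025-03-04T09:12:03Z", "user": "j.doe", "sid": "a1f3", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/123", "mfa": true}
{"ts": "2025-03-04T09:12:40Z", "user": "j.doe", "sid": "a1f3", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/123", "mfa": false}
{"ts": "2025-03-04T09:19:55Z", "user": "j.doe", "sid": "a1f3", "ip": "198.51.100.77", "ua": "python-requests/2.31", "mfa": false}
{"ts": "2025-03-04T10:02:11Z", "user": "m.ali", "sid": "77c0", "ip": "192.0.2.25", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "mfa": true}
{"ts": "2025-03-04T15:30:00Z", "user": "m.ali", "sid": "77c0", "ip": "192.0.2.26", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "mfa": false}
"""


def parse_events(text):
    """Parse JSON-lines into dicts with real datetimes, oldest event first."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_session_replay(events, window=timedelta(minutes=30)):
    """Return one alert per reuse of a session from a new client within `window`.

    Comparing bare IPs is deliberately crude: a user roaming between networks
    changes address, which is why a user-agent change is required as well.
    In production compare ASN/geolocation and a device or TLS fingerprint
    instead of the raw IP and UA string.
    """
    last_seen = {}        # sid -> (ts, ip, ua) of the most recent use
    mfa_sessions = set()  # sids whose MFA challenge was completed by the user
    alerts = []
    for e in events:
        sid = e["sid"]
        if e.get("mfa"):
            mfa_sessions.add(sid)
        if sid in last_seen:
            prev_ts, prev_ip, prev_ua = last_seen[sid]
            if (e["ip"] != prev_ip and e["ua"] != prev_ua
                    and e["ts"] - prev_ts <= window):
                alerts.append({
                    "user": e["user"],
                    "sid": sid,
                    "first_ip": prev_ip,
                    "second_ip": e["ip"],
                    "second_ua": e["ua"],
                    "seconds_apart": int((e["ts"] - prev_ts).total_seconds()),
                    # True means the attacker never answered an MFA prompt:
                    # the victim did that for them.
                    "mfa_satisfied": sid in mfa_sessions,
                })
        last_seen[sid] = (e["ts"], e["ip"], e["ua"])
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample, only j.doe’s session is flagged: seven minutes after an MFA-backed sign-in from a browser, the same cookie is presented from a different address by a scripting client. m.ali’s session is not flagged even though the address changes, because the client is unchanged; tightening that rule is a tuning decision for your environment.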
Fortra’s report shows how the links that lead to infostealers are being delivered. Nearly one-third of phishing links arrive via docuphishing, in which the link is embedded in a seemingly legitimate document (typically a PDF attachment) rather than in the email body, so the message itself carries nothing for a URL filter to flag. Taken together with the tiny proportion of phishing emails that carry malware at all, this drives home that a small number of malware deliveries is fueling credential-based attacks on a massive scale.
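Because the link lives inside the attachment, catching docuphishing means parsing the document rather than the email. The scanner below is an added example, not code from the Fortra report or its products: it pulls every /URI action out of a PDF, decoding both the literal (...) and hex <...> string forms the format allows, and inflates FlateDecode streams first, since a link annotation tucked inside a compressed object stream is invisible to a plain-text grep. The sample PDF is constructed inside the script (it has no cross-reference table, which the scanner does not need), and the domains in it are fictitious.

```python
"""Extract link targets from a PDF attachment, including links hidden in
compressed streams.

Added example, not from the Fortra report or its products. The sample PDF
and its domains are constructed for the demo.
"""
import re
import zlib

# A PDF string is either a literal (...) with backslash escapes or hex <...>.
# The literal form here does not handle nested balanced parentheses.
_STRING = rb"(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)"
_URI = re.compile(rb"/URI\s*" + _STRING)
_ACTIVE = re.compile(rb"/(Launch|JavaScript|OpenAction)\b")


def _decode_pdf_string(tok: bytes) -> str:
    """Decode one PDF string token (literal or hex) to text."""
    if tok.startswith(b"<"):
        hexdigits = re.sub(rb"\s", b"", tok[1:-1])
        if len(hexdigits) % 2:
            hexdigits += b"0"  # PDF pads a trailing odd digit with 0
        return bytes.fromhex(hexdigits.decode()).decode("latin-1")
    body = tok[1:-1]
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i]
        if c == 0x5C and i + 1 < len(body):  # backslash escape
            i += 1
            n = body[i]
            if n in b"01234567":  # up to three octal digits
                j = i
                while j < len(body) and j < i + 3 and body[j] in b"01234567":
                    j += 1
                out.append(int(body[i:j], 8) & 0xFF)
                i = j
                continue
            out.append({ord("n"): 10, ord("r"): 13, ord("t"): 9}.get(n, n))
        else:
            out.append(c)
        i += 1
    return out.decode("latin-1")


def extract_links(pdf: bytes) -> dict:
    """Return URIs, count of inflated streams, and any active-content actions."""
    segments = [pdf]
    inflated = 0
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            segments.append(zlib.decompress(m.group(1)))
            inflated += 1
        except zlib.error:
            pass  # not Flate-encoded (or encrypted): nothing to inflate
    uris = []
    for seg in segments:
        for tok in _URI.findall(seg):
            uri = _decode_pdf_string(tok)
            if uri not in uris:
                uris.append(uri)
    active = sorted({n.decode() for seg in segments for n in _ACTIVE.findall(seg)})
    return {"uris": uris, "streams_inflated": inflated, "active_content": active}


def build_sample_pdf() -> bytes:
    """Constructed PDF with two link annotations: one in clear text, one as a
    hex string inside a FlateDecode object stream."""
    hidden_uri = b"https://mfa-relay.example/login".hex().encode()
    header = b"6 0 "  # object stream header: object number and offset
    objstm = header + (b"<< /Type /Annot /Subtype /Link /Rect [72 600 300 620]"
                       b" /A << /S /URI /URI <" + hidden_uri + b"> >> >>")
    packed = zlib.compress(objstm)
    return (
        b"%PDF-1.5\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
        b" /Annots [4 0 R 6 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
        b" /A << /S /URI /URI (https://login.micros0ft-docs.example/view\\(1\\)) >> >> endobj\n"
        b"5 0 obj << /Type /ObjStm /N 1 /First " + str(len(header)).encode()
        + b" /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + packed + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    print(extract_links(build_sample_pdf()))
```

The extracted URIs are exactly the indicators you would push to a mail gateway or web proxy. Note that a grep for `http` over the raw file would find only the first link: the second is both hex-encoded and compressed, which is the point of inflating streams before matching.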
Vulnerabilities in Outdated Systems and Slow Patching
While identity-centric attacks are undoubtedly the key theme of the IBM report, we can’t ignore the significance of unpatched vulnerabilities in legacy systems and misconfigured public-facing applications. IBM found that 26% of attacks against critical infrastructure (CI) in 2024 exploited known vulnerabilities in internet-accessible applications, often because CI organizations lag in deploying patches or rely on outdated technology stacks.
According to IBM, over 300,000 unique CVEs have been cataloged since 1993, with nearly 65,000 of them having publicly available exploit code. More alarming still, 60% of the top 10 most-discussed CVEs on dark web forums had weaponized exploits available within two weeks of disclosure, giving attackers a significant head start on defenders.
Fortra’s findings add a further complication for defenders: beyond credential theft, attackers are abusing legitimate services such as e-signature platforms and free developer tools (the latter saw a more than 200% increase in misuse in 2024) to stage phishing campaigns and host payloads on trusted domains, so blocking known-bad domains by reputation alone will not catch them.
How Fortra Can Help
Fortunately, Fortra offers a suite of solutions designed to help you combat the latest cybersecurity challenges and keep attackers at bay.
Fortra Suspicious Email Analysis
Fortra Suspicious Email Analysis combats phishing-delivered infostealers by gathering user-reported suspicious emails, automatically filtering and prioritizing threats, and applying expert human triage leveraging global threat feeds. Once a threat is confirmed, the solution extracts indicators (URLs, hashes, and IP addresses) and immediately pushes them to security controls (mail gateways, web proxies, and firewalls) to block infostealer payloads.
Fortra Security Awareness Training
What’s more, Fortra Security Awareness Training leverages engaging, interactive content, real-world phishing simulations, and data-driven optimization to ensure your staff are equipped to identify, avoid, and report potential phishing emails, so infostealers don’t enter your network in the first place.
Fortra Vulnerability Management
Fortra Vulnerability Management provides risk-based scanning across on-premises, cloud, and container environments, identifying exploitable CVEs and prioritizing remediation based on real-time threat intelligence. What’s more, it delivers highly accurate asset discovery and vulnerability assessment, paired with intuitive dashboards for streamlined patch planning.
At Fortra, our mission is to help organizations increase security maturity while decreasing operational burden. Our vision is a stronger, simpler future for cybersecurity.
Want to find out more about how we achieve that? Click here.