eSentire Warns Businesses: Hackers are After Your Employees’ Account Credentials, as Account Compromise Threats Surge 389% in 2025

WATERLOO, Ontario--(BUSINESS WIRE)--Global cybersecurity solutions provider eSentire today released its 2025 YEAR IN REVIEW, 2026 THREAT LANDSCAPE OUTLOOK REPORT titled: “The Industrialization of Cybercrime: Identities are Under Attack.” One of the most alarming attack trends tracked by eSentire in 2025 was a 389% increase year over year in account compromise identity-based threats.

"Hackers have made it easy for inexperienced threat actors to compromise employees’ corporate accounts and ultimately their organizations, via sophisticated, turn-key criminal operations, such as PhaaS, Malware-as-a-Service, Ransomware-as-a-Service, etc."

Share

In the past year, the attempted theft of corporate account credentials, especially Microsoft 365 accounts, made up 50% of the attacks analyzed by eSentire's security research and elite threat hunting team, the Threat Response Unit (TRU).

Based on threat and incident data from eSentire's 2,000+ global customers, the findings highlight the dramatic rise of Phishing-as-a-Service (PhaaS) offerings as a primary attack vector. Email-initiated account compromises rose from 37% to 55% of total security incidents, with PhaaS-related threats accounting for 63% of all accounts compromised.

"These PhaaS kits are not made up of simple templates; they are comprehensive, continuously updated offerings, designed to bypass modern security controls, such as Multi-Factor Authentication," said Spence Hutchinson, Senior Manager of TRU and lead investigator for the report. "It is the widespread availability and continuous evolution of these PhaaS kits that are fueling the account takeover epidemic that is impacting businesses."

A Profitable End Game for Account Takeovers–Business Email Compromise

The report reveals that threat actors are using PhaaS operations like Tycoon2FA, FlowerStorm and EvilProxy to carry out Business Email Compromise (BEC) attacks. The hackers can initiate BEC actions, such as creating inbox forwarding rules in as little as 14 minutes, after they have captured a target’s corporate login credentials and session token and successfully entered the target’s IT network.

TRU found that companies in the real estate, finance, retail, and construction sectors regularly conduct large financial transactions and are perfect targets for BEC campaigns, where attackers intercept and divert legitimate fund transfers to fraudulent accounts.

BEC attacks continue to be a top threat for companies, as evident by the billions of dollars businesses are losing annually to this threat. The FBI's Internet Crime Complaint Center reported $2.8 billion in losses from BEC attacks in 2024 alone. However, there is progress being made in defending against these attacks.

In 2025, eSentire was able to reduce BEC threats for its customers by 21%. This was not luck; this was pure determination by eSentire’s security defenders to meet the BEC threat head on. eSentire dedicated substantial resources to tracing the BEC attacks back to their root cause and created detections for the different precursors leading to BEC attacks. As such, TRU has been able to successfully detect and shut down many BEC campaigns before the threat actors can even get a foothold into a customer’s network, resulting in a 21% decrease in BEC threats.

Key 2025 Report Findings

• Email bombing combined with IT Help Desk impersonation attacks increased 14x year over year, with companies in the legal industry most targeted.
• Ransomware remained a top threat, particularly targeting Business Services, Construction and Finance sectors, with Akira, RansomHub, Interlock, BlackBasta and Sinobi being the most active groups observed by TRU.
• The ClickFix lure, used as an initial access vector, increased nearly 300% and represents over 30% of all malware delivery cases.
• Malware-related threats continued to be constant, making up 25% of the cyber cases worked by TRU. Information stealer threats were the most prominent among them, increasing 30%, with 14% more distinct stealers detected.
• eSentire customers in the Software industry experienced the most threat cases, showing a 15% year over year increase, followed by Manufacturing with a 32% rise and Business Services with an 8% increase.
• eSentire’s Construction industry customers benefited from a 27% decrease in cyber incidents. They were primarily targeted by BEC, account compromise and credential phishing attacks. Because of the significant strides made by TRU in detecting and shutting down credential phishing and BEC campaigns, eSentire’s Construction industry clients benefited from the significant decrease in cyber incidents.
• Customers in the Legal sector also benefited from fewer cyber incidents in 2025. However, they faced elevated risk from email bombing combined with IT Help Desk impersonation attacks.

"Unfortunately, TRU does not see any of the top threats detailed in this report declining in 2026,” said Hutchinson. “Highly skilled hackers have made it far too easy for inexperienced threat actors to compromise employees’ corporate accounts and ultimately their organizations, via sophisticated, turn-key criminal operations, such as PhaaS, Malware-as-a-Service, Ransomware-as-a-Service, etc. Add these very accessible and easy-to-use services to the capabilities AI technologies can give a threat actor, especially in the areas of malware development, phishing campaigns and deep fakes, and the barrier to entry into the cybercrime business is frighteningly low.”

2026 Threat Landscape Outlook

• AI-produced malware, AI-enhanced phishing and vishing campaigns, and underground LLMs remain threats
• Stealc and Vidar compete to dominate the information stealer market, however they have competition from Cyber Stealer, Amatera Stealer, AMOS Stealer and DarkCloud
• Cyberthreats targeting critical infrastructure, including power grids and water treatment plants, expected to increase
• Recruitment of corporate insiders will accelerate

The full eSentire 2025 Annual Year in Review, 2026 Threat Landscape Outlook Report is available here.

About eSentire
eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries across 35 industries from known and unknown cyber threats by providing Continuous Threat Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization's cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world's most targeted organizations, with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining AI-powered, open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit www.esentire.com and follow @eSentire.