Big Surge In Identity-Driven Cyber Threats

A new report from eSentire, a leading Managed Detection and Response (MDR) provider, has revealed a staggering 156% increase in identity-driven cyber-attacks targeting employee credentials between 2024 and the first quarter of 2025.

The report, titled "Identity-Centric Threats: The New Frontier of Cybercrime," illuminates the growing sophistication of cybercriminals who are increasingly exploiting user identities to gain unauthorised access to critical business assets.

Drawing on data from eSentire’s Threat Response Unit (TRU), the report highlights the alarming rise of phishing-as-a-service platforms and infostealer malware, which have become key tools for threat actors. This article provides a comprehensive summary of the report’s findings, exploring the evolving threat landscape, the tactics employed by cybercriminals, and actionable recommendations for businesses to bolster their cybersecurity posture.

The Rise Of Identity-Driven Attacks

The eSentire report identifies identity-driven attacks as the dominant form of cyber threat in Q1 2025, accounting for 59% of all confirmed incidents handled by the company’s Security Operations Centre (SOC). This marks a significant shift from 2023, when such attacks were less prevalent. The 156% surge is attributed to the increasing accessibility of sophisticated tools like phishing-as-a-service platforms, notably Tycoon 2FA, which enable even low-skilled cybercriminals to bypass multi-factor authentication (MFA) protections. These platforms allow attackers to orchestrate large-scale phishing campaigns with minimal technical expertise, making identity compromise a low-effort, high-reward strategy.

Infostealer malware, another critical component of the threat landscape, has also seen a marked increase in use.

These malicious programs are designed to harvest sensitive credentials, such as login details and session cookies, which are then sold on dark web marketplaces or used to perpetrate further attacks. The report notes that the affordability and availability of these tools have democratised cybercrime, enabling a broader range of actors to target organisations of all sizes.

Key Threat Vectors & Tactics

The report details several prominent tactics employed by cybercriminals to exploit user identities. Phishing remains the primary method, with attackers crafting highly convincing emails and text messages that trick employees into revealing credentials or clicking malicious links. Tycoon 2FA, a phishing-as-a-service platform, has been particularly effective in circumventing MFA by using reverse proxy techniques to intercept authentication tokens in real time. This allows attackers to gain persistent access to compromised accounts, often without immediate detection.

Another concerning trend is the use of trojanized software, such as the incident involving a malicious version of SonicWall’s NetExtender VPN, identified by eSentire’s TRU in June 2025. Such attacks exploit trusted software to deliver malware, further complicating detection efforts. The report also highlights the exploitation of vulnerabilities in widely used systems, such as the critical Citrix NetScaler ADC and Gateway vulnerability (CVE-2025-6543, CVSS score: 9.2), disclosed on 25 June 2025. These vulnerabilities provide attackers with additional entry points to compromise identities and infiltrate networks.

Impact On Businesses

The consequences of identity-driven attacks are profound, often leading to data breaches, financial losses, and significant operational disruptions. The report cites real-world examples, including cases where attackers used stolen credentials to access sensitive systems, deploy ransomware, or exfiltrate proprietary data.

Small and medium-sized enterprises (SMEs) are particularly vulnerable, as they often lack the resources to implement robust cybersecurity measures. However, large organisations are not immune, with high-profile breaches demonstrating that even well-funded security teams can be outmanoeuvred by determined attackers.

The financial impact of these attacks is compounded by the reputational damage and regulatory penalties that often follow.

For instance, breaches involving personal data can lead to significant fines under regulations like the General Data Protection Regulation (GDPR). The report emphasises that the cost of remediation, encompassing incident response, system recovery, and legal fees, can cripple businesses that are unprepared for such incidents.

Recommendations For Mitigation

To counter the rising tide of identity-driven threats, eSentire provides a series of actionable recommendations for organisations. Central to these is the adoption of a multi-layered security approach that combines technology, processes, and employee training. Key recommendations include:

Strengthening Authentication Mechanisms
While MFA remains a critical defence, the report advises organisations to implement phishing-resistant MFA solutions, such as hardware-based tokens or biometrics, to counter advanced phishing techniques like Tycoon 2FA. Regular audits of authentication systems are also recommended to identify and address vulnerabilities.
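The following added example (not from the eSentire report or from any vendor code) models why phishing-resistant MFA defeats the reverse-proxy technique described above: a WebAuthn-style relying party only accepts an assertion whose signed client data names the genuine origin, so a token relayed through a look-alike proxy domain is rejected. The relying-party name, origin, proxy host and the HMAC standing in for the authenticator's key are all constructed assumptions; real WebAuthn uses public-key signatures and CBOR encoding.

```python
import hashlib
import hmac
import json

# Simplified model of a WebAuthn/FIDO2 relying party (RP). An HMAC with a
# per-credential secret stands in for the authenticator's private key so the
# example runs offline; all names and values below are constructed.
RP_ID = "login.example.com"                          # assumed RP identifier
EXPECTED_ORIGIN = "https://login.example.com"        # assumed genuine origin
CREDENTIAL_KEY = b"constructed-authenticator-secret" # constructed sample key

def authenticator_sign(rp_id: str, page_origin: str, challenge: str) -> dict:
    """Model the browser + authenticator. The browser records the origin it is
    actually talking to in clientDataJSON (a real browser would also refuse an
    rp_id that does not match that origin), and the authenticator signs over
    rpIdHash || SHA256(clientDataJSON). A proxy cannot change either afterwards."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # the rpIdHash field
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sig}

def rp_verify(assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """RP-side checks. Origin binding is what defeats a reverse proxy: the
    assertion is only valid for the origin the user's browser really saw."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if assertion["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def legitimate_login(challenge: str) -> tuple[bool, str]:
    """User is on the genuine site: origin and rpIdHash both match."""
    return rp_verify(authenticator_sign(RP_ID, EXPECTED_ORIGIN, challenge), challenge)

def proxied_login(challenge: str) -> tuple[bool, str]:
    """User is on a look-alike proxy that relays the real challenge. The browser
    records the proxy origin, so the relayed assertion fails the origin check."""
    proxy_origin = "https://login-example.com.evil.test"  # constructed phishing host
    return rp_verify(authenticator_sign(RP_ID, proxy_origin, challenge), challenge)
```

Contrast this with a one-time code typed into the proxied page, which carries no origin and is therefore accepted by the real site when the proxy relays it.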

Enhancing Employee Awareness
Human error remains a significant factor in identity-driven attacks, with phishing emails often exploiting employee trust. The report advocates for ongoing cybersecurity training to educate staff on recognising phishing attempts and adhering to best practices, such as avoiding suspicious links and verifying email senders.

Leveraging Advanced Threat Detection
eSentire’s report underscores the importance of 24/7 threat monitoring and response capabilities, such as those provided by MDR services. By integrating Artificial Intelligence (AI) and machine learning, eSentire’s SOC can detect and block threats in real time, minimising the window of opportunity for attackers. The company’s Atlas AI platform, embedded across its Security Operations, enhances threat detection by unifying data from multiple sources and accelerating response times.

Proactive Vulnerability Management
Regular patching and vulnerability management are critical to preventing exploitation of known weaknesses, such as the Citrix vulnerability cited in the report. Organisations should prioritise timely updates to software and systems, coupled with proactive threat hunting to identify potential risks before they are exploited.

The Role Of MDR In Modern Cybersecurity

The report positions MDR services as a cornerstone of effective cybersecurity in the face of identity-driven threats. eSentire’s MDR offerings, which include 24/7 SOC-as-a-Service, unlimited threat hunting, and incident response, provide businesses with the expertise and tools needed to stay ahead of cybercriminals. The integration of AI-driven analytics and human expertise ensures rapid identification and mitigation of threats, reducing the likelihood of business disruption.

Looking Ahead

The eSentire report serves as a stark reminder of the evolving nature of cyber threats and the critical importance of protecting user identities. As cybercriminals continue to refine their tactics, businesses must remain vigilant and proactive in their defence strategies. The 156% surge in identity-driven attacks signals a new frontier in cybercrime, where user credentials are the primary target.

By adopting robust authentication measures, investing in employee training, and partnering with MDR providers, organisations can better safeguard their assets and mitigate the risks posed by this growing threat.

In conclusion, the report highlights the need for a paradigm shift in cybersecurity, moving beyond traditional perimeter-based defences to a focus on identity protection. As eSentire’s TRU continues to monitor and analyse emerging threats, its findings provide a valuable roadmap for businesses seeking to navigate the increasingly complex cyber landscape. 

Image: ktsimage
