Phishing services drive 389% surge in account breaches
eSentire has reported a sharp rise in account compromise as a source of cyber incidents in 2025, with email-led intrusions linked to credential theft taking a larger share of the cases it investigated.
The company's year-end research, based on anonymised security and incident data across more than 2,000 customers, found that account compromise made up 55% of attacks in 2025. The figure marked a 389% increase compared with 2024, according to the report.
eSentire said the attempted theft of corporate account credentials, with a focus on Microsoft 365 accounts, represented around half of the attacks it analysed. The research also pointed to a shift in how attackers gain initial access, with phishing services taking a more central role.
Phishing services
eSentire attributed much of the increase in account compromise to the growing availability of Phishing-as-a-Service offerings. It said email-initiated account compromises rose from 37% to 55% of total security incidents during the year. It also said PhaaS-related threats accounted for 63% of all accounts compromised.
"These PhaaS kits are not made up of simple templates; they are comprehensive, continuously updated offerings, designed to bypass modern security controls, such as Multi-Factor Authentication," said Spence Hutchinson, Senior Manager of TRU and lead investigator for the report.
"It is the widespread availability and continuous evolution of these PhaaS kits that are fueling the account takeover epidemic that is impacting businesses," said Hutchinson.
BEC shift
eSentire linked account takeover activity with Business Email Compromise, a fraud type where attackers use access to corporate mailboxes to divert payments or alter invoices. The company said threat actors use PhaaS operations including Tycoon2FA, FlowerStorm and EvilProxy in BEC campaigns.
It said attackers can begin BEC actions, such as creating inbox forwarding rules, within 14 minutes of capturing login credentials and a session token and gaining access to a network.
eSentire said firms in real estate, finance, retail, and construction face sustained exposure because they run frequent high-value transactions. BEC campaigns often target payment flows and attempt to redirect transfers to fraudulent accounts, it said.
The report cited law enforcement data as a reference point for the scale of the problem. The FBI's Internet Crime Complaint Center reported USD 2.8 billion in losses from BEC attacks in 2024 alone, according to the document.
Despite that broader backdrop, eSentire said BEC threats affecting its customer base fell in 2025. It reported a 21% reduction year on year. The company attributed the change to operational work in tracing campaigns and building detections focused on precursors to BEC activity.
Success rates
The report also broke down "intrusion ratios", which it defined as how often an attack succeeds once initial access occurs. It found that supply chain attacks were the most likely to succeed, with an 85% success rate. It highlighted the Shai Hulud worm as an example of supply chain compromise late in the year.
Voice phishing also ranked as a successful technique in the data, with a 72% effectiveness rate, according to the findings.
Separately, eSentire reported a rise in the use of "valid credential" attacks. It said these attacks increased from 36.9% in 2024 to 54.8% in 2025.
The company also reported a change in how often those credential-based intrusions led to successful compromise. It said valid credential attacks had a 100% intrusion success rate in 2024, and that the figure dropped to 85% in 2025. It attributed the shift to improved tracking of account behaviour, which it said allowed defenders to stop attacks even when attackers logged in with legitimate credentials.
Other vectors
Beyond account compromise, the report described changes in several other attack patterns during the year. It said email bombing combined with IT helpdesk impersonation attacks increased 14 times year on year, with companies in the legal industry most targeted.
Ransomware remained a leading threat in the data, with business services, construction and finance sectors most targeted, according to the report. It listed Akira, RansomHub, Interlock, BlackBasta and Sinobi among the most active groups observed.
The report also flagged growth in malware delivery techniques. It said the ClickFix lure increased nearly 300% and represented more than 30% of all malware delivery cases in the dataset.
Malware-related threats held steady overall and accounted for 25% of the cases handled by eSentire's Threat Response Unit, according to the report. It said information stealer threats were the most prominent malware category and increased by 30% year on year. It also reported the detection of 14% more distinct stealers.
Sector patterns
eSentire said customers in the software industry saw the most threat cases, with a 15% year-on-year increase. It reported manufacturing at a 32% rise and business services at an 8% increase.
It also pointed to variations in incident levels by sector within its customer base. eSentire said its construction customers saw a 27% decrease in cyber incidents in 2025. It said BEC, account compromise and credential phishing were the main attack types targeting that sector.
The company also said customers in the legal sector experienced fewer incidents overall, but faced elevated risk from email bombing combined with IT helpdesk impersonation attacks.
2026 outlook
eSentire said it expects the main threats outlined in the report to continue into 2026. It also pointed to the role of criminal service models, including Malware-as-a-Service and Ransomware-as-a-Service, alongside phishing services.
"Unfortunately, TRU does not see any of the top threats detailed in this report declining in 2026," said Hutchinson. "Highly skilled hackers have made it far too easy for inexperienced threat actors to compromise employees' corporate accounts and ultimately their organizations, via sophisticated, turn-key criminal operations, such as PhaaS, Malware-as-a-Service, Ransomware-as-a-Service, etc. Add these very accessible and easy-to-use services to the capabilities AI technologies can give a threat actor, especially in the areas of malware development, phishing campaigns and deep fakes, and the barrier to entry into the cybercrime business is frighteningly low."
The company's outlook also listed AI-produced malware, AI-enhanced phishing and voice phishing campaigns, and underground large language models as ongoing risks, alongside increased targeting of critical infrastructure and recruitment of corporate insiders.