A new cybersecurity report has revealed a dramatic shift in how attackers are breaching corporate networks, with identity compromise now driving the vast majority of security incidents.
Field Effect's 2026 Cyber Threat Outlook, released March 10, found that more than 80% of incidents investigated by the company in 2025 stemmed from cloud identity compromise. The finding represents a fundamental change in cybercriminal tactics, moving away from traditional vulnerability exploitation.
"In many of the incidents we investigated in 2025, attackers didn't exploit a vulnerability. They logged in using valid credentials," said Earl Fischl, Director of Security Services at Field Effect. "Identity has effectively become the dominant attack surface. Once attackers gain access to trusted accounts, they can blend into normal activity and move through an organization much more easily."
The report, based on Field Effect's managed detection and response telemetry and frontline incident investigations, shows threat actors are increasingly abusing trusted identities, collaboration platforms and enterprise workflows to gain access.
Field Effect investigators documented multiple campaigns exploiting trusted enterprise tools as entry points. In one campaign tracked since September 2025, threat actors impersonated internal IT help desks through newly created Microsoft 365 tenants and used Microsoft Teams voice calls to convince employees to grant Quick Assist remote access.
Once access was granted, attackers executed PowerShell-based tooling to enumerate privileges and deploy additional malware. These identity-driven intrusions frequently led to credential harvesting, lateral movement and ransomware deployment.
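The help-desk impersonation chain above (a Quick Assist session granted to a caller, followed shortly by PowerShell used to enumerate privileges) is something a defender can correlate in endpoint telemetry. The following Python is an added illustration, not code from Field Effect or from the report: it takes constructed process-creation records, remembers when a remote-assistance tool last started for each host and user, and flags any shell launched within a time window of that start, raising the severity when the command line carries enumeration or encoded-command markers. The process names, the event schema and the sample records are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Process names are assumptions; check them against your own telemetry.
REMOTE_ASSIST_TOOLS = {"quickassist.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command-line fragments typical of privilege enumeration or obfuscated launches.
ENUMERATION_MARKERS = ("whoami", "get-localgroupmember", "net localgroup",
                       "-encodedcommand", "-enc ")
WINDOW = timedelta(minutes=30)  # how long after a session start a shell is treated as linked to it


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed schema, not a vendor format)."""
    ts: datetime
    host: str
    user: str
    image: str          # full path of the started executable
    command_line: str


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    ts: datetime
    severity: str       # "high" if enumeration markers are present, else "medium"
    command_line: str


def _exe(path: str) -> str:
    """Normalise a Windows path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(events):
    """Flag shells started within WINDOW of a remote-assistance session on the same host and user."""
    last_session = {}   # (host, user) -> time the remote-assistance tool last started
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        exe = _exe(ev.image)
        key = (ev.host, ev.user)
        if exe in REMOTE_ASSIST_TOOLS:
            last_session[key] = ev.ts
            continue
        if exe not in SHELLS:
            continue
        started = last_session.get(key)
        if started is None or ev.ts - started > WINDOW:
            continue    # no recent remote-assistance session for this host/user
        cl = ev.command_line.lower()
        severity = "high" if any(m in cl for m in ENUMERATION_MARKERS) else "medium"
        alerts.append(Alert(ev.host, ev.user, ev.ts, severity, ev.command_line))
    return alerts


# Constructed sample telemetry: one workstation with a remote-assistance session, one without.
T0 = datetime(2025, 9, 15, 10, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
QA = r"C:\Windows\System32\QuickAssist.exe"   # path assumed
SAMPLE_EVENTS = [
    ProcEvent(T0, "WS-ACCT-07", r"acme\jsmith", QA, "QuickAssist.exe"),
    ProcEvent(T0 + timedelta(minutes=4), "WS-ACCT-07", r"acme\jsmith", PS,
              "powershell.exe -NoProfile -Command whoami /groups"),
    ProcEvent(T0 + timedelta(minutes=6), "WS-ACCT-07", r"acme\jsmith", PS,
              "powershell.exe -Command Get-Date"),
    ProcEvent(T0 + timedelta(minutes=9), "WS-ACCT-07", r"acme\jsmith", PS,
              "powershell.exe -EncodedCommand QQBBAEEA"),          # placeholder payload
    ProcEvent(T0 + timedelta(hours=3), "WS-ACCT-07", r"acme\jsmith", PS,
              r"powershell.exe -File C:\Scripts\backup.ps1"),      # outside the window
    ProcEvent(T0 + timedelta(minutes=2), "WS-DEV-02", r"acme\mlee", PS,
              "powershell.exe -Command Get-Date"),                  # no session on this host
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a.ts:%H:%M} {a.host} {a.user} [{a.severity}] {a.command_line}")
```

Run against the sample data this yields three alerts, all on WS-ACCT-07: the `whoami /groups` and encoded-command launches score high, the `Get-Date` launch inside the window scores medium, and the backup script three hours later and the unrelated host produce nothing. The window and marker list are tuning knobs; a legitimate help-desk session will also trigger the medium tier, which is why the rule is best paired with a ticket or call record confirming the session was expected.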
The report also highlights artificial intelligence's growing role in accelerating cybercriminal operations. Threat actors used AI to produce convincing phishing content, automate reconnaissance and test exploit code more efficiently.
"AI did not necessarily introduce entirely new attack techniques," Fischl said. "What it did was dramatically accelerate the ones attackers were already using, making them faster and easier to scale."
Beyond identity compromise, Field Effect investigators observed persistent attacks targeting edge infrastructure such as VPN appliances, firewalls, and routers. One sustained campaign involved exploitation of SonicWall SSL VPN appliances, where attackers reused previously exposed credentials to authenticate directly into high-privilege systems.
In several cases, these credentials were later leveraged by Akira ransomware operators, demonstrating how attackers can combine credential reuse, delayed patching and exposed edge systems to bypass traditional defenses.
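The SonicWall case turns on a credential that had already been exposed, was never rotated, and still worked on an edge device. The check below is an added example in Python, not Field Effect's tooling: given a list of exposed accounts with the date each credential leaked, the directory's password-last-set dates and MFA status, and the VPN's authentication log, it reports every account that successfully authenticated while still using a credential unchanged since its exposure. All three inputs are constructed samples with assumed schemas.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Exposure:
    """A credential for `account` seen in a leak on `exposed_on` (constructed input)."""
    account: str
    exposed_on: date


@dataclass(frozen=True)
class DirectoryEntry:
    """What the identity store knows about the account (constructed schema)."""
    account: str
    password_last_set: date
    mfa_enrolled: bool


@dataclass(frozen=True)
class VpnLogin:
    """One authentication record from the VPN appliance (constructed schema)."""
    ts: date
    account: str
    success: bool
    src_ip: str


@dataclass(frozen=True)
class Finding:
    account: str
    severity: str   # "critical" if no MFA protects a still-exposed credential, else "high"
    logins: int     # successful VPN logins observed with the stale credential


def stale_exposed_accounts(exposures, directory):
    """Accounts whose password was not rotated after the credential was exposed."""
    by_account = {d.account: d for d in directory}
    stale = {}
    for ex in exposures:
        entry = by_account.get(ex.account)
        if entry is not None and entry.password_last_set <= ex.exposed_on:
            stale[ex.account] = entry
    return stale


def review_vpn_logins(logins, exposures, directory):
    """Report successful VPN logins by accounts still using an exposed credential."""
    stale = stale_exposed_accounts(exposures, directory)
    counts = {}
    for login in logins:
        if login.success and login.account in stale:
            counts[login.account] = counts.get(login.account, 0) + 1
    findings = []
    for account, n in sorted(counts.items()):
        severity = "critical" if not stale[account].mfa_enrolled else "high"
        findings.append(Finding(account, severity, n))
    return findings


# Constructed sample data (account names, dates and addresses are invented).
EXPOSURES = [
    Exposure("vpn-admin", date(2024, 11, 2)),
    Exposure("jsmith", date(2025, 1, 20)),
    Exposure("rpatel", date(2025, 3, 5)),
]
DIRECTORY = [
    DirectoryEntry("vpn-admin", date(2023, 6, 14), mfa_enrolled=False),  # never rotated since leak
    DirectoryEntry("jsmith", date(2025, 2, 1), mfa_enrolled=True),        # rotated after leak
    DirectoryEntry("rpatel", date(2024, 12, 9), mfa_enrolled=True),       # not rotated, but MFA
    DirectoryEntry("mlee", date(2025, 5, 3), mfa_enrolled=True),          # not in any leak
]
VPN_LOGINS = [
    VpnLogin(date(2025, 6, 1), "vpn-admin", True, "198.51.100.23"),
    VpnLogin(date(2025, 6, 2), "vpn-admin", True, "198.51.100.23"),
    VpnLogin(date(2025, 6, 2), "jsmith", True, "203.0.113.8"),
    VpnLogin(date(2025, 6, 3), "rpatel", True, "203.0.113.9"),
    VpnLogin(date(2025, 6, 3), "rpatel", False, "198.51.100.77"),
    VpnLogin(date(2025, 6, 4), "mlee", True, "203.0.113.10"),
]

if __name__ == "__main__":
    for f in review_vpn_logins(VPN_LOGINS, EXPOSURES, DIRECTORY):
        print(f"{f.account}: {f.severity} ({f.logins} successful VPN logins on a stale credential)")
```

On the sample data the rotated account (`jsmith`) and the never-exposed one (`mlee`) drop out, `rpatel` is reported as high because MFA still stands between the leaked password and the VPN, and `vpn-admin` is critical: an unrotated credential, no MFA, and two successful logins. The comparison uses the password-last-set date rather than the password itself, so the check never needs plaintext or leaked hashes on the analyst's side.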
Geopolitical tensions continued to shape cyber activity throughout 2025, according to the report. State-aligned actors intensified espionage and access operations, while ransomware groups and hacktivists increasingly targeted critical infrastructure and public sector organizations.
These overlapping motivations are contributing to a threat landscape where financial, political and strategic objectives increasingly intersect.
"Organizations cannot control an attacker's intent or capabilities," Fischl said. "But they can reduce the opportunities attackers rely on by strengthening identity security, improving visibility across their environments and addressing exposed infrastructure."
Among the report's key findings, geopolitical tensions continued to shape the threat landscape, with state-aligned actors, ransomware groups and hacktivists increasingly overlapping in tactics and infrastructure, and edge infrastructure remained a critical entry point for ransomware and credential-driven attacks.
Trusted platforms like Microsoft Teams, Zoom and Quick Assist were increasingly exploited by attackers to deliver malware and gain privileged access, while generative AI enabled faster phishing development, automated reconnaissance and quicker exploit validation.
The findings underscore the need for organizations to prioritize identity security and implement stronger authentication measures as the cybersecurity landscape continues to evolve around compromised credentials rather than traditional system vulnerabilities.