Source: prnewswire.com

Identity Compromise Behind 80% of Cyber Incidents, Report Shows

Field Effect's 2026 Cyber Threat Outlook reveals that more than 80% of cybersecurity incidents investigated in 2025 stemmed from cloud identity compromise, marking a significant shift in attack strategies. The report shows threat actors are increasingly bypassing traditional exploits by abusing trusted identities and collaboration platforms to gain corporate access.
A new cybersecurity report has revealed a dramatic shift in how attackers infiltrate corporate networks, with identity compromise now driving the vast majority of successful cyber incidents.

Field Effect's 2026 Cyber Threat Outlook found that more than 80% of incidents investigated by the company in 2025 stemmed from cloud identity compromise. The findings highlight how cybercriminals are moving away from traditional vulnerability exploitation toward abusing legitimate user credentials.

"In many of the incidents we investigated in 2025, attackers didn't exploit a vulnerability. They logged in using valid credentials," said Earl Fischl, Director of Security Services at Field Effect. "Identity has effectively become the dominant attack surface. Once attackers gain access to trusted accounts, they can blend into normal activity and move through an organization much more easily."

The report, based on Field Effect's managed detection and response telemetry and frontline incident investigations, reveals that threat actors are increasingly targeting trusted identities, collaboration platforms, and enterprise workflows as their primary attack vectors.

Among the key findings, the report identified a concerning trend of attackers exploiting legitimate enterprise tools to gain initial access. Field Effect investigators tracked multiple campaigns where threat actors impersonated internal IT help desks through newly created Microsoft 365 tenants, using Microsoft Teams calls to convince employees to grant Quick Assist remote access.

Once access was granted, attackers executed PowerShell-based tooling to enumerate privileges and deploy additional malware. These identity-driven intrusions frequently escalated to credential harvesting, lateral movement, and ransomware deployment.
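The help-desk impersonation chain described above (Teams call from an unfamiliar tenant, then Quick Assist, then PowerShell) lends itself to sequence-based detection. The following is an added example, not Field Effect's tooling: it correlates constructed endpoint and Teams telemetry per host, with the field names, process image names, tenant identifiers and 30-minute window all assumed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report): WS-042 receives a Teams
# call from an unrecognised tenant, then launches Quick Assist, then PowerShell;
# WS-017 launches Quick Assist with no preceding external call.
EVENTS = [
    {"ts": "2025-06-03T09:14:02", "host": "WS-042", "user": "jdoe",
     "type": "teams_call", "caller_tenant": "tenant-created-yesterday"},
    {"ts": "2025-06-03T09:17:40", "host": "WS-042", "user": "jdoe",
     "type": "process_start", "image": "QuickAssist.exe"},
    {"ts": "2025-06-03T09:19:05", "host": "WS-042", "user": "jdoe",
     "type": "process_start", "image": "powershell.exe"},
    {"ts": "2025-06-03T11:02:11", "host": "WS-017", "user": "asmith",
     "type": "process_start", "image": "QuickAssist.exe"},
]

# Tenants your own help desk is expected to call from (assumed value).
KNOWN_TENANTS = {"corp-primary-tenant"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def detect_helpdesk_impersonation(events, known_tenants=KNOWN_TENANTS, window=WINDOW):
    """Return (severity, host, user, stage) alerts for the chain
    external Teams call -> Quick Assist -> PowerShell on one host.
    Quick Assist shortly after an external call is medium; PowerShell
    while that session is fresh is high. A Quick Assist launch with no
    preceding external call is emitted as low for triage."""
    alerts = []
    state = {}  # host -> last external call time / last Quick Assist time
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        s = state.setdefault(ev["host"], {"call": None, "qa": None})
        if ev["type"] == "teams_call" and ev.get("caller_tenant") not in known_tenants:
            s["call"] = ts
        elif ev["type"] == "process_start":
            image = ev["image"].lower()
            if image == "quickassist.exe":
                s["qa"] = ts
                if s["call"] and ts - s["call"] <= window:
                    alerts.append(("medium", ev["host"], ev["user"], "quick_assist_after_external_call"))
                else:
                    alerts.append(("low", ev["host"], ev["user"], "quick_assist_launch"))
            elif image == "powershell.exe" and s["qa"] and ts - s["qa"] <= window:
                sev = "high" if s["call"] and ts - s["call"] <= window else "medium"
                alerts.append((sev, ev["host"], ev["user"], "powershell_during_quick_assist"))
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_impersonation(EVENTS):
        print(alert)
```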

The report also highlighted the accelerating role of artificial intelligence in cybercrime operations. Threat actors leveraged generative AI to produce convincing phishing content, automate reconnaissance activities, and test exploit code more efficiently.

"AI did not necessarily introduce entirely new attack techniques," Fischl said. "What it did was dramatically accelerate the ones attackers were already using, making them faster and easier to scale."

Beyond identity compromise, Field Effect investigators documented persistent attacks targeting edge infrastructure, including VPN appliances, firewalls, and routers. One sustained campaign involved exploitation of SonicWall SSL VPN appliances, where attackers reused previously exposed credentials to authenticate directly into high-privilege systems.

In several cases, these compromised credentials were later leveraged by Akira ransomware operators, demonstrating how attackers combine credential reuse, delayed patching, and exposed edge systems to bypass traditional defenses.

The cybersecurity landscape in 2025 was also shaped by converging geopolitical tensions. State-aligned actors intensified espionage and access operations, while ransomware groups and hacktivists increasingly targeted critical infrastructure and public sector organizations.

These overlapping motivations are contributing to a threat environment where financial, political, and strategic objectives increasingly intersect, according to the report.

"Organizations cannot control an attacker's intent or capabilities," Fischl said. "But they can reduce the opportunities attackers rely on by strengthening identity security, improving visibility across their environments and addressing exposed infrastructure."

The findings underscore the urgent need for organizations to prioritize identity security measures and enhance monitoring capabilities across their digital environments. As traditional perimeter defenses become less effective, companies must adapt their security strategies to address the evolving threat landscape where trusted identities have become the primary target.