ESentire-observed account compromise surged 389% in 2025
Trend
Summary
Hide ▲
Show ▼
Account compromise surged 389% year over year in 2025, making it the dominant observed attack pattern and increasing credential theft and account takeover risk across business users. Microsoft 365 accounts were a prime target, and much of the activity was enabled by phishing-as-a-service (PhaaS) kits. The trend matters because it shows credential abuse is driving a large share of current malicious activity and sustaining BEC operations across multiple sectors.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
Microsoft Azure CLI password-spray campaign using ROPC
Campaign
H score24
First: 01.07.2026 08:46
Last: 01.07.2026 08:46
Sources 1
About this happening:
A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Microsoft Azure CLI password-spray campaign using ROPC
CampaignAbout this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend
Trend
H score22
First: 05.06.2026 17:00
Last: 05.06.2026 17:00
Sources 1
About this happening:
**Enterprise users** are showing a sharp rise in **shadow AI**, **credential abuse**, and **browser-native attack exposure**, increasing risk at the browser layer. The trend matte...
Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend
TrendAbout this happening: **Enterprise users** are showing a sharp rise in **shadow AI**, **credential abuse**, and **browser-native attack exposure**, increasing risk at the browser layer. The trend matte...
CypherLoc phishing-led browser scareware campaign
Campaign
H score49
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
CypherLoc phishing-led browser scareware campaign
CampaignAbout this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
H score33
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
Storm-2949 Microsoft 365 and Azure data-theft campaign
CampaignAbout this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
Timeline
-
15.01.2026 02:00 2 articles · 5mo ago
eSentire reports 389% rise in account compromise
Initial DisclosureeSentire's 2025 Year in Review & 2026 Threat Landscape Outlook Report says account compromise rose 389% year over year in 2025, making up 55% of all attacks observed by the cybersecurity firm and 75% of the malicious activity tracked by its Threat Response Unit. The report says credential theft drove most of the activity, Microsoft 365 accounts were prime targets, and phishing-as-a-service kits such as Tycoon2FA, FlowerStorm and EvilProxy enabled account takeovers and business email compromise across sectors including real estate, finance, retail and construction.
Show sources
- Account Compromise Surged 389% in 2025, Says eSentire — www.infosecurity-magazine.com — 16.01.2026 13:40
- Account Compromise Surged 389% in 2025, Says eSentire — www.infosecurity-magazine.com — 16.01.2026 13:40