eSentire-observed account compromise surged 389% in 2025
Target Trend
Summary
Account compromise surged 389% year over year in 2025, making it the dominant observed attack pattern and increasing credential theft and account takeover risk across business users. Microsoft 365 accounts were a prime target, and much of the activity was enabled by phishing-as-a-service (PhaaS) kits. The trend matters because it shows credential abuse is driving a large share of current malicious activity and sustaining BEC operations across multiple sectors.
Related Happenings
CypherLoc phishing-led browser scareware campaign
Campaign
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
QR code phishing surged across email threats in Q1 2026
Target Trend
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
**Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
Timeline
15.01.2026 02:00 2 articles · 4mo ago
eSentire reports 389% rise in account compromise
Initial Disclosure
eSentire's 2025 Year in Review & 2026 Threat Landscape Outlook Report says account compromise rose 389% year over year in 2025, making up 55% of all attacks observed by the cybersecurity firm and 75% of the malicious activity tracked by its Threat Response Unit. The report says credential theft drove most of the activity, Microsoft 365 accounts were prime targets, and phishing-as-a-service kits such as Tycoon2FA, FlowerStorm and EvilProxy enabled account takeovers and business email compromise across sectors including real estate, finance, retail and construction.
- Account Compromise Surged 389% in 2025, Says eSentire — www.infosecurity-magazine.com — 16.01.2026 13:40