Account Takeovers Surge 389% As Cybercrime Hits A 14-Minute Breach Window

New 2025 threat data shows identity attacks, phishing services, and social engineering reshaping enterprise risk

Published on Jan 15, 2026

Account compromise accounted for more than 50% of all investigated cyber incidents in 2025, a 389% Year-over-Year (YoY) increase that shows how quickly identity has become the primary battleground for defenders.

According to eSentire’s 2025 Year in Review and 2026 Threat Outlook report, published today, attackers are no longer breaking in; they’re logging in, often with devastating speed.

The report, based on thousands of global incidents handled by eSentire’s Threat Response Unit (TRU), details how Phishing-as-a-Service (PhaaS) platforms have industrialized credential theft.

For as little as USD 200–300 per month, attackers can subscribe to services that bypass Multi-Factor Authentication (MFA), steal session tokens in real time, and hand off access to operators who move immediately to exploitation.

“These PhaaS kits are not made up of simple templates; they are comprehensive, continuously updated offerings, designed to bypass modern security controls, such as [MFA],” Spence Hutchinson, Senior Manager of Intelligence Research at eSentire, told Expert Insights.

“It is the widespread availability and continuous evolution of these PhaaS kits that are fueling the account takeover epidemic.”

Speed, Scale, And Trust Drive Modern Intrusions

Email-initiated account compromise rose from 36.9% of cases in 2024 to 54.8% in 2025, with PhaaS platforms responsible for nearly two-thirds of those incidents.

Once attackers obtained valid credentials, they successfully progressed beyond initial access in 85% of cases, the highest intrusion rate of any access vector.

Intrusion Ratio by Access Vector. Credit: eSentire.

In an analysis of 100 Tycoon2FA incidents, exploitation began just 14 minutes on average after credential theft.

“One of the incidents we observed was when a threat actor […] captured a session token from a victim, relayed it to the Tycoon2FA server, and in minutes used the token […] to access the victim’s email account,” Hutchinson said. The attacker then immediately created inbox forwarding rules to launch a Business Email Compromise (BEC) scheme.

Social engineering amplified the impact. Combined email bombing and IT-impersonation attacks surged fourteenfold year over year, while browser-based techniques such as ClickFix grew nearly 300% and accounted for more than 30% of malware delivery cases.

“When attackers are able to phish valid employee account credentials and progress from initial access to active exploitation in minutes, rather than days, the window for detection and response has collapsed,” Hutchinson said. “These are the new deadlines that security teams must beat.”