Infostealers blamed for surge in identity attacks

Advanced phishing kits and info-stealing malware have accounted for a 156 percent jump in cyberattacks targeting user logins.

A new report from cybersecurity company eSentire shows attackers are increasingly opting for obtaining login credentials and session cookies via phishing or malware. This then allows them to carry out Business Email Compromise (BEC) attacks, gain access to bank accounts, or steal cryptocurrency.

The use of phishing-as-a-service platforms, such as Typhoon 2FA, is making it easier to carry out attacks with minimal technical expertise and low cost. For around $200 to $300 per month the kits offer pre-made phishing pages for the major workplace platforms including Microsoft 365 and Google Workspace.

These platforms use sophisticated Adversary-in-the-Middle (AitM) architectures that provide real-time credential interception and authentication token capture. The platform captures all authentication credentials and session tokens, which can be replayed at a later point with the target service. This approach means threat actors can bypass multi-factor authentication by replaying captured tokens within their validity periods, often within minutes of the initial theft.

Infostealers are also available as a service and eSentire reckons they currently account for 35 percent of all detected malware threats in 2025. A prime target is passwords stored in browsers which many people use for convenience. Stolen details are sold on underground marketplaces through forums, markets, and chat rooms. The report notes that the infrastructure for these marketplaces has become quite sophisticated so threat actors can easily find the type of credentials they want.

Attacks involving the compromise of business email accounts have increased 60 percent year-on-year, accounting for 41 percent of all attacks in the first quarter of this year.

The report’s authors conclude, “To adapt to the evolving threat landscape, organizations must prepare for continued development in identity-based attack techniques. The organizations that invest in comprehensive identity security architectures today will be best positioned to adapt to these future developments while maintaining effective protection against current threats.”

The report recommends that businesses adopt phish-resistant authentication methods such as FIDO2/WebAuthn and passkeys, which use cryptographic authentication that can’t be intercepted or replayed by adversaries. They should also adopt zero trust principles, including checking for device compliance, geographic location and behavioral anomalies.
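Added example (not code from the eSentire report or from BetaNews) of why a WebAuthn-style assertion defeats the AitM capture-and-replay described above: the data the authenticator signs binds the real page origin and a single-use server challenge, so an assertion produced on a proxy domain, or one replayed later, fails verification. The domain names are constructed, and an HMAC stands in for the authenticator's ECDSA signature to keep the illustration dependency-free.

```python
import hashlib, hmac, json, os, secrets

RP_ID = "login.example.com"                  # constructed relying party
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"   # constructed AitM proxy domain

# One registered credential's key. HMAC is a stand-in for the authenticator's
# ECDSA private key; the binding logic is the same.
CRED_KEY = secrets.token_bytes(32)

_issued_challenges: set[bytes] = set()

def new_challenge() -> bytes:
    """Relying party: mint a random, single-use challenge and remember it."""
    c = os.urandom(32)
    _issued_challenges.add(c)
    return c

def rp_id_hash() -> bytes:
    return hashlib.sha256(RP_ID.encode()).digest()

def authenticator_sign(origin: str, challenge: bytes) -> dict:
    """Browser + authenticator: the browser fills in the *actual* page origin
    (the user cannot override it); the signature covers auth_data || SHA256(client_data)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}).encode()
    signed = rp_id_hash() + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": rp_id_hash(), "sig": sig}

def rp_verify(assertion: dict) -> tuple[bool, str]:
    """Relying party: check origin, rpIdHash and signature, then consume the challenge."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: assertion was produced on another site"
    if assertion["auth_data"] != rp_id_hash():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    challenge = bytes.fromhex(cd["challenge"])
    if challenge not in _issued_challenges:
        return False, "unknown or already-used challenge: replay rejected"
    _issued_challenges.discard(challenge)   # each challenge verifies exactly once
    return True, "ok"
```

A captured session cookie has none of these bindings, which is why the report treats token replay as the weak point and cryptographic authentication as the fix.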

The full report is available from the eSentire site.
