
Field Effect: Cloud Identity Drove Majority of 2025 Incidents
Context and Chronology
Field Effect, a global managed detection and response provider, reports that more than 80% of the incident-related alerts it investigated in 2025 followed cloud identity compromise. Its casework shows adversaries increasingly entering through legitimate accounts and blending with routine activity, which complicates detection and gives attackers low-noise paths to privilege escalation. Attackers used tenant impersonation, vishing (voice phishing) inside collaboration platforms, and abused remote‑support workflows to deliver PowerShell tooling and harvest credentials for lateral movement and persistence.
The vendor links a practical acceleration in attacker operations to widespread use of generative-model tooling: phishing and persona creation scaled, automated reconnaissance validated targets faster, and conversion times from contact to credential validation materially shortened. Rather than novel exploitation techniques, attackers are automating established social‑engineering playbooks to increase throughput and reduce operational friction for mid‑tier criminal groups.
Edge infrastructure and exposed management interfaces remained consequential vectors in Field Effect’s caseload: campaigns targeting VPNs, routers and SSL VPN appliances repeatedly relied on credential reuse and delayed patching to gain high‑privilege access. Specific casework cited authentication into SonicWall SSL VPNs with recycled secrets that were subsequently used to stage ransomware operations, including activity linked to Akira.
Industry telemetry from peers provides a corroborating but broader view. CyberArk field data point to roughly 82 machine identities per human, with about 42% of those holding privileged access — underscoring how service accounts, API keys and tokens expand the adversary’s target set. IBM X‑Force observed a 44% year‑over‑year rise in attacks against public‑facing applications driven by automated discovery and credential validation, while CrowdStrike reported a large uptick in model‑assisted attacks and a median breakout interval measured in minutes (their field figures note an average near 29 minutes for high‑velocity incidents).
These cross‑industry signals help reconcile differences in percentages: Field Effect’s >80% figure reflects identity‑linked alerts within its MDR caseload and the contexts it triaged, whereas vendor‑wide studies aggregate across different telemetry domains and vertical mixes. Together they show a coherent operational pivot — identity and machine credentials are now primary enablers of access and escalation, while automation compresses the window defenders have to detect and contain intrusions.
Operational gaps compound risk. Multiple vendor surveys and field studies show playbooks routinely omit comprehensive handling of non‑human credentials during containment: teams reset human passwords but often fail to rotate service accounts, API keys and certificates, leaving trust chains intact and lengthening attacker dwell time. Discovery and governance remain immature in many organizations, producing invisible service accounts that attackers can reuse to sustain access.
For defenders the prescription is consistent across reports: elevate identity and access controls (hardware‑backed MFA where feasible, conditional access and attestation for agentic tools), adopt behaviour‑based detection that fuses endpoint, identity, cloud and browser signals, and make non‑human credential inventory, rotation and cross‑system revocation standard steps in containment playbooks. Field Effect’s Director of Security Services, Earl Fischl, emphasized that treating identity as an authentication checkbox is insufficient; organisations must instrument identity as an active control and shorten remediation windows.
Practically, this means pre‑incident machine‑identity inventories, automated rotation and revocation during incidents, tighter remote‑support workflows, and faster patching or compensating segmentation for appliance management planes. Industry examples — rapid weaponization of disclosed appliance bugs and automated campaigns that validated thousands of management interfaces — illustrate why these changes must be operationalized now.
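The containment gap described above can be made concrete with a small inventory model. The following is an added example, not code from Field Effect or any vendor cited here: it walks a constructed machine‑identity inventory (hypothetical names) down the `issued_by` trust chain from a compromised principal and compares the full rotation set against a playbook that stops at the human password reset.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample inventory (hypothetical names, not a real tenant).
# `issued_by` records which principal created or owns the credential, so a
# compromise can be followed down the trust chain the text describes.
@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                      # "human", "service_account", "api_key", "certificate"
    issued_by: Optional[str] = None
    privileged: bool = False

INVENTORY = [
    Identity("alice", "human"),
    Identity("svc-backup", "service_account", "alice", privileged=True),
    Identity("apikey-backup-01", "api_key", "svc-backup"),
    Identity("cert-backup-mtls", "certificate", "svc-backup"),
    Identity("svc-ci", "service_account", "alice"),
    Identity("apikey-ci-deploy", "api_key", "svc-ci", privileged=True),
    Identity("bob", "human"),
    Identity("svc-reporting", "service_account", "bob"),
]

def containment_scope(inventory, compromised, human_only=False):
    """Names of identities to reset, rotate or revoke once `compromised` is
    confirmed attacker-controlled. The walk is transitive: anything issued by
    a compromised principal is treated as compromised too. human_only=True
    models the weak playbook that stops after the human password reset."""
    by_name = {i.name: i for i in inventory}
    by_issuer = {}
    for i in inventory:
        by_issuer.setdefault(i.issued_by, []).append(i.name)
    scope, frontier = set(), [compromised]
    while frontier:
        name = frontier.pop()
        if name in scope or name not in by_name:
            continue
        if human_only and by_name[name].kind != "human":
            continue            # left intact: the trust chain survives containment
        scope.add(name)
        frontier.extend(by_issuer.get(name, []))
    return scope

def rotation_gap(inventory, compromised):
    """Credentials a human-only reset leaves in place, and how many are privileged."""
    by_name = {i.name: i for i in inventory}
    missed = containment_scope(inventory, compromised) - containment_scope(inventory, compromised, True)
    return missed, sum(1 for n in missed if by_name[n].privileged)

if __name__ == "__main__":
    missed, priv = rotation_gap(INVENTORY, "alice")
    print(f"human-only reset leaves {len(missed)} credentials intact ({priv} privileged): {sorted(missed)}")
```

Feeding a real identity export into `INVENTORY` (with the same `issued_by` ownership links) turns this into the pre‑incident inventory the text calls for, and the returned set is the rotation and revocation list for the containment playbook.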
Finally, the combined reporting highlights a broader economic shift: valid, curated access and session artifacts are becoming higher‑value assets for adversaries than ephemeral zero‑days because they are cheaper, more reliable and harder to detect. The net effect for 2026 will be less about new cyber‑primitives and more about faster, cheaper, and more convincing exploitation of existing weaknesses — pushing defenders toward telemetry fusion, identity‑first architectures and deterministic recovery planning.