November 30, 2025

Identity-based attacks “skyrocket” by 156 percent

Identity-based attacks are emerging as the major attack vector for businesses of all kinds. According to cybersecurity company eSentire, identity-driven threats have “skyrocketed”, with a 156 percent surge in identity-based attacks between 2023 and 2025.

“Identity-based attacks are not an emerging threat that should simply be monitored; they are the current dominant attack vector that require organizations to have a strong 24/7 threat detection and response defense strategy in place to prevent business disruption,” says eSentire.

The steep growth in cybercriminals using stolen IDs and log-in credentials is being driven by the rise of illicit phishing-as-a-service (PhaaS) platforms that enable even inexperienced cybercriminals to gain access to employees’ log-in details. One of the leading players in this field is Tycoon 2FA, a PhaaS platform that sells Microsoft business account credentials and session cookies. Other players in this field include EvilProxy and Sneaky 2FA.

For as little as $200 a month, these subscription services offer convincing pre-made phishing pages for the major workplace platforms, such as Microsoft 365 and Google Workspace, as well as functions to steal session cookies and bypass multi-factor authentication. The offerings of these illegal services are also becoming increasingly sophisticated. Information stealer malware is no longer limited to basic credential theft; today’s PhaaS platforms extract browser credentials, password manager databases, and more. According to eSentire, there is now “a thriving black market” for stolen identities.

This marks a shift in the way cybercriminals are targeting companies in order to steal critical data and execute ransomware attacks. Rather than targeting technical vulnerabilities, modern threat actors are exploiting compromised user identities, gaining direct access to critical business assets with less effort and greater impact. This means that traditional security models built around perimeter defense and endpoint protection are fundamentally insufficient against adversaries who possess valid credentials.
