The global cyber threat landscape shifted in 2025, as attackers increasingly abandoned complex malware in favor of faster, more scalable tactics centered on identity compromise, AI-driven automation, and SaaS ecosystem abuse.
According to the CyberProof 2026 Global Threat Intelligence Report, attackers are no longer focused on breaking through network perimeters.
Instead, they are logging in using compromised identities and trusted platforms, turning legitimate access into a powerful weapon.
“Threat actors, particularly the group known as Scattered Spider, mastered the art of impersonating employees to convince help desks to reset Multi-Factor Authentication (MFA) tokens,” said Liora Ziv, threat intelligence researcher at CyberProof.
She added, “This technique allowed attackers to gain valid credentials and operate inside the network with the same privileges as legitimate administrators, rendering traditional anomaly detection tools less effective.”
Key Findings From the CyberProof Report
The report shows these evolving attack strategies have hit critical industries hardest, where even brief disruptions can quickly lead to financial losses and supply chain delays.
The retail sector, for example, experienced a sharp surge in ransomware activity during 2025.
According to the report, ransomware attacks targeting retailers increased 58% in the second quarter of the year, and 80% of retail organizations experienced at least one cyberattack over the course of 2025.
Many of these incidents disrupted logistics, payment, and inventory systems, creating ripple effects across suppliers, distribution networks, and customer services.
Manufacturing organizations faced even steeper growth in malicious activity. Attacks targeting the sector increased 61% compared to 2024, ultimately accounting for 26% of all global cyber incidents.
Because manufacturing environments rely heavily on operational technology (OT), enterprise resource planning (ERP) systems, and tightly synchronized production lines, attackers increasingly view downtime itself as leverage.
Ransomware campaigns targeted production scheduling systems and industrial control environments, forcing companies to halt operations while negotiating with attackers or restoring systems.
Identity Compromise Becomes the Top Attack Entry Point
At the center of many of these incidents is a fundamental shift in how attackers gain initial access.
The report highlights that identity compromise has become the most common entry point for modern cyberattacks.
Stolen or compromised credentials accounted for 22% of confirmed breaches in 2025, making identity abuse the leading initial access vector.
With valid credentials, attackers can bypass traditional controls such as firewalls, endpoint detection, and network segmentation.
Because they log in using legitimate accounts rather than exploiting software vulnerabilities, their activity often blends in with normal user behavior.
Groups such as Scattered Spider have demonstrated how attackers impersonate employees and contact IT help desks to request password or multi-factor authentication (MFA) resets.
If approved, the reset grants attackers legitimate access to enterprise systems with the same privileges as the compromised user.
From there, they can move laterally across cloud services, collaboration platforms, and SaaS applications while continuing to appear as trusted users.
AI Is Accelerating Cybercrime Operations
Beyond identity theft, attackers are increasingly leveraging automation and artificial intelligence (AI) to scale their operations and accelerate attack timelines.
The report estimates that approximately 80% of ransomware campaigns incorporated AI at some stage of the attack lifecycle in 2025.
AI is commonly used to generate highly convincing phishing emails, automate vulnerability scanning, and accelerate the development of malicious payloads.
By reducing the time and expertise required to launch attacks, AI enables cybercriminals to run campaigns at a much larger scale than in previous years.
ClickFix Social Engineering Attacks Surge
Another rapidly growing tactic involves browser-based social engineering attacks known as ClickFix campaigns.
These attacks trick users into executing malicious commands by presenting fake verification prompts within a web browser.
Victims may be instructed to copy and paste commands into system tools under the guise of completing a security check or software verification process.
According to the report, ClickFix activity increased more than 500% in 2025, accounting for nearly 8% of blocked attack attempts across monitored environments.
Cybercriminal Groups Are Collaborating to Scale Attacks
The threat landscape is also evolving through greater collaboration among cybercriminal groups.
Rather than operating as isolated organizations, many attackers now participate in loosely connected ecosystems that share tools, infrastructure, and operational tactics.
Alliances such as the Scattered LAPSUS$ Hunters collective and ransomware partnerships involving groups like LockBit, DragonForce, and Qilin illustrate how adversaries are pooling resources to increase the speed and scale of their operations.
By sharing payload frameworks, affiliate networks, and attack methodologies, these groups can quickly replicate successful campaigns across multiple industries.
Attackers Are Targeting SaaS Integrations and Supply Chains
At the same time, attackers are increasingly targeting interconnected cloud platforms and third-party integrations as a way to expand their reach.
Supply chain abuse has become a particularly effective tactic because compromising a single trusted integration can expose multiple organizations simultaneously.
One campaign highlighted in the report involved attackers targeting OAuth integrations within the Salesforce ecosystem rather than the platform itself.
By compromising connected third-party applications, attackers gained access to customer relationship management (CRM) environments and were able to exfiltrate massive volumes of sensitive data — without directly breaching Salesforce’s core infrastructure.
These attacks highlight a growing blind spot in many enterprise environments, where organizations often lack full visibility into the third-party applications, integrations, and APIs connected to their SaaS platforms.
As a result, attackers can exploit these trust relationships to move between systems and access sensitive data while bypassing traditional security controls.
How Organizations Can Reduce Identity Risk
As identity-driven attacks, SaaS abuse, and AI-enabled ransomware campaigns continue to rise, organizations must rethink how they approach cybersecurity defense.
Traditional perimeter controls alone are no longer enough when attackers can operate using legitimate credentials and trusted platforms.
- Strengthen identity access management by enforcing phishing-resistant MFA, implementing least-privilege access controls, and tightening identity verification procedures for help desk credential or MFA reset requests.
- Continuously monitor authentication activity using identity threat detection and response (ITDR) tools to identify suspicious behavior such as unusual logins, privilege escalation, impossible travel events, and abnormal MFA changes.
- Regularly audit OAuth integrations, API keys, and third-party SaaS connections to identify overprivileged applications, unused tokens, and shadow integrations that could provide attackers with unauthorized access.
- Improve visibility and security posture across cloud environments by identifying misconfigurations, securing APIs, and implementing cloud security posture management practices to reduce exposure from configuration errors.
- Restrict, inventory, and monitor the use of remote management and monitoring (RMM) tools and other administrative utilities to prevent attackers from abusing trusted software for persistent access.
- Accelerate vulnerability management by prioritizing rapid patching of internet-facing systems, identity services, and critical infrastructure, especially when newly disclosed vulnerabilities are actively being exploited.
- Conduct regular security awareness training and test incident response plans through tabletop exercises and simulations to ensure teams can quickly detect, contain, and recover from identity-based attacks and ransomware incidents.
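The ITDR signals named above (impossible travel, abnormal MFA changes, help-desk resets) as an added example, not code from the report or from CyberProof: two detection rules run over constructed identity events. The event fields, the 900 km/h travel threshold and the two-hour reset window are assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample identity events (UTC, ISO-8601); not data from the report.
EVENTS = [
    {"ts": "2025-06-03T08:55:00", "user": "jdoe", "type": "login", "lat": 40.71, "lon": -74.01, "device": "known"},
    {"ts": "2025-06-03T13:02:00", "user": "jdoe", "type": "mfa_reset", "lat": 40.71, "lon": -74.01, "via": "helpdesk"},
    {"ts": "2025-06-03T13:20:00", "user": "jdoe", "type": "login", "lat": 52.52, "lon": 13.40, "device": "new"},
    {"ts": "2025-06-03T09:00:00", "user": "asmith", "type": "login", "lat": 51.50, "lon": -0.12, "device": "known"},
    {"ts": "2025-06-03T18:00:00", "user": "asmith", "type": "login", "lat": 51.50, "lon": -0.12, "device": "known"},
]

MAX_SPEED_KMH = 900.0              # faster than a commercial flight: "impossible travel" (assumed threshold)
RESET_WINDOW = timedelta(hours=2)  # new-device login this soon after a help-desk MFA reset (assumed window)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_alerts(events):
    """Return (user, rule) tuples for the two identity-abuse patterns, in event order."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        prev_login, last_reset = None, None
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["type"] == "mfa_reset" and e.get("via") == "helpdesk":
                last_reset = t          # remember the reset; the next login is judged against it
                continue
            if e["type"] != "login":
                continue
            if prev_login is not None:  # rule 1: implied travel speed between consecutive logins
                p, pt = prev_login
                km = haversine_km(p["lat"], p["lon"], e["lat"], e["lon"])
                hours = (t - pt).total_seconds() / 3600
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append((user, "impossible_travel"))
            if last_reset and t - last_reset <= RESET_WINDOW and e.get("device") == "new":
                alerts.append((user, "new_device_login_after_helpdesk_mfa_reset"))  # rule 2
            prev_login = (e, t)
    return alerts


if __name__ == "__main__":
    for user, rule in find_alerts(EVENTS):
        print(f"ALERT {rule}: {user}")
```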
Collectively, these steps help organizations reduce the potential blast radius of attacks and build resilience.
Cybercriminals Are Abusing Trusted Systems
The CyberProof report ultimately underscores a fundamental shift in cybersecurity: attackers are no longer focused solely on breaching systems but on abusing the identities, platforms, and integrations organizations already trust.
As AI accelerates attack speed and cybercriminal groups collaborate to scale operations, the line between legitimate activity and malicious behavior will continue to blur.
This shift is prompting organizations to use zero trust solutions that assume no user or system should be trusted by default.
