Once largely associated with consumer credential theft, infostealer malware is increasingly impacting enterprises.
New research from Flare shows that a rising percentage of infections now expose enterprise Single Sign-On (SSO) and identity provider credentials, creating direct risk for corporate systems, cloud environments, and SaaS platforms.
“We’re seeing fewer infections overall, but far higher yield per compromise,” said Estelle Ruellan, cybersecurity researcher at Flare, in an email to eSecurityPlanet.
She added, “Infostealers are increasingly landing on machines that already hold enterprise SSO credentials, turning a single infection into organization-wide access. That changes the economics of both attack and defense.”
Enterprise Identity Exposure Is Rising
Flare’s 2026 State of Enterprise Infostealer Exposure report analyzed 18.7 million infostealer logs collected throughout 2025 and found that enterprise identity compromise is already widespread — and accelerating.
More than one in ten infostealer infections contained enterprise identity credentials during the year, and that figure climbed to as high as 16% in late 2025, well above earlier projections.
The data indicates that infostealers are increasingly landing on systems that already hold high-value enterprise access.
Unlike traditional credential theft methods such as phishing campaigns or large-scale data breaches, infostealers give attackers a complete and current snapshot of a victim’s digital identity.
Once malware infects a machine, it systematically harvests browser-saved passwords, autofill data, stored logins, and active session cookies across every service the user has accessed.
This approach allows attackers to capture not just isolated credentials, but the full set of identities and sessions tied to that device at the moment of compromise.
In 2025 alone, Flare identified 2.05 million infostealer logs containing enterprise identity credentials. Microsoft Entra ID appeared in 79% of those logs, making it the most frequently exposed identity provider by a wide margin.
More than 18% of enterprise identity logs contained credentials for multiple identity providers, increasing the potential blast radius of a single infection and complicating incident response efforts.
The risk is further amplified by the presence of active sessions.
Over 1.17 million logs contained both enterprise credentials and session cookies, which can enable attackers to bypass multi-factor authentication (MFA) entirely and gain immediate access to enterprise systems without triggering login challenges.
Perhaps most telling, this growth in enterprise identity exposure occurred despite a roughly 20% year-over-year decline in total infostealer infections.
That divergence suggests a shift in attacker strategy: rather than maximizing infection volume, threat actors are prioritizing higher-value compromises.
Infostealers are increasingly deployed on machines likely to contain enterprise credentials, turning fewer infections into greater organizational impact.
How to Reduce Infostealer Risk
As infostealer malware increasingly targets enterprise identities rather than individual accounts, organizations need defenses that extend beyond traditional endpoint security.
Because a single compromised credential or session can unlock multiple systems at once, reducing identity exposure has become a critical part of risk management.
- Restrict enterprise identity access to managed, hardened devices and avoid use on personal or shared systems.
- Block unverified or pirated software and strengthen controls around common infostealer distribution channels.
- Enforce phishing-resistant MFA and conditional access policies to reduce the impact of stolen credentials and sessions.
- Limit session lifetimes and rotate credentials regularly to reduce the value of leaked passwords and tokens.
- Strengthen endpoint and browser protections on systems accessing SSO and IdP services, including monitoring for suspicious behavior.
- Continuously monitor for exposed credentials and session tokens across logs, dark web marketplaces, and messaging platforms.
- Test incident response plans for identity compromise scenarios, including credential revocation, session invalidation, and access review.
These measures focus on limiting where enterprise identities can be used, reducing the value of stolen credentials, and improving detection and response when compromise occurs.
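As an added illustration (written for this page, not code from the article or from Flare) of the triage step behind the last two measures, and of why the report singles out logs that pair credentials with session cookies: a short Python routine that reads one stealer log (a password dump plus a Netscape-format cookie file, both constructed here) and reports which identity providers are exposed, whether more than one provider appears, and whether an unexpired IdP session cookie accompanies the credentials. The Entra ID login hostname is real; the second provider hostname and all usernames are placeholders.

```python
import re
from urllib.parse import urlparse

# IdP login hostnames: the Entra ID host is real, the second is a constructed placeholder.
IDP_HOSTS = {"login.microsoftonline.com": "Microsoft Entra ID",
             "sso.idp-two.example": "Second IdP (placeholder)"}
# Constructed sample: a stealer password dump plus a Netscape-format cookie file.
SAMPLE_PASSWORDS = """\
URL: https://login.microsoftonline.com/common/oauth2/authorize
Username: alice@corp.example
Password: [constructed]

URL: https://sso.idp-two.example/login
Username: Alice@corp.example
"""
SAMPLE_COOKIES = (".login.microsoftonline.com\tTRUE\t/\tTRUE\t1800000000\tsess\tconstructed\n"
                  "shop.example.net\tFALSE\t/\tTRUE\t1800000000\tsid\tconstructed\n")

def idp_for_host(host):
    """Map a hostname or cookie domain (leading dot allowed) to an IdP name, else None."""
    host = host.lstrip(".").lower()
    return next((n for h, n in IDP_HOSTS.items()
                 if host == h or host.endswith("." + h)), None)

def parse_credentials(text):
    """Yield (url, username) per entry; the password field is read but never returned."""
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(re.findall(r"^(URL|Username|Password):[ \t]*(.*)$", block, re.M))
        if "URL" in f and "Username" in f:
            yield f["URL"], f["Username"]

def parse_cookies(text):
    """Return (domain, expiry) pairs from 7-field tab-separated Netscape cookie lines."""
    rows = [line.split("\t") for line in text.splitlines()]
    return [(r[0], int(r[4])) for r in rows if len(r) == 7]

def triage(cred_text, cookie_text, now):
    """Report which IdPs and users one log exposes and whether live sessions ride along."""
    users = {}
    for url, user in parse_credentials(cred_text):
        idp = idp_for_host(urlparse(url).hostname or "")
        if idp:
            users.setdefault(idp, set()).add(user.lower())
    live = {idp_for_host(d) for d, exp in parse_cookies(cookie_text)
            if exp > now and idp_for_host(d)}
    return {"idps": sorted(users), "users": users,
            "multi_idp": len(users) > 1,            # one infection, several providers
            "live_session_idps": sorted(live),
            # credentials plus an unexpired IdP session cookie: revoke sessions first
            "mfa_bypass_risk": bool(set(users) & live)}
```

Run with the current Unix time as `now`; an `mfa_bypass_risk` of `True` means session invalidation must precede the password reset, since the cookie alone may be enough to skip the MFA challenge.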
Stolen Credentials Have Outsized Impact
Flare’s findings highlight how identity has emerged as a central focus of modern enterprise security, with infostealers increasingly providing a direct route to widespread organizational access.
As centralized identity platforms connect cloud services, SaaS applications, and internal systems, the impact of a single compromised credential or active session continues to increase.
Mitigating this risk requires organizations to treat identity exposure as a foundational security issue that spans endpoint protection, access controls, and incident response readiness.
As organizations rethink how they protect identities and access, many are turning to zero-trust solutions to reduce reliance on implicit trust and limit the blast radius of compromise.
