Darktrace’s latest Annual Threat Report has found that identity compromise is now the dominant entry point for cyber intrusions, even as publicly disclosed software vulnerabilities rose 20 percent year-on-year in 2025.
The Cambridge-based cybersecurity company said attackers are increasingly bypassing traditional exploit techniques in favour of credential abuse, targeting user accounts and cloud identities rather than infrastructure weaknesses.
According to the report, nearly 70 percent of incidents across the Americas began with stolen or misused accounts, reflecting what Darktrace describes as a global shift toward identity-led intrusions. In Europe, 58 percent of incidents started with compromised cloud accounts and email, overtaking traditional network-based breaches.
The findings suggest that while vulnerability disclosures continue to climb, exploitation of software flaws is no longer the primary route into organisations. Instead, attackers are focusing on accessing legitimate credentials and operating within trusted environments.
“Traditional perimeter defenses were built for a world where attackers had to break in,” said Nathaniel Jones, VP of Security and AI Strategy at Darktrace. “Today they simply log in.”
The report highlights several high-profile breaches over the past year, including incidents involving Jaguar Land Rover, Marks & Spencer and Salesforce, where compromised accounts rather than novel exploits were central to the intrusion chain.
Cloud and SaaS exposure intensifies
Cloud adoption continues to expand the attack surface. Darktrace reports that 94 percent of organisations worldwide now rely on cloud computing, increasing systemic exposure when identities are compromised.
Across observed malware samples, Microsoft Azure was the most targeted cloud provider, accounting for 43.5 percent of activity, compared with 33.2 percent for Google Cloud Platform and 23.2 percent for Amazon Web Services. Measured by unique malicious IP addresses observed in honeypot environments, Docker deployments drew 54.3 percent of targeting activity, underscoring the growing focus on containerised infrastructure.
In the Americas, SaaS platforms and Microsoft 365 accounts were identified as common entry points, with some incidents escalating into double or triple extortion campaigns.
Phishing evolves with AI and evasion tactics
Email remains a key delivery vector. Darktrace said it detected 32 million phishing emails globally during 2025, with evidence of increasing sophistication and AI assistance.
Indicators of AI-assisted phishing rose year-on-year, with novel social engineering techniques increasing from 32 percent to 38 percent of analysed campaigns. Large, long-form phishing messages rose from 27 percent to 33 percent, suggesting a shift toward more personalised and credible-looking lures.
QR code-based phishing attacks increased by 28 percent, rising from 940,000 in 2024 to more than 1.2 million in 2025. The report notes emerging tactics including “splishing”, where a QR code is split into two images to evade scanning tools, and QR nesting, where a malicious code is embedded within a legitimate one to bypass filters.
More than 1.6 million phishing emails relied on newly created domains spun up specifically for malicious campaigns, reducing the effectiveness of reputation-based blocking. Notably, 70 percent of phishing emails passed DMARC authentication checks, enabling them to appear legitimate to automated controls and end users.
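The combination the report describes, freshly registered domains whose mail passes DMARC, is why a DMARC result on its own is a weak allow signal. The triage logic below is an added example (not from the Darktrace report) that reads the Authentication-Results header and only treats dmarc=pass as reassuring when the sending domain is established; the domain registration dates and the two messages are constructed sample data, and the `.test` domains are placeholders.

```python
"""Added example: DMARC pass plus sender-domain age, instead of DMARC alone."""
import re
from datetime import date

# Constructed stand-in for a WHOIS/RDAP registration-date lookup (not real data).
DOMAIN_CREATED = {
    "example-bank.test": date(2012, 3, 4),
    "example-bank-secure-login.test": date(2025, 11, 20),
}
NEW_DOMAIN_DAYS = 30   # domains younger than this never get a clean pass

def parse_auth_results(header):
    """Map spf/dkim/dmarc verdicts out of an Authentication-Results value."""
    return {m.lower(): v.lower()
            for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def from_domain(from_header):
    """Domain of the RFC5322.From address, which is what DMARC aligns on."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""

def domain_age_days(domain, today):
    created = DOMAIN_CREATED.get(domain)
    return None if created is None else (today - created).days

def triage(msg, today=date(2025, 12, 1)):
    """Return (verdict, reasons). A DMARC pass only lowers risk when the
    domain is old; a new or unknown domain keeps the mail in review."""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    age = domain_age_days(from_domain(msg.get("From", "")), today)
    reasons = []
    if auth.get("dmarc") != "pass":
        reasons.append("dmarc=" + auth.get("dmarc", "none"))
    if age is None:
        reasons.append("domain age unknown")
    elif age < NEW_DOMAIN_DAYS:
        reasons.append(f"domain registered {age} days ago")
    if not reasons:
        return "deliver", reasons
    return ("quarantine" if len(reasons) > 1 else "review"), reasons

# Constructed sample messages: same headers, different domain age.
LEGIT = {"From": "alerts@example-bank.test",
         "Authentication-Results": "mx.example; spf=pass; dkim=pass; "
                                   "dmarc=pass header.from=example-bank.test"}
LOOKALIKE = {"From": "alerts@example-bank-secure-login.test",
             "Authentication-Results": "mx.example; spf=pass; dkim=pass; "
                                       "dmarc=pass header.from=example-bank-secure-login.test"}

if __name__ == "__main__":
    for m in (LEGIT, LOOKALIKE):
        print(m["From"], triage(m))
```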
VIP targeting also intensified, with 8.2 million phishing emails directed at high-value individuals, representing more than a quarter of all phishing activity observed.
Critical infrastructure and geopolitical risk
The report also points to increased targeting of Critical National Infrastructure (CNI), shaped by geopolitical tensions and digital interdependence.
Darktrace observed cyber-physical activity linked to the Russia-Ukraine conflict targeting Western and Ukrainian energy infrastructure, with downstream impacts on healthcare and related sectors. Groups such as Salt Typhoon and Volt Typhoon were reported to have expanded operations into telecommunications and energy organisations to establish strategic access and pre-positioning for potential future disruption.
North Korea-linked actors were also observed blending financially motivated attacks with strategic intelligence objectives, including exploitation of vulnerabilities and deployment of trojanised malware within financial services environments.
A shifting security model
The overarching conclusion of the report is that identity now functions as the primary attack surface. With interconnected SaaS environments and cloud services, a single compromised account can enable rapid lateral movement while blending into legitimate activity.
As organisations continue to adopt AI-driven tools and cloud-based platforms, the report argues that security strategies must shift toward continuous behavioural monitoring capable of identifying deviations from normal user and system activity.
The data suggests that while vulnerability management remains critical, the frontline of cyber defence has moved decisively from the network perimeter to the identity layer — where attackers increasingly prefer to log in rather than break in.
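Behavioural monitoring of the kind the report calls for starts with a per-identity baseline. The code below is an added example (not Darktrace's own product logic) that learns each user's usual countries, networks and sign-in hours from past successful logins and scores a new login by how many of those axes it departs from, which is how a valid-credential "log in" can still stand out. The sign-in events are constructed sample data and the ASNs come from the reserved documentation range.

```python
"""Added example: per-user sign-in baseline and deviation scoring."""
from collections import defaultdict

# Constructed identity-provider audit events (sample data, not real logs).
HISTORY = [
    {"user": "alice", "country": "GB", "asn": "AS64496", "hour": 9,  "ok": True},
    {"user": "alice", "country": "GB", "asn": "AS64496", "hour": 14, "ok": True},
    {"user": "alice", "country": "GB", "asn": "AS64497", "hour": 11, "ok": True},
    {"user": "alice", "country": "BR", "asn": "AS64500", "hour": 3,  "ok": False},
    {"user": "bob",   "country": "US", "asn": "AS64498", "hour": 8,  "ok": True},
]
ALERT_THRESHOLD = 2   # two or more simultaneous deviations -> review the session

def build_baseline(events):
    """Per-user sets of countries, ASNs and hours seen on successful logins."""
    base = defaultdict(lambda: {"countries": set(), "asns": set(), "hours": set()})
    for e in events:
        if not e["ok"]:
            continue               # failed attempts must not teach the baseline
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["asns"].add(e["asn"])
        b["hours"].add(e["hour"])
    return base

def score_login(baseline, e):
    """Return (score, reasons): one point per axis never seen for this user.
    An hour counts as unusual only if more than two hours from any known one."""
    b = baseline.get(e["user"])
    if b is None:
        return 3, ["no baseline for user"]
    reasons = []
    if e["country"] not in b["countries"]:
        reasons.append(f"new country {e['country']}")
    if e["asn"] not in b["asns"]:
        reasons.append(f"new network {e['asn']}")
    if min(abs(e["hour"] - h) for h in b["hours"]) > 2:
        reasons.append(f"unusual hour {e['hour']:02d}:00")
    return len(reasons), reasons

def triage(baseline, e):
    score, reasons = score_login(baseline, e)
    return ("alert" if score >= ALERT_THRESHOLD else "ok"), reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(triage(base, {"user": "alice", "country": "BR", "asn": "AS64500", "hour": 3}))
```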
You can read the full report here.