
The Industrialization of Cybercrime Marks a Turning Point for Global Businesses
Global cybersecurity solutions provider eSentire has released its highly anticipated 2025 Year in Review and 2026 Threat Landscape Outlook Report, titled “The Industrialization of Cybercrime: Identities are Under Attack,” delivering a stark warning to enterprises worldwide that identity-based threats have entered a new era of scale, speed, and sophistication. Drawing on threat intelligence collected from more than 2,000 global customers and analyzed by eSentire’s elite Threat Response Unit (TRU), the report paints a troubling picture of how cybercrime has evolved from isolated hacking efforts into highly organized, service-driven criminal ecosystems. Among the most alarming revelations is a 389% year-over-year surge in account compromise incidents during 2025, underscoring that employee identities have become the most valuable and vulnerable attack surface for modern organizations. According to eSentire, today’s attackers no longer need deep technical expertise to cause devastating damage, as turnkey cybercrime services now enable even inexperienced threat actors to successfully compromise corporate accounts and infiltrate enterprise networks with frightening ease.
Identity-Based Attacks Become the Primary Gateway for Cyber Intrusions
The report highlights that identity theft, rather than traditional malware exploitation alone, has emerged as the dominant entry point for cyberattacks. In 2025, attempted theft of corporate account credentials accounted for 50% of all attacks analyzed by TRU, with Microsoft 365 accounts representing a particularly lucrative target for attackers due to their central role in enterprise collaboration, communication, and document management. This shift reflects a broader transformation in attacker strategy, where compromising legitimate credentials allows threat actors to bypass many perimeter-based defenses and blend seamlessly into normal user activity. By leveraging stolen usernames, passwords, and session tokens, attackers can move laterally within networks, escalate privileges, and launch financially motivated attacks without immediately triggering security alerts. eSentire’s analysis confirms that identity-centric threats are no longer a secondary risk but have become the foundation upon which most modern cyber campaigns are built.
Phishing-as-a-Service Fuels the Explosion of Account Compromises
A key driver behind the dramatic increase in account compromise incidents is the rapid rise of Phishing-as-a-Service (PhaaS) platforms, which have transformed phishing into a scalable, subscription-based criminal business. According to the report, email-initiated account compromises rose from 37% of total incidents to 55% in just one year, while PhaaS-related activity accounted for 63% of all compromised accounts observed by TRU. Unlike traditional phishing attempts that relied on static templates and unsophisticated lures, modern PhaaS kits are professionally developed, continuously updated, and specifically engineered to bypass advanced security controls, including Multi-Factor Authentication. These platforms provide attackers with ready-made infrastructure, phishing pages, credential harvesting tools, session token capture capabilities, and even real-time dashboards, dramatically lowering the barrier to entry for cybercrime. As a result, phishing is no longer limited to opportunistic campaigns but has evolved into a precision-driven attack vector capable of targeting specific employees and departments within high-value organizations.
Advanced PhaaS Kits Redefine the Economics of Cybercrime
Spence Hutchinson, Senior Manager of eSentire’s Threat Response Unit and lead investigator for the report, emphasized that today’s PhaaS offerings represent a fundamental shift in how cybercrime operates. These platforms are not simplistic phishing templates but rather full-scale criminal toolkits designed to evolve alongside defensive technologies. By integrating features that dynamically adapt to security updates and user behavior, PhaaS kits enable attackers to maintain high success rates even as organizations invest heavily in cybersecurity controls. The widespread availability of these services has created what eSentire describes as an “account takeover epidemic,” where compromised credentials serve as the gateway to downstream attacks such as data theft, ransomware deployment, and financial fraud. The report warns that as long as these services remain accessible and affordable, organizations should expect identity-based attacks to continue rising in both frequency and impact.
Business Email Compromise Emerges as the Ultimate Monetization Strategy
While account compromise is often the initial step, the report reveals that Business Email Compromise (BEC) remains the most profitable end game for many attackers. Using PhaaS operations such as Tycoon2FA, FlowerStorm, and EvilProxy, threat actors can rapidly convert stolen credentials into financial gains. TRU investigators found that attackers are often able to initiate BEC activities, including creating malicious inbox forwarding rules or manipulating payment workflows, in as little as 14 minutes after successfully capturing a victim’s credentials and session token. Once inside a corporate email environment, attackers can monitor communications, impersonate trusted executives or vendors, and redirect legitimate fund transfers to fraudulent accounts with minimal risk of detection. This speed and efficiency highlight why BEC continues to be one of the most damaging cyber threats facing businesses today.
High-Value Industries Face Disproportionate BEC Risk
The report identifies real estate, finance, retail, and construction as particularly attractive targets for BEC campaigns due to their frequent handling of large financial transactions and complex vendor payment processes. In these sectors, attackers exploit routine activities such as property closings, invoice payments, and contract settlements to insert fraudulent payment instructions at critical moments. By intercepting legitimate email threads and subtly altering account details, attackers can divert substantial sums before victims realize something is wrong. eSentire’s findings reinforce that BEC is not merely a technical problem but a business process vulnerability, where trust, timing, and human behavior are weaponized to devastating effect.
The Financial Toll of BEC Continues to Mount
Despite increased awareness, BEC attacks continue to inflict enormous financial damage globally. According to the FBI’s Internet Crime Complaint Center, businesses lost $2.8 billion to BEC attacks in 2024 alone, making it one of the most financially destructive forms of cybercrime. These losses reflect not only direct financial theft but also the broader operational disruptions, legal costs, and reputational damage that often follow a successful attack. The persistence of BEC underscores the challenge organizations face in defending against threats that exploit legitimate credentials and trusted communication channels rather than obvious malware infections.
eSentire Achieves Measurable Progress Against BEC in 2025
Amid the concerning trends, the report highlights a notable success story in eSentire’s fight against BEC. In 2025, eSentire successfully reduced BEC threats for its customers by 21%, demonstrating that proactive detection and response strategies can make a meaningful difference. This achievement was driven by TRU’s focused efforts to trace BEC incidents back to their root causes and develop detections for early-stage indicators that precede full-scale attacks. By identifying credential phishing attempts, suspicious login behavior, and anomalous email rule creation, TRU was able to disrupt many BEC campaigns before attackers could establish a foothold within customer environments. This results-driven approach underscores the importance of combining advanced technology with dedicated human expertise in combating modern cyber threats.
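The early-stage detection described above, sketched as an added example (not eSentire's code and not part of the report): it flags an inbox rule that forwards, redirects, or deletes mail when it is created shortly after a sign-in from an address outside the user's baseline. The event records are constructed, and the field names, the 30-minute window, the baseline table, and the function name are assumptions; the operation and parameter names are modeled on Microsoft 365 audit operations and the Exchange Online inbox-rule cmdlets.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed; wider than the 14 minutes the report cites
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
RISKY_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}

# Constructed baseline and events (not real telemetry); field names are illustrative.
KNOWN_IPS = {"alice@example.com": {"198.51.100.7"},
             "bob@example.com": {"192.0.2.10"},
             "carol@example.com": {"192.0.2.20"}}
EVENTS = [
    {"time": "2025-06-02T09:00:00", "user": "alice@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "params": {}},
    {"time": "2025-06-02T09:05:00", "user": "alice@example.com", "op": "New-InboxRule",
     "ip": "198.51.100.7", "params": {"ForwardTo": "assistant@example.com"}},
    {"time": "2025-06-02T10:00:00", "user": "bob@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.50", "params": {}},
    {"time": "2025-06-02T10:14:00", "user": "bob@example.com", "op": "New-InboxRule",
     "ip": "203.0.113.50", "params": {"ForwardTo": "ext@example.net", "DeleteMessage": True}},
    {"time": "2025-06-02T11:00:00", "user": "carol@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.99", "params": {}},
    {"time": "2025-06-02T13:00:00", "user": "carol@example.com", "op": "Set-InboxRule",
     "ip": "203.0.113.99", "params": {"RedirectTo": "ext@example.net"}},
]

def find_rule_after_new_ip(events, known_ips, window=WINDOW):
    """Return alerts where a risky inbox rule follows a sign-in from an unseen IP."""
    first_seen = {}  # (user, ip) -> first sign-in time from an IP outside the baseline
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["ip"])
        if ev["op"] == "UserLoggedIn":
            if ev["ip"] not in known_ips.get(ev["user"], set()):
                first_seen.setdefault(key, ts)
        elif ev["op"] in RULE_OPS and key in first_seen:
            # Keep only rule actions that move mail out of the victim's view.
            risky = sorted(p for p in RISKY_PARAMS if ev["params"].get(p))
            delay = ts - first_seen[key]
            if risky and delay <= window:
                alerts.append({"user": ev["user"], "ip": ev["ip"],
                               "minutes": delay.total_seconds() / 60, "actions": risky})
    return alerts

if __name__ == "__main__":
    for alert in find_rule_after_new_ip(EVENTS, KNOWN_IPS):
        print(alert)
```

Only the second user is flagged: the first creates a forwarding rule from a baseline address, and the third falls outside the window, which shows why the window length is a tuning decision rather than a fixed value.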
Email Bombing and Help Desk Impersonation Attacks Surge Dramatically
Beyond phishing and BEC, the report documents a sharp increase in email bombing combined with IT Help Desk impersonation attacks, which rose 14 times year over year in 2025. These attacks overwhelm victims with massive volumes of emails while attackers pose as IT support personnel to trick employees into surrendering credentials or approving malicious actions. The legal industry emerged as the most heavily targeted sector for this tactic, reflecting attackers’ understanding of how operational pressure and urgency can be exploited to bypass normal verification procedures. This trend highlights how attackers are increasingly blending social engineering with technical noise to manipulate human behavior at scale.
Ransomware Remains a Persistent and Evolving Threat
Ransomware continued to rank among the top cyber threats in 2025, with Business Services, Construction, and Finance sectors facing the highest levels of activity. TRU observed sustained operations from prominent ransomware groups including Akira, RansomHub, Interlock, BlackBasta, and Sinobi, each employing evolving tactics to evade detection and maximize impact. While ransomware incidents often capture headlines, the report emphasizes that many ransomware attacks are preceded by identity compromise and credential theft, reinforcing the interconnected nature of modern cyber threats.
ClickFix and Malware Delivery Techniques Gain Momentum
The report also highlights a significant rise in the ClickFix lure, an initial access technique that increased nearly 300% year over year and now represents more than 30% of all malware delivery cases analyzed by TRU. Malware-related threats remained consistent overall, accounting for 25% of cyber cases, with information stealers emerging as the most prominent category. Information stealer activity increased 30%, with a 14% rise in distinct stealer variants, signaling intensified competition and innovation within the cybercriminal ecosystem.
Industry-Specific Threat Trends Reveal Uneven Impact
eSentire’s industry analysis shows that customers in the Software sector experienced the highest number of threat cases, with a 15% year-over-year increase, followed by Manufacturing at 32% and Business Services at 8%. Conversely, the Construction sector benefited from a 27% decrease in cyber incidents, largely due to improvements in detecting and shutting down credential phishing and BEC campaigns. Legal sector customers also saw fewer overall incidents but faced elevated risk from email bombing and help desk impersonation attacks, illustrating how threat patterns can vary significantly across industries.
2026 Threat Landscape Signals Escalating Risk
Looking ahead, eSentire warns that none of the major threats identified in the report show signs of declining in 2026. Instead, the continued commoditization of cybercrime services, combined with rapid advances in artificial intelligence, is expected to further lower the barrier to entry for attackers. AI-produced malware, AI-enhanced phishing and vishing campaigns, and underground large language models are poised to amplify the scale and realism of attacks. At the same time, competition among information stealer malware families such as Stealc, Vidar, Cyber Stealer, Amatera Stealer, AMOS Stealer, and DarkCloud is expected to intensify.
Critical Infrastructure and Insider Threats Gain Prominence
The report also forecasts an increase in cyberattacks targeting critical infrastructure, including power grids and water treatment facilities, as well as a rise in the recruitment of corporate insiders by threat actors. These trends reflect a broader shift toward high-impact targets and long-term infiltration strategies that extend beyond traditional financial motives. According to Hutchinson, the combination of accessible cybercrime services and AI-driven capabilities has made the cybercrime business more dangerous than ever, with consequences that extend far beyond individual organizations.
A Call to Action for Organizations Worldwide
eSentire’s 2025 Year in Review and 2026 Threat Landscape Outlook serves as a clear call to action for businesses to rethink how they defend against cyber threats in an era where identities are under constant attack. The findings underscore that traditional perimeter defenses are no longer sufficient and that organizations must adopt identity-centric security strategies, continuous monitoring, and rapid response capabilities to stay ahead of increasingly industrialized cybercrime operations. As attackers continue to innovate and collaborate, the report makes clear that resilience, vigilance, and proactive defense will define which organizations can withstand the next wave of cyber threats.




