Phishing platforms, infostealers blamed as identity attacks soar
A rise in advanced phishing kits and info-stealing malware is to blame for a 156 percent jump in cyberattacks targeting user logins, say researchers.
Security shop eSentire says identity-based attacks have soared since last year, and now make up 59 percent of all investigations carried out by its experts. Organizations, it added, should be on high alert for financially motivated crimes.
It’s particularly worried about the increased likelihood that these identity attacks will lead to business email compromise (BEC) schemes and ransomware disasters.
Followers of the FBI’s stats will know that while BEC attacks don’t have the same degree of infamy attached to them as ransomware, they are more costly to organizations.
Figures from last year showed that BEC attacks, cases involving the impersonation of support staff a la Scattered Spider, and even investment fraud, all contributed to greater financial losses, deep into the 10-digit range.
Phishing-as-a-service platforms such as Tycoon 2FA are democratizing these kinds of attacks thanks to their sophisticated capabilities and relatively low cost.
For just $200-300 per month, these kinds of toolkits offer convincing pre-made phishing pages for the major workplace platforms, such as Microsoft 365 and Google Workspace, as well as adversary-in-the-middle (AitM) functions to steal session cookies and bypass MFA.
“The technical sophistication of these services rivals that of legitimate security tools, complete with user interfaces, customer support, and regular updates to counter defensive measures,” said eSentire in a report [PDF] shared with The Register ahead of publication.
Tycoon 2FA has emerged as the dominant phishing tool since hitting the shelves in 2023, thanks to its low price and robust capabilities, and the team behind it claims to have more than 2,000 monthly subscribers.
With BEC attacks, the Tycoon 2FA customer will typically identify their favored target for the phishing email in a given organization’s accounts receivable department, and then work with the platform’s team to craft and send a convincing phishing email, eSentire said.
The email is usually sent from a trusted source and contains a link to a phishing page, which silently captures the genuine credentials the duped target enters and relays them back to the Tycoon 2FA customer.
From there, the criminals will monitor the inbox and keep tabs on regular high-value payments made to the organization. After some time, they will intercept an invoice from a trusted vendor, for example, alter the details such as the sum to be paid and the destination account, and ensure the payment is made to the criminals instead of the real organization.
The number of attacks involving the compromise of business email accounts has increased 60 percent year over year, eSentire reckons, to 41 percent of all attacks in Q1 2025.
And for those who can’t afford the $200-300 outlay for Tycoon 2FA, that’s where infostealers come into play. As little as $10 can unlock access to various logs gathered by info-grabbing malware, offering a more hands-off approach to email compromise.
“Each log consists of the data stolen from one infected device, and this log can potentially contain dozens of account credentials from a corporate user or private individual,” said eSentire.
From the recently misreported 16 billion leaked passwords story to potentially failed Fed takedowns, infostealers have attracted much of the infosec limelight of late.
Using infostealer logs as the primary tool to launch a BEC or ransomware attack may be less successful, as these logs are often padded with old credentials to make them seem more attractive to buyers.
Such old credentials end up being useless, since most organizations will have rotated them between the time they were stolen and the time they are bought in a log containing hundreds of thousands of others like them.
However, it only takes one email compromise to infiltrate an organization, so some may view the infostealer route as preferable to a sophisticated, costlier phishing campaign, albeit a less reliable one.
“The ROI for identity-based attacks far exceeds that of traditional malware or vulnerability exploitation, creating strong incentives for hackers to focus on stealing your employees’ credentials for their Microsoft business accounts, password manager databases, bank and credit card accounts, crypto wallets, and other valuable accounts,” eSentire said.
“Therefore, TRU does not expect to see identity-based attacks decline anytime soon and the Phishing-as-a-Service and Infostealer Malware-as-a-Service offerings continue to improve their ability to steal high-value credentials and not be detected.”
The security industry’s move toward pushing passkeys as the primary, new mainstream form of account authentication comes against this backdrop of rising email compromises.
Passkeys are being tipped as a phishing-resistant form of account authentication, and Microsoft customers will be well aware of them already, since they are now the default authentication method.
Passkeys rely on methods such as public key pairing and biometrics to replace passwords entirely, effectively nullifying the impact of infostealers and phishing pages, however sophisticated they may be.
Earlier phishing-resistant authentication protocols came in various forms, such as hardware FIDO keys, which meant accounts couldn’t be accessed without the physical key on the account holder’s person. Passkeys are more convenient.
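To make concrete why a passkey assertion cannot be relayed by an AitM phishing page the way a password and MFA code can, here is an added example (not from the eSentire report or The Register) that models the origin binding in a WebAuthn assertion. RP_ID, RP_ORIGIN and the lookalike domain are constructed values, and an HMAC over the same signed fields stands in for the credential's asymmetric signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party (RP) identity; any real deployment uses its own.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"


def authenticator_sign(cred_secret: bytes, challenge: str, origin: str) -> dict:
    """Model of what browser + authenticator return for navigator.credentials.get().
    The browser, not the web page, fills in `origin`, so a proxy page on a
    lookalike domain cannot claim RP_ORIGIN. (A real browser would also refuse to
    use an example.com credential from another domain at all; the RP-side origin
    check below is the second line of defence.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    # authenticatorData = rpIdHash || flags (UP bit set); counter etc. omitted
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, cred_secret: bytes, expected_challenge: str) -> bool:
    """RP-side checks: type, fresh challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False  # replayed or foreign challenge
    if cd.get("origin") != RP_ORIGIN:
        return False  # assertion was produced for another site, e.g. a phishing proxy
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> tuple:
    """Returns (legit login accepted, relayed-through-lookalike login accepted)."""
    secret = secrets.token_bytes(32)        # constructed credential key
    challenge = secrets.token_urlsafe(32)   # challenge issued by the RP
    legit = authenticator_sign(secret, challenge, RP_ORIGIN)
    # The proxy forwards the genuine challenge, but the victim's browser stamps
    # the lookalike origin into clientDataJSON, so the RP rejects it.
    relayed = authenticator_sign(secret, challenge, "https://example-login.com")
    return rp_verify(legit, secret, challenge), rp_verify(relayed, secret, challenge)
```

The same structure is why a stolen password plus OTP relays cleanly while a passkey does not: nothing in the password flow names the site the user actually typed into.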
In addition to deploying passkeys or anything else to prevent successful phishing attacks affecting employee accounts, eSentire said comprehensive monitoring capabilities should be up and running to detect identity attacks early on, and rapid incident response procedures should be ironed out.
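One monitoring check that fits the AitM session-cookie theft described above, as an added example rather than anything from the report: flag a session whose cookie is used from a source IP and client fingerprint different from the ones that established it, within a short window. The sign-in events are constructed, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in/activity events: (timestamp, session_id, source_ip, user_agent).
# A cookie captured by an AitM kit is replayed from the attacker's infrastructure,
# so the same session id appears with an IP and client the login never had.
EVENTS = [
    ("2025-06-01T09:00:05", "sess-7f3a", "203.0.113.10", "Edge/125 Windows"),
    ("2025-06-01T09:02:11", "sess-7f3a", "203.0.113.10", "Edge/125 Windows"),
    ("2025-06-01T09:04:40", "sess-7f3a", "198.51.100.77", "python-requests/2.32"),
    ("2025-06-01T09:30:00", "sess-19c2", "192.0.2.44", "Chrome/126 macOS"),
    ("2025-06-01T09:31:00", "sess-19c2", "192.0.2.44", "Chrome/126 macOS"),
]


def find_replayed_sessions(events, window_minutes=60):
    """Return {session_id: [(ip, user_agent), ...]} for sessions used from an
    (ip, user_agent) pair other than the one that first established them,
    within `window_minutes` of that first use.

    An IP change alone is common on mobile networks; requiring the client
    fingerprint to change as well keeps the alert rate tolerable."""
    first_seen = {}
    suspects = defaultdict(list)
    for ts, sid, ip, ua in sorted(events):
        t = datetime.fromisoformat(ts)
        if sid not in first_seen:
            first_seen[sid] = (t, ip, ua)
            continue
        t0, ip0, ua0 = first_seen[sid]
        if ip != ip0 and ua != ua0 and (t - t0).total_seconds() <= window_minutes * 60:
            suspects[sid].append((ip, ua))
    return dict(suspects)
```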
“Looking toward the future, organizations must prepare for continued evolution in identity-based attack techniques,” the security shop’s report read. “The organizations that invest in comprehensive identity security architectures today will be best positioned to adapt to these future developments while maintaining effective protection against current threats.
“Organizations can either proactively transform their security architectures to address identity-centric threats, or they can continue operating with obsolete security programs until a successful attack forces reactive changes under crisis conditions.” ®