A surge in identity-driven cyber-attacks targeting employee login credentials has been observed by cybersecurity researchers.
According to a new report by eSentire’s Threat Response Unit (TRU), between 2024 and the first quarter of 2025, 19,000 identity-related cyber investigations revealed a 156% increase in such threats compared to 2023.
These incidents now account for 59% of all confirmed threats across eSentire’s customer base of over 2000 organizations.
Phishing-as-a-Service Drives Credential Theft
One of the biggest enablers of this trend is Tycoon 2FA, a phishing-as-a-service (PhaaS) platform that helps cybercriminals steal Microsoft business account credentials and session cookies.
From January to May 2025, Tycoon 2FA emerged as the leading PhaaS tool, surpassing rivals like EvilProxy and Sneaky 2FA.
Renting the platform costs between $200 and $300 a month and includes:
- Email templates spoofed to look like trusted sources
- Advanced adversary-in-the-middle (AitM) capabilities to bypass MFA
- Anti-debugging and evasion tools
- Built-in credential exfiltration
- Customer support and regular updates
Attackers use Tycoon 2FA to execute business email compromise (BEC) schemes by targeting employees in accounts receivable roles, harvesting their credentials and manipulating invoices to reroute payments to attacker-controlled bank accounts.
Infostealers Offer Cheaper, Scalable Alternatives
For attackers seeking low-cost options, infostealer malware offers a vast supply of credentials. Logs stolen using tools like Lumma Stealer are sold on underground markets for as little as $10.
Each log may include dozens of credentials from:
- Email and banking services
- Password manager databases
- Crypto wallets and browser extensions
- VPNs, FTP clients and local files
Operating since 2022, Lumma Stealer is known for its automation, which includes built-in filters to identify high-value data. This reduces the time needed to exploit stolen credentials and speeds up resale on markets like Russian Market.
Credential Theft Offers High Payoff for Threat Actors
The FBI confirmed that it has tracked over 300,000 BEC incidents globally since 2013, resulting in $55 billion in losses.
With infostealers accounting for 35% of all malware threats disrupted by eSentire in Q1 2025, identity-based attacks now offer a higher return than traditional exploits.
eSentire’s TRU expects these threats to persist and urges organizations to adopt phishing-resistant authentication, zero-trust strategies and real-time access monitoring.
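As an added illustration of the "real-time access monitoring" recommendation, and of why the AitM session-cookie theft described earlier defeats MFA alone, here is a small Python check (example code, not part of eSentire's report or any vendor product) that flags a session token reused from a different source IP and browser shortly after the login that minted it. The log records, field layout and the 30-minute window are constructed assumptions for the example.

```python
"""Flag likely session-cookie replay after an AitM phish.

Constructed example: each record is one authenticated request as an identity
provider or reverse proxy would log it. A session token that reappears from a
different source IP *and* a different user agent within a short window of its
first use is the footprint of a replayed cookie rather than a roaming user.
"""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, session_id, user, src_ip, user_agent).
# Session s1 is minted by the real user, then replayed from an unrelated host;
# session s2 is a normal session used consistently from one client.
EVENTS = [
    ("2025-05-02T09:00:00", "s1", "ap@corp.example", "203.0.113.10", "Edge/124 Windows"),
    ("2025-05-02T09:00:05", "s1", "ap@corp.example", "203.0.113.10", "Edge/124 Windows"),
    ("2025-05-02T09:03:40", "s1", "ap@corp.example", "198.51.100.77", "Chrome/120 Linux"),
    ("2025-05-02T10:15:00", "s2", "bob@corp.example", "203.0.113.22", "Edge/124 Windows"),
    ("2025-05-02T10:16:00", "s2", "bob@corp.example", "203.0.113.22", "Edge/124 Windows"),
]


def find_replayed_sessions(events, window=timedelta(minutes=30)):
    """Return (session_id, user, first_ip, new_ip) for every session whose token
    is reused from a different IP and user agent within `window` of first use.
    Each session is reported at most once; the caller would revoke it."""
    first_seen = {}   # session_id -> (first timestamp, first ip, first user agent)
    reported = set()
    hits = []
    for ts, sid, user, ip, ua in sorted(events):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        if sid not in first_seen:
            first_seen[sid] = (t, ip, ua)
            continue
        t0, ip0, ua0 = first_seen[sid]
        if sid not in reported and ip != ip0 and ua != ua0 and t - t0 <= window:
            reported.add(sid)
            hits.append((sid, user, ip0, ip))
    return hits


if __name__ == "__main__":
    for sid, user, ip0, ip in find_replayed_sessions(EVENTS):
        print(f"revoke session {sid} for {user}: minted from {ip0}, replayed from {ip}")
```

Real deployments would key on the token hash rather than the raw session ID and feed the result to an automated revocation step, since the stolen cookie is valid until it is invalidated.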