Identity-based attacks surge 159% amid boom in phishing kits and info-stealing malware
- Marijan Hassan - Tech Journalist
- Jul 18
A new report by cybersecurity firm eSentire reveals a staggering 159% rise in identity-based cyberattacks, driven by the growing popularity of advanced phishing kits and low-cost info-stealing malware. These attacks now account for nearly 60% of all incidents investigated by the company, signaling a dangerous shift toward credential-focused threats that could lead to business email compromise (BEC) and ransomware.

Among the most popular toolkits is Tycoon 2FA, a phishing-as-a-service (PhaaS) platform that is available for as little as $200–300 a month. The platform allows cybercriminals to easily bypass multi-factor authentication (MFA) by using Adversary-in-the-Middle (AitM) tactics to steal session cookies and user credentials from convincing fake login pages mimicking Microsoft 365, Google Workspace, and other enterprise platforms.
“The technical sophistication of these services rivals that of legitimate security tools,” eSentire warned in its report. “They come with user interfaces, support teams, and regular updates designed to outpace defenders.”
BEC: Costlier than ransomware
While ransomware often makes headlines, the FBI reports that BEC attacks cause far more financial damage. These scams frequently involve attackers impersonating trusted employees or vendors to hijack invoice payments.
Tycoon 2FA customers, for example, typically target an organization’s accounts receivable team, send well-crafted phishing emails, and then quietly monitor inboxes for opportunities to reroute funds.
According to eSentire, BEC-related intrusions increased 60% year-over-year and now represent 41% of all attacks in Q1 2025.
Info-stealers: The cheaper alternative
Not every cybercriminal can afford Tycoon 2FA. For those on a tighter budget, info-stealing malware offers a cheaper route. For just $10, attackers can buy logs of stolen credentials from infected devices, sometimes containing dozens of login details per victim.
These logs, however, are often outdated or padded with junk data. Still, it only takes one valid credential for an attacker to gain a foothold.
“Compared to exploiting software vulnerabilities, stealing employee credentials offers a far greater return on investment,” eSentire noted. “This reality fuels the cybercrime economy and will likely keep identity-based attacks on the rise.”
All eyes on passkeys
In response, major tech players are turning to phishing-resistant authentication solutions like passkeys, which use public-private key cryptography and biometrics to eliminate traditional passwords. Microsoft has already made passkeys the default authentication method for its users, marking a significant shift in the battle against identity fraud.
Earlier solutions like hardware-based FIDO keys offered similar protection but were cumbersome to scale. Passkeys promise more convenience without sacrificing security, nullifying threats posed by phishing kits and info-stealers alike.
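Why a relayed login page of the AitM kind described above fails against a passkey, shown as an added example (not from the eSentire report or this article): the checks a WebAuthn relying party runs on a sign-in assertion, in Node.js. The host names, key pair and function names are constructed for illustration, and the authenticator is simulated in software.

```javascript
// Added example: relying-party checks on a WebAuthn (passkey) assertion.
// RP_ID, ORIGIN and the look-alike hostname are constructed placeholders.
const crypto = require('node:crypto');

const RP_ID = 'login.example.com';
const ORIGIN = 'https://login.example.com';
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Simulated authenticator key pair; the private key never leaves the device.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// What browser + authenticator return for the page the user is really on.
// The browser, not the page's script, writes `origin` into clientDataJSON.
function signAssertion(pageOrigin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: pageOrigin }));
  // authenticatorData = rpIdHash (32 bytes) || flags (0x05 = UP|UV) || signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server-side verification: returns 'ok' or the name of the first failed check.
function verifyAssertion(a, expectedChallenge) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'bad challenge';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

const challenge = crypto.randomBytes(32);
// 1. Direct sign-in on the real site.
const direct = verifyAssertion(signAssertion(ORIGIN, RP_ID, challenge), challenge);
// 2. User is on a look-alike page relaying the real challenge. Worst case assumed:
//    the key signs anyway (real authenticators scope credentials to the RP ID).
const lookalike = 'login.example-sso.test';
const relayed = signAssertion(`https://${lookalike}`, lookalike, challenge);
const viaProxy = verifyAssertion(relayed, challenge);
// 3. Relay rewrites origin and rpIdHash in transit: the signature no longer matches.
const rewritten = { ...relayed,
  clientDataJSON: Buffer.from(relayed.clientDataJSON.toString().replace(lookalike, RP_ID)),
  authenticatorData: Buffer.concat([sha256(RP_ID), relayed.authenticatorData.subarray(32)]) };
const viaProxyRewritten = verifyAssertion(rewritten, challenge);
console.log({ direct, viaProxy, viaProxyRewritten });
```

A password or one-time code typed into the same look-alike page carries no origin and no signature, which is why it can be relayed unchanged.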
The path forward: Proactive defense
eSentire recommends that organizations urgently invest in identity-centric security strategies. These include:
- Enforcing phishing-resistant authentication like passkeys or FIDO2 keys
- Deploying real-time identity monitoring solutions
- Establishing rapid incident response protocols
“Organizations must prepare for continued evolution in identity-based attack techniques,” the report concluded. “You can either build resilience now, or wait until an identity breach forces you to react under pressure.”













