The past several years have seen a dramatic rise in identity-based attacks, a concerning trend that puts many individuals and organizations in danger and has made identity one of the most significant threat vectors in modern digital environments. With the growing popularity of remote and hybrid working, bring-your-own-device setups, and cloud infrastructure, compromising user identities is often easier and more successful than more traditional attacks that take advantage of technical vulnerabilities.
The Phishing-as-a-Service Economy
Threat research carried out by eSentire’s Threat Response Unit (TRU) on identity-related security incidents has recently been compiled and analyzed in the report Identity-Centric Threats: The New Reality. The threat data shows a 156% increase in identity-driven threats since 2023, with these threats now making up 59% of threat cases in Q1 2025.
A major factor in this increase is the growth of phishing-as-a-service (PhaaS). Phishing kits like Typhoon 2FA empower threat actors to carry out credential harvesting with the ability to bypass multi-factor authentication (MFA) measures. These are highly effective tactics that enable cybercriminal activity with little upfront investment of time and effort—some PhaaS platforms can cost as little as $200-300 USD per month for enterprise-grade phishing services.
Business Email Compromise Goes Mainstream
The dominant threat noted in the report is business email compromise (BEC), which showed a 60% increase year-over-year, rising from 25.6% of identity-related incidents in 2024 to 41% of total cases in Q1 2025. These BEC campaigns have developed more sophisticated execution timelines and social engineering tactics in order to exploit credentials for financial gain, fraud, and other nefarious purposes.
While BEC is not a new or extremely sophisticated type of attack, it retains effectiveness even in the face of many traditional security measures. The use of social engineering and deception enables attackers to obtain their targets’ trust and often bypass security technology. By impersonating a trusted figure in the target’s life, these attacks leverage human weaknesses to compromise important accounts and data.
Adversary-in-the-Middle: Bypassing MFA
PhaaS platforms often include adversary-in-the-middle (AitM) functionality that helps attackers circumvent MFA through real-time interception of credentials and tokens. These phishing platforms capture not only credentials but also session tokens, which attackers can replay later in the process to evade MFA.
“The significant increase in Adversary-in-the-Middle (AitM) attacks demonstrates how reliant many organizations are on weaker non-phishing resistant forms of MFA that are vulnerable to session hijacking or worse, use no MFA at all,” says James Maude, Field CTO at BeyondTrust, highlighting the risks of leaving these fundamental security gaps. “The real danger is often the privileges and access the compromised identity has, as one identity could have access to dozens of systems or accounts, each with their own privileges and risks.”
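Because an AitM kit replays a session token that was issued after a legitimate MFA prompt, one defensive signal is a session that is later used from a different network or client than the one that completed MFA. The following is an added example, not code from the eSentire report or the original article; the event field names, the sample log lines, and the /24 and /64 tolerance for ordinary address churn are all assumptions.

```python
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "session_id user bound_net seen_ip reason")

# Constructed sample events (not from any real tenant); field names are assumptions.
EVENTS = [
    {"ts": "2025-03-03T09:00:12Z", "user": "alice", "session_id": "s-1001",
     "ip": "198.51.100.23", "ua": "Chrome/133 Windows", "event": "mfa_success"},
    {"ts": "2025-03-03T09:04:40Z", "user": "alice", "session_id": "s-1001",
     "ip": "198.51.100.87", "ua": "Chrome/133 Windows", "event": "token_use"},
    {"ts": "2025-03-03T09:06:02Z", "user": "alice", "session_id": "s-1001",
     "ip": "203.0.113.50", "ua": "python-requests/2.31", "event": "token_use"},
    {"ts": "2025-03-03T10:15:00Z", "user": "bob", "session_id": "s-2002",
     "ip": "2001:db8:1::10", "ua": "Safari/17 macOS", "event": "mfa_success"},
    {"ts": "2025-03-03T10:20:00Z", "user": "bob", "session_id": "s-2002",
     "ip": "2001:db8:1::99", "ua": "Safari/17 macOS", "event": "token_use"},
]

def network_of(ip):
    """Coarse client network: /24 for IPv4, /64 for IPv6 (tolerates DHCP churn)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_replayed_sessions(events):
    """Flag sessions used from a network or client other than the one bound at MFA."""
    bound = {}      # session_id -> (network, user agent) seen when MFA completed
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        if ev["event"] == "mfa_success":
            bound[sid] = (network_of(ev["ip"]), ev["ua"])
            continue
        if sid not in bound:  # token seen with no recorded MFA: treat as suspicious
            findings.append(Finding(sid, ev["user"], None, ev["ip"], "no MFA event"))
            continue
        net, ua = bound[sid]
        reasons = []
        if ipaddress.ip_address(ev["ip"]) not in net:
            reasons.append("new network")
        if ev["ua"] != ua:
            reasons.append("new user agent")
        if reasons:
            findings.append(Finding(sid, ev["user"], str(net), ev["ip"],
                                    " + ".join(reasons)))
    return findings
```

A finding is a lead for investigation rather than proof of compromise, since VPN changes and mobile roaming also move a session between networks.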
The Rise of Infostealers-as-a-Service
According to the report, infostealers are a major part of the threat landscape and the cybercrime-as-a-service ecosystem. In 2025, infostealers account for 35% of all disrupted malware threats, demonstrating their popularity and success in gathering intelligence for bad actors to use in their attacks. The growth of these cybercriminal services empowers attackers to carry out effective attacks using infostealers without the need for specific expertise or skill in that area.
Browser-stored passwords, while a convenient aid for countless users, are prime targets for these attacks, as infostealers are able to extract many passwords from the same source. This endangers credentials from all sites, including those used for personal and business purposes. Cybercriminals have built up a sophisticated marketplace for stolen and compromised credentials available on the dark web.
The Browser Becomes the Battleground
Menlo Security’s recent State of Browser Security report features alarming statistics regarding browser-based security incidents. The report is based on over 752,000 browser-based phishing attacks in the span of one year. Browser-based attacks remain popular and continue to grow more sophisticated, and many of them use evasive, browser-specific techniques to increase their success.
The browser is the center of many essential operations in personal and business use, from social media accounts to sensitive email communications. With attackers increasingly targeting browsers, including browser-stored passwords that can grant access to many of the target’s accounts at once, it is as important as ever to take steps to secure internet browsers against threats.
Rethinking Identity Security
With these advanced attacks growing in popularity and giving attackers the ability to bypass traditional security measures like MFA, it is crucial for organizations and individuals to look beyond those measures to protect themselves effectively. Browser security, identity threat detection, and continuous authentication are necessary for preventing browser-based and identity-based attacks. Security awareness remains a vital part of any strategy, and companies are encouraged to look into newer tools with the ability to defend against advanced attacks.
Protecting Identity in the New Threat Landscape
In a digital landscape where bad actors continue to evolve their tactics to launch more successful attacks at higher volumes, it is essential to prioritize proactive identity and browser defense. Organizations and individuals alike should be aware of the risks of identity-based attacks and take steps to protect against them.