Enterprise Credential Crisis Looms as Infostealers Target SSO
- 1 in 5 infostealer malware infections could expose enterprise login credentials by Q3 2026
- 14% of infostealer infections in 2025 contained SSO/IdP credentials
- 1.17 million logs contained both enterprise credentials and session cookies to bypass MFA
Experts warn that cybercriminals are increasingly targeting enterprise credentials through infostealers, prioritizing high-value corporate access over mass consumer data theft, necessitating a shift to Zero Trust security models.
MONTREAL, QC – February 02, 2026 – A chilling new report warns that the nature of cybercrime is undergoing a fundamental and dangerous transformation, with attackers rapidly shifting their focus from widespread consumer data theft to high-value corporate credentials. Research released today by threat exposure management firm Flare predicts that if current trends hold, one in five infostealer malware infections could expose sensitive enterprise login credentials as early as the third quarter of 2026.
The firm's "2026 State of Enterprise Infostealer Exposure" report, based on an analysis of 18.7 million malware logs from 2025, reveals a dramatic acceleration in the compromise of corporate identities. The findings show that more than one in ten infostealer infections last year already contained credentials for enterprise Single Sign-On (SSO) or Identity Provider (IdP) systems. In total, 2.05 million distinct malware logs exposed corporate identity credentials, granting cybercriminals a potential key to unlock everything from internal systems and cloud infrastructure to sensitive SaaS platforms.
A Structural Shift in Attacker Economics
Perhaps the most alarming trend highlighted in the report is a strategic pivot in cybercriminal operations. Despite a 20% year-over-year decline in the total volume of infostealer infections detected in 2025, the rate of enterprise identity exposure more than doubled, climbing from approximately 6% in early 2024 to nearly 14% by the end of 2025. Preliminary data from the final months of the year showed this figure surging to 16%, outpacing predictive models and signaling a rapid escalation.
This divergence points to a structural shift in attacker economics. Cybercriminals are increasingly prioritizing quality over quantity, recognizing that a single compromised set of enterprise credentials is far more lucrative than thousands of consumer logins. This "less is more" approach means that while overall infection numbers may fall, the impact of each successful infection is far greater. A single infected machine on a corporate or personal network can now serve as a direct gateway into the heart of an enterprise, drastically reducing the time between initial compromise and significant business impact.
This evolution reflects the high value of corporate access on dark web marketplaces. Initial access brokers (IABs) leverage infostealer logs to gain footholds in corporate networks, which are then sold to the highest bidder—often ransomware gangs or state-sponsored threat actors—for tens of thousands of dollars.
Centralized Identity: A Double-Edged Sword
The report underscores how the widespread enterprise adoption of centralized identity platforms has inadvertently created a highly concentrated and valuable target. Systems like Microsoft Entra ID, Okta, and AWS IAM Identity Center are designed to streamline access and improve usability by allowing employees to log in to multiple applications with a single set of credentials. While this consolidation enhances baseline security in many ways, it also funnels immense risk into a single point of failure.
According to Flare's data, Microsoft Entra ID (formerly Azure Active Directory) is the most impacted provider by a significant margin, appearing in a staggering 79% of all analyzed logs containing enterprise identity credentials. This dominance reflects its vast market share, making it a primary target for attackers seeking the broadest possible access from a single compromise.
“Centralized identity has become the control plane of the modern enterprise,” said Estelle Ruellan, a cybersecurity researcher at Flare, in the report's announcement. “What this data shows is that attackers understand that shift very well. When an infostealer infection succeeds today, it’s increasingly likely to deliver direct access to the systems organizations depend on most.”
The risk is compounded by interconnected systems. The report found that over 18% of the compromised enterprise identity logs exposed credentials for multiple identity providers, dramatically increasing the potential blast radius of a breach and complicating incident response efforts for security teams.
Bypassing the Guards: How Session Cookies Undermine MFA
For years, Multi-Factor Authentication (MFA) has been championed as a critical defense against credential theft. However, modern infostealers have evolved to circumvent this protection by stealing not just passwords, but active session cookies. When a user successfully authenticates with MFA, their browser stores a session token, or cookie, that keeps them logged in.
Infostealer malware is explicitly designed to find and exfiltrate these cookies from an infected machine. An attacker can then inject this stolen cookie into their own browser, effectively hijacking the authenticated session and gaining access to the user's accounts without needing a password or an MFA prompt. The system recognizes the valid session token and grants access, rendering the MFA check moot.
Flare's analysis found that this is not a theoretical threat. A massive 1.17 million of the collected logs contained both enterprise credentials and the session cookies needed to bypass MFA, enabling immediate and unauthorized access. This technique is a primary method for gaining entry into secure corporate environments and is a direct contributor to the rise of major ransomware and data exfiltration incidents.
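The hijack described above leaves a trace that a security team can hunt for: the same session identifier appearing from a client other than the one that completed the sign-in and MFA prompt. The following is an added example, not code from the report or from Flare, of a small detector run over constructed sign-in and session-activity records. The field names (`session_id`, `src_ip`, `user_agent`, `mfa`) and the sample values are assumptions for this illustration; real IdP logs differ.

```python
import json
from datetime import datetime, timezone

# Constructed sample IdP sign-in and session-activity records (JSON Lines).
# These are not real telemetry; the field names are assumptions for this example.
SAMPLE_LOG = """\
{"ts": "2026-01-14T09:02:11Z", "event": "signin", "user": "alice@example.com", "session_id": "s-7f3a", "src_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/121", "mfa": true}
{"ts": "2026-01-14T09:05:40Z", "event": "resource_access", "user": "alice@example.com", "session_id": "s-7f3a", "src_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/121", "mfa": false}
{"ts": "2026-01-14T09:31:02Z", "event": "resource_access", "user": "alice@example.com", "session_id": "s-7f3a", "src_ip": "198.51.100.77", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/122", "mfa": false}
{"ts": "2026-01-14T10:00:00Z", "event": "signin", "user": "bob@example.com", "session_id": "s-91c2", "src_ip": "203.0.113.22", "user_agent": "Mozilla/5.0 (Macintosh) Safari/17", "mfa": true}
{"ts": "2026-01-14T10:07:13Z", "event": "resource_access", "user": "bob@example.com", "session_id": "s-91c2", "src_ip": "203.0.113.22", "user_agent": "Mozilla/5.0 (Macintosh) Safari/17", "mfa": false}
{"ts": "2026-01-14T11:15:45Z", "event": "resource_access", "user": "carol@example.com", "session_id": "s-c0de", "src_ip": "192.0.2.200", "user_agent": "python-requests/2.31", "mfa": false}
"""


def parse_events(text):
    """Parse JSON Lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_session_replays(text):
    """Return one finding per session activity whose client does not match the
    client that completed the sign-in (and any MFA prompt) for that session."""
    origins = {}   # session_id -> the sign-in event that minted the session
    findings = []
    for ev in parse_events(text):
        sid = ev["session_id"]
        if ev["event"] == "signin":
            origins[sid] = ev
            continue
        origin = origins.get(sid)
        if origin is None:
            # A session in use without any observed sign-in: either a log gap or a
            # cookie that was minted elsewhere. Worth a look either way.
            findings.append({"session_id": sid, "user": ev["user"], "ts": ev["ts"],
                             "mismatches": ["no_signin_observed"],
                             "origin_mfa": None, "minutes_since_signin": None})
            continue
        # Compare the activity's client attributes with those recorded at sign-in.
        mismatches = [k for k in ("src_ip", "user_agent") if ev[k] != origin[k]]
        if mismatches:
            age = (ev["ts"] - origin["ts"]).total_seconds() / 60
            findings.append({"session_id": sid, "user": ev["user"], "ts": ev["ts"],
                             "mismatches": mismatches,
                             "origin_mfa": origin["mfa"],   # True means MFA was satisfied once, then bypassed
                             "minutes_since_signin": round(age, 2)})
    return findings


if __name__ == "__main__":
    for f in find_session_replays(SAMPLE_LOG):
        print(f"{f['ts']:%H:%M:%S} {f['user']} session={f['session_id']} "
              f"mismatch={','.join(f['mismatches'])} age_min={f['minutes_since_signin']}")
```

On the constructed sample, Alice's session is flagged because the second access comes from a different address and browser 29 minutes after an MFA-backed sign-in, which is exactly the shape of a replayed cookie; Bob's session, used consistently from one client, is not. An exact user-agent comparison is deliberately strict and will produce noise from browser updates and corporate NAT, so in production the comparison would normally be relaxed to a device identifier and combined with other signals before alerting.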
Fortifying the Gates in a New Era of Threats
In response to this escalating threat, security experts are urging organizations to move beyond traditional defenses and adopt a multi-layered, "assume breach" mentality. The focus must shift from merely preventing intrusion to rapidly detecting and containing compromises when they inevitably occur.
Key mitigation strategies include deploying advanced Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions. These tools can identify the behavioral indicators of infostealer malware—such as unusual process activity or network connections—and block the threat before it can exfiltrate data.
On the identity front, while no single solution is foolproof, a stronger posture is essential. This includes enforcing the use of phishing-resistant MFA, such as FIDO2 security keys, which are less susceptible to the social engineering attacks that often deliver infostealers. Furthermore, security teams are advised to implement adaptive authentication policies that continuously monitor user sessions for anomalous behavior. Binding sessions to specific device and network attributes, shortening session lifetimes, and requiring re-authentication for sensitive actions can help invalidate stolen session cookies.
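The three session controls named in that paragraph (binding to device and network attributes, bounded lifetimes, and step-up re-authentication for sensitive actions) fit naturally into one server-side session check. The block below is an added example of such a check, not code from the report or from any identity provider; the policy values, the `client_hint` standing in for a device-bound attribute such as a device certificate thumbprint, and the /24 network binding are all assumptions chosen for the illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network

# Illustrative policy values for this example, not recommendations from the report.
ABSOLUTE_LIFETIME = timedelta(hours=8)        # session dies regardless of activity
IDLE_TIMEOUT = timedelta(minutes=30)          # session dies after inactivity
STEP_UP_WINDOW = timedelta(minutes=5)         # sensitive actions need MFA this recent
SENSITIVE_ACTIONS = {"change_password", "add_mfa_device", "export_data"}


def device_fingerprint(user_agent: str, client_hint: str) -> str:
    """Hash of the client attributes the session is bound to. `client_hint` stands
    in for a device-bound value such as a device certificate thumbprint (assumed)."""
    return hashlib.sha256(f"{user_agent}\x00{client_hint}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    network: "IPv4Network | IPv6Network"
    created: datetime
    last_seen: datetime
    last_mfa: datetime
    revoked: bool = False


class SessionStore:
    """In-memory store keyed by opaque random token; a real deployment would persist this."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, user_agent, client_hint, src_ip, now):
        """Mint a session right after a successful MFA sign-in and record its binding."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(
            user=user,
            fingerprint=device_fingerprint(user_agent, client_hint),
            network=ip_network(f"{src_ip}/24", strict=False),   # coarse network binding (assumed)
            created=now, last_seen=now, last_mfa=now)
        return token

    def record_mfa(self, token, now):
        """Called after a successful step-up prompt on an existing session."""
        self._sessions[token].last_mfa = now

    def check(self, token, user_agent, client_hint, src_ip, action, now):
        """Return ALLOW, REAUTH_REQUIRED or DENY:<reason> for one request."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return "DENY:unknown_or_revoked"
        if now - s.created > ABSOLUTE_LIFETIME:
            s.revoked = True
            return "DENY:absolute_lifetime"
        if now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return "DENY:idle_timeout"
        if (device_fingerprint(user_agent, client_hint) != s.fingerprint
                or ip_address(src_ip) not in s.network):
            # A cookie presented by a different client is treated as stolen: the
            # whole session is revoked, so the legitimate user must sign in again too.
            s.revoked = True
            return "DENY:binding_mismatch"
        s.last_seen = now
        if action in SENSITIVE_ACTIONS and now - s.last_mfa > STEP_UP_WINDOW:
            return "REAUTH_REQUIRED"
        return "ALLOW"


UA_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/121"
UA_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/122"


def demo():
    """Walk one session through normal use, a step-up, and a replay from another client."""
    store = SessionStore()
    t0 = datetime(2026, 1, 14, 9, 0, tzinfo=timezone.utc)
    tok = store.create("alice@example.com", UA_WIN, "thumbprint-A", "203.0.113.10", t0)
    results = []
    # 1. Ordinary request from the same device and network shortly after sign-in.
    results.append(store.check(tok, UA_WIN, "thumbprint-A", "203.0.113.10", "read_mail", t0 + timedelta(minutes=3)))
    # 2. Sensitive action 20 minutes after the last MFA prompt: step-up required.
    results.append(store.check(tok, UA_WIN, "thumbprint-A", "203.0.113.10", "export_data", t0 + timedelta(minutes=20)))
    # 3. After a fresh MFA prompt the same action is allowed.
    store.record_mfa(tok, t0 + timedelta(minutes=21))
    results.append(store.check(tok, UA_WIN, "thumbprint-A", "203.0.113.10", "export_data", t0 + timedelta(minutes=22)))
    # 4. The same cookie presented from another browser and network is denied and the session revoked.
    results.append(store.check(tok, UA_LINUX, "thumbprint-B", "198.51.100.77", "read_mail", t0 + timedelta(minutes=25)))
    # 5. The original device is locked out too until it re-authenticates.
    results.append(store.check(tok, UA_WIN, "thumbprint-A", "203.0.113.10", "read_mail", t0 + timedelta(minutes=26)))
    return results


if __name__ == "__main__":
    for step, decision in enumerate(demo(), 1):
        print(step, decision)
```

The design choice worth noting is in step 4: a binding mismatch revokes the session rather than merely rejecting the one request, because once a cookie has been presented from an unexpected client the safe assumption is that it has been exfiltrated. Binding to a /24 is coarse and will break for mobile and some NAT deployments; the device-side attribute is the stronger half of the check, and the shorter the lifetimes in the policy, the smaller the window in which a stolen cookie remains usable.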
Ultimately, the trends identified in the report signal the need for a fundamental move toward a Zero Trust architecture, where trust is never assumed and every access request is continuously verified. As attackers become more targeted and sophisticated, enterprises must evolve their defenses to protect the new corporate crown jewels: the digital identities that unlock the entire organization.