Your Login is Their Payday: Cybercrime Services Fuel Attack Surge
- 389% increase in identity-based attacks targeting corporate account credentials in 2025
- 63% of compromised accounts linked to Phishing-as-a-Service (PhaaS) threats
- $2.8 billion in losses from Business Email Compromise (BEC) attacks in 2024 (FBI IC3)
Experts warn that the industrialization of cybercrime through Phishing-as-a-Service and AI-driven tools has drastically lowered the barrier to entry for attackers, necessitating more adaptive and intelligent defense strategies.
Your Login is Their Payday: How Cybercrime Services Are Fueling a Surge in Attacks
WATERLOO, Ontario – January 15, 2026 – A stunning new report reveals a tectonic shift in the cyber threat landscape, as identity-based attacks targeting corporate account credentials skyrocketed by an alarming 389% in 2025. The analysis, published by global cybersecurity provider eSentire, paints a grim picture of an industrialized criminal ecosystem where employee logins have become the primary target, turning the very identities of a company's workforce into the new gold for hackers.
According to the firm's “2025 YEAR IN REVIEW, 2026 THREAT LANDSCAPE OUTLOOK REPORT,” the attempted theft of corporate account credentials, particularly for ubiquitous platforms like Microsoft 365, comprised half of all attacks its security teams analyzed over the past year. This dramatic rise isn't the work of lone-wolf hackers but is instead fueled by a burgeoning black market of sophisticated, ready-to-use criminal toolkits that make launching devastating attacks more accessible than ever.
The New Gig Economy: Phishing-as-a-Service
The primary engine driving this account takeover epidemic is the proliferation of Phishing-as-a-Service (PhaaS) offerings. These are not rudimentary scam kits; they are subscription-based criminal enterprises. The report found that email-initiated account compromises soared from 37% to 55% of all security incidents, with PhaaS-related threats directly responsible for an astonishing 63% of all compromised accounts.
Platforms like Tycoon2FA, FlowerStorm, and EvilProxy operate like illicit cloud software companies, offering turnkey solutions for cybercriminals. They provide everything needed to mount a convincing attack: professionally designed phishing pages, hosting, and, most critically, reverse-proxy technology designed to defeat modern security controls. This technique allows attackers to intercept communications in real time, capturing not only usernames and passwords but also the session tokens issued once Multi-Factor Authentication (MFA) completes, rendering a key defense layer ineffective.
"These PhaaS kits are not made up of simple templates; they are comprehensive, continuously updated offerings, designed to bypass modern security controls, such as Multi-Factor Authentication," said Spence Hutchinson, Senior Manager of eSentire's Threat Response Unit (TRU) and the report's lead investigator. "It is the widespread availability and continuous evolution of these PhaaS kits that are fueling the account takeover epidemic that is impacting businesses."
This trend aligns with broader industry analyses, such as the Verizon 2024 Data Breach Investigations Report, which consistently identifies the "human element" and stolen credentials as a factor in the vast majority of security breaches.
The Multi-Billion Dollar Payday: Business Email Compromise
The ultimate goal for many of these account takeovers is Business Email Compromise (BEC), one of the most financially destructive forms of cybercrime. Once attackers gain access to a corporate email account using PhaaS-acquired credentials, they can move with breathtaking speed. The eSentire report reveals that threat actors can establish persistence, such as by creating malicious inbox forwarding rules to monitor communications, in as little as 14 minutes after the initial compromise.
From there, they lie in wait, studying communication patterns and financial transactions to strike at the opportune moment. The FBI's Internet Crime Complaint Center (IC3) reported staggering losses of $2.8 billion from BEC attacks in 2024, a figure that other security analysts suggest has since climbed. Industries that regularly handle large financial transactions—such as real estate, finance, retail, and construction—are prime targets for attackers looking to intercept and divert legitimate fund transfers into their own fraudulent accounts.
However, the report also offers a glimmer of hope. By focusing on the precursor activities to these attacks, eSentire states it was able to reduce BEC threats for its customers by 21% in 2025. This was achieved by dedicating resources to trace attacks back to their source and developing new methods to detect and shut down phishing campaigns before they could secure a foothold in a client's network.
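The persistence step described above, an inbox forwarding rule created within minutes of the takeover, can be caught by correlating rule creation with a recent sign-in from an address the user has not used before. The Python below is an added example, not code from the eSentire report; the records are constructed and simplified from the shape of Microsoft 365 audit events, and the field layout, the `corp.example` domain and the 60-minute window are assumptions.

```python
from datetime import datetime, timedelta

FORWARD_KEYS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample records (not real tenant data); simplified, assumed schema.
EVENTS = [
    {"time": "2026-01-10T08:00:00", "user": "alice@corp.example", "op": "UserLoggedIn", "ip": "198.51.100.10"},
    {"time": "2026-01-10T09:00:00", "user": "alice@corp.example", "op": "UserLoggedIn", "ip": "203.0.113.7"},
    {"time": "2026-01-10T09:14:00", "user": "alice@corp.example", "op": "New-InboxRule", "ip": "203.0.113.7",
     "params": {"Name": ".", "ForwardTo": "drop@mailbox.example", "DeleteMessage": "True"}},
    {"time": "2026-01-10T10:00:00", "user": "bob@corp.example", "op": "UserLoggedIn", "ip": "198.51.100.20"},
    {"time": "2026-01-10T15:30:00", "user": "bob@corp.example", "op": "New-InboxRule", "ip": "198.51.100.20",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

def external_targets(params, org_domain):
    """Return forwarding addresses in the rule that leave the organisation's domain."""
    targets = []
    for key in FORWARD_KEYS:
        for addr in params.get(key, "").split(";"):
            addr = addr.strip().lower()
            if addr and not addr.endswith("@" + org_domain):
                targets.append(addr)
    return targets

def suspicious_rules(events, org_domain, window=timedelta(minutes=60)):
    """Flag external-forwarding rules created soon after a sign-in from a first-seen IP."""
    seen_ips, last_new_ip_login, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        when, user = datetime.fromisoformat(ev["time"]), ev["user"]
        if ev["op"] == "UserLoggedIn":
            known = seen_ips.setdefault(user, set())
            if known and ev["ip"] not in known:  # the first login only sets the baseline
                last_new_ip_login[user] = (when, ev["ip"])
            known.add(ev["ip"])
        elif ev["op"] in RULE_OPS:
            targets = external_targets(ev.get("params", {}), org_domain)
            login = last_new_ip_login.get(user)
            if targets and login and when - login[0] <= window:
                findings.append({"user": user, "rule": ev["params"].get("Name"),
                                 "targets": targets, "source_ip": login[1],
                                 "minutes_after_login": int((when - login[0]).total_seconds() // 60)})
    return findings

if __name__ == "__main__":
    for finding in suspicious_rules(EVENTS, "corp.example"):
        print(finding)
```

In production the per-user IP baseline would come from weeks of sign-in history rather than the first event in the batch, and the window should stay well above the 14-minute figure so slower intrusions are not missed.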
A Broadening Battlefield
While account compromise dominated the threat landscape, the report details a variety of escalating tactics across different sectors. Attacks combining "email bombing"—flooding an inbox with thousands of junk emails to hide a critical alert—with IT Help Desk impersonation calls surged 14-fold, with the legal industry bearing the brunt of this highly disruptive tactic.
Meanwhile, ransomware remains a persistent and damaging threat, with groups like Akira, RansomHub, and BlackBasta actively targeting sectors from Business Services to Construction. Malware, in general, accounted for a quarter of all cyber cases investigated by the TRU, with information-stealing malware variants like Stealc and Vidar showing a 30% increase as they compete for dominance in the criminal underground.
The industry-specific data reveals a nuanced battlefield. While software companies experienced a 15% rise in threat cases and manufacturing saw a 32% jump, the construction industry benefited from a 27% decrease in incidents, largely attributed to successful mitigation of the BEC and phishing campaigns that primarily target it.
The AI Arms Race and the 2026 Outlook
Looking ahead, the report forecasts an even more challenging environment as Artificial Intelligence enters the fray. Researchers anticipate a rise in AI-produced malware, which can change its code to evade detection, and AI-enhanced phishing campaigns that use generative AI to craft perfectly tailored, error-free emails that are nearly indistinguishable from legitimate correspondence. The potential use of deepfake audio and video to impersonate executives in BEC scams adds another frightening dimension to the threat.
"Highly skilled hackers have made it far too easy for inexperienced threat actors to compromise employees’ corporate accounts and ultimately their organizations, via sophisticated, turn-key criminal operations," warned Hutchinson. He noted that when combined with the capabilities of AI, "the barrier to entry into the cybercrime business is frighteningly low."
The 2026 outlook also predicts an increase in cyberthreats targeting critical infrastructure, such as power grids and water treatment plants, and an acceleration in the recruitment of disgruntled or financially motivated corporate insiders to help facilitate attacks. As the tools of cybercrime become industrialized, the defense must become more intelligent, adaptive, and relentless than ever before.