Infostealer Attacks Increasingly Target Enterprise Credentials, Flare Warns
Event summary
- Flare's 2026 report reveals 1 in 10 infostealer infections in 2025 contained enterprise SSO or IdP credentials, up from 6% in early 2024.
- 2.05 million infostealer logs in 2025 exposed enterprise identity credentials, with late 2025 data showing a surge to 16% of infections.
- Microsoft Entra ID appears in 79% of enterprise identity logs, making it the most impacted identity provider.
- 1.17 million logs contained both enterprise credentials and session cookies, enabling immediate access and potential MFA bypass.
The big picture
As enterprises consolidate authentication around centralized identity platforms, infostealers are increasingly targeting these high-value credentials. The trend reflects a structural shift in attacker behavior toward fewer but more impactful infections. This poses significant risks: a single compromised credential can unlock access to multiple connected systems, which shortens the time between initial compromise and enterprise impact.
What we're watching
- Attacker Economics
  - How the shift to fewer but higher-impact infostealer infections will affect cybersecurity strategies.
- Identity Centralization
  - Whether the concentration of enterprise identity providers will continue to increase breach impact.
- Enterprise Preparedness
  - The pace at which organizations can adapt to the rising threat of infostealer-driven credential theft.
