
Field Effect 2026 Cyber Threat Outlook: Cloud Identity Compromise Drives Over 80% of Incidents

March 10, 2026

Field Effect's 2026 Cyber Threat Outlook report reveals that more than 80% of incidents investigated in 2025 originated from cloud identity compromise, marking a major shift where attackers increasingly rely on abusing trusted credentials rather than exploiting vulnerabilities.

Quick Intel

  • Over 80% of Field Effect's 2025 incident alerts stemmed from compromised cloud identities, primarily through phishing-enabled account takeovers.
  • Attackers frequently abused legitimate collaboration tools like Microsoft Teams, Zoom, and Quick Assist to deliver malware and gain privileged access.
  • Generative AI accelerated cyber operations by enabling faster phishing content creation, automated reconnaissance, and exploit validation.
  • Edge infrastructure such as VPNs, routers, and firewalls remained prime targets for credential-driven attacks and ransomware entry.
  • Geopolitical tensions drove convergence among state-aligned actors, ransomware groups, and hacktivists targeting critical infrastructure and public sectors.
  • Strengthening identity security, enhancing environmental visibility, and securing exposed infrastructure are critical to reducing attacker opportunities.

Field Effect's annual 2026 Cyber Threat Outlook, based on managed detection and response telemetry and frontline incident investigations from 2025, underscores a fundamental evolution in cyber attack patterns. Threat actors have shifted away from traditional vulnerability exploitation toward credential abuse, turning identity into the primary attack surface.

"In many of the incidents we investigated in 2025, attackers didn't exploit a vulnerability. They logged in using valid credentials," said Earl Fischl, Director of Security Services at Field Effect. "Identity has effectively become the dominant attack surface. Once attackers gain access to trusted accounts, they can blend into normal activity and move through an organization much more easily."

Cloud identity compromise accounted for more than 80% of incident-related alerts, often initiated via phishing that led to account takeovers. Once inside, attackers leveraged legitimate enterprise tools for persistence and escalation. Campaigns observed since September 2025 involved impersonating IT help desks through new Microsoft 365 tenants, conducting vishing via Microsoft Teams, and tricking employees into granting Quick Assist remote access. This enabled PowerShell-based privilege enumeration and malware deployment, frequently resulting in credential harvesting, lateral movement, and ransomware deployment.
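The chain described above (external help-desk lure, Quick Assist session, then PowerShell privilege enumeration) is easier to catch as a sequence than as single events, because a lone `whoami /groups` is routine. The following correlation logic is an added example for defenders and is not Field Effect's own detection content; the event schema, host names, tenant name and time windows are all constructed for illustration.

```python
"""Correlate endpoint telemetry for the help-desk-impersonation chain:
a Quick Assist remote session followed shortly by PowerShell-based
privilege enumeration on the same host, optionally preceded by an
external Microsoft Teams chat from an unknown tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
# Fields: ISO timestamp, host, event type, detail.
SAMPLE_EVENTS = [
    ("2025-10-02T09:01:10", "WS-114", "teams_external_chat",
     "sender_tenant=example-helpdesk.onmicrosoft.com (unverified external)"),
    ("2025-10-02T09:04:32", "WS-114", "process_start", "quickassist.exe"),
    ("2025-10-02T09:07:05", "WS-114", "process_start",
     'powershell.exe -nop -c "whoami /groups; Get-LocalGroupMember Administrators"'),
    # Legitimate support session: Quick Assist, then an unrelated script hours later.
    ("2025-10-02T11:15:00", "WS-207", "process_start", "quickassist.exe"),
    ("2025-10-02T15:40:00", "WS-207", "process_start",
     "powershell.exe -File C:\\scripts\\inventory.ps1"),
    # Enumeration with no preceding remote session: too noisy to alert on alone.
    ("2025-10-02T12:00:00", "WS-301", "process_start",
     'powershell.exe -c "whoami /groups"'),
]

# Command fragments that indicate group/privilege enumeration (assumed list).
ENUM_MARKERS = ("whoami /groups", "get-localgroupmember",
                "net localgroup", "get-adgroupmember")


def is_enumeration(detail: str) -> bool:
    """True when the process is PowerShell running a known enumeration command."""
    d = detail.lower()
    return d.startswith("powershell.exe") and any(m in d for m in ENUM_MARKERS)


def correlate(events, window_minutes=30, lure_window_minutes=60):
    """Return one alert per Quick Assist session that is followed within
    `window_minutes` by PowerShell enumeration on the same host. An external
    Teams chat within `lure_window_minutes` before the session raises severity."""
    by_host = defaultdict(list)
    for ts, host, ev, detail in sorted(events):  # ISO timestamps sort lexically
        by_host[host].append((datetime.fromisoformat(ts), ev, detail))

    alerts = []
    for host, evs in by_host.items():
        for i, (t_qa, ev, detail) in enumerate(evs):
            if ev != "process_start" or detail.lower() != "quickassist.exe":
                continue
            followups = [d for t, e, d in evs[i + 1:]
                         if e == "process_start" and is_enumeration(d)
                         and t - t_qa <= timedelta(minutes=window_minutes)]
            if not followups:
                continue
            lures = [d for t, e, d in evs[:i]
                     if e == "teams_external_chat"
                     and t_qa - t <= timedelta(minutes=lure_window_minutes)]
            alerts.append({
                "host": host,
                "quick_assist_at": t_qa.isoformat(),
                "enumeration": followups,
                "preceding_external_chat": lures,
                "severity": "high" if lures else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only WS-114 produces an alert: WS-207 shows a support session with no enumeration inside the window, and WS-301 shows enumeration with no remote session, which this rule deliberately ignores to keep the signal precise. Tune the windows and the marker list to your own telemetry, and treat the external-tenant indicator as context rather than a blocking condition, since the lure may arrive by phone rather than Teams.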

Generative AI played a growing role in scaling adversary efficiency. While not introducing novel techniques, AI dramatically sped up phishing development, reconnaissance automation, and exploit testing—allowing attackers to execute operations faster and at larger scale.

"AI did not necessarily introduce entirely new attack techniques," Fischl said. "What it did was dramatically accelerate the ones attackers were already using, making them faster and easier to scale."

Edge infrastructure continued to serve as a high-value entry point. Persistent campaigns exploited devices like SonicWall SSL VPN appliances, where attackers reused previously exposed credentials for direct high-privilege access. In multiple instances, these footholds were later utilized by Akira ransomware operators, illustrating the dangers of credential reuse, delayed patching, and internet-facing systems.

Geopolitical factors further shaped the threat landscape in 2025. State-aligned actors ramped up espionage and access operations, while ransomware groups and hacktivists converged on similar tactics and targets, particularly critical infrastructure and public sector entities. This overlap blurred lines between financial, political, and strategic motivations.

"Organizations cannot control an attacker's intent or capabilities," Fischl said. "But they can reduce the opportunities attackers rely on by strengthening identity security, improving visibility across their environments and addressing exposed infrastructure."

The report emphasizes proactive measures—robust identity protections, comprehensive monitoring, and timely remediation of edge vulnerabilities—to mitigate these dominant threat vectors.

The Field Effect 2026 Cyber Threat Outlook draws on investigations and telemetry collected by Field Effect's global security teams throughout 2025.


About Field Effect

Field Effect is a global cybersecurity company delivering managed detection and response (MDR) to help organizations detect, prevent and respond to cyber threats. Through a combination of advanced technology, AI-driven analytics, expert-led threat intelligence, and human-centered security delivery, Field Effect enables customers and partners to reduce risk and strengthen cyber resilience.
