The cybersecurity battlefield has fundamentally shifted. Attackers are no longer breaking into systems through software vulnerabilities; instead, they're simply logging in using stolen or compromised credentials. This represents a seismic change in how organizations should think about defense, moving away from traditional perimeter security toward protecting the identities that grant access to cloud services and business applications.

Why Are Attackers Abandoning Exploits for Credential Theft?

For decades, cybersecurity focused on patching software vulnerabilities and defending network perimeters. But that world no longer exists.

"Traditional perimeter defenses were built for a world where attackers had to break in," explained Nathaniel Jones, vice president of security and AI strategy at Darktrace. "Today they simply log in. Stopping identity-led intrusions requires the ability to recognize when legitimate accounts begin to behave in ways that do not align with normal activity, and that means moving beyond static controls toward security that understands context and intent."

The numbers tell the story. Across the Americas, nearly 70% of incidents began with stolen or misused accounts, according to Darktrace's 2026 Annual Threat Report. In Europe, 58% of incidents started with compromised cloud accounts and email, overtaking traditional network breaches at 42%. This shift reflects how cloud and SaaS adoption have fundamentally changed where the real vulnerability lies: not in infrastructure, but in the user identities that control access to it.

High-profile breaches over the past year demonstrate this pattern. Jaguar Land Rover, Marks & Spencer, and Salesforce all suffered major incidents that began not with sophisticated exploits, but with compromised identities. Once inside, attackers used trusted accounts and existing permissions to operate in plain sight, accelerating their impact while evading traditional security controls.

How Are Attackers Stealing High-Value Credentials?

Attackers aren't targeting random employees. They're strategically hunting for privileged accounts that unlock broader access. More than 8.2 million phishing emails targeted VIPs in 2025, amounting to over a quarter of all phishing activity identified in that period. This reflects a deliberate effort to compromise executive and administrative accounts that can unlock access across entire cloud and SaaS ecosystems.

The primary weapon for stealing these credentials is AI-generated phishing. Attackers now use advanced generative AI models like GPT-4 and specialized tools such as "WormGPT" or "FraudGPT" to craft highly personalized, believable scams at unprecedented speed. The U.S. FBI has officially warned that criminals are "leveraging AI to orchestrate highly targeted phishing campaigns," producing messages tailored to individual recipients with perfect grammar and style.

The scale of this threat is staggering. One report noted a 1,265% surge in phishing attacks linked to generative AI trends. In an experiment by IBM security researchers, AI needed only 5 prompts and 5 minutes to build a phishing attack as effective as one that took human experts 16 hours. What once required days of manual work now takes seconds.

What Makes AI-Generated Phishing So Effective?

Traditional phishing emails were often easy to spot: poor grammar, generic greetings, and obvious urgency tactics. AI-powered phishing eliminates these red flags. Attackers use generative AI to perform several critical tasks simultaneously:

- Data Harvesting: AI tools scrape social media, LinkedIn profiles, and public company data to build detailed profiles of each target, including their role, contacts, recent projects, and even writing style.
- Hyper-Personalization: Generative models insert specific context into each email, such as mentioning a recent purchase, upcoming business deal, or colleague names, making messages feel uniquely relevant rather than templated.
- Flawless Content: Language models ensure phishing messages are grammatically perfect and match corporate writing styles or an individual's email voice, removing telltale errors that once exposed scams.
- Multimedia Deepfakes: Attackers synthesize voice and video deepfakes to impersonate executives or trusted vendors in real time, with chilling authenticity for phone calls or video meetings.
- Polymorphic Variation: AI automatically generates thousands of unique email variants with slight differences in subject lines, greetings, and sender aliases, making detection nearly impossible for traditional filters.

Analysis of 32 million phishing emails detected across Darktrace's global network shows clear evidence of rising sophistication. Novel social engineering techniques increased from 32% to 38% year-over-year, while large-text, long-form messages rose from 27% to 33%. These shifts signal a deliberate move toward more personalized and credible-looking lures designed to slip past traditional email filters.

Attackers are also deploying new evasion tactics. QR code-based phishing accelerated sharply, with a 28% increase from 940,000 attacks in 2024 to more than 1.2 million in 2025. Attackers now use techniques like "splishing," where a QR code is divided into two separate images, and "QR code nesting," in which a legitimate code conceals a malicious one. Both are designed to evade link scanning tools.

How to Defend Against AI-Powered Credential Theft

Traditional email filters and static security controls are no longer sufficient.
Organizations need a fundamentally different approach to identity protection and threat detection:

- Behavioral Analysis: Deploy security systems that understand normal user behavior and flag deviations, even when emails appear legitimate at first glance. This requires continuous visibility into how users and systems actually behave across cloud and SaaS environments.
- AI-Native Detection: Use AI-powered security platforms that combine large language model detection, deep behavior analysis, and automated threat simulations to identify sophisticated phishing attempts that traditional filters miss.
- Identity-Focused Monitoring: Prioritize monitoring of high-value accounts and privileged users, since attackers deliberately target executives and administrators whose compromised credentials unlock broader access.
- Continuous User Training: Implement ongoing security awareness programs that teach employees to recognize subtle social engineering tactics, especially those that reference real projects, colleagues, or recent business events.
- Multi-Factor Authentication: Enforce strong authentication beyond passwords, since stolen credentials alone are less useful if additional verification is required to access sensitive systems.

The cloud infrastructure itself requires special attention. With 94% of organizations worldwide now relying on cloud computing, the risk is widespread. Azure was the most targeted cloud platform, drawing 43.5% of observed malware samples, compared with 33.2% for Google Cloud Platform and 23.2% for Amazon Web Services. Additionally, 70% of phishing emails passed DMARC authentication checks, allowing them to appear legitimate to both users and automated security controls.

What Does This Mean for Your Organization?

The shift from exploit-driven breaches to credential-based intrusions represents a fundamental change in cyber risk.
Attackers have realized that stealing a password or compromising an account is far easier and faster than finding and exploiting a software vulnerability. Once inside with legitimate credentials, they can move laterally, escalate privileges, and operate in plain sight using trusted tools and existing permissions.

"Phishing has become far more convincing and far more targeted," Jones noted. "Attackers are using AI to craft messages that look authentic, exploit human trust, and slip past traditional email filters. Defenders need technology that can identify subtle signs of abnormality even when an email appears legitimate at first glance."

The bottom line: your login credentials are now the primary target. Organizations that continue relying on perimeter defenses and legacy email filters will find themselves increasingly vulnerable. The future of cybersecurity belongs to those who can detect and respond to identity abuse across highly distributed cloud environments, recognizing when legitimate accounts begin behaving in suspicious ways. In 2026, protecting identities is protecting everything.
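The behavioral analysis and identity-focused monitoring recommended above, as an added example that is not part of the original article or of any Darktrace product: a small Python scorer that learns each account's usual sign-in countries, devices and hours from constructed history, then flags new sign-ins that deviate from that account's own baseline, weighting privileged accounts higher. The account names, events, weights and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-ins (hypothetical, not report data): (account, UTC time, country, device id)
BASELINE = [  # trusted history used to learn each account's normal pattern
    ("alice", datetime(2026, 1, 5, 9, 0), "US", "lap-01"),
    ("alice", datetime(2026, 1, 7, 17, 0), "US", "lap-01"),
    ("bob", datetime(2026, 1, 5, 12, 0), "DE", "lap-02"),
]
NEW_EVENTS = [
    ("alice", datetime(2026, 2, 3, 10, 0), "US", "lap-01"),  # routine
    ("alice", datetime(2026, 2, 3, 3, 0), "BR", "unk-9"),    # new country and device at 03:00
    ("bob", datetime(2026, 2, 3, 12, 0), "DE", "lap-07"),    # only the device changed
    ("carol", datetime(2026, 2, 3, 11, 0), "FR", "lap-11"),  # account with no history at all
]
PRIVILEGED = {"alice"}  # assumed set of high-value (admin/executive) accounts

def build_baseline(events):
    # Per-account countries, devices and sign-in hours seen in trusted history.
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device in events:
        profile[user]["countries"].add(country)
        profile[user]["devices"].add(device)
        profile[user]["hours"].add(ts.hour)
    return profile

def score_event(event, profile, privileged=PRIVILEGED):
    # One point per deviation from the account's own baseline, plus one if the
    # account is privileged: a stolen admin credential unlocks far more.
    user, ts, country, device = event
    if user not in profile:
        return 2, ["no behavioral baseline for account"]
    p, reasons = profile[user], []
    if country not in p["countries"]:
        reasons.append(f"new country {country}")
    if device not in p["devices"]:
        reasons.append(f"new device {device}")
    if not min(p["hours"]) <= ts.hour <= max(p["hours"]):
        reasons.append(f"outside usual hours ({ts.hour:02d}:00)")
    score = len(reasons) + (1 if reasons and user in privileged else 0)
    return score, reasons

def find_anomalies(baseline, events, threshold=2):
    # Sign-ins that deviate enough from their account's history to warrant review.
    profile = build_baseline(baseline)
    flagged = []
    for event in events:
        score, reasons = score_event(event, profile)
        if score >= threshold:
            flagged.append((event[0], score, reasons))
    return flagged
```

With the constructed data, alice's 03:00 sign-in from a new country and device scores 4 and the history-less carol account scores 2, while bob's single new device stays below the threshold.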