
Credential theft has surpassed email phishing as an initial access vector in 2024. For the first time, compromised login credentials have become the second most common entry point for threat actors, according to the M-Trends 2025 report.
Where phishing once reigned supreme due to its mass deployment, a quieter and more efficient tactic has now taken precedence—the exploitation of already stolen credentials. A Mandiant spokesperson emphasized that an entire cybercriminal ecosystem thrives on the trade and misuse of these stolen credentials. Threat actors procure them en masse from underground forums, extract them from data breaches, or harvest them via infostealers—malware designed to siphon off usernames, passwords, cookies, and other sensitive data.
In 2024 alone, Mandiant observed that 16% of all breaches stemmed from the use of compromised credentials—a notable rise from 10% in 2023. Meanwhile, phishing has continued its downward trend for the third consecutive year, dropping to 14% from 22% in 2022. The report also revealed that 55% of all documented attacks in 2024 were financially motivated. Espionage-related incidents declined to 8%, signaling a shift toward extortion, data theft, and the commodification of access.
Primary targets included financial services firms (17.4%), business services (11.1%), high-tech enterprises (10.6%), government agencies (9.5%), and healthcare institutions (9.3%). While vulnerabilities remain the most exploited attack vector overall, cloud environments present a different picture—phishing (39%) and stolen credentials (35%) dominate these spaces.
In ransomware campaigns specifically, brute-force attacks remain the leading method of entry, accounting for 26% of cases, followed by compromised credentials at 21%. Observed techniques include password guessing against remote desktop services, reuse of default VPN credentials, and mass login attempts against corporate applications.
The high-profile Snowflake incident serves as a vivid example of this threat’s relevance. The UNC5537 group leveraged hundreds of stolen credentials—originally harvested via popular infostealers such as VIDAR, REDLINE, and RACCOON. Remarkably, many of these credentials dated back to 2020, yet remained valid due to organizations failing to update passwords over the years.
A critical detail noted in the report is that many of the stolen credentials originated from contractors’ and employees’ personal devices, which lacked corporate-grade protection, monitoring, or antivirus measures. Browser synchronization between work and home environments often resulted in sensitive corporate credentials being stored on vulnerable systems.
The report also highlights the Triplestrength group, which uses RACCOON infostealer logs to break into cloud accounts on platforms such as Google Cloud, AWS, and Linode. Beyond conducting its own attacks, the group monetizes its access by selling entry to servers it has already compromised.
Of particular concern is the dwell time—the duration intruders remain undetected within a system. In 2024, the median dwell time rose to 11 days (up from 10 in 2023). If an external party issued the alert, adversaries lingered for an average of 26 days. In cases where attackers themselves issued a ransom demand, the time dropped to 5 days. If the organization detected the breach internally, dwell time averaged 10 days.
Mandiant also draws attention to operations involving DPRK nationals masquerading as remote IT specialists to earn foreign currency for the regime. The report notes a surge in activity from Iranian hackers targeting Israeli entities and a growing number of assaults on centralized cloud authentication systems such as SSO portals. Interest in the Web3 space has also intensified—cryptocurrencies, blockchains, and DeFi platforms now serve as fertile grounds for theft, money laundering, and the financing of illicit operations.
The authors conclude with a series of universal recommendations for organizations across industries:
- Enforce the principle of least privilege
- Conduct continuous vulnerability management
- Implement multi-factor authentication
- Maintain active monitoring practices
- Engage in proactive threat hunting
- Audit and secure cloud environments
They especially underscore the importance of stringent access control policies and the vetting of remote personnel—an imperative measure in an era marked by stealthy attacks involving third-party contractors.
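As an added illustration (not part of the report or this article), the recommendations above can be turned into a concrete hygiene check. The Python script below audits a constructed account inventory for the failure modes the report describes: passwords left unrotated for years, accounts without multi-factor authentication, and dormant or contractor identities that nobody is watching. The inventory schema, the thresholds and the sample accounts are all assumptions chosen for the example; adapt them to your identity provider's export and your own policy.

```python
"""Credential-hygiene audit over an identity inventory.

Added example; the inventory schema, thresholds and sample accounts below are
assumptions (constructed data), not taken from the M-Trends report.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Account:
    user: str
    privileged: bool                 # admin or otherwise elevated role
    contractor: bool                 # third-party / contractor identity
    last_password_change: date
    mfa_enabled: bool
    last_login: Optional[date]       # None = never signed in


@dataclass(frozen=True)
class Finding:
    user: str
    check: str
    severity: str
    detail: str


def audit_accounts(accounts: List[Account], today: date,
                   max_password_age: timedelta = timedelta(days=365),
                   contractor_max_age: timedelta = timedelta(days=90),
                   dormant_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Flag stale credentials, missing MFA and dormant identities.

    Thresholds are illustrative policy values, not report recommendations.
    """
    findings: List[Finding] = []
    for acct in accounts:
        # Stale credentials: infostealer logs stay useful for as long as the
        # password they captured is still valid, so age is the key signal.
        pw_age = today - acct.last_password_change
        limit = contractor_max_age if acct.contractor else max_password_age
        if pw_age > limit:
            sev = "high" if (acct.privileged or acct.contractor) else "medium"
            findings.append(Finding(acct.user, "stale-credential", sev,
                f"password unchanged for {pw_age.days} days (limit {limit.days})"))

        # Missing MFA: a stolen password alone should never be enough to log in;
        # for privileged identities this is the most urgent gap.
        if not acct.mfa_enabled:
            sev = "critical" if acct.privileged else "high"
            findings.append(Finding(acct.user, "no-mfa", sev,
                                    "multi-factor authentication not enforced"))

        # Dormant identities: accounts nobody uses are rarely watched, which is
        # exactly where someone holding old credentials can sit undetected.
        if acct.last_login is None or today - acct.last_login > dormant_after:
            when = "never" if acct.last_login is None else acct.last_login.isoformat()
            findings.append(Finding(acct.user, "dormant-account", "medium",
                                    f"last sign-in: {when}; disable or re-verify"))

    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.user, f.check))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per check type, e.g. for a dashboard or ticket summary."""
    return dict(Counter(f.check for f in findings))


# Constructed sample inventory (hypothetical users and dates).
TODAY = date(2025, 4, 24)
SAMPLE_ACCOUNTS = [
    Account("alice-admin", True, False, date(2025, 1, 10), True, date(2025, 4, 23)),
    # A 2020-era password that was never rotated, and no MFA: the pattern seen
    # in the Snowflake incident described above.
    Account("bob", False, False, date(2020, 6, 1), False, date(2025, 4, 20)),
    # Contractor identity that has never signed in since provisioning.
    Account("contractor-svc", False, True, date(2024, 11, 1), True, None),
    # Privileged user without MFA and an expired password.
    Account("carol-admin", True, False, date(2024, 1, 5), False, date(2025, 3, 1)),
]

if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS, TODAY)
    for f in results:
        print(f"[{f.severity:<8}] {f.user:<15} {f.check:<17} {f.detail}")
    print(summarize(results))
```

On the sample data the script reports six findings, with the privileged account lacking MFA ranked first; the same checks can be pointed at a real export from an identity provider by mapping its columns onto the `Account` fields. The contractor threshold is deliberately tighter than the employee one, reflecting the report's emphasis on vetting and controlling third-party access.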