The traditional concept of a network perimeter continues to evolve, shifting defensive focus toward identity verification and authenticated sessions. Data from the 2025 threat cycle indicates a change in how unauthorized parties gain and maintain access to enterprise environments. Rather than relying on technical vulnerabilities to bypass firewalls, malicious actors are frequently utilizing stolen credentials and active session cookies to authenticate directly. Recent intelligence suggests that as organizations improve their recovery capabilities and decline ransom payments, threat groups are industrializing credential theft and refining techniques focused on evasion through normalcy.
Recent analysis from Recorded Future indexed nearly two billion credentials sourced from malware-driven lists throughout 2025. The volume of compromised data accelerated as the year progressed, with the fourth quarter seeing a 90% increase in exposed credentials compared to the beginning of the year. This increase correlates with a mature malware-as-a-service ecosystem and AI-assisted social engineering. Notably, about 31% of these compromised records, roughly 276 million, contained active session cookies. Because these session tokens allow an unauthorized party to take over a user's already-authenticated session and resume activity without a password, they effectively bypass standard multifactor authentication (MFA) and reveal a gap in modern identity-based defenses.
The industrialization of identity theft aligns with changes in extortion economics. With ransomware payment rates at an all-time low (only 20% of affected organizations chose to pay in late 2025), threat groups are adjusting their operational models. Intelligence from Google’s Threat Intelligence Group (GTIG) shows that malicious actors are moving away from easily detectable custom tooling such as Cobalt Strike, which appeared in only 2% of incidents last year, down from 60% a few years ago. Instead, they are using native Windows utilities and legitimate administration tools to blend into daily network traffic. This evasion through normalcy lets threat actors move laterally over Remote Desktop Protocol (RDP), PowerShell, and SMB, making it harder for security teams to distinguish unauthorized actions from routine system administration.
A recent campaign aimed at an executive at the security firm Outpost24 demonstrates this focus on evasion. The operation utilized a seven-stage redirect sequence designed to route an unsafe link through high-reputation domains. The sequence began with a JP Morgan-themed lure sent via Amazon’s Simple Email Service to pass authentication checks. It then routed through Cisco Secure Web infrastructure and Nylas link-tracking services to establish trust before landing on a credential phishing page protected by Cloudflare’s anti-bot services. This layering prevents automated security scanners and sandboxes from analyzing the final destination, ensuring only the targeted individual reaches the phishing page. Such campaigns show that threat actors are building complex delivery pipelines that leverage the inherent trust granted to major SaaS providers.
After obtaining access, groups like Warlock (also tracked as Water Manaul) are exhibiting resilient post-compromise tradecraft. While Warlock continues to target unpatched Microsoft SharePoint servers, leveraging vulnerabilities such as CVE-2025-49706 and CVE-2025-49704, its internal operations prioritize stealth. In recent incidents, the group maintained a presence inside networks for up to 15 days before deploying ransomware. During this dwell time, it used bring-your-own-vulnerable-driver (BYOVD) techniques, specifically abusing the NSecKrnl.sys driver to terminate security products at the kernel level. To maintain persistence, it deploys legitimate tools such as TightVNC and the Yuze reverse proxy, tunneling unauthorized traffic through common ports such as 443 and 53.
For defensive teams, these developments indicate that visibility into identity and behavior provides essential context alongside perimeter telemetry. Because session takeover allows unauthorized parties to bypass standard MFA, we recommend evaluating a transition toward phishing-resistant authentication methods like FIDO2. Furthermore, the use of native tools by threat actors requires an emphasis on behavioral baselining. Security teams benefit from the ability to identify when an administrator's account performs anomalous queries, such as using PowerShell to enumerate Active Directory for user group memberships—even if the credentials used are technically valid.
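A minimal form of the behavioral baselining described above, added here as an illustration and not code from the original article: it builds a per-account baseline of Active Directory enumeration cmdlets from constructed PowerShell script-block log events and flags an administrator account's first use of such cmdlets, even though the account's credentials are valid. The log layout, account names, timestamps and cmdlet list are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of PowerShell script-block log events (Event ID 4104 style),
# reduced to the fields the detection needs: timestamp, account, script text.
# Events before the cutoff form the baseline; the rest are "today's" activity.
EVENTS = [
    ("2025-11-03T08:01Z", "CORP\\svc_backup", "Get-Service -Name VSS | Restart-Service"),
    ("2025-11-03T09:14Z", "CORP\\jdoe_admin", "Get-WindowsUpdateLog"),
    ("2025-11-04T10:20Z", "CORP\\jdoe_admin", "Restart-Computer -ComputerName FS01"),
    ("2025-11-05T11:00Z", "CORP\\helpdesk1", "Get-ADUser -Identity bsmith -Properties LockedOut"),
    ("2025-11-06T11:05Z", "CORP\\helpdesk1", "Unlock-ADAccount -Identity bsmith"),
    ("2025-11-07T08:30Z", "CORP\\svc_backup", "Get-Service -Name VSS | Restart-Service"),
    ("2025-11-10T02:41Z", "CORP\\jdoe_admin", "Get-ADGroupMember -Identity 'Domain Admins' -Recursive"),
    ("2025-11-10T02:43Z", "CORP\\jdoe_admin", "Get-ADComputer -Filter * | Select-Object Name"),
    ("2025-11-10T09:00Z", "CORP\\helpdesk1", "Get-ADUser -Identity klee -Properties LockedOut"),
]

# Enumeration commands whose first use by an account deserves analyst attention.
# A production list would be broader (ADSI searcher, dsquery, raw LDAP filters, ...).
AD_ENUM = re.compile(
    r"\b(Get-AD(?:GroupMember|Group|User|Computer|DomainController)|net\s+group\s+/domain)\b",
    re.IGNORECASE,
)

def build_baseline(events, cutoff):
    """Map each account to the enumeration commands it ran before the cutoff.
    ISO-8601 timestamps in the same zone compare correctly as strings."""
    seen = defaultdict(set)
    for ts, account, text in events:
        if ts < cutoff:
            seen[account].update(m.group(1).lower() for m in AD_ENUM.finditer(text))
    return seen

def detect(events, cutoff):
    """Return (timestamp, account, command) for each enumeration command that an
    account runs after the cutoff but never ran during its baseline window."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for ts, account, text in events:
        if ts < cutoff:
            continue
        for m in AD_ENUM.finditer(text):
            if m.group(1).lower() not in baseline[account]:
                alerts.append((ts, account, m.group(1)))
    return alerts
```

The help-desk account's later Get-ADUser call is suppressed because it matches that account's own history, while the admin account's off-hours group and computer enumeration is new for that account and surfaces for review.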
Protection efforts should prioritize Tier-0 assets, including Identity and Access Management (IAM) portals, VPNs, and security tooling like SIEMs. Malicious actors specifically target these systems because they offer broad access and the ability to disable defensive telemetry. We advise implementing strict segregation, credential vaulting, and real-time monitoring for exposed credentials. Extending this monitoring beyond corporate contexts to include personal accounts used on corporate devices provides critical visibility into the spread of infostealer-sourced data.
The convergence of generative AI and automated phishing frameworks like the Kratos kit suggests that the volume of highly tailored, evasive campaigns will likely increase. The decline in ransomware payments represents a clear defensive victory, though it has consequently driven threat actors to professionalize their operations and refine their evasion methods. Effective security strategies now operate on the assumption that valid credentials will eventually be compromised. The defensive goal is to ensure that a stolen password or a compromised session cookie does not automatically grant extensive access to the environment.
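One way to keep a stolen session cookie from automatically granting full access, added here as an illustration rather than code from the article or from any vendor it names: the server binds each session to a keyed fingerprint of the client that completed MFA, and a cookie replayed from a client that does not match is revoked and sent back to a fresh login instead of being honoured. The session store, the fingerprint inputs and the server key are constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed per-deployment secret; in practice this comes from a key store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

def fingerprint(user_agent, ip_prefix):
    """Keyed hash of the client attributes a session is bound to, so the raw
    attributes are not recoverable from the session store. User-Agent alone is
    attacker-controlled; stronger bindings (device-bound credentials, client
    certificates) plug in here without changing the rest of the flow."""
    material = f"{user_agent}|{ip_prefix}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()

@dataclass
class Session:
    user: str
    bound_fp: str

class SessionStore:
    def __init__(self):
        self.sessions = {}
        self.audit = []   # events a SOC would forward to the SIEM

    def issue(self, user, user_agent, ip_prefix):
        """Called only after password + MFA succeed; returns the opaque cookie value."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, fingerprint(user_agent, ip_prefix))
        return sid

    def authorize(self, sid, user_agent, ip_prefix):
        """Return (decision, user). 'allow' only when the presenting client matches
        the client that authenticated; a mismatch is treated as a possibly stolen
        cookie: the session is revoked and the user must re-authenticate."""
        s = self.sessions.get(sid)
        if s is None:
            return ("deny", None)
        if hmac.compare_digest(s.bound_fp, fingerprint(user_agent, ip_prefix)):
            return ("allow", s.user)
        self.audit.append(("session_reuse_from_new_client", s.user, sid[:8]))
        del self.sessions[sid]
        return ("reauth", s.user)
```

The audit entry is the detection hook: a burst of such events across many users is a strong signal that infostealer-sourced cookies are being replayed against the service.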
While security researchers have gained significant clarity on the TTPs of groups like Warlock and the mechanics of multi-stage phishing, the total volume of session cookies currently available on underground markets remains difficult to measure precisely. The speed at which malicious actors can operationalize a cookie before it expires presents an ongoing challenge in mapping the timeline between credential compromise and system access. Security teams can best protect their environments by focusing on the context of every login and monitoring the behavior of legitimate administrative tools.