Credential Abuse, Off-Hours Ransomware, And Rapid Active Directory Targeting Drive Global Risk
Cybersecurity incidents rooted in identity abuse now dominate the global threat landscape, according to the newly released 2026 Sophos Active Adversary Report. Sophos analyzed 661 incident response and managed detection and response (MDR) cases across 70 countries, covering November 1, 2024, through October 31, 2025. The findings paint a stark picture for cyber insurance brokers and security leaders: attackers log in rather than break in. “The dominance of identity-related root causes for successful initial access. Compromised credentials, brute-force attacks, phishing, and other tactics leverage weaknesses that can’t be addressed by simple patch hygiene. Organizations must take a proactive approach to identity security,” said John Shier, Field CISO at Sophos.
Identity Attacks Lead Global Cybersecurity Incidents
Sophos found that 67% of cybersecurity incidents started with identity-related issues, such as compromised credentials, brute-force attempts, phishing, and stolen authentication tokens. Attackers used valid accounts more often than software exploits.
Shier stated, “Attackers aren’t breaking in, they’re logging in.” That trend now defines modern cyber risk.
Brute-force attacks accounted for 15.6% of root causes and exploited vulnerabilities for 16%, while phishing accounted for 6.35%. Many more cases were classed simply as ‘compromised credentials’, because investigators lacked the logs needed to determine how the credentials had been obtained in the first place.
Gaps in multifactor authentication (MFA) contributed to these breaches. Sophos found that 59% of cases did not have MFA set up correctly. Some organizations thought MFA was active when it was not, others set it up incorrectly, and some chose not to use it at all.
For cyber insurers, this means higher underwriting risks related to identity controls. Checking and auditing MFA setup is now more important than ever.
Attackers Move Faster And Strike After Hours
The median time attackers stayed in systems dropped to three days. The drop reflects both sides: attackers are moving faster, and defenders are catching them sooner. Dwell time was shortest in Sophos MDR environments, where threats were detected quickly, and longer in the incident response cases, where attackers typically had more time inside before anyone called for help.
Attackers are also reaching Active Directory faster than before. The median time from initial access to the first AD server is now 3.4 hours, roughly 70% faster than last year.
Ransomware deployment mostly happened outside regular business hours: Sophos found that 88% of ransomware was deployed after hours, and nearly 79% of data theft also took place during those times.
Exfiltration was often detected less than two hours after the data was taken. Nearly half of ransomware cases included confirmed data theft, and where stolen data was published, the public leak followed about 19.5 days later.
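The after-hours figures above are a detection-engineering problem as much as a staffing one: the same burst of file renames or the same outbound transfer deserves a higher priority at 23:00 on a Friday than at 11:00 on a Wednesday, because fewer defenders are awake to act on it. The following detector is an added example, not code from the Sophos report or from this site. It aggregates constructed file-rename and network-egress events (hostnames, addresses, thresholds and the staffed-hours window are all assumptions) into time buckets, alerts above a threshold, and raises severity when the bucket falls outside the organization's staffed hours.

```python
"""
Added example, not code from the Sophos report or this article: a small detector
that scores ransomware-like file activity and bulk outbound transfers higher when
they fall outside the organization's staffed hours. The event format, hosts,
IP addresses, staffed-hours window and thresholds are all assumptions made for
the example; the events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

BUSINESS_TZ = ZoneInfo("America/New_York")       # assumed location of the day shift
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
WEEKEND = {5, 6}                                 # Saturday, Sunday

RENAME_BURST = 50              # file renames by one process within one minute
EGRESS_BYTES = 500_000_000     # bytes from one host to one destination within one hour


def parse_ts(ts):
    """Accept an aware datetime or an ISO-8601 string ending in 'Z' or an offset."""
    if isinstance(ts, datetime):
        return ts
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_off_hours(ts):
    """True when the event falls on a weekend or outside the staffed window."""
    local = parse_ts(ts).astimezone(BUSINESS_TZ)
    if local.weekday() in WEEKEND:
        return True
    return not (BUSINESS_START <= local.time() < BUSINESS_END)


def _alert(kind, host, subject, value, bucket):
    off = is_off_hours(bucket)
    return {
        "kind": kind, "host": host, "subject": subject, "value": value,
        "when_local": bucket.astimezone(BUSINESS_TZ).isoformat(),
        "off_hours": off,
        "severity": "high" if off else "medium",   # same behaviour, fewer defenders awake
    }


def detect(events, rename_burst=RENAME_BURST, egress_bytes=EGRESS_BYTES):
    """Aggregate events into time buckets and emit alerts above the thresholds."""
    renames = defaultdict(int)   # (host, process, minute) -> rename count
    egress = defaultdict(int)    # (host, destination, hour) -> bytes sent
    for e in events:
        ts = parse_ts(e["ts"])
        if e["type"] == "file_rename":
            renames[(e["host"], e["process"], ts.replace(second=0, microsecond=0))] += 1
        elif e["type"] == "net_egress":
            egress[(e["host"], e["dst"], ts.replace(minute=0, second=0, microsecond=0))] += e["bytes"]
    alerts = []
    for (host, proc, bucket), n in renames.items():
        if n >= rename_burst:
            alerts.append(_alert("mass_rename", host, proc, n, bucket))
    for (host, dst, bucket), sent in egress.items():
        if sent >= egress_bytes:
            alerts.append(_alert("bulk_egress", host, dst, sent, bucket))
    return alerts


def constructed_events():
    """Constructed sample telemetry (not real data) covering four situations."""
    ev = []
    # 1. 60 renames by an unknown binary on a file server, Sat 03:12 UTC = Fri 23:12 EDT: off hours.
    t0 = datetime(2025, 6, 14, 3, 12, tzinfo=timezone.utc)
    ev += [{"ts": (t0 + timedelta(seconds=i)).isoformat(), "host": "FS01",
            "type": "file_rename", "process": "update_.exe"} for i in range(60)]
    # 2. 60 renames by a backup tool, Wed 15:00 UTC = 11:00 EDT: same volume, staffed hours.
    t1 = datetime(2025, 6, 11, 15, 0, tzinfo=timezone.utc)
    ev += [{"ts": (t1 + timedelta(seconds=i)).isoformat(), "host": "FS02",
            "type": "file_rename", "process": "robocopy.exe"} for i in range(60)]
    # 3. 700 MB to an external address from a workstation, Fri 06:30 UTC = 02:30 EDT: off hours.
    t2 = datetime(2025, 6, 13, 6, 30, tzinfo=timezone.utc)
    ev += [{"ts": (t2 + timedelta(minutes=i)).isoformat(), "host": "WS07",
            "type": "net_egress", "dst": "203.0.113.10", "bytes": 100_000_000} for i in range(7)]
    # 4. A 50 MB upload during the working day: below threshold, no alert.
    ev.append({"ts": "2025-06-11T15:10:00Z", "host": "WS03", "type": "net_egress",
               "dst": "198.51.100.7", "bytes": 50_000_000})
    return ev


if __name__ == "__main__":
    for a in detect(constructed_events()):
        print(a["severity"].upper(), a["kind"], a["host"], a["subject"], a["when_local"])
```

On the constructed events this produces three alerts: the Friday-night rename burst and the 02:30 transfer come out as high, the identical-looking daytime backup burst as medium. The time-of-day weighting does not replace a proper baseline of what each host normally does, but it is the cheapest way to make the after-hours pattern in the report work for the defender rather than the attacker.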
For cyber insurance carriers, off-hours attacks mean that an insured's daytime staffing says little about its ability to contain an incident. Policy requirements increasingly need to specify 24/7 monitoring.
Threat Groups Proliferate As Ransomware Brands Multiply
Sophos reported the highest number of active threat groups ever. In 2025, there were 51 ransomware brands, including 24 new ones.
Akira, also tracked as GOLD SAHARA, was responsible for 22% of ransomware incidents, and Qilin for 11%. Other active brands included SafePay, Inc (the INC Ransom group), and Play.
LockBit, Medusa, Phobos, and the abuse of BitLocker as an encryption tool have all persisted for several years. While law enforcement disrupted some groups, the growing number of groups has increased competition among them.
Shier noted, “We are seeing a raft of other groups vying for dominance.” Attribution grows more complex. Underwriters face a diversified threat ecosystem.
Data Exfiltration And Business Email Compromise Rise
Cases classified as data exfiltration reached 12.71%, the highest share since 2021. Attackers often stole data even when ransomware deployment failed, keeping the stolen data as leverage for future extortion.
Attempts to compromise business email accounts increased fourfold. Many incidents involved hacked Microsoft 365 accounts, which attackers used to send phishing emails within organizations.
In one case, attackers launched three phishing campaigns in a single week. They took advantage of weak MFA and long-lasting session tokens, affecting more than 20% of employees.
Sophos summed up the risk: “All it takes is one user missing from MFA setup.” This highlights a widespread vulnerability.
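The MFA findings above (59% of cases with MFA missing or misconfigured, one user missing from the policy, long-lived session tokens) usually come down to scope rather than intent: a policy left in report-only mode, an exclusion group that quietly grew, a user who never registered a method, no session limit on the policy that does apply. The audit below is an added example, not the report's or this site's code. It runs against a simplified model of conditional-access policies (the field names are this example's own, not the Graph API schema) and constructed user records, and lists each way an account can fall outside enforcement.

```python
"""
Added example, not code from the Sophos report or this article: an audit of MFA
coverage against a simplified model of conditional-access policies (include and
exclude scopes, policy state, grant and session controls). The policy and user
records below are constructed for the example, and the field names are this
example's own, not the Microsoft Graph schema.
"""

# Constructed policies. "enabledForReportingButNotEnforced" is the Entra term for
# report-only mode: the policy logs what it would have done and challenges no one.
CA_POLICIES = [
    {"name": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "include_users": "All", "exclude_groups": ["BreakGlass"], "grant": ["mfa"]},
    {"name": "Require MFA for admins", "state": "enabled",
     "include_groups": ["Admins"], "exclude_groups": ["ServiceAccounts"],
     "grant": ["mfa"], "session_hours": 12},
    {"name": "Require MFA for Finance", "state": "enabled",
     "include_groups": ["Finance"], "grant": ["mfa"]},   # no session control at all
]

# Constructed user export: group membership plus whether any MFA method is registered.
USERS = [
    {"upn": "alice@example.com", "groups": ["Admins"], "mfa_registered": True},
    {"upn": "bob@example.com", "groups": ["Sales"], "mfa_registered": True},
    {"upn": "dave@example.com", "groups": ["Finance"], "mfa_registered": True},
    {"upn": "carol@example.com", "groups": ["Admins"], "mfa_registered": False},
    {"upn": "svc-backup@example.com", "groups": ["Admins", "ServiceAccounts"], "mfa_registered": False},
    {"upn": "breakglass@example.com", "groups": ["BreakGlass"], "mfa_registered": False},
]


def audit_user(user, policies):
    """Return the list of reasons this user is not fully protected by enforced MFA."""
    groups = set(user["groups"])
    enforced, report_only, excluded = [], [], []
    for p in policies:
        if "mfa" not in p.get("grant", []):
            continue
        in_scope = p.get("include_users") == "All" or bool(groups & set(p.get("include_groups", [])))
        if not in_scope:
            continue
        hit = groups & set(p.get("exclude_groups", []))
        if hit:
            excluded.append(f"excluded from '{p['name']}' via {sorted(hit)}")
        elif p["state"] == "enabled":
            enforced.append(p)
        elif p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(f"'{p['name']}' is report-only and challenges nobody")
    findings = []
    if not enforced:
        # Explain why no policy bites, then state the bottom line.
        findings += excluded + report_only
        findings.append("no enforced policy requires MFA for this account")
    elif not any(p.get("session_hours") for p in enforced):
        findings.append("MFA enforced but no sign-in frequency set; a stolen session "
                        "token stays valid for the tenant default lifetime")
    if not user["mfa_registered"]:
        findings.append("no MFA method registered; whoever first signs in with the "
                        "password can enrol one")
    return findings


def audit(users, policies):
    """Map each UPN to its findings (an empty list means fully covered)."""
    return {u["upn"]: audit_user(u, policies) for u in users}


def coverage(users, policies):
    """(users with no findings, total users): the number to show an underwriter."""
    report = audit(users, policies)
    return sum(1 for f in report.values() if not f), len(users)


if __name__ == "__main__":
    for upn, findings in audit(USERS, CA_POLICIES).items():
        print(upn, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
    print("fully covered: %d of %d" % coverage(USERS, CA_POLICIES))
```

On the constructed tenant only one of six accounts is fully covered, even though an administrator looking at the policy list would see "Require MFA for all users" and assume the job was done. To use it on a real tenant, export the policies and the authentication-methods registration report and map them onto the fields above; the logic, not the data source, is the point.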
Missing Logs Undermine Investigations
Gaps in telemetry doubled compared to last year. Many firewalls kept logs for only 7 days, and some systems stored them for just 24 hours. This often left investigators without enough forensic data.
Missing logs were the second biggest contributing factor. The report warns against cutting costs by reducing data retention, as not having enough telemetry can make claims more severe.
Sophos stressed the importance of prevention. The report says, “Prevention still beats detection.” Strengthening identity security and keeping logs are the top defense strategies.
AI Adds Noise But Not Revolution
Despite all the industry hype, AI did not change how attackers behaved in 2025. Sophos did not see any fully autonomous AI-driven attacks in its 661 cases.
Generative AI made phishing emails look better and arrive faster. It improved grammar and made fake branding more convincing, allowing attacks to reach more people. Still, attackers mostly used their usual tools and methods.
Sophos confirmed one case involving a deepfake. The victim reported it quickly, and it did not turn into a larger incident.
Shier concluded, “AI is adding scale and noise but not yet replacing attackers.”
For cyber insurance markets, concerns about AI risks may be greater than the current evidence supports. Traditional security controls are still essential.
Defensive Recommendations For Organizations
Sophos recommends that organizations:
- Use phishing-resistant MFA and verify that it is configured and enforced for every account.
- Patch edge vulnerabilities promptly.
- Ensure 24/7 monitoring through MDR or equivalent services.
- Keep logs for longer than the default retention period.
Blocking unnecessary tooling also helps. Python use by attackers increased because of Impacket abuse, so organizations should restrict Python interpreters to systems that genuinely need them for development. These steps match the controls underwriters already ask about.
Frequently Asked Questions
What Does The Sophos Report Mean By “Identity-Related” Cybersecurity Incidents?
Sophos uses the term for attacks that abuse accounts and login systems. Attackers use stolen passwords, brute force, phishing, or token theft. They often avoid malware-heavy tactics. They rely on valid access.
Why Do Cybersecurity Incidents Succeed Even When Companies Patch Systems?
Attackers bypass patched systems by logging in with real credentials. Patching removes exploit paths, but a valid credential walks straight past a fully patched perimeter. Identity abuse still works when MFA is missing or weak, and attackers take the easiest path every time.
How Big Is The MFA Problem In These Cybersecurity Incidents?
Sophos found MFA was missing or not properly configured in 59% of cases. Some firms thought they enabled MFA. Others misconfigured it. Some avoided MFA due to user friction.
Why Do Ransomware Crews Deploy After Hours?
Attackers want less resistance. They hit when staffing runs thin. Sophos found 88% of ransomware payloads ran during non-business hours. Sophos also found 79% of exfiltration actions occurred off-hours.
How Fast Do Attackers Reach Active Directory In These Cybersecurity Incidents?
Sophos measured a median of 3.4 hours to reach Active Directory after initial access. Attackers move quickly once inside. They target identity control planes early.
What Is The Most Common Initial Access Method In The Report?
Sophos reported brute force at about 15.6% and exploitation at about 16%. Compromised credentials dominate overall root causes. Sophos also noted many cases lacked enough logs for a precise call.
Did AI Change Cybersecurity Incidents In 2025?
Sophos saw no major AI-driven shift in attacker techniques. Attackers used GenAI to improve phishing quality and scale. Sophos confirmed one verified deepfake event. The victim reported it quickly.
Why Do Missing Logs Make Cybersecurity Incidents Worse?
Logs help teams confirm entry points and timelines. Missing logs slow investigations. Sophos saw retention issues double year over year. Firewall logs often defaulted to seven days or less.
Which Ransomware Brands Appeared Most Often?
Sophos observed Akira as the top brand in its dataset. Qilin ranked second. Sophos also tracked many other brands. The report recorded 51 unique ransomware brands.
What Should Organizations Do First To Reduce Cybersecurity Incidents?
Start with phishing-resistant MFA. Validate configuration and coverage. Protect Active Directory and identity systems. Keep security logs longer. Add 24/7 monitoring for faster containment.