Darktrace: 32 Million Phishing Emails Targeted Identities in 2025
▼ Summary
– Darktrace detected over 32 million high-confidence phishing emails in 2025, indicating a major rise in identity-driven cyber threats.
– Phishing attacks heavily targeted VIPs (over 8.2 million emails) and increasingly used new domains, QR codes, and novel social engineering techniques.
– A majority (70%) of these phishing emails successfully passed DMARC authentication, bypassing a key email security check.
– Identity compromise, like using stolen credentials, has surpassed vulnerability exploitation as the primary method for attackers to gain initial access.
– In the Americas, SaaS and Microsoft 365 account takeovers were responsible for nearly 70% of incidents, with manufacturing being a frequent target for ransomware.
The sheer volume of identity-based cyber attacks reached unprecedented levels in 2025, with security firm Darktrace detecting a staggering 32 million high-confidence phishing emails targeting its global customer base. This massive figure underscores a dramatic shift in the threat landscape, where attackers increasingly prioritize stealing and misusing legitimate credentials over traditional methods of breaching defenses. The year was characterized by rapid automation, the merging of different attack techniques, and a significant increase in the speed at which adversaries operate.
A closer look at the data reveals a clear focus on high-value targets. Over 8.2 million phishing attempts were directed at VIPs, representing more than a quarter of all observed phishing activity. Attackers also leveraged fresh infrastructure and modern lures, with 1.6 million emails sent from newly created domains and another 1.2 million incorporating malicious QR codes to bypass traditional email filters. Perhaps most concerning is the sophistication of these campaigns: 70% of phishing emails successfully passed DMARC authentication, 41% were classified as targeted spear-phishing, and 38% employed novel social engineering tactics designed to evade detection.
The report makes a critical distinction about how breaches now commonly begin. Identity compromise has definitively overtaken vulnerability exploitation as the primary entry point for attackers. While the number of documented Common Vulnerabilities and Exposures (CVEs) grew by roughly 20% year-over-year, adversaries are increasingly bypassing these flaws entirely. They are instead logging in directly using stolen credentials, hijacked session tokens, and abused permissions, allowing them to move laterally through networks under a veil of legitimate activity.
This trend highlights a fundamental change in defensive strategy. As Shane Barney, CISO at Keeper Security, explains, “Identity has become the attacker’s skeleton key. Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy.” When an organization’s identity controls are disjointed or too permissive, attackers do not need to discover new software flaws; they simply need access that appears routine and authorized.
The regional impact was particularly pronounced in the Americas, which accounted for nearly half of all global security events tracked by Darktrace. In this region, SaaS and Microsoft 365 account takeovers were responsible for almost 70% of incidents. The manufacturing sector was disproportionately affected, representing 17% of all cases and a striking 29% of ransomware incidents. This data points to a concentrated assault on cloud-based productivity platforms and critical industrial infrastructure, with stolen identities serving as the universal key for intrusion.
(Source: InfoSecurity Magazine)
