
The great risk in 2024


Cybercriminals have found credential theft to be one of their most effective tactics. The share of attacked companies that had not enabled multifactor authentication (MFA) rose from 22% in 2022 to 63% in 2024. This increase is directly related to the fact that compromised credentials were the leading root cause of attacks, at 41% of cases, for the second consecutive year.

This is highlighted in the "Active Adversary Report 2025" from Sophos, which also reveals that in 71% of the incidents analyzed the attackers entered business networks through external remote services such as firewalls and VPNs, and in 79% of those cases they used compromised credentials to do so.

Along with the ease with which attackers infiltrate networks, the report notes the speed with which they can advance within an organization. In cases of ransomware, data exfiltration and data extortion, the average time between the initial intrusion and the exfiltration of information was only 72.98 hours (just over three days). Even more alarming, the average time from exfiltration to detection of the attack was just 2.7 hours, leaving companies with an extremely narrow reaction window.

John Shier, Field CISO at Sophos, emphasizes the importance of active monitoring: "Passive security is no longer enough. Although prevention is essential, rapid response is fundamental. Companies must actively monitor their networks and act quickly on the observed telemetry. The coordinated attacks of motivated adversaries demand a coordinated defense. For many companies, this means combining specific knowledge of the business with expert-led detection and response."

Sophos Active Adversary Report 2025: theft of credentials

Other key findings of the "Active Adversary Report 2025" include:

  • Rapid system compromise: Cybercriminals can take control of a system in just 11 hours. This is the average time between the attackers' initial action and their first (often successful) attempt to breach Active Directory (AD), one of the most important assets of any Windows network.
  • Predominant ransomware: Akira was the most frequently encountered ransomware group in 2024, followed by Fog and LockBit, the latter despite the law-enforcement takedown at the beginning of the year.
  • Reduction in dwell time: Dwell time, that is, the time that elapses from the start of an attack until it is detected, fell from 4 days to only 2 in 2024. This reduction is largely attributed to the incorporation of MDR cases into the data set.
  • Dwell time in IR cases: Dwell time remained stable at 4 days for ransomware attacks and 11.5 days for non-ransomware cases.
  • Dwell time in MDR cases: In MDR investigations, dwell time was only 3 days for ransomware and only 1 day for cases without ransomware activity, suggesting that MDR teams are able to detect and respond to attacks more quickly.
  • Ransomware groups' attack schedules: In 2024, 84% of ransomware binaries were launched outside local working hours, indicating a preference for attacking at night.
  • Abuse of the Remote Desktop Protocol (RDP): RDP was involved in 84% of managed detection and response (MDR) and incident response (IR) cases, making it the most abused Microsoft tool.

The report also indicates a significant increase in attackers' abuse of trusted applications. Compared to 2023, there was a 51% increase in the use of "living off the land" binaries (LOLBins); since 2021 the increase has been 83%. Among the unique Microsoft LOLBins detected in the first half of the year, the most abused was the Remote Desktop Protocol (RDP): of the almost 200 IR cases analyzed, attackers abused RDP in 89% of them.
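The two RDP patterns the findings above point at, logons from outside the organization and logons outside working hours, are cheap to surface from Windows Security logon events. The following is an example added by the editor, not code from Sophos or from this article: it scans constructed records shaped like Windows event 4624 (successful logon) and flags RDP sessions (logon type 10, RemoteInteractive) whose source address is outside the assumed internal ranges or whose timestamp falls outside assumed 08:00 to 18:00 weekday hours. The internal ranges, working hours and every event below are assumptions made for the example.

```python
"""Flag risky RDP logons: external source address or outside working hours.

Added example by the editor. Field names follow Windows Security event 4624,
but all records below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

RDP_LOGON_TYPE = 10            # RemoteInteractive (Terminal Services / RDP)
SUCCESSFUL_LOGON = 4624        # Windows Security event ID
WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed local business hours

# Assumed corporate address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class LogonEvent:
    timestamp: datetime   # local time of the host that logged the event
    event_id: int
    logon_type: int
    user: str
    source_ip: str


def is_external(ip: str) -> bool:
    """True when the address is not inside any assumed internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outside_work_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business-hours window."""
    weekend = ts.weekday() >= 5
    return weekend or not (WORK_START <= ts.time() < WORK_END)


def rdp_alerts(events):
    """Return (user, source_ip, reasons) for each suspicious RDP logon."""
    alerts = []
    for ev in events:
        if ev.event_id != SUCCESSFUL_LOGON or ev.logon_type != RDP_LOGON_TYPE:
            continue
        reasons = []
        if is_external(ev.source_ip):
            reasons.append("external source")
        if outside_work_hours(ev.timestamp):
            reasons.append("outside working hours")
        if reasons:
            alerts.append((ev.user, ev.source_ip, ", ".join(reasons)))
    return alerts


# Constructed sample events. 2024-06-12 is a Wednesday, 2024-06-15 a Saturday;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# internet addresses.
SAMPLE_EVENTS = [
    LogonEvent(datetime(2024, 6, 12, 10, 15), 4624, 10, "alice", "10.0.0.23"),      # normal
    LogonEvent(datetime(2024, 6, 12, 2, 41), 4624, 10, "svc_backup", "10.0.0.50"),  # 02:41
    LogonEvent(datetime(2024, 6, 12, 11, 5), 4624, 10, "admin", "203.0.113.7"),     # external
    LogonEvent(datetime(2024, 6, 15, 3, 20), 4624, 3, "bob", "198.51.100.9"),       # not RDP
    LogonEvent(datetime(2024, 6, 15, 23, 55), 4624, 10, "admin", "198.51.100.9"),   # both
]

if __name__ == "__main__":
    for user, ip, why in rdp_alerts(SAMPLE_EVENTS):
        print(f"ALERT rdp logon user={user} src={ip} ({why})")
```

The business-hours check is deliberately per-host local time, since the report's off-hours figure is measured against local working hours; in practice the internal ranges should come from the organization's own address plan rather than RFC 1918 alone, which is why they are an explicit list here rather than a call to `ipaddress`'s `is_private`.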

These findings highlight the critical need for organizations to implement proactive and robust security measures, such as multifactor authentication and continuous network monitoring, in order to detect and respond quickly to emerging threats.
