56% of Cyberattacks Bypass Security with Legitimate Logins — Report

A newly released 2025 Sophos Active Adversary Report reveals that more than half of cyberattacks in 2024 bypassed traditional security defenses by using legitimate login credentials instead of exploiting system vulnerabilities.

The report, which analyzed over 400 cases of Managed Detection and Response (MDR) and Incident Response (IR), found that 56 percent of cyberattacks were carried out by attackers simply logging in using stolen credentials, rather than relying on brute-force tactics or system exploits.

This marks a concerning trend in cybercrime, as attackers increasingly favor stolen or compromised credentials to gain undetected access to corporate networks. According to the report, compromised credentials have now been the leading cause of cyber intrusions for two consecutive years, accounting for 41 percent of all attacks. This was followed by exploited vulnerabilities (21.79 percent) and brute-force attacks (21.07 percent).

The stealthiness of credential-based attacks makes them especially dangerous. Once inside, attackers can move quickly to exfiltrate data or carry out further malicious activity. In cases involving ransomware, data exfiltration, and extortion, the report found that the median time from initial access to data exfiltration was just 3.04 days (72.98 hours). Once data was stolen, organizations had a median of only 2.7 hours before the attack was detected.

“When attackers use stolen credentials, they blend in with legitimate network traffic, making detection much harder,” explained John Shier, the field CISO at Sophos. “Organizations need to shift from passive security to active, continuous monitoring. Attackers are evolving, and so must our defense strategies.”

The report also revealed troubling trends in attacker behavior. For example, attackers took a median of just 11 hours from initial access to attempt to breach Active Directory (AD), a critical network asset. Ransomware continued to be a major threat, with Akira being the most frequently encountered ransomware group in 2024, followed by Fog and LockBit.

Additionally, the report noted that the median time from the start of an attack to detection fell from four days in 2023 to just two in 2024. Remote Desktop Protocol (RDP) was a significant weakness, used in 84 percent of cases, making it the most exploited Microsoft tool. Moreover, attackers often work overnight, with 83 percent of ransomware deployments occurring outside of normal business hours, allowing cybercriminals to maximize damage before detection.
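One way to put the continuous monitoring the report calls for into practice, as an added example that is not from the Sophos report or its authors: the script below scans successful RDP logons (Windows Security event 4624 with logon type 10) and flags those that fall outside business hours or come from a source address not previously seen for that account, the two signals the findings above point to. The log lines, the account names, the baseline of known sources and the 08:00-18:00 business-hours window are all constructed assumptions for this example.

```python
# Added example (not from the Sophos report): flag RDP logons that are
# after-hours or from a source never seen before for that account.
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time (assumed window)
RDP_LOGON_TYPE = "10"           # RemoteInteractive (RDP) in Windows 4624 events

# Constructed sample records: "timestamp|EventID|LogonType|Account|SourceIP"
SAMPLE_LOG = """\
2024-06-03T09:12:04|4624|10|CORP\\jdoe|10.0.5.21
2024-06-03T13:40:11|4624|10|CORP\\jdoe|10.0.5.21
2024-06-04T02:17:55|4624|10|CORP\\jdoe|203.0.113.45
2024-06-04T10:02:30|4624|2|CORP\\asmith|10.0.7.9
2024-06-04T11:30:00|4624|10|CORP\\svc_backup|10.0.9.3
"""

# Constructed baseline of source addresses already known for each account
KNOWN_SOURCES = {"CORP\\jdoe": {"10.0.5.21"}}

def parse(line):
    """Split one constructed record into its fields."""
    ts, event_id, logon_type, account, src = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "account": account, "src": src}

def flag_rdp_logons(lines, baseline=None):
    """Return (alerts, updated_baseline); each alert lists why it fired."""
    seen = defaultdict(set, {k: set(v) for k, v in (baseline or {}).items()})
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev["event_id"] != "4624" or ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only successful RDP logons are of interest here
        reasons = []
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("after-hours")
        if ev["src"] not in seen[ev["account"]]:
            reasons.append("new-source")
        seen[ev["account"]].add(ev["src"])  # learn the source for next time
        if reasons:
            alerts.append((ev["account"], ev["src"], ev["ts"].isoformat(), reasons))
    return alerts, dict(seen)

def run_sample():
    """Run the detector over the constructed log with the constructed baseline."""
    return flag_rdp_logons(SAMPLE_LOG.splitlines(), KNOWN_SOURCES)[0]

if __name__ == "__main__":
    for account, src, when, why in run_sample():
        print(f"{when} {account} from {src}: {', '.join(why)}")
```

On the sample, the 02:17 logon from 203.0.113.45 fires on both signals, while the service account's first-seen source fires only as new-source; the type 2 (interactive console) logon is ignored.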

Given the rising use of legitimate credentials to bypass security systems, businesses must now prioritize identity protection alongside traditional cybersecurity defenses. Sophos recommended organizations close exposed RDP ports to limit attack surfaces, implement phishing-resistant multi-factor authentication (MFA) to reduce the risk of credential theft, and regularly update and patch vulnerable systems, especially those facing the internet.

“Organizations should also deploy Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) with 24/7 proactive monitoring and establish and test a comprehensive incident response plan to react quickly to potential intrusions,” the report advised.

As traditional security measures focus on preventing break-ins, attackers are adapting by walking through the front door with stolen credentials. The 2025 Sophos report serves as a stark reminder that strong passwords alone are no longer sufficient. Businesses must adopt continuous monitoring, proactive defense strategies, and multi-layered security to keep pace with the evolving cyber threat landscape.