Stolen Logins Drive 56% of Cyber Attacks as Hackers Ditch Exploits

Samuel Mobolaji
More than half of cyberattacks in 2024 bypassed traditional security measures by simply logging in with stolen credentials, rather than exploiting software flaws, according to the newly released 2025 Sophos Active Adversary Report.
The report, which examined over 400 cases of Managed Detection and Response (MDR) and Incident Response (IR), revealed that 56 per cent of attacks involved adversaries accessing systems using legitimate login details. This marks a growing shift in attacker behaviour away from brute-force tactics and towards stealthier credential-based intrusions.
Compromised credentials remained the top entry point for cyber intrusions for the second consecutive year, accounting for 41 per cent of all incidents. Exploited vulnerabilities and brute-force attacks followed at 21.79 and 21.07 per cent respectively.
“These attacks are especially dangerous because they blend in with normal user activity,” said John Shier, Field CISO at Sophos. “Attackers are evolving and organisations must move beyond passive defences to active, round-the-clock threat monitoring.”
The report found that once inside a network, attackers acted quickly. In ransomware-related cases, the median time from initial access to data theft was just over 72 hours. Even more alarming, it typically took only 2.7 hours from the moment data was stolen for organisations to detect an attack.
Attackers also moved swiftly to compromise key systems. The median time from gaining access to attempting a breach of Active Directory—a vital part of corporate infrastructure—was just 11 hours.
Ransomware continues to be a major threat, with Akira identified as the most active group in 2024, followed by Fog and LockBit. The report also noted that the median detection time for attacks dropped from four days to two, indicating both an increase in attack speed and a modest improvement in response efforts.
Remote Desktop Protocol (RDP) emerged as the most exploited Microsoft tool, used in 84 per cent of cases. Most ransomware deployments (83 per cent) occurred outside regular business hours, enabling attackers to cause maximum disruption before being discovered.
To counter the trend of credential-based attacks, Sophos recommends closing exposed RDP ports, deploying phishing-resistant multi-factor authentication, and applying regular patches to internet-facing systems. With attackers increasingly disguising themselves as legitimate users, identity protection must now take centre stage in cybersecurity strategy.