As a leading IT professional with deep expertise in artificial intelligence and machine learning, Dominic Jainy has a unique perspective on the evolving landscape of cyber threats. He joins us to dissect the latest trends in cybercrime, focusing on the dramatic rise of identity-based attacks, the industrialization of phishing, and the specific industries feeling the heat. We’ll explore how attackers are bypassing modern defenses, the critical speed at which they operate, and what organizations must do to adapt to this new reality.
Given that account compromise surged to become the majority of all attacks in 2025, what specific shifts in attacker strategy are driving this? Please share some examples of the key defensive blind spots you see in organizations that make them vulnerable to credential theft.
The shift is monumental. We’re not just seeing a small increase; we’re witnessing a 389% year-over-year explosion in account compromise, which now constitutes 55% of all incidents we track. The strategy has shifted from trying to break down the castle walls with malware to simply walking in the front door with stolen keys. Attackers have realized that compromising an identity is far more efficient. The biggest blind spot for organizations is a false sense of security. They focus on perimeter defenses while attackers are targeting the human element, with credential access making up a staggering 75% of the malicious activity we observed. Companies are simply not prepared for the scale and sophistication of modern phishing operations that are laser-focused on harvesting credentials.
We’ve seen how sophisticated Phishing-as-a-Service kits can now bypass multi-factor authentication. Could you walk us through the mechanics of how these tools work and what concrete steps companies must take beyond standard MFA to secure environments like Microsoft 365?
It’s a chillingly effective process. These PhaaS kits—services like Tycoon2FA or EvilProxy—are not just static templates; they are comprehensive, constantly updated platforms. They deploy a proxy between the victim and the real login page, like Microsoft 365’s. When the user enters their credentials and the MFA code, the kit captures it all in real time and, most importantly, hijacks the session token. This token allows the attacker to bypass MFA entirely and access the account as if they were the legitimate user. Just implementing standard MFA isn’t enough anymore. Companies need to look at conditional access policies that scrutinize login context—like location and device health—and employ advanced threat detection within their cloud environments to spot anomalous behavior after a successful login.
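The two controls named in that answer, context-aware access policy and post-login anomaly detection, are shown below as an added example written for this page; it is not code from the interview or from any vendor. Constructed sign-in records are run through a conditional-access style policy that weighs country and device health rather than trusting a satisfied MFA prompt alone, and through a detector that flags a session token reappearing from a different IP address or device shortly after MFA was completed, which is the footprint a reverse-proxy phishing kit leaves when it replays the captured token. All field names, thresholds and sample values are assumptions.

```python
"""Login-context checks for a cloud identity tenant (added example, not from the interview)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str       # identifier of the session/refresh token presented at sign-in
    ip: str
    country: str
    device_id: str
    device_compliant: bool
    mfa_satisfied: bool


# Constructed tenant policy: where and from what the workforce normally signs in.
ALLOWED_COUNTRIES = {"US", "CA"}
REPLAY_WINDOW = timedelta(hours=1)


def evaluate_policy(event: SignIn) -> tuple[str, list[str]]:
    """Return ('allow' | 'step_up' | 'block', reasons) for one sign-in."""
    reasons = []
    if not event.mfa_satisfied:
        reasons.append("mfa_not_satisfied")
    if not event.device_compliant:
        reasons.append("device_not_compliant")
    if event.country not in ALLOWED_COUNTRIES:
        reasons.append(f"unexpected_country:{event.country}")
    # A token presented from an unmanaged device is refused outright: a replayed
    # session carries the MFA claim without the real user being present.
    if "mfa_not_satisfied" in reasons or "device_not_compliant" in reasons:
        return "block", reasons
    if reasons:
        return "step_up", reasons      # re-prompt for a fresh factor instead of trusting the token
    return "allow", reasons


def detect_token_replay(events: list[SignIn]) -> list[dict]:
    """Flag any session id that reappears from a new IP or device within REPLAY_WINDOW.

    The proxy relays the victim's MFA and then presents the captured token from its
    own infrastructure, so one session surfaces from two places within minutes.
    """
    by_session: dict[str, list[SignIn]] = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)
    alerts = []
    for session_id, seen in by_session.items():
        seen.sort(key=lambda e: e.ts)
        for prev, cur in zip(seen, seen[1:]):
            moved = cur.ip != prev.ip or cur.device_id != prev.device_id
            if moved and cur.ts - prev.ts <= REPLAY_WINDOW:
                alerts.append({
                    "user": cur.user,
                    "session_id": session_id,
                    "first_seen": f"{prev.ip}/{prev.country}/{prev.device_id}",
                    "then_seen": f"{cur.ip}/{cur.country}/{cur.device_id}",
                    "minutes_apart": (cur.ts - prev.ts).total_seconds() / 60,
                })
    return alerts


T0 = datetime(2025, 3, 3, 9, 0)
# Constructed sign-ins using documentation IP ranges. Alice completes MFA through a
# phishing proxy; four minutes later her token is presented from the proxy host.
EVENTS = [
    SignIn(T0, "alice@example.com", "sess-a1", "203.0.113.10", "US", "dev-a1", True, True),
    SignIn(T0 + timedelta(minutes=4), "alice@example.com", "sess-a1", "198.51.100.7", "NL", "unknown", False, True),
    SignIn(T0 + timedelta(hours=1), "bob@example.com", "sess-b1", "203.0.113.22", "US", "dev-b1", True, True),
    SignIn(T0 + timedelta(hours=1, minutes=30), "bob@example.com", "sess-b1", "203.0.113.22", "US", "dev-b1", True, True),
    SignIn(T0 + timedelta(hours=2), "carol@example.com", "sess-c1", "192.0.2.45", "DE", "dev-c1", True, True),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.user, e.ip, evaluate_policy(e))
    for a in detect_token_replay(EVENTS):
        print("TOKEN REPLAY:", a)
```

The policy alone would have blocked Alice's second sign-in on device health; the replay detector is what tells the responder that the first, policy-compliant sign-in was already the victim's MFA being proxied, so the session itself must be revoked rather than just the later attempt denied.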
An attacker can reportedly weaponize a compromised account, such as by setting up inbox forwarding rules, in under 15 minutes. Considering this speed, how should incident response plans change, and what are the critical first actions a team must take upon detecting a takeover?
That 14-minute timeframe changes everything. It means your incident response can no longer be a slow, deliberative process that takes hours. By the time you’ve assembled a conference call, the attacker has already established persistence and exfiltrated data. Response plans must become automated and immediate. The moment a takeover is suspected, the first critical action should be to initiate a “kill switch” for that account—forcefully terminating all active sessions and immediately resetting credentials. The second action, happening in parallel, is to hunt for persistence mechanisms. You have to assume they’ve created inbox rules, granted permissions to malicious apps, or set up other backdoors, and you must find and eradicate them before restoring access.
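The persistence hunt described in that answer, as an added example written for this page rather than code from the interviewee or from Microsoft: constructed Microsoft 365 style audit records are scanned for the backdoors named above (inbox rules that forward, redirect or hide mail, and OAuth application consents granting mailbox access), and the findings are turned into an ordered containment plan that revokes sessions and resets credentials before each backdoor is removed. The Exchange inbox-rule operation and parameter names (`New-InboxRule`, `ForwardTo`, `DeleteMessage`, and so on) are real; the layout of the consent record, the tenant domain and the sample values are assumptions.

```python
"""Persistence hunt after a suspected account takeover (added example, not from the interview)."""
from __future__ import annotations

TENANT_DOMAINS = {"example.com"}          # constructed: domains the tenant owns
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders attackers commonly use to bury replies so the victim never sees them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items"}
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite", "offline_access"}


def _params(event: dict) -> dict:
    """Flatten the Parameters list of an Exchange audit record into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS


def hunt_persistence(events: list[dict]) -> list[dict]:
    """Return suspicious persistence artefacts, highest severity first."""
    findings = []
    for ev in events:
        op, user, when = ev.get("Operation"), ev.get("UserId"), ev.get("CreationTime")
        if op in RULE_OPERATIONS:
            p = _params(ev)
            rule = p.get("Name", "<unnamed>")
            targets = [p[k] for k in sorted(FORWARDING_PARAMS) if k in p]
            if any(_is_external(t) for t in targets):
                findings.append({"user": user, "time": when, "severity": 3, "artifact": rule,
                                 "kind": "inbox_rule_external_forward",
                                 "detail": f"rule {rule!r} forwards mail to {targets}"})
            deletes = p.get("DeleteMessage", "False").lower() == "true"
            hides = p.get("MoveToFolder", "").lower() in HIDING_FOLDERS
            if deletes or hides:
                findings.append({"user": user, "time": when, "severity": 2, "artifact": rule,
                                 "kind": "inbox_rule_hides_mail",
                                 "detail": f"rule {rule!r} deletes or buries incoming mail"})
        elif op == "Consent to application.":       # simplified, assumed record layout
            risky = sorted(set(ev.get("Permissions", "").split()) & RISKY_SCOPES)
            if risky:
                app = ev.get("AppDisplayName", "<unknown app>")
                findings.append({"user": user, "time": when, "severity": 3, "artifact": app,
                                 "kind": "oauth_app_consent",
                                 "detail": f"app {app!r} granted {risky}"})
    return sorted(findings, key=lambda f: -f["severity"])


def containment_plan(user: str, findings: list[dict]) -> list[str]:
    """Ordered actions: cut the attacker off first, then remove each backdoor found."""
    plan = [f"revoke_all_sessions:{user}", f"reset_credentials:{user}", f"reset_mfa_methods:{user}"]
    for f in findings:
        if f["user"] != user:
            continue
        if f["kind"].startswith("inbox_rule"):
            step = f"remove_inbox_rule:{user}:{f['artifact']}"
        else:
            step = f"revoke_app_consent:{user}:{f['artifact']}"
        if step not in plan:                        # one rule can trigger two findings
            plan.append(step)
    return plan


# Constructed audit records: Alice's account was weaponised minutes after takeover;
# Bob's rule is a benign newsletter filter that must not be flagged.
AUDIT_EVENTS = [
    {"CreationTime": "2025-03-03T09:06:10", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collect@mailbox.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-03T09:09:41", "Operation": "Consent to application.",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7",
     "AppDisplayName": "Mail Sync Helper", "Permissions": "Mail.Read offline_access User.Read"},
    {"CreationTime": "2025-03-03T11:20:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.22",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

if __name__ == "__main__":
    found = hunt_persistence(AUDIT_EVENTS)
    for f in found:
        print(f["severity"], f["user"], f["detail"])
    print(containment_plan("alice@example.com", found))
```

The plan always begins with session revocation and credential reset, because removing a forwarding rule while the attacker still holds a valid token only prompts them to create another one; the rule and app names are carried through so the responder can verify each backdoor is gone before access is restored.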
While overall malware incidents reportedly saw a slight decline, specific lures like ClickFix grew by 300%. What does this tell us about the evolution of social engineering, and how should security awareness training adapt to address these highly successful, targeted malware delivery tactics?
It tells us that attackers are favoring precision over volume. The slight four-point decline in overall malware is deceptive; threat actors are simply getting smarter. Instead of blasting out generic malware, they’re using highly effective, socially-engineered lures like ClickFix, which saw a 300% spike and now accounts for over 30% of all malware delivery cases we see. This is a move toward quality over quantity. Security awareness training has to evolve accordingly. It’s no longer enough to say, “Don’t click on suspicious links.” Training must now use real-world simulations of these sophisticated, context-aware lures to teach employees to question the legitimacy of requests, even when they seem to come from a trusted source or service.
The software and manufacturing industries experienced significant increases in security incidents last year. Could you elaborate on the unique vulnerabilities or high-value targets within these sectors that are attracting this increased attention from cybercriminals? Please provide some specific examples.
These sectors are incredibly attractive targets, and the numbers bear that out, with incidents in software up 15% and manufacturing up a massive 32%. For the software industry, the high-value targets are source code, customer data, and the software supply chain itself. Compromising a software company can lead to a widespread attack on all of its customers. In manufacturing, the vulnerabilities are often a mix of valuable intellectual property, like proprietary designs, and the increasing convergence of IT and Operational Technology (OT) networks. A successful attack can not only lead to data theft but also to the disruption of physical production lines, causing immense financial and reputational damage.
Attack methods combining email bombing with IT Help Desk impersonation have seen a fourteen-fold increase. Can you describe how this multi-stage attack typically unfolds and explain why it is proving to be so effective, particularly against industries like the legal sector?
This is a clever and disruptive tactic. The attack starts with an “email bomb,” where the target’s inbox is flooded with thousands of subscription emails and spam. This creates chaos and acts as a smokescreen. Amid this confusion, the attacker, impersonating the company’s IT Help Desk, calls or emails the overwhelmed employee, offering to help “fix” the problem. Because the user is already stressed and distracted by the flood of emails, they are far more likely to trust the “helper” and provide their credentials or grant remote access. It’s so effective because it combines a technical nuisance with psychological manipulation. The legal sector is a prime target because of the high-value, sensitive client information they hold, making them a lucrative prize for attackers who succeed with this method.
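A gateway-side detector for the first stage of that attack, as an added example written for this page rather than code from the interviewee: a sliding window over constructed inbound-mail records flags a recipient who suddenly receives many messages from many unrelated sending domains, and a companion check lets the help desk treat any "IT support" contact with that user during or shortly after the flood as suspect. Window size, thresholds and sample data are assumptions.

```python
"""Email-bomb burst detection at the mail gateway (added example, not from the interview)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Inbound:
    ts: datetime
    recipient: str
    sender: str


WINDOW = timedelta(minutes=10)   # assumed: a flood shows up as a burst this short
MIN_MESSAGES = 50
MIN_DOMAINS = 30                 # many unrelated senders distinguishes a bomb from a busy thread
GRACE = timedelta(hours=2)       # how long after the flood a "help desk" approach stays suspect


def detect_email_bomb(mail: list[Inbound]) -> list[dict]:
    """Return one alert per recipient whose inbox is flooded from many distinct domains."""
    by_rcpt: dict[str, list[Inbound]] = defaultdict(list)
    for m in mail:
        by_rcpt[m.recipient].append(m)
    alerts = []
    for rcpt, msgs in by_rcpt.items():
        msgs.sort(key=lambda m: m.ts)
        start = 0
        for end, m in enumerate(msgs):
            while m.ts - msgs[start].ts > WINDOW:      # slide the window forward
                start += 1
            window = msgs[start:end + 1]
            domains = {x.sender.rsplit("@", 1)[-1].lower() for x in window}
            if len(window) >= MIN_MESSAGES and len(domains) >= MIN_DOMAINS:
                alerts.append({"recipient": rcpt, "window_start": window[0].ts, "window_end": m.ts,
                               "messages": len(window), "distinct_domains": len(domains)})
                break                                  # one alert per recipient per flood
    return alerts


def help_desk_contact_suspect(user: str, contact_ts: datetime, alerts: list[dict]) -> bool:
    """True if a help-desk style contact with this user falls inside a flood or its grace period."""
    return any(a["recipient"] == user and a["window_start"] <= contact_ts <= a["window_end"] + GRACE
               for a in alerts)


T0 = datetime(2025, 3, 3, 14, 0)
# Constructed traffic: Alice gets 80 subscription confirmations in eight minutes from
# 60 different sites; Bob receives ordinary mail from colleagues.
MAIL = [Inbound(T0 + timedelta(seconds=6 * i), "alice@example.com", f"noreply@sub{i % 60}.example")
        for i in range(80)]
MAIL += [Inbound(T0 + timedelta(minutes=3 * i), "bob@example.com", f"user{i}@example.com")
         for i in range(5)]

if __name__ == "__main__":
    found = detect_email_bomb(MAIL)
    for a in found:
        print("EMAIL BOMB:", a)
    print(help_desk_contact_suspect("alice@example.com", T0 + timedelta(minutes=20), found))
```

Raising the alert to the real help desk, not only to the SOC, matters here: the technical nuisance is the setup, and the compromise happens in the phone call or chat that follows, so the people most likely to be impersonated should know which users are currently under a flood.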
What is your forecast for the evolution of identity-based cyberattacks?
I believe we are at the very beginning of the identity-based attack era. The focus will continue to shift away from breaking systems and toward manipulating people and an organization’s web of trust. We’ll see PhaaS kits become even more sophisticated, integrating AI to craft hyper-realistic, personalized phishing lures in real time, making them nearly indistinguishable from legitimate communications. The next frontier will be the deep integration of these stolen identities into business email compromise schemes that don’t just ask for a wire transfer but manipulate entire supply chains by impersonating trusted partners. Defending against this will require a fundamental shift toward a Zero Trust architecture, where no user or device is trusted by default, and identity is continuously verified.
