Attack on Identity: Dissecting the 2025 Microsoft Digital Defense Report

Identity-based attacks dominate the cyber threat landscape (and headlines). Is this an entirely new trend, or is only this emphasis on identity-based attacks new?

Security researcher and Leaky Weekly host Nick Ascoli spoke with Mike Iaconianni, Identity Security Expert at Flare, about the 2025 Microsoft Digital Defense Report and the questions it raised for them.

In this Leaky Weekly recap we cover:

  • Is identity really that big of an issue?
  • Security that accounts for AI agents and non-human identities
  • Increase in password sprays and token theft
  • The role of initial access brokers in cybercrime
  • Gaming modifications (mods) as an unexpected vector of attack
  • Questioning Microsoft’s reporting on infostealer attacks

Tune in to this story on Spotify, Apple Podcasts, YouTube (below), and/or keep reading this article for the highlights.

Is Identity Security a New Topic of Discussion?

Over the last two years, there has been a growing emphasis on protecting identities. One likely reason is that sensitive, regulated data has shifted from on-premises systems to SaaS applications, and a SaaS application can be taken over with a single login or a single session cookie.

About a decade ago, threat actors needed skills in internal pivoting and hands-on hacking; now they can far more reliably obtain working credentials from stealer logs or by hammering a login portal.

To add to this shift in attack method, threat actors are now automating brute-force attempts with AI agents.

Our conclusion: Identity has become a bigger talking point in the last few years as data storage and login methods have changed, and threat actors’ methods with them.

AI Agents and Non-Human Identities: The Next Frontier

One of Microsoft’s most forward-looking findings focuses on non-human identities: accounts used by services, apps, and AI agents.

For every human, there may soon be ten AI agents acting on their behalf. If those agents have wide API permissions or access to sensitive data lakes, that’s a huge security blind spot.

But AI isn’t just part of the problem, it’s also part of the solution. Microsoft urges security teams to leverage AI for large-scale log analysis, identity governance, and anomaly detection to outpace automated attacks.

The Explosion of Password Sprays and Token Theft

Microsoft’s telemetry shows threat actors rotating IP addresses to evade detection. Increasingly, these campaigns are AI-assisted, with agents automatically feeding credential lists into identity portals. Nick points out: “If you feed an AI agent a list of credentials and ask it to log into 50 portals, it’ll do it. That’s not theoretical, that’s happening.”

At Flare, we are seeing more chatter from threat actors about token theft, and infostealer malware is targeting the ESTSAUTHPERSISTENT cookie, which lets a threat actor who steals it bypass MFA.

Security teams can also turn automation and AI against password spraying: to detect credential abuse and to enforce adaptive MFA policies across cloud and SaaS environments.
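As an added illustration of the detection side (example code, not from the podcast or from Flare's products), this Python script runs a simple spray heuristic over constructed sign-in lines: it flags a window in which failures hit many distinct accounts while each source IP contributes only a couple of attempts (the rotating-IP pattern described above), and lists any account that signed in successfully inside that window. The log format, field names and thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample sign-in lines (not real telemetry), one attempt per line.
SAMPLE_LOG = """\
2025-10-01T09:00:01Z user=alice src=203.0.113.10 result=FAIL
2025-10-01T09:00:04Z user=bob src=203.0.113.11 result=FAIL
2025-10-01T09:00:07Z user=carol src=203.0.113.12 result=FAIL
2025-10-01T09:00:10Z user=dave src=203.0.113.13 result=FAIL
2025-10-01T09:00:13Z user=erin src=203.0.113.14 result=FAIL
2025-10-01T09:00:16Z user=frank src=203.0.113.15 result=FAIL
2025-10-01T09:00:19Z user=grace src=203.0.113.16 result=SUCCESS
2025-10-01T09:30:00Z user=alice src=198.51.100.7 result=FAIL
"""

def parse(line):
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": f["user"], "src": f["src"], "ok": f["result"] == "SUCCESS"}

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_src=2):
    """Flag a window where failures hit many distinct accounts: a rotating-IP spray if
    each source sends only a few attempts, a single-source spray if one IP sends all.
    A success inside a flagged window is reported as a likely compromised account."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings, i = [], 0
    while i < len(events):
        start, j = events[i]["ts"], i
        while j < len(events) and events[j]["ts"] < start + window:
            j += 1
        bucket = events[i:j]
        fails = [e for e in bucket if not e["ok"]]
        users = {e["user"] for e in fails}
        per_src = Counter(e["src"] for e in fails)
        if len(users) >= min_users:
            rotating = max(per_src.values()) <= max_per_src
            if rotating or len(per_src) == 1:
                findings.append({
                    "kind": "rotating-ip-spray" if rotating else "single-source-spray",
                    "start": start.isoformat(),
                    "targeted_users": sorted(users),
                    "sources": sorted(per_src),
                    "succeeded": sorted({e["user"] for e in bucket if e["ok"]}),
                })
                i = j  # report each window once, then move past it
                continue
        i += 1
    return findings
```

One user failing repeatedly from one IP (the last sample line) is deliberately not matched: that is brute force against a single account, not a spray, and needs a different rule.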

Initial Access Brokers and their Specialized Skillset

Microsoft’s report dedicates a section to initial access brokers (IABs), threat actors who specialize in selling entry points into corporate environments.

The data shows that 80% of the initial access vectors used by access brokers begin with credential-based compromise. These credentials are often harvested by infostealer malware and sold on dark web marketplaces.

This can be correlated with ransomware infections: a company hit by ransomware may already have stealer logs circulating. The Verizon DBIR cited a reasonably confident indicator that ransomware operators leverage infostealers, noting that the median time between a ransomware victim's disclosure and the detection of related stolen credentials was two days.

ClickFix and Gaming Mods: The Unexpected Infection Vectors

Among the most surprising insights from Microsoft’s telemetry was the rise of the ClickFix social engineering attack: victims are instructed to type malicious commands into Windows’ Run prompt under the guise of troubleshooting.

Microsoft attributes nearly half (47%) of the initial access events linked to infostealer infections to ClickFix-style deception.

Even more surprising? Fake Roblox and Minecraft mods remain powerful infection vectors. As Mike notes: “They’re probably behind some of the biggest breaches of the last two years — and that’s not a joke.”

Lumma Stealer Dominates the Infostealer Market

The report identifies Lumma Stealer as the most prevalent infostealer in 2025, responsible for 51% of all observed infections, followed by Atomic Stealer (21%).

But one data point stood out to our researchers: Russia ranks second worldwide in “infected” devices. Since most infostealers are coded not to execute on Russian systems, Microsoft’s data likely reflects blocked or unexecuted payloads, not successful exfiltration.

Nick summarizes: “These logs probably aren’t circulating — they’re being detected before execution. But it’s fascinating telemetry nonetheless.”

Key Takeaways for Your Security Team

Mike’s closing advice is practical and urgent:

  • Enable MFA universally, especially for cloud and SaaS apps
  • Audit service accounts and non-human identities
  • Restrict OAuth app permissions and monitor token use
  • Train your people, as people are the first line of defense

Organizations that prioritize identity protection, whether human or machine, are going to be the best prepared to evolve with AI.

Leaky Weekly and Flare Academy

Leaky Weekly is brought to you by Flare, the Threat Exposure Management solution and industry-leading cybercrime dataset that integrates into your security program in 30 minutes. Check out what’s on the dark web (and more) about your organization with a free trial.

Check out Flare Academy:

  • Our free training series led by experts on critical topics such as threat intelligence, operational security, and advanced investigation techniques (earn CPE credits towards cybersecurity certifications)
  • Our Discord community is a space to learn from and with cybersecurity professionals and students, check out previous training resources, and keep up with upcoming training
