More than half of cyberattacks in 2024 bypassed traditional security defenses by using legitimate login credentials, rather than exploiting system vulnerabilities, a newly released 2025 Sophos Active Adversary Report revealed.
The report, which analysed over 400 cases of Managed Detection and Response (MDR) and Incident Response (IR), revealed that 56 percent of cyberattacks were executed by adversaries simply logging in rather than breaking in.
The findings underscore a growing trend in cybercrime, noting that attackers are moving away from brute-force tactics and system exploits, instead relying on stolen or compromised credentials to access corporate networks undetected.
According to Sophos, compromised credentials were the leading cause of cyber intrusions for the second consecutive year, accounting for 41 percent of all attacks.
This was followed by exploited vulnerabilities (21.79 percent) and brute force attacks (21.07 percent).
The invisibility of credential-based attacks makes them particularly dangerous. Once inside, attackers move quickly.
In cases involving ransomware, data exfiltration, and extortion, the report found that the median time from initial access to data exfiltration was just 3.04 days (72.98 hours).
After data was stolen, organisations had a median of only 2.7 hours before the attack was detected.
“When attackers use stolen credentials, they can blend in with legitimate network traffic, making detection much harder. Organizations need to shift from passive security to active, continuous monitoring. Attackers are evolving, and so must our defense strategies,” the field CISO at Sophos, John Shier explained.
The report also highlighted alarming trends in attacker behaviour. For instance, attackers took a median of just 11 hours from initial access to their first attempt at breaching Active Directory (AD), a critical network asset.
“Ransomware remains a top threat, as Akira was the most frequently encountered ransomware group in 2024, followed by Fog and LockBit.
“Other findings revealed that the median time from an attack’s start to its detection fell from four days to just two in 2024. Remote Desktop Protocol (RDP) is a major weakness, as it was used in 84 percent of cases, making it the most exploited Microsoft tool.
“Attackers also work overnight, as 83 percent of ransomware deployments happened outside normal business hours, allowing cybercriminals to maximize damage before detection,” the report disclosed.
With attackers increasingly using legitimate credentials to bypass security, businesses must prioritise identity protection alongside traditional cybersecurity defenses, even as Sophos recommends that organizations should close exposed RDP ports to limit attack surfaces; implement phishing-resistant MFA to reduce the risk of credential theft and regularly update and patch vulnerable systems, especially internet-facing devices.
“Organisations should also deploy Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) with 24/7 proactive monitoring and establish and test a comprehensive incident response plan to react quickly to potential intrusions,” Sophos recommended.
As traditional security measures focus on preventing break-ins, attackers are adapting by simply walking through the front door with stolen credentials.
The 2025 Sophos report serves as a warning that strong passwords alone are no longer enough.
Businesses must embrace continuous monitoring, proactive defense strategies, and multi-layered security to keep pace with evolving cyber threats.
