Skip to content
Breachfolio
THREAT RESEARCH NEWS

Identity Attacks Overtake Exploits as Top Ransomware Cause

3 min read Breachfolio · Editorial desk

Email attacks have overtaken software exploits as the leading root cause of ransomware incidents, according to newly published research. The most uncomfortable number in the report: multifactor authentication was deployed in 97% of credential-based attacks — and the victims were compromised anyway.

Why it matters

For years the reflex answer to account takeover has been "turn on MFA". This data says attackers have adapted: the fight has moved from whether you have a second factor to which kind and how it can be bypassed. A push notification a tired employee approves at 2 a.m., or a phishing page that silently proxies the whole login — session token included — defeats conventional MFA without ever cracking it.

It also reframes patching priorities. Exploited vulnerabilities still matter, but if the front door for most ransomware is now a mailbox and a stolen login, an identity-hardening hour probably buys more risk reduction than another scanner cycle.

What actually moves the needle

  • Phishing-resistant MFA (FIDO2 security keys, passkeys) for admins and finance first — these bind authentication to the real site and can’t be relayed by a proxy page.
  • Conditional access: block legacy protocols, require managed devices for sensitive apps, and alert on impossible-travel sign-ins.
  • Treat identity telemetry as detection gold — new MFA device enrolments, mailbox rule creation and consent grants are early ransomware indicators, not IT noise.

If you're building out detection around this, our explainer on how a SOC turns signals into response covers where these alerts should land.

Identity is the new perimeter

Step back from the individual numbers and the report describes a structural shift the industry has been circling for years: the network edge is no longer where attacks are won or lost — the login is. As workloads moved to SaaS and remote access became the norm, the firewall stopped being the thing standing between an attacker and your data. A valid session token now does what a network foothold used to, and it arrives through a mailbox rather than an exploit.

That reframes what "defense in depth" should mean in 2026. The layers worth investing in are increasingly identity-centric: strong, phishing-resistant authentication, tight control over who can grant application consent, and monitoring that treats identity events as security telemetry rather than help-desk noise. Organizations still spending disproportionately on perimeter tooling while treating identity as an IT convenience are defending the wrong door — and the attackers, this data suggests, already know which door that is.

Source

This is our own summary and analysis. The original reporting is at darkreading.com →

Frequently asked questions

Does this mean MFA is useless?
No — it means conventional push or code-based MFA is no longer sufficient against phishing kits that proxy logins or bombard users with prompts. Phishing-resistant factors like FIDO2 keys and passkeys bind the login to the legitimate site and still hold up.
Why did email overtake exploits as the top cause?
Exploiting software requires a vulnerable, reachable system; phishing only requires a person. As patch cycles improved and exploit prices rose, stolen credentials became the cheaper, more reliable way in — and they blend into normal traffic once used.
What are early warning signs of a credential-based intrusion?
Sign-ins from unusual locations or impossible travel, sudden MFA device enrolments, new mailbox forwarding rules, and OAuth consent grants nobody remembers. Those events deserve alerting on par with malware detections.