Identity Attacks Overtake Exploits as Top Ransomware Cause
Email attacks have overtaken software exploits as the leading root cause of ransomware incidents, according to newly published research. The most uncomfortable number in the report: multifactor authentication was deployed in 97% of credential-based attacks — and the victims were compromised anyway.
Why it matters
For years the reflex answer to account takeover has been "turn on MFA". This data says attackers have adapted: the fight has moved from whether you have a second factor to which kind and how it can be bypassed. A push notification a tired employee approves at 2 a.m., or a phishing page that silently proxies the whole login — session token included — defeats conventional MFA without ever cracking it.
It also reframes patching priorities. Exploited vulnerabilities still matter, but if the front door for most ransomware is now a mailbox and a stolen login, an identity-hardening hour probably buys more risk reduction than another scanner cycle.
What actually moves the needle
- Phishing-resistant MFA (FIDO2 security keys, passkeys) for admins and finance first — these bind authentication to the real site and can’t be relayed by a proxy page.
- Conditional access: block legacy protocols, require managed devices for sensitive apps, and alert on impossible-travel sign-ins.
- Treat identity telemetry as detection gold — new MFA device enrolments, mailbox rule creation and consent grants are early ransomware indicators, not IT noise.
If you're building out detection around this, our explainer on how a SOC turns signals into response covers where these alerts should land.
Identity is the new perimeter
Step back from the individual numbers and the report describes a structural shift the industry has been circling for years: the network edge is no longer where attacks are won or lost — the login is. As workloads moved to SaaS and remote access became the norm, the firewall stopped being the thing standing between an attacker and your data. A valid session token now does what a network foothold used to, and it arrives through a mailbox rather than an exploit.
That reframes what "defense in depth" should mean in 2026. The layers worth investing in are increasingly identity-centric: strong, phishing-resistant authentication, tight control over who can grant application consent, and monitoring that treats identity events as security telemetry rather than help-desk noise. Organizations still spending disproportionately on perimeter tooling while treating identity as an IT convenience are defending the wrong door — and the attackers, this data suggests, already know which door that is.
This is our own summary and analysis. The original reporting is at darkreading.com →