Introduction
The Mandiant M-Trends 2025 Report highlights a significant shift in cybercriminal tactics, with a decline in phishing as a method of initial access and a rise in credential theft and vulnerability exploitation. This trend underscores the evolving strategies of threat actors and the increasing importance of robust cybersecurity measures.
Description
Phishing has been on a steady decline as a method of initial access, decreasing from 22% in 2022 to 17% in 2023 [1] [4], and further to 14% in 2024, according to Mandiant’s M-Trends 2025 Report [4]. This decline positions phishing behind credential theft and vulnerability exploitation [1], with the latter emerging as the most common method of infiltration in 2024 [1], accounting for 33% of cases [4], despite a decrease from 38% in 2023.
Stolen credentials have risen to become the second most prevalent technique for initial access, increasing from 10% in 2023 to 16% in 2024. This notable trend in credential theft is particularly concerning, as it often involves noncorporate systems like personal computers, which typically lack robust security measures.
The report attributes the decline in phishing and the rise in stolen credentials to the enhanced capabilities of threat actors in acquiring user login information through various means [4], including purchasing leaked or stolen credentials on underground forums [4], mining large data dumps [3] [4], and deploying malware such as keyloggers and infostealers. Infostealers, which collect a range of private user information, including credentials and browser cookies [3], have seen a resurgence [2] [3] [4] [5], underscoring a growing focus on harvesting and abusing user credentials [2].
This trend highlights a continued shift in tactics among cybercriminals, with an increased emphasis on credential theft and the exploitation of vulnerabilities. The exposure is particularly high when users disable antivirus software to install unlicensed software [2]. The report analyzed data from over 450,000 hours of incident response engagements conducted worldwide during 2024 [2], revealing that threat actors motivated by financial gain represented 55% of all cyber actors [2], up from 52% in 2023 and 48% in 2022 [2].
Conclusion
The decline in phishing and the rise in credential theft and vulnerability exploitation necessitate a reevaluation of cybersecurity strategies. Organizations must prioritize the protection of user credentials and the implementation of robust security measures to mitigate these evolving threats. As cybercriminals continue to adapt, staying informed and proactive in defense strategies will be crucial in safeguarding against future attacks.
References
[1] https://ciso2ciso.com/vulnerability-exploitation-and-credential-theft-now-top-initial-access-vectors-source-www-infosecurity-magazine-com/
[2] https://www.cybersecuritydive.com/news/financial-majority-cyber-threat-activity/746128/
[3] https://londontribune.co.uk/who-needs-phishing-when-your-logins-already-in-the-wild/
[4] https://www.infosecurity-magazine.com/news/vulnerability-credential-initial/
[5] https://undercodenews.com/mandiants-m-trends-2025-key-shifts-in-cyberattack-methods-and-their-impact-on-security-in-2024/