Vulnerability Exploitation and Credential Theft Now Top Initial Access


Phishing has declined as a method of initial access in 2024 and is now behind credential theft and vulnerability exploitation, according to Mandiant’s M-Trends 2025 Report.

This continues a trend observed over several years, with email phishing falling from 22% to 14% of initial access cases between 2022 and 2024.

Vulnerability exploitation was the most common method of infiltrating targets in 2024, making up 33% of cases. However, this marks a significant decline from 38% in 2023.

The use of stolen credentials for initial access jumped from 10% to 16% from 2023 to 2024, making it the second most common technique.

Mandiant noted that the fall in phishing and the rise in stolen credentials are largely due to the growing ability of threat actors to obtain credentials in a variety of ways. This includes:

  • Purchasing leaked or stolen credentials on underground forums
  • Mining large data leaks for credentials
  • Infecting users with keyloggers and infostealers

Another notable initial access trend was insider threats, making up 5% of vectors. The researchers highlighted a surge in fake North Korean IT worker campaigns as a major contributor to this trend.

Infostealers Leading to Surge in Stolen Credentials

The report highlighted a renewed focus by threat actors on infostealers – malware designed to collect and steal sensitive user data such as credentials, browser data and cookies, email data and cryptocurrency wallets.

Infostealers create unique challenges for organizations as they can collect wide swaths of user data and credentials from a single host. This is unlike techniques such as phishing and credential stuffing, which target credentials for a specific system.

Additionally, when employees or contractors use personal devices for work purposes, infostealers can fall outside the scope of enterprise security and detection measures.

A major example of the use of infostealers was the compromise of multiple customers of Snowflake, a cloud data warehousing platform, in a campaign starting in April 2024.

The credentials used in that campaign were primarily obtained from infostealer malware infections on the work or personal computers of employees and contractors who accessed Snowflake customer instances.

Prominent infostealer variants used last year included Vidar, RisePro, RedLine, Raccoon Stealer, Lumma and MetaStealer.

Phishing the Biggest Driver of Cloud Compromises

Despite the overall reduction in email phishing for initial access, this technique was the most common initial infection vector for cloud environments, at 39%.

This was followed by stolen credentials (35%), SIM swapping (6%) and voice phishing or vishing (6%).

In terms of objectives, data theft occurred in around two-thirds (66%) of cases.

The researchers noted that the prevalence of phishing, especially in cloud attacks, underscored the importance of adversary-in-the-middle (AiTM)-resistant multifactor authentication (MFA), such as hardware security keys or mobile authenticator apps.

Steady Rise in Financially Motivated Attacks

Of the active threat groups tracked by Mandiant in 2024, 55% were financially motivated. This marks a steady increase from 52% in 2023 and 48% in 2022.

The proportion of threat actors motivated by espionage fell slightly from 10% in 2023 to 8% in 2024.

The industry most frequently targeted by threat actors last year was financial, at 17.4%. This was followed by business and professional services (11.1%), high tech (10.6%), government (9.5%) and healthcare (9.3%).

Mandiant noted that these figures are consistent with prior years.
