Darktrace Flags 32 Million Phishing Emails in 2025 as Identity Attacks Intensify

Darktrace detected more than 32 million high-confidence phishing emails in 2025, indicating a substantial escalation in identity-driven cyber threats.

The data was collected by Darktrace from incidents across its global customer base and points to a year defined by automation, convergence and accelerating attacker speed.

Over 8.2 million phishing emails targeted VIPs, accounting for more than 25% of all observed phishing attempts.

Meanwhile, 1.6 million phishing emails originated from newly created domains and 1.2 million incorporated malicious QR codes.

Notably, 70% of phishing emails successfully passed DMARC authentication, 41% were classified as spear-phishing and 38% contained novel social engineering techniques. One-third exceeded 1000 characters.

Identity Compromise Dominant Entry Vector 

The Darktrace report also showed how identity compromise has overtaken vulnerability exploitation as the dominant entry vector. The number of Common Vulnerabilities and Exposures (CVEs) increased by approximately 20% year-on-year (YoY), with exploitation often occurring before public disclosure.

"Identity has become the attacker's skeleton key. Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy," commented Shane Barney, CISO at Keeper Security.

"When identity controls are fragmented or overly permissive, attackers don't need novel exploits. They just need access that looks routine."

Across the Americas, SaaS and Microsoft 365 account takeovers accounted for nearly 70% of incidents. Manufacturing represented 17% of recorded cases and 29% of ransomware incidents in the region. About 47% of all global security events tracked by Darktrace in 2025 originated in the Americas alone.

Top 5 Ransomware by Month (2025). Credit: Darktrace.

Regional and Sector Trends Reveal Expanding Attack Surface

The Darktrace report also highlighted how regional patterns reflect differing levels of digital maturity and geopolitical pressure.

In Latin America, 44% of cases involved malware spreading after credential theft or phishing. Education was the most impacted sector at 18%, with Brazil, Mexico and Colombia reporting the highest volumes over the past three years.

Europe recorded 58% of incidents linked to cloud and email compromise, compared with 42% involving network-based attacks.

Meanwhile, Africa experienced a 60% YoY rise in ransomware and saw 76% of compromises classified as network-based.

In Asia-Pacific and Japan, 84% of organizations said AI-powered threats are already impacting them, yet only 42% reported having formal policies governing safe AI use.

"Identity is no longer about perimeter-based defense. The rise in AI-based agents and the massively accelerating threat landscape has rendered that approach inadequate, and prompted a shift towards identity as the critical element to enterprise security," SailPoint CEO, Mark McClain, said.

"This report's findings demonstrate that there is now a need for real-time, intelligent, and dynamic identity security, built to govern and secure not just 'who,' or in the case of AI agents, 'what,' has access to the enterprise, but what data they can access and what they are able to do once inside." 

Additional findings, regional breakdowns and sector-specific analysis from the report are available on Darktrace's website.
