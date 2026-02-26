More than 32 million high-confidence phishing emails were detected by Darktrace in 2025, showcasing a substantial escalation in identity-driven cyber threats.

The data was collected by Darktrace from incidents across its global customer base and points to a year defined by automation, convergence and accelerating attacker speed.

Over 8.2 million phishing emails targeted VIPs, accounting for more than 25% of all observed phishing attempts.

Meanwhile, 1.6 million phishing emails originated from newly created domains and 1.2 million incorporated malicious QR codes.

Notably, 70% of phishing emails successfully passed DMARC authentication, 41% were classified as spear-phishing and 38% contained novel social engineering techniques. One-third exceeded 1000 characters.

Identity Compromise Dominant Entry Vector

The Darktrace report also showed how identity compromise has overtaken vulnerability exploitation as the dominant entry vector. Common Vulnerabilities and Exposures (CVE) increased by approximately 20% year-on-year (YoY), with exploitation often occurring before public disclosure.

"Identity has become the attacker's skeleton key. Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy," commented Shane Barney, CISO at Keeper Security.

"When identity controls are fragmented or overly permissive, attackers don't need novel exploits. They just need access that looks routine."

Across the Americas, SaaS and Microsoft 365 account takeovers accounted for nearly 70% of incidents. Manufacturing represented 17% of recorded cases and 29% of ransomware incidents in the region. About 47% of all global security events tracked by Darktrace in 2025 originated in the Americas alone.