Tuesday, June 30, 2026

Stolen credentials overtake malware as preferred attack method, says Kaspersky

Cybercriminals are increasingly relying on stolen credentials and legitimate user accounts rather than malware to breach organizations, according to a new report from cybersecurity firm Kaspersky.

In its “2025 Anatomy of a Cyber World” report, Kaspersky said password guessing and valid account misuse were among the most effective attack techniques observed by its security teams, reflecting a shift toward identity-based attacks that are harder to detect.

The report draws on data collected through Kaspersky’s Managed Detection and Response (MDR), Incident Response (IR), Compromise Assessment, and Security Operations Center (SOC) Consulting services during 2025.

Among the attack techniques analyzed, password guessing recorded the highest conversion rate into confirmed malicious incidents at 34.8%.

Kaspersky said attackers continue to exploit weak or reused passwords by systematically trying different password combinations until they gain access.

Local account creation ranked second at 34.7%, with attackers commonly creating new user accounts after compromising a system to maintain access even if the original entry point is discovered and removed.

The report also found that abuse of valid accounts had a 34.5% conversion rate. Rather than deploying malware that may trigger endpoint security tools, attackers increasingly use stolen credentials to log in as legitimate users, making their activities more difficult to identify.

Other commonly observed techniques included account manipulation (32%), where attackers alter existing accounts by enabling disabled users, changing group memberships, or escalating privileges, and network service discovery (31.2%), in which attackers scan networks to identify accessible systems before moving laterally.

Kaspersky said the rankings are based on how often observed attacker behavior ultimately led to confirmed malicious incidents.

While the MITRE ATT&CK framework documents hundreds of adversary techniques, the company said security teams should prioritize detecting behaviors most likely to indicate real attacks while minimizing false positives.

“Threat actors do not always need sophisticated malware to achieve their objectives. In many cases, legitimate administrative tools and compromised accounts remain the fastest and most effective way to move inside an organization while avoiding detection,” said Sergey Soldatov, head of security operations center at Kaspersky.

“The continued popularity of these techniques shows that organizations need deep visibility into attacker behavior and the ability to correlate suspicious activity across different stages of an attack. To address these challenges, companies can enhance their security with our solutions: Kaspersky Managed Detection and Response and Incident Response, which cover the entire incident management cycle – from threat detection to continuous protection and remediation,” he added.
