Kaspersky has indicated in a report that cybercriminals continue to favor low-tech, high-impact methods centered on stealing and misusing credentials. A global analysis from Kaspersky Security Services underscores this reality: in 2025, techniques involving password guessing and the abuse of valid accounts proved among the most successful tactics for breaching organizations.
The research report, titled “Anatomy of a Cyber World,” draws on extensive data from Kaspersky’s Managed Detection and Response (MDR), Incident Response (IR), Compromise Assessment, and SOC Consulting engagements throughout 2025.
It examines real-world adversary behaviors, tools, and the conversion rates of various Indicators of Attack (IoAs) — essentially measuring how often suspicious activities turned into confirmed malicious incidents.
Topping the list is password guessing, with a conversion rate of 34.8%. Attackers methodically test common or weak passwords across accounts, capitalizing on poor password hygiene and reuse habits that persist in many organizations.
Close behind is local account creation at 34.7%. Once inside a network, intruders often establish new local accounts to secure persistent access, even if their initial entry point is detected and neutralized.
These backdoors can remain undetected without proper telemetry and monitoring.
Valid account abuse follows at 34.5%. Rather than deploying noisy malware that might trigger endpoint protections, adversaries log in with stolen or compromised credentials and operate quietly, mimicking legitimate user behavior.
This blending-in approach complicates detection efforts. Similarly, account manipulation (32%) involves modifying existing accounts (re-enabling disabled ones, changing group memberships, or elevating privileges) to strengthen the attacker’s foothold using the target’s own systems.
Network service discovery (31.2%) rounds out the prominent techniques. Before expanding their reach, attackers scan for accessible services and systems, setting the stage for lateral movement and deeper exploitation.
Early detection of such reconnaissance offers security teams a vital opportunity to disrupt the attack chain.
These research findings highlight a clear strategic pivot by threat actors. Instead of relying on malware that risks setting off alarms, they increasingly leverage legitimate tools and compromised identities to navigate environments stealthily.
This approach aligns with broader trends toward “living off the land” tactics, where native system features and administrative utilities become weapons.
Sergey Soldatov, Head of Security Operations Center at Kaspersky, said:
“Threat actors do not always need sophisticated malware to achieve their objectives. In many cases, legitimate administrative tools and compromised accounts remain the fastest and most effective way to move inside an organization while avoiding detection.”
He stressed the need for deep visibility, behavioral correlation across attack stages, and comprehensive incident management capabilities.
The research report serves as a reminder that while organizations invest heavily in advanced protections, human factors and identity management weaknesses remain critical vulnerabilities.
Kaspersky further explained that effective defense requires prioritizing high-probability malicious behaviors per frameworks like MITRE ATT&CK, reducing alert fatigue from false positives, and maintaining strong visibility into user and account activities. Kaspersky has concluded that industry professionals now recommend strengthening password policies, implementing multi-factor authentication rigorously, monitoring for anomalous account behavior, and leveraging managed detection services for more proactive threat hunting.
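As an added illustration of the behavioral correlation across attack stages described above (this code is not from Kaspersky's report), the sketch below chains three of the listed techniques: password guessing from one source, a valid-account logon from that same source, and subsequent local account creation or group changes by the account that logged in. It assumes Windows Security log telemetry (event IDs 4625, 4624, 4720, 4732); the sample records, field layout, threshold and time window are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs: 4625 failed logon, 4624 successful logon,
# 4720 user account created, 4732 member added to a local group.
# Constructed sample records: (time, event_id, source_ip, subject_user, target_user)
EVENTS = [
    ("2025-03-01T02:00:01", 4625, "10.0.0.5", None, "alice"),
    ("2025-03-01T02:00:03", 4625, "10.0.0.5", None, "bob"),
    ("2025-03-01T02:00:05", 4625, "10.0.0.5", None, "carol"),
    ("2025-03-01T02:00:09", 4624, "10.0.0.5", None, "svc_backup"),
    ("2025-03-01T02:04:30", 4720, None, "svc_backup", "helpdesk2"),
    ("2025-03-01T02:04:41", 4732, None, "svc_backup", "helpdesk2"),
    ("2025-03-01T09:15:00", 4625, "10.0.0.9", None, "dave"),     # one mistyped password
    ("2025-03-01T09:15:20", 4624, "10.0.0.9", None, "dave"),
    ("2025-03-01T10:00:00", 4720, None, "it_admin", "newhire"),  # routine provisioning
]


def correlate(events, min_accounts=3, window=timedelta(minutes=10)):
    """Chain guessing -> valid-account logon -> account creation/manipulation.

    min_accounts and window are assumed tuning values, not figures from the report.
    """
    rows = sorted(((datetime.fromisoformat(t), eid, src, subj, tgt)
                   for t, eid, src, subj, tgt in events), key=lambda r: r[0])
    failures = defaultdict(list)  # source_ip -> [(time, targeted account)]
    suspects = {}                 # account that logged in after guessing -> finding
    findings = []
    for ts, eid, src, subj, tgt in rows:
        if eid == 4625:
            failures[src].append((ts, tgt))
        elif eid == 4624:
            # Distinct accounts this source failed against inside the window.
            recent = {acct for t, acct in failures[src] if ts - t <= window}
            if len(recent) >= min_accounts:
                finding = {"source": src, "account": tgt,
                           "guessed": sorted(recent), "follow_up": []}
                suspects[tgt] = finding
                findings.append(finding)
        elif eid in (4720, 4732) and subj in suspects:
            # Account changes made by an account already tied to guessing.
            suspects[subj]["follow_up"].append((eid, tgt))
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Taken alone, the single failed logon and the routine provisioning event produce no finding; only the chained sequence does, which is the point of correlating stages rather than alerting on each event.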