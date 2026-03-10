More than 80% of incident-related alerts tied to cloud identity abuse, new threat outlook shows

OTTAWA, ON, March 10, 2026 /PRNewswire/ - Field Effect has released its 2026 Cyber Threat Outlook, revealing that more than 80% of the incident-related alerts the company investigated in 2025 stemmed from cloud identity compromise. The finding highlights a major shift in how attackers gain access to corporate environments.

Based on Field Effect's managed detection and response telemetry and frontline incident investigations, the report shows that threat actors are increasingly bypassing traditional exploits by abusing trusted identities, collaboration platforms and enterprise workflows.

"In many of the incidents we investigated in 2025, attackers didn't exploit a vulnerability. They logged in using valid credentials," said Earl Fischl, Director of Security Services at Field Effect. "Identity has effectively become the dominant attack surface. Once attackers gain access to trusted accounts, they can blend into normal activity and move through an organization much more easily."

Key findings from the 2026 Cyber Threat Outlook

Identity compromise dominates: More than 80% of incident-related alerts observed by Field Effect involved compromised cloud identities, often tied to phishing-driven account takeover.

Trusted platforms abused: Attackers increasingly abused legitimate collaboration and remote-support tools such as Microsoft Teams, Zoom and Quick Assist to deliver malware and gain privileged access.

AI accelerating attacks: Generative AI enabled faster phishing development, automated reconnaissance and quicker exploit validation.

Edge infrastructure targeted: VPNs, routers and other internet-facing systems remained critical entry points for ransomware and credential-driven attacks.

Geopolitical tensions shaping threats: State-aligned actors, ransomware groups and hacktivists increasingly overlapped in tactics and infrastructure.

Collaboration platforms used as entry points

Field Effect investigators observed multiple campaigns exploiting trusted enterprise tools to gain initial access.

In one campaign tracked since September 2025, threat actors impersonated internal IT help desks from newly created Microsoft 365 tenants and used Microsoft Teams vishing calls to convince employees to grant Quick Assist remote access. Once access was granted, attackers executed PowerShell-based tooling to enumerate privileges and deploy additional malware.

These identity-driven intrusions frequently led to credential harvesting, lateral movement and ransomware deployment.
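The chain described above (a Quick Assist session granted to a fake help desk, followed minutes later by hands-on-keyboard PowerShell) leaves a correlatable trace in endpoint process-creation telemetry. The following is an added example, not code from the Field Effect report or the page: a toy correlation rule in Python that flags a host where a remote-support tool launch is followed within a short window by PowerShell whose command line carries typical reconnaissance or evasion fragments. The image name `quickassist.exe`, the 30-minute window, the fragment list and the sample events are all assumptions constructed for the example; Quick Assist relays the helper's keystrokes into the victim's session, so the PowerShell process is usually a child of `explorer.exe` rather than of Quick Assist itself, which is why the rule correlates on host and time rather than on parent process.

```python
"""Toy correlation: remote-support session followed by suspicious PowerShell.

Added example; not Field Effect code. Event fields mirror what Sysmon Event ID 1
or Windows Security 4688 provide, but the events below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str      # process image file name, lower-case
    parent: str     # parent image file name, lower-case
    cmdline: str


# Remote-support tool named on the page; image name assumed for the example.
REMOTE_SUPPORT = {"quickassist.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Command-line fragments typical of privilege enumeration and evasion.
SUSPICIOUS_FRAGMENTS = (
    "-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
    "bypass", "downloadstring", "iex", "invoke-expression", "whoami",
)


def suspicious_powershell(cmdline: str) -> bool:
    """True when the command line carries a fragment from the watch list."""
    cl = cmdline.lower()
    return any(frag in cl for frag in SUSPICIOUS_FRAGMENTS)


def detect(events: Iterable[ProcEvent]) -> list[dict]:
    """Return one finding per PowerShell launch that follows a remote-support
    launch on the same host inside WINDOW and looks like operator tooling."""
    last_support: dict[str, ProcEvent] = {}
    findings: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image in REMOTE_SUPPORT:
            last_support[ev.host] = ev      # remember the latest session start
            continue
        if ev.image not in SCRIPT_HOSTS or ev.host not in last_support:
            continue
        start = last_support[ev.host]
        delta = ev.ts - start.ts
        if delta <= WINDOW and suspicious_powershell(ev.cmdline):
            findings.append({
                "host": ev.host,
                "user": ev.user,
                "support_tool": start.image,
                "minutes_after_support": delta.total_seconds() / 60,
                "cmdline": ev.cmdline,
            })
    return findings


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2025-09-15T{hhmm}:00")


# Constructed sample telemetry: only WS01 matches the vishing chain.
SAMPLE_EVENTS = [
    ProcEvent(_t("08:00"), "WS04", "dave", "quickassist.exe", "explorer.exe", "QuickAssist.exe"),
    ProcEvent(_t("09:00"), "WS03", "carol", "quickassist.exe", "explorer.exe", "QuickAssist.exe"),
    ProcEvent(_t("09:05"), "WS03", "carol", "powershell.exe", "explorer.exe", "powershell.exe Get-Date"),
    ProcEvent(_t("09:30"), "WS04", "dave", "powershell.exe", "explorer.exe", "powershell.exe whoami /priv"),
    ProcEvent(_t("10:00"), "WS01", "alice", "quickassist.exe", "explorer.exe", "QuickAssist.exe"),
    ProcEvent(_t("10:04"), "WS01", "alice", "powershell.exe", "explorer.exe",
              "powershell.exe -nop -w hidden whoami /priv; Get-LocalGroupMember Administrators"),
    ProcEvent(_t("10:10"), "WS02", "svc_inv", "powershell.exe", "svchost.exe",
              "powershell.exe -File C:\\Scripts\\inventory.ps1"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

WS03 (benign `Get-Date` after a session) and WS04 (reconnaissance 90 minutes after the session) fall outside the rule on purpose; the former would be a low-severity audit entry at most, the latter belongs to a generic PowerShell rule. Tune the window and fragment list to your estate, and treat any remote-support launch as a candidate for an analyst callback to the user, since the page's point is that the access itself was legitimately granted.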

AI accelerating adversary operations

The report also highlights the growing operational role of generative AI in cybercrime. Threat actors used AI to produce convincing phishing content, automate reconnaissance and test exploit code more efficiently.

"AI did not necessarily introduce entirely new attack techniques," Fischl said. "What it did was dramatically accelerate the ones attackers were already using, making them faster and easier to scale."

Edge devices remain high value targets

Beyond identity compromise, Field Effect investigators observed persistent attacks targeting edge infrastructure such as VPN appliances, firewalls, and routers.

One sustained campaign involved exploitation of SonicWall SSL VPN appliances, where attackers reused previously exposed credentials to authenticate directly into high-privilege systems. In several cases, these credentials were later leveraged by Akira ransomware operators.

The campaign demonstrated how attackers can combine credential reuse, delayed patching and exposed edge systems to bypass traditional defenses.

Converging cyber threats

The report also found that geopolitical tensions continued to shape cyber activity throughout 2025. State-aligned actors intensified espionage and access operations, while ransomware groups and hacktivists increasingly targeted critical infrastructure and public-sector organizations.

These overlapping motivations are contributing to a threat landscape where financial, political and strategic objectives increasingly intersect.

"Organizations cannot control an attacker's intent or capabilities," Fischl said. "But they can reduce the opportunities attackers rely on by strengthening identity security, improving visibility across their environments and addressing exposed infrastructure."

The Field Effect 2026 Cyber Threat Outlook draws on investigations and telemetry collected by Field Effect's global security teams throughout 2025.

The full report is available here.

About Field Effect

Field Effect is a global cybersecurity company delivering managed detection and response (MDR) to help organizations detect, prevent and respond to cyber threats. Through a combination of advanced technology, AI-driven analytics, expert-led threat intelligence, and human-centered security delivery, Field Effect enables customers and partners to reduce risk and strengthen cyber resilience.

SOURCE Field Effect