Inside the CrowdStrike 2025 Global Threat Report: Identity Woes Exposed (and How to Fix Them)
Identity attacks are exploding, and organizations are scrambling to keep up. In the CrowdStrike 2025 Global Threat Report, adversaries were described as more “enterprise-like” than ever. They're fast, organized, and laser-focused on breaching your environment through the weakest link: identity. According to the report, “the fastest breakout time we observed dropped to a mere 51 seconds,” illustrating how quickly attackers move once they seize someone’s credentials.
As an access platform dedicated to eliminating identity-based attacks, we aren’t surprised. Modern adversaries bypass superficial MFA with vishing (voice phishing) schemes, AI-generated phishing, and help desk impersonations. Below, we break down the key findings from CrowdStrike’s report and outline practical steps for securing identity in a zero-trust world.
Key findings from the CrowdStrike 2025 Global Threat Report
1. MFA under fire
According to CrowdStrike, hands-on-keyboard, human-driven intrusions, which hinge on identity compromise, soared in 2024. CrowdStrike reports that "attacks related to initial access boomed, accounting for 52% of vulnerabilities observed by CrowdStrike in 2024".
Moreover, the report calls out that “79% of detections in 2024 were malware-free,” suggesting that attackers are prioritizing the paths of least resistance that bypass traditional endpoint defenses entirely.
- Social Engineering on the Rise: With vishing attacks up “442% between the first and second half of 2024”, adversaries are increasingly adept at manipulating users into giving up credentials or approving fraudulent MFA requests.
- Help desk fraud: Attackers exploit poorly configured MFA (e.g., SMS or push notifications) by tricking users or IT staff into approving unauthorized access. Hackers call IT support, impersonate legitimate employees, and demand password or MFA resets. When successful, this tactic yields quick network access.
- Malware-Free Intrusions: “79% of detections in 2024 were malware-free, up from 40% in 2019,” demonstrating that threat actors prefer stolen credentials and direct OS-native commands, bypassing antivirus tools.
2. AI as a threat “force multiplier”
Whether it’s scripting advanced phishing campaigns or churning out deepfake voice calls, generative AI helps threat actors accelerate every component of their attacks, from reconnaissance to persuasion. There are no signs that this will slow down in the coming years -- in fact, given its demonstrated acceleration, organizations must build generative AI defense into their security plans.
- Adversary Use of LLMs: CrowdStrike cites that “highly effective adversaries… have become early and avid adopters [of generative AI]” specifically to generate convincing phishing messages, create deepfake calls, and scale up credential stuffing attempts.
- Tailored Attacks: AI-driven social engineering yields highly believable lure emails and fraudulent phone calls, making phishing defense increasingly difficult, if not impossible. If users will click no matter how much training they get, then it's not a matter of if but when a company will be breached by phishing.
3. Device security and the expanding attack surface
Attackers show a preference for devices in the network periphery to gain footholds in enterprise environments. This perimeter extends to the laptops, phones, and tablets that your employees, contractors, and partners rely on, especially in the wake of distributed work and bring-your-own-device (BYOD) policies.
- Device-Centric Exploits: CrowdStrike reports that adversaries “target devices in the network periphery” including BYOD, or unmanaged, endpoints that may not meet corporate security standards.
- Cloud & SaaS Lateral Movement: Valid account abuse is common in the cloud, where once an attacker owns the device or account, they can pivot into SaaS tools and enterprise resources.
4. Other notable takeaways
- Breakout Time: At 48 minutes on average, and as fast as 51 seconds, adversaries move laterally at incredible speeds. Once they breach a single account or endpoint, they waste no time.
- Access Broker Market: Access brokers are thriving; some are specifically selling credentials to big game hunting (BGH) ransomware operators.
Key mitigation strategies to defend against modern threats
1. Adopt identity threat protection as a company priority
Go beyond detection and response to eliminate the risk of identity threats before they cause havoc in your environment. Key characteristics of an access solution that delivers identity threat prevention are:
- Phishing-resistant MFA with device-bound credentials that supports every operating system and never falls back to weak factors.
- Adaptive access policies based on user and device risk, assessed in real time prior to access and continuously during active sessions.
- Integrated risk telemetry that delivers risk signals from security tools like MDMs, EDRs, ZTNA, and more to help organizations make fully informed access decisions.
- Continuous authentication that ensures that, even if a user or their device drifts out of compliance during an active session, there is a mechanism to instantly revoke access or prompt for added security via step-up authentication.
2. Mandate BYOD security
It's not just the user that logs in, it's also their device. The consequences of an insecure device include malware, data loss, data theft, and credential theft. However, most organizations do not have visibility or control over unmanaged devices for employees, contractors, and partners. Here's a pragmatic strategy to enforce BYOD security across your entire workforce:
- Real-time risk posture evaluation to ensure that devices are properly configured prior to granting access. Key risk signals to evaluate include jailbroken or rooted status, number of registered devices, local biometric availability, and disk encryption.
- Precise access controls based on device risk posture across unmanaged devices to defend against data loss on personal devices.
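To make the adaptive-policy and BYOD-posture points above concrete, here is an added example (not code from the post or from any vendor's product) of a small policy engine: it evaluates the device risk signals the post names (jailbroken/rooted status, registered device count, local biometric availability, disk encryption) plus an assumed EDR verdict, returns allow, step-up or deny with reasons, and re-runs the policy on each posture update during a live session so that a device that drifts out of compliance gets its session revoked. Field names, thresholds and sample postures are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Posture signals from the post plus one EDR verdict. Field names and the
# threshold below are assumptions for this example, not any product's API.
@dataclass
class DevicePosture:
    jailbroken_or_rooted: bool
    disk_encrypted: bool
    biometric_available: bool
    registered_devices: int
    edr_verdict: str = "clean"   # "clean" | "suspicious" | "compromised"

MAX_REGISTERED_DEVICES = 3       # assumed: more looks like credential sharing

def evaluate_access(p: DevicePosture, resource_sensitive: bool) -> Tuple[str, List[str]]:
    """Return ('deny' | 'step_up' | 'allow', reasons) for one access request.
    Hard failures deny outright; soft signals require step-up with a
    device-bound phishing-resistant factor, never a fallback to SMS or push."""
    reasons: List[str] = []
    if p.jailbroken_or_rooted:
        reasons.append("jailbroken/rooted device")
    if p.edr_verdict == "compromised":
        reasons.append("EDR reports compromise")
    if resource_sensitive and not p.disk_encrypted:
        reasons.append("disk not encrypted for sensitive resource")
    if reasons:
        return "deny", reasons
    if p.edr_verdict == "suspicious":
        reasons.append("EDR reports suspicious activity")
    if p.registered_devices > MAX_REGISTERED_DEVICES:
        reasons.append("too many registered devices")
    if not p.biometric_available:
        reasons.append("no local biometric for device-bound credential")
    return ("step_up" if reasons else "allow"), reasons

def monitor_session(updates: Iterable[DevicePosture], resource_sensitive: bool) -> List[str]:
    """Continuous authentication: re-run the policy on every posture update
    during a live session; a 'deny' revokes it and stops further evaluation."""
    log: List[str] = []
    for posture in updates:
        decision, _ = evaluate_access(posture, resource_sensitive)
        log.append(decision)
        if decision == "deny":
            log.append("session_revoked")
            break
    return log

if __name__ == "__main__":
    # Constructed sample: a healthy laptop that is rooted mid-session.
    healthy, rooted = DevicePosture(False, True, True, 1), DevicePosture(True, True, True, 1)
    print(monitor_session([healthy, healthy, rooted, healthy], True))
```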
3. Implement generative AI defense
Today’s adversaries leverage large language models (LLMs) and deepfakes to craft highly believable lures. This makes traditional detection and response strategies too slow or ineffective altogether as the models used for detection can just as easily be used to train deepfake generators. Some key technology considerations include:
- Take the burden of security off of humans by replacing phishable credentials like one-time codes, push notifications, and passwords with device-bound, phishing-resistant MFA.
- Hardware-backed attestations of identity and device security to deliver assurances of the legitimacy of the user and their endpoint.
- Adaptive risk policies to continuously enforce security policies and respond immediately when a user or device falls out of compliance.
Conclusion: Identity is (still) the biggest gap
The CrowdStrike 2025 Global Threat Report proves identity remains a giant hole in many organizations’ defenses. Attackers exploit weak MFA, outdated OSs, and vulnerable help desk procedures. But you can stop them by unifying device posture and user verification, deploying universal phishing-resistant MFA, adopting continuous authentication across the credential lifecycle, and implementing integrated adaptive risk policies.