Darktrace Annual Threat Report 2026 finds shift from exploit-driven breaches to faster, AI-enabled credential abuse
Industrial Cyber
February 27, 2026
Darktrace, a vendor of AI for cybersecurity, announced on Thursday the findings of its Annual Threat Report 2026, a comprehensive assessment of the global cyber threat landscape and the trends shaping cyber risk in 2026. Among its key findings, the report highlights a 20% year-over-year increase in publicly disclosed vulnerabilities, even as attackers increasingly bypass these weaknesses in favor of credential abuse and identity-led intrusions.
The cyber threat environment in 2025 was defined by acceleration, convergence, and complexity. Adversaries are no longer relying solely on traditional exploits; they are adopting new technologies and techniques that allow them to move faster and operate with greater precision. This shift has enabled attackers to conduct more targeted, adaptive intrusions that are significantly harder for traditional defenses to detect.
“Traditional perimeter defenses were built for a world where attackers had to break in,” said Nathaniel Jones, vice president of security and AI strategy at Darktrace. “Today they simply log in. Stopping identity‑led intrusions requires the ability to recognize when legitimate accounts begin to behave in ways that do not align with normal activity, and that means moving beyond static controls toward security that understands context and intent.”
Identity‑driven compromise has now become the dominant path into organizations. Darktrace’s findings show that, across the Americas, nearly 70% of incidents in the region began with stolen or misused accounts, underscoring how cloud and SaaS adoption have shifted the frontline of cyber defense from the network to the user. As organizations increasingly rely on interconnected cloud services, attackers are targeting the identities that govern access to them, rather than the infrastructure itself.
The findings reinforce a shift that has been reflected in real-world headlines across the past 12 months. High-profile incidents at Jaguar Land Rover, Marks & Spencer, and Salesforce over the past year demonstrated how quickly attackers can move once they gain access to legitimate accounts. In each case, the breach did not begin with a sophisticated software exploit, but with a compromised identity. Once inside, attackers used trusted accounts and existing permissions to operate in plain sight, accelerating impact while evading traditional security controls.
The trend is reinforced by attackers’ growing focus on stealing high‑value identities. More than 8.2 million phishing emails targeted VIPs in 2025, amounting to over a quarter of all phishing activity identified in that period, reflecting a deliberate effort to compromise privileged accounts that can unlock broader access across cloud and SaaS ecosystems.
Once inside, attackers use legitimate tools and permissions to disguise their attack as normal activity, making lateral movement fast and difficult to detect. Detecting and responding to identity abuse across these highly distributed environments has become one of the hardest problems in cybersecurity.
Cloud compromise has become the main entry point for cyber-attacks on both sides of the Atlantic. In Europe, 58% of incidents began with compromised cloud accounts and email, overtaking traditional network breaches at 42%. In the Americas, attackers most often break in through SaaS applications and Microsoft 365 accounts, with many of these breaches escalating into double or even triple extortion campaigns.
With 94% of organizations worldwide now relying on cloud computing, the risk is widespread. Across cloud providers, Azure was the most targeted, drawing 43.5% of observed malware samples, compared with 33.2% for Google Cloud Platform (GCP) and 23.2% for Amazon Web Services (AWS). When measured by unique malicious IP addresses, Docker environments accounted for 54.3% of honeypot targeting, underscoring the growing appeal of containerized cloud infrastructure for large-scale attacks.
Analysis of the 32 million phishing emails detected across Darktrace’s global fleet shows a clear trend: email attacks grew significantly more sophisticated in 2025, with AI‑assisted content, evasive payloads, and identity‑targeting techniques all increasing year-over-year.
Several indicators point to a clear rise in attacker sophistication. Evidence of AI-assisted phishing grew year over year, with novel social engineering techniques increasing from 32 percent to 38 percent and large-text, long-form messages rising from 27 percent to 33 percent. These shifts signal a move toward more personalized and credible-looking lures designed to slip past traditional email filters.
QR-code-based phishing also accelerated sharply. Darktrace observed a 28 percent increase, climbing from 940,000 attacks in 2024 to more than 1.2 million in 2025. Beyond higher volumes, attackers adopted new tactics such as splishing, where a QR code is divided into two separate images, and QR code nesting, in which a legitimate code conceals a malicious one. Both techniques are designed to evade link-scanning tools and funnel victims through multi-stage redirects.
Attackers also relied heavily on newly registered infrastructure. More than 1.6 million phishing emails leveraged freshly created domains established specifically for malicious campaigns, undermining reputation-based defenses. At the same time, 70 percent of phishing emails passed DMARC authentication checks, allowing them to appear legitimate to users and automated security controls alike.
“Phishing has become far more convincing and far more targeted,” Jones comments. “Attackers are using AI to craft messages that look authentic, exploit human trust, and slip past traditional email filters. Defenders need technology that can identify subtle signs of abnormality even when an email appears legitimate at first glance.”
The convergence of geopolitical tensions and rapid digital transformation has made Critical National Infrastructure (CNI) a strategic target for both state-aligned and criminal actors. Darktrace observed three recurring trends shaping CNI risk in 2025.
First, disruption of national services intensified. Cyber-physical attacks linked to the Russia-Ukraine conflict targeted Western and Ukrainian energy infrastructure, with cascading effects on healthcare and other dependent sectors.
Second, strategic access and pre-positioning expanded beyond traditional espionage. Groups such as Salt Typhoon and Volt Typhoon infiltrated telecommunications and energy organizations to support intelligence collection and establish footholds that could enable future disruption.
Third, the use of proxy and hybrid actors became more pronounced. State-sponsored groups, particularly those affiliated with the Democratic People’s Republic of Korea, blended financially motivated operations with strategic objectives. In 2025, Darktrace observed DPRK-linked activity exploiting vulnerabilities and deploying trojanized malware in financial services environments to advance broader intelligence goals.
“The speed and scale of modern attacks demand continuous visibility into how users and systems behave. Identity has become the most reliable path for attackers, and cloud interconnectivity means a single compromised account can have far‑reaching consequences. Behavioral AI gives defenders the ability to detect small deviations early, before they develop into major incidents,” Jones concludes.
Industrial Cyber News Desk