Compromised credentials remain leading cause of breaches
Cyberattacks are evolving, and so must defenses: that’s the overarching message found in Sophos’ 2025 Active Adversary Report. Based on data from over 400 incident response and managed detection cases in 2024, the report reveals a marked increase in the use of stealthy, hands-on attack techniques - from the exploitation of living-off-the-land binaries to the rising wave of ransomware launched remotely.
With compromised credentials still driving a significant portion of breaches, and outdated infrastructure remaining a persistent risk, the report makes one thing clear: security teams need to be faster, smarter, and more proactive than ever before.

Compromised credentials & the need for MFA
One of the standout findings from the 2025 Sophos Active Adversary Report is the continued dominance of compromised credentials as a primary attack vector - responsible for 39% of investigated breaches. While this marks a decline from 56% in the previous year, it remains the most common entry point for attackers.
This persistence highlights a critical security gap: many organizations still lack strong identity and access controls. Sophos underscores the urgent need for widespread adoption of multi-factor authentication (MFA), which can significantly reduce the risk of credential-based attacks. By adding a second layer of verification, beyond just a username and password, MFA can stop attackers even when credentials are leaked or stolen, turning what could have been a full-blown breach into a blocked attempt.
Awareness of the importance of MFA has not reached all organizations yet, the report shows. In 2022, Sophos observed that 22% of victims did not have MFA configured. That proportion nearly tripled to 63% in 2024.
Abuse of LOLBins grows
The report also highlights a sharp rise in the abuse of Living-off-the-Land Binaries (LOLBins): legitimate system tools that attackers repurpose to carry out malicious actions while evading detection. Usage of LOLBins increased by 51% compared to 2023, with Remote Desktop Protocol (RDP) being leveraged in a staggering 89% of cases.
By exploiting these built-in utilities, adversaries can move laterally within networks, exfiltrate data, and deploy malware without triggering traditional security alarms. This approach makes it harder for defenders to distinguish between normal system activity and active attacks. Sophos stresses the importance of advanced behavioral detection, network segmentation, and tight control over administrative tools to counter this growing threat.
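Because RDP is a legitimate tool, the behavioral detection the report calls for has to key on how it is used rather than on the tool itself. The following is an added example (not code from the report or from Sophos) of one such rule: it reads Windows Security events exported as JSON lines, keeps only successful RemoteInteractive logons (Event ID 4624, logon type 10), and alerts when one account from one source address reaches an unusual number of distinct hosts inside a short window, the fan-out pattern that lateral movement over RDP produces. The event lines, host names, addresses and thresholds are constructed for the demo.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events in JSON-lines form, as a SIEM export might look.
# EventID 4624 + LogonType 10 is a successful RemoteInteractive (RDP) logon.
SAMPLE_EVENTS = "\n".join([
    '{"time":"2024-06-01T02:01:10","EventID":4624,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.0.5","Computer":"WS01"}',
    '{"time":"2024-06-01T02:04:32","EventID":4624,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.0.5","Computer":"WS02"}',
    '{"time":"2024-06-01T02:09:51","EventID":4624,"LogonType":3,"TargetUserName":"svc_backup","IpAddress":"10.0.0.5","Computer":"SRV-FILE"}',
    '{"time":"2024-06-01T02:12:07","EventID":4624,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.0.5","Computer":"SRV-FILE"}',
    '{"time":"2024-06-01T02:18:44","EventID":4624,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"10.0.0.5","Computer":"SRV-DB"}',
    '{"time":"2024-06-01T09:00:01","EventID":4624,"LogonType":10,"TargetUserName":"bob","IpAddress":"10.0.1.20","Computer":"WS07"}',
    '{"time":"2024-06-01T13:30:15","EventID":4624,"LogonType":10,"TargetUserName":"bob","IpAddress":"10.0.1.20","Computer":"WS07"}',
    '{"time":"2024-06-01T13:31:15","EventID":4625,"LogonType":10,"TargetUserName":"bob","IpAddress":"10.0.1.20","Computer":"WS08"}',
])


def parse_events(text: str) -> list:
    """Parse JSON-lines events and convert the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def rdp_logons(events: list) -> list:
    """Keep only successful interactive RDP logons; network logons and failures are ignored here."""
    return [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 10]


def detect_rdp_fanout(events: list, min_hosts: int = 3, window: timedelta = timedelta(minutes=30)) -> list:
    """Alert when one (account, source IP) pair RDPs into min_hosts or more distinct hosts within window."""
    by_actor = defaultdict(list)
    for e in rdp_logons(events):
        by_actor[(e["TargetUserName"], e["IpAddress"])].append(e)

    alerts = []
    for (user, ip), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            # Slide a window forward from each logon and count distinct target hosts inside it.
            hosts, last = [], start["time"]
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                last = e["time"]
                if e["Computer"] not in hosts:
                    hosts.append(e["Computer"])
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user, "source_ip": ip, "hosts": hosts,
                    "first_seen": start["time"], "last_seen": last,
                })
                break  # one alert per actor is enough; further windows would repeat it
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"RDP fan-out: {a['user']} from {a['source_ip']} -> {a['hosts']} "
              f"between {a['first_seen']:%H:%M} and {a['last_seen']:%H:%M}")
```

In the sample, the service account touches four hosts in seventeen minutes and is flagged, while the user who logs into the same workstation twice is not. Real tuning is per environment: jump hosts and help-desk accounts legitimately fan out, so a production rule would carry an allow-list for them and would usually be paired with the network-segmentation controls the report recommends, which limit which sources can reach RDP at all.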
Dwell time falls
Dwell time, or the duration attackers remain undetected in a system, saw a significant reduction in 2024, according to the report. The median dwell time for incident response (IR) cases dropped to eight days, while Managed Detection and Response (MDR) cases had an even shorter median of just one day.
This sharp contrast illustrates the impact of active, continuous monitoring in identifying and stopping threats quickly. Shorter dwell times mean attackers have less opportunity to escalate privileges, steal data, or deploy ransomware. Sophos attributes this improvement largely to the growing adoption of MDR services, which provide around-the-clock threat detection and response. Still, the report warns that any delay in detection can be costly - making speed and visibility essential components of modern cybersecurity strategy.
Remote ransomware on the rise
Another emerging threat spotlighted in the report is the rise of remote ransomware attacks: incidents where adversaries execute ransomware from outside the victim's network without establishing a prolonged internal presence. This tactic allows attackers to bypass traditional perimeter defenses and quickly encrypt systems with minimal warning. Unlike conventional ransomware campaigns that rely on lateral movement and extended dwell time, remote ransomware is fast, direct, and often devastating.
The report notes a growing trend of threat actors exploiting exposed remote services and weak authentication mechanisms to gain access and launch attacks. Sophos emphasizes the need for organizations to harden their external attack surfaces, enforce strong access controls, and maintain up-to-date backups, as these rapid attacks leave little time for reaction once underway.
Gaps to close
While improvements like shorter dwell times reflect progress in threat detection and response, the surge in LOLBin abuse, remote ransomware, and attacks fueled by compromised credentials shows that many organizations still have critical gaps to close. Multi-factor authentication, better network segmentation, real-time monitoring, and proactive patching are no longer optional - they’re essential. As attackers continue to adapt their methods, cybersecurity strategies must be equally agile, prioritizing both prevention and rapid response to stay ahead of the curve.