Darktrace has reported the detection of over 32 million high-confidence phishing emails in 2025, highlighting a significant rise in identity-driven cyber threats.
This data was gathered from incidents across Darktrace's global customer base, illustrating a year characterized by automation, convergence, and increasing attacker speed.
Among these phishing attempts, more than 8.2 million were directed at VIPs, representing over 25% of all observed phishing activity.
Additionally, 1.6 million phishing emails came from newly created domains, while 1.2 million featured malicious QR codes.
Remarkably, 70% of these phishing emails managed to bypass DMARC authentication. Furthermore, 41% were classified as spear-phishing, and 38% employed new social engineering techniques. Notably, one-third of the emails exceeded 1,000 characters in length.
Identity Compromise as the Leading Entry Vector
The report from Darktrace also reveals that identity compromise has surpassed vulnerability exploitation as the primary method of entry into systems. The number of Common Vulnerabilities and Exposures (CVE) entries increased by approximately 20% year-on-year, and many vulnerabilities were exploited before they were publicly disclosed.
Shane Barney, CISO at Keeper Security, commented, "Identity has become the attacker's skeleton key. Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens, and abused permissions, then moving laterally under the cover of legitimacy."
He added, "When identity controls are fragmented or overly permissive, attackers do not require novel exploits. They only need access that appears routine."
In the Americas, SaaS and Microsoft 365 account takeovers made up nearly 70% of incidents. The manufacturing sector represented 17% of recorded cases and 29% of ransomware incidents in the region. Notably, about 47% of all global security events tracked by Darktrace in 2025 originated from the Americas.