Darktrace Annual Threat Report Finds Identity Is Now Primary Target as Global Vulnerabilities Rise 20%

by Jon Seals | February 26, 2026

  • Registered software vulnerabilities rose 20% in 2025, even as attackers increasingly shifted toward credential abuse over traditional exploitation
  • 32 million phishing emails detected globally with a 28% increase in QR code-based attacks as email attacks continue to grow in sophistication
  • Nearly 70% of incidents in the Americas begin with stolen or misused accounts, reflecting the global shift toward identity‑led intrusions
  • Azure the most targeted cloud provider as cloud compromises accelerate

CAMBRIDGE, UK – Darktrace, a global leader in AI for cybersecurity, today announced the findings of its Annual Threat Report 2026, a comprehensive assessment of the global cyber threat landscape and the trends shaping cyber risk in 2026. Among its key findings, the report highlights a 20% year‑over‑year increase in publicly disclosed vulnerabilities, even as attackers increasingly bypass these weaknesses in favor of credential abuse and identity‑led intrusions.

The cyber threat environment in 2025 was defined by acceleration, convergence, and complexity. Adversaries are no longer relying solely on traditional exploits; they are adopting new technologies and techniques that allow them to move faster and operate with greater precision. This shift has enabled attackers to conduct more targeted, adaptive intrusions that are significantly harder for traditional defenses to detect.

Identity Is the New Perimeter

Identity‑driven compromise has now become the dominant path into organizations. Darktrace’s findings show that, across the Americas, nearly 70% of incidents began with stolen or misused accounts, underscoring how cloud and SaaS adoption have shifted the frontline of cyber defense from the network to the user. As organizations increasingly rely on interconnected cloud services, attackers are targeting the identities that govern access to them, rather than the infrastructure itself.

The findings reinforce a shift that has been reflected in real-world headlines across the past 12 months. High‑profile incidents at Jaguar Land Rover, Marks & Spencer, and Salesforce demonstrated how quickly attackers can move once they gain access to legitimate accounts. In each case, the breach did not begin with a sophisticated software exploit, but with compromised identity. Once inside, attackers used trusted accounts and existing permissions to operate in plain sight, accelerating impact while evading traditional security controls.

The trend is reinforced by attackers’ growing focus on stealing high‑value identities. More than 8.2 million phishing emails targeted VIPs in 2025, amounting to over a quarter of all phishing activity identified in that period, reflecting a deliberate effort to compromise privileged accounts that can unlock broader access across cloud and SaaS ecosystems.

Once inside, attackers use legitimate tools and permissions to disguise their attack as normal activity, making lateral movement fast and difficult to detect. Detecting and responding to identity abuse across these highly distributed environments has become one of the hardest problems in cybersecurity.

“Traditional perimeter defenses were built for a world where attackers had to break in,” said Nathaniel Jones, VP of Security and AI Strategy at Darktrace. “Today they simply log in. Stopping identity‑led intrusions requires the ability to recognize when legitimate accounts begin to behave in ways that do not align with normal activity, and that means moving beyond static controls toward security that understands context and intent.”

Cloud and SaaS Environments Are Driving Systemic Risk

Cloud compromise has become the main entry point for cyber-attacks on both sides of the Atlantic. In Europe, 58% of incidents began with compromised cloud accounts and email, overtaking traditional network breaches at 42%. In the Americas, attackers most often break in through SaaS applications and Microsoft 365 accounts, with many of these breaches escalating into double or even triple extortion campaigns.

With 94% of organizations worldwide now relying on cloud computing, the risk is widespread. Across cloud providers, Azure was the most targeted, drawing 43.5% of observed malware samples, compared with 33.2% for Google Cloud Platform (GCP) and 23.2% for Amazon Web Services (AWS). When measured by unique malicious IP addresses, Docker environments accounted for 54.3% of honeypot targeting, underscoring the growing appeal of containerized cloud infrastructure for large-scale attacks.

Email Attacks Are Becoming More Sophisticated

Analysis of the 32 million phishing emails detected across Darktrace’s global fleet shows a clear trend: email attacks grew significantly more sophisticated in 2025, with AI‑assisted content, evasive payloads, and identity‑targeting techniques all increasing year-over-year.

Key indicators of this rising sophistication include:

  • AI‑assisted phishing accelerating: Signs of AI usage increased year-over-year, with novel social engineering techniques rising from 32% to 38% and large‑text, long‑form messages increasing from 27% to 33%. These patterns reflect a shift toward more personalized, credible‑looking lures designed to evade traditional filters.
  • QR‑code attacks on the rise: Darktrace detected a 28% increase in QR code-based phishing attacks, from 940,000 in 2024 to over 1.2 million in 2025. Alongside growing volume, attackers introduced new forms of QR code phishing including ‘splishing’, in which a QR code is split into two distinct images, and QR code nesting, where a legitimate QR code is embedded with a malicious one, all designed to bypass link‑scanning tools and route victims through multi‑stage redirects.
  • Fresh domains used at scale: More than 1.6 million phishing emails relied on newly created domains spun up specifically for malicious activity, reducing the effectiveness of reputation‑based defenses.
  • DMARC evasion through legitimacy: 70% of phishing emails passed DMARC authentication, helping them appear legitimate to both users and automated controls.

“Phishing has become far more convincing and far more targeted,” Jones comments. “Attackers are using AI to craft messages that look authentic, exploit human trust, and slip past traditional email filters. Defenders need technology that can identify subtle signs of abnormality even when an email appears legitimate at first glance.”

Critical National Infrastructure Outlook

The convergence of geopolitical tensions and rapid digital transformation has made Critical National Infrastructure (CNI) a strategic target for state‑aligned and criminal actors. Darktrace observed three recurring trends shaping CNI risk in 2025:

  • Disruption of national services: Cyber‑physical attacks linked to the Russia‑Ukraine conflict targeted Western and Ukrainian energy infrastructure, with downstream impacts on healthcare and other dependent sectors.
  • Strategic access and pre‑positioning: Groups such as Salt Typhoon and Volt Typhoon expanded operations beyond espionage, infiltrating telecommunications and energy organizations to enable intelligence gathering and potential future disruption.
  • Use of proxy and hybrid actors: State‑sponsored groups, particularly DPRK‑affiliated actors, blended financially motivated operations with strategic objectives. In 2025, Darktrace observed DPRK‑linked activity exploiting vulnerabilities and deploying trojanized malware in financial services environments to support broader intelligence efforts.

The Annual Threat Report 2026 shows that the threat landscape has entered a new phase. With credential abuse driving the majority of intrusions and attackers increasingly exploiting trusted accounts, cloud services, and interconnected SaaS environments, identity has become the most reliable path into an organization. AI is accelerating this trend by helping attackers scale targeted, credible‑looking activity that blends into normal behavior. As organizations continue to adopt cloud, SaaS, and AI‑driven technologies, security teams must evolve their approach to detecting and responding to abnormal behavior across highly distributed environments.

“The speed and scale of modern attacks demand continuous visibility into how users and systems behave. Identity has become the most reliable path for attackers, and cloud interconnectivity means a single compromised account can have far‑reaching consequences. Behavioral AI gives defenders the ability to detect small deviations early, before they develop into major incidents,” Jones concludes.

Additional Resources:

  • Download the full Annual Threat Report and region-specific outlooks here and check out the Darktrace blog here for more insights behind the data.
  • Register for the webinar, “Navigating the Threat Landscape: Insights from the Darktrace Annual Threat Report 2026” on March 11 for a deeper dive.

About the Darktrace Annual Threat Report 2026

The Darktrace Annual Threat Report is based on extensive analysis conducted across Darktrace’s global customer base. The findings draw on data collected throughout 2025, including behavioral anomalies, threat notifications, and real‑world case studies. Darktrace combines these insights with intelligence from national agencies and cyber intelligence partners, as well as open‑source, industry‑leading sources such as CERT advisories and dark‑web collection, to provide a comprehensive and accurate view of the threat landscape. Darktrace will also release a series of in‑depth, region‑specific reports offering tailored intelligence and contextual analysis.

About Darktrace  

Darktrace is a global leader in AI for cybersecurity that keeps organizations ahead of the changing threat landscape every day. Founded in 2013, Darktrace provides the essential cybersecurity platform protecting organizations from unknown threats using its proprietary AI that learns from the unique patterns of life for each customer in real-time. The Darktrace ActiveAI Security Platform™ delivers a proactive approach to cyber resilience to secure the business across the entire digital estate – from network to cloud to email. It provides pre-emptive visibility into the customer’s security posture, transforms operations with a Cyber AI Analyst™, and detects and autonomously responds to threats in real-time. Breakthrough innovations from our R&D teams in Cambridge, UK, and The Hague, Netherlands have resulted in over 250 patent applications filed. Darktrace’s platform and services are supported by over 2,300 employees around the world who protect nearly 10,000 customers across all major industries globally.
