
Credential Phishing and Infostealers Surge in IBM’s X-Force 2025 Threat Intelligence Index

Last Modified Date: Apr 17, 2025

The IBM X-Force 2025 Threat Intelligence Index shows a rise in infostealers delivered via phishing emails and credential phishing. Organizations must limit their exposure as part of their threat management strategy.


The report notes that “threat actors are using AI to build websites and incorporate deepfakes in phishing attacks. We have also observed threat actors applying gen AI to create phishing emails and write malicious code.”

“Year-over-year, X-Force is seeing a rise in infostealers delivered via phishing emails and credential phishing. Both result in active credentials that may be used in follow-on, identity-based attacks.

- In 2024, we observed an 84% increase in infostealers delivered via phishing
- Early data from 2025 suggests an even greater increase of 180% of weekly volume compared to 2023.”

“For the second year in a row, attackers adopted more stealthy and persistent attack methods, with nearly one in three attacks that X-Force observed using valid accounts. A surge in phishing emails distributing infostealer malware and credential phishing fuels this trend, which may be attributed to attackers leveraging AI to scale attacks.”

“It is almost impossible to trace back to the origin of the compromised credentials. It is likely that, for many valid accounts incidents, the actual infection vector was a premeditated credential phishing or infostealer malware campaign, a fact that cannot be accurately reflected in the statistic of initial access vectors.”

“Although by the numbers it might seem like phishing risks are decreasing, it’s just become more challenging to determine where the risk originated. Valid credentials still must be sourced from somewhere. While it can be difficult to prove, most compromised credentials came from infostealers and credential harvesting campaigns, of which an increasing amount is delivered via phishing.”

“Credentials or data were stolen in nearly half of all cyberattacks, highlighting a growing challenge in securing both data and identities.”

“Threat actors are using valid credentials to log in; exploit unpatched vulnerabilities; and to a slightly lesser extent, phish their way in—with or without AI assistance. Organizations need to develop and run their own cybersecurity playbooks—seeking to identify exposures, assess risks, and mitigate incident impacts.”

The first step the report gives for threat management is to “Limit your exposure across the threat environment.”

An essential part of this is minimizing the exposure of employee PII across data broker sites, as threat actors routinely use this data for reconnaissance, phishing, and credential compromise.

Download the full report for more insights.
