CREDENTIAL ABUSE is among the most effective techniques used by cyberattackers, with criminals now increasingly relying on these tactics over malware, according to a report by Kaspersky Security Services.
Attackers found better success in getting access to users’ data while evading detection via password guessing and valid account misuse in 2025, triggering a shift from the use of malware that could trigger endpoint protection, Kaspersky’s “Anatomy of a Cyber World 2026” report showed.
The analysis examined the conversion rates of various indicators of attack.
“Threat actors do not always need sophisticated malware to achieve their objectives. In many cases, legitimate administrative tools and compromised accounts remain the fastest and most effective way to move inside an organization while avoiding detection,” said Sergey Soldatov, head of Security Operations Center at Kaspersky.
“The continued popularity of these techniques shows that organizations need deep visibility into attacker behavior and the ability to correlate suspicious activity across different stages of an attack.”
Kaspersky said a large portion of the most frequently monitored attack techniques revolves around credentials and identity management.
Password guessing had a conversion rate of 34.8%.
“This technique entails attackers systematically trying different passwords until successfully gaining access to an account. It tops the conversion list due to its occurrence in both actual attacks and authorized security assessments, making it a persistent threat in today’s cybersecurity landscape. Organizations who rely on weak or reused passwords continues to enable this age-old strategy,” it said.
Meanwhile, local account creation had a conversion rate of 34.7%. Through this attack method, cyber criminals create new accounts once they find a way inside a target’s system so that they can continue to have access, even after the breach is detected.
Valid account abuse, where attackers use stolen or compromised credentials to log in, had a conversion rate of 34.5%. Kaspersky said this method is one of the most dangerous attack vectors because it makes detection “significantly harder, as the access itself appears legitimate.”
Meanwhile, account manipulation, which had a conversion rate of 32%, happens when attackers modify existing accounts, including privileges and permissions. “This reinforces the broader pattern — rather than introducing new tools, adversaries deepen their control using what is already there.”
Lastly, network service discovery had a conversion rate 31.2%.
“Before moving deeper into a network, attackers typically scan for open services and systems they can reach. This reconnaissance step is a strong predictor of what follows: lateral movement and further exploitation. Detecting it early provides security teams a critical window to intervene.”
Kaspersky said effective detection requires prioritizing behaviors with the highest probability of malicious intent while avoiding excessive false positives.
It added that its solutions like Kaspersky Managed Detection and Response and Incident Response can cover the entire incident management cycle, from threat detection to continuous protection and remediation. — Bettina V. Roc


