
Sophos 2025 Active Adversary Report: Over Half of Attacks Use Valid Credentials as Cyber Threats Accelerate


Introduction

The 2025 Sophos Active Adversary Report delivers a sobering analysis of today’s cyber threat landscape. Based on over 400 real-world cases from Sophos’ Incident Response (IR) and Managed Detection and Response (MDR) services in 2024, the report reveals a stark reality: attackers are getting faster, smarter, and more efficient — often using legitimate tools and stolen credentials to breach systems in hours, not days.

The findings paint a picture of a cyber battlefield where time is a critical weapon. Threat actors now move from breach to data exfiltration in just three days, and in more than half of all cases (56%), they gain access through valid logins — such as compromised credentials used with exposed remote access tools like VPNs or firewalls.

Below is a comprehensive breakdown of the report’s major findings and what they mean for cybersecurity teams and organizational leadership globally.

1. Attackers Love Your Logins: Valid Credentials Are the Top Vector

In both MDR and IR cases, attackers gained initial access in 56% of incidents by exploiting external remote services using valid credentials. This marks the second year in a row that compromised credentials were the number one root cause of breaches, accounting for 41% of all attacks.

Other Initial Access Methods:

  • Exploited vulnerabilities: 21.79%
  • Brute force attacks: 21.07%

Sophos’ data showed a close relationship between external remote services (71% of cases) and valid accounts (78% when combined), highlighting a continued overreliance on easily exploitable login systems, especially when MFA (multifactor authentication) is missing — which it was in 63% of breached organizations.

2. From Breach to Exfil in 3 Days: The Blazing Speed of Modern Attacks

Sophos’ X-Ops team found that attackers are exfiltrating data in a median time of 72.98 hours (just over 3 days). Alarmingly, there is only a 2.7-hour gap between the moment data is exfiltrated and when the attack is detected in ransomware and extortion cases.

This speed compresses response windows, forcing defenders to move quickly or risk full-scale compromise.

3. Attackers Target Active Directory Within 11 Hours

Attackers prioritize domain dominance fast: the median time between initial access and first attempt at compromising Active Directory was just 11 hours.

With 62% of compromised AD servers running out-of-support operating systems, attackers face little resistance. Gaining control of AD allows them to move laterally and escalate access almost instantly.

4. Dwell Time Hits Record Low in MDR Cases

Median Dwell Time Across All Cases:

  • Overall: 2 days (down from 4 in 2023)
  • IR cases: 7 days
    • Ransomware: 4 days
    • Non-ransomware: 11.5 days
  • MDR cases:
    • Ransomware: 3 days
    • Non-ransomware: 1 day

These figures show how proactive monitoring significantly reduces dwell time, limiting the window for attackers to inflict damage.

5. Ransomware Payloads Dropped After-Hours

Sophos found that 83% of ransomware binaries were dropped outside the targets’ local business hours, reinforcing the need for 24/7 monitoring. These overnight attacks often allow adversaries to operate undetected until damage is already done.

6. RDP Abuse Remains Rampant

Remote Desktop Protocol (RDP) was involved in 84% of all cases — mostly used for internal lateral movement. Despite repeated warnings, many organizations still leave RDP ports exposed or insufficiently restricted.

Sophos recommends:

  • Closing exposed RDP ports
  • Applying least privilege access
  • Enforcing MFA
  • Monitoring logins for anomalies (e.g., unexpected hostnames or time zones)
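The login-anomaly monitoring in the list above is easiest to see as working detection logic. The following is an added example written for this summary, not code from Sophos or from the report: it scans a constructed sample of Windows Security logon events (event IDs 4624 and 4625, logon type 10 for RDP) and flags successful RDP logons that come from a workstation name the organization does not recognise, that land outside the organization's local business hours, or that follow a burst of failed logons from the same account and source address. The allowlisted hostnames, the Nairobi time zone, the business-hours window and the failure threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, time
from zoneinfo import ZoneInfo

# Constructed sample of Security log events (hypothetical, not from the report).
# 4624 = successful logon, 4625 = failed logon, logon_type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"event_id": 4625, "time": "2024-06-10T02:10:00Z", "user": "svc_backup", "logon_type": 10, "workstation": "KALI", "ip": "203.0.113.7"},
    {"event_id": 4625, "time": "2024-06-10T02:11:00Z", "user": "svc_backup", "logon_type": 10, "workstation": "KALI", "ip": "203.0.113.7"},
    {"event_id": 4625, "time": "2024-06-10T02:12:00Z", "user": "svc_backup", "logon_type": 10, "workstation": "KALI", "ip": "203.0.113.7"},
    {"event_id": 4625, "time": "2024-06-10T02:13:00Z", "user": "svc_backup", "logon_type": 10, "workstation": "KALI", "ip": "203.0.113.7"},
    {"event_id": 4625, "time": "2024-06-10T02:14:00Z", "user": "svc_backup", "logon_type": 10, "workstation": "KALI", "ip": "203.0.113.7"},
    {"event_id": 4624, "time": "2024-06-10T02:15:00Z", "user": "svc_backup", "logon_type": 10, "workstation": "KALI", "ip": "203.0.113.7"},
    {"event_id": 4624, "time": "2024-06-10T07:30:00Z", "user": "jdoe", "logon_type": 10, "workstation": "WS-FINANCE01", "ip": "10.0.0.21"},
    {"event_id": 4624, "time": "2024-06-10T12:00:00Z", "user": "jdoe", "logon_type": 2, "workstation": "WS-HR02", "ip": "10.0.0.22"},
    {"event_id": 4624, "time": "2024-06-08T14:00:00Z", "user": "admin", "logon_type": 10, "workstation": "JUMPHOST", "ip": "10.0.0.5"},
]

# Assumed organizational baseline: known RDP client hostnames, local time zone, business hours.
KNOWN_WORKSTATIONS = {"WS-FINANCE01", "WS-HR02", "JUMPHOST"}
ORG_TZ = ZoneInfo("Africa/Nairobi")
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
BRUTE_FORCE_THRESHOLD = 5  # failed logons before a success that we treat as suspicious


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_after_hours(dt_utc: datetime) -> bool:
    """True when the event falls on a weekend or outside business hours in the org's time zone."""
    local = dt_utc.astimezone(ORG_TZ)
    weekend = local.weekday() >= 5
    in_window = BUSINESS_START <= local.time() < BUSINESS_END
    return weekend or not in_window


def detect_rdp_anomalies(events):
    """Return a list of findings for successful RDP logons that look anomalous."""
    findings = []
    failures = defaultdict(int)  # (user, source ip) -> failed logons since last success
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["ip"])
        if ev["event_id"] == 4625:
            failures[key] += 1
            continue
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue  # only successful RDP logons are scored here
        dt = parse_utc(ev["time"])
        reasons = []
        if ev["workstation"].upper() not in KNOWN_WORKSTATIONS:
            reasons.append("unknown workstation name")
        if is_after_hours(dt):
            reasons.append("outside business hours")
        if failures[key] >= BRUTE_FORCE_THRESHOLD:
            reasons.append(f"{failures[key]} failed logons preceded success")
        if reasons:
            findings.append({
                "user": ev["user"], "ip": ev["ip"], "workstation": ev["workstation"],
                "local_time": dt.astimezone(ORG_TZ).isoformat(), "reasons": reasons,
            })
        failures[key] = 0  # a success resets the failure counter for this pair
    return findings


if __name__ == "__main__":
    for f in detect_rdp_anomalies(SAMPLE_EVENTS):
        print(f["local_time"], f["user"], f["ip"], f["workstation"], "; ".join(f["reasons"]))
```

The three checks map onto the report's findings: the hostname check covers "unexpected hostnames", the time-zone conversion covers "unexpected time zones" and the after-hours activity noted elsewhere in the report, and the failure counter covers the brute-force share of initial access. In production the allowlist and hours would come from asset inventory rather than constants, and the same logic applies unchanged to VPN or firewall authentication logs once they are normalised to the same fields.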

7. Case Study: The High Cost of Business Process Delays

One highlighted MDR case details a company breached three times in 14 months via a vulnerable FortiGate VPN appliance running a 14-year-old firmware. Despite repeated recommendations, business process constraints delayed patching — and ransomware actors struck again.

In the final attack, ransomware encrypted the entire estate just nine days after a previous incident. The same compromised service account was still active. Only then was the VPN disabled.

This example underscores how business process failures can enable cybercriminals to return and succeed — again and again.

8. Attackers’ Toolkits Are Evolving: Goodbye Cobalt Strike, Hello Impacket

Sophos recorded a dramatic rise in Impacket usage, especially tools like:

  • wmiexec.py (35% of attacks)
  • secretsdump.py (used for credential dumping)

By contrast, Cobalt Strike, once a staple of ransomware operations, fell to just 7.5% of cases, down from 25% in earlier years. This decline is attributed to improved detection and blocking.

9. LOLBins Continue to Be a Threat

Living-off-the-land binaries (LOLBins) — legitimate Windows tools used maliciously — saw a 126% increase in unique binaries abused.

Top LOLBins included:

  • cmd.exe
  • wevtutil.exe (used to delete logs)
  • notepad.exe (used to read plaintext passwords)

Attackers continue to use built-in tools to avoid detection, making endpoint behavior monitoring more critical than ever.
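Because the binaries above are legitimate, the endpoint behaviour monitoring this section calls for has to key on parent process, arguments and targets rather than on the image name alone. The example below was added for this summary and is not code from Sophos or the report. It runs three rules over a constructed sample of process-creation records (the fields a Sysmon Event 1 or Security 4688 record would supply): the default command-line shape that Impacket's wmiexec.py produces on the target (cmd.exe spawned by WmiPrvSE.exe with output redirected into the ADMIN$ share), wevtutil.exe invoked with its clear-log verb, and notepad.exe opening a file whose name suggests stored credentials. The hostnames, paths and the credential-filename heuristic are assumptions for the example.

```python
import ntpath
import re

# Constructed process-creation records (hypothetical; not taken from the report).
SAMPLE_PROCESSES = [
    {"host": "WS-FINANCE01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1718000000.12 2>&1"},
    {"host": "DC01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS-HR02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\Desktop\passwords.txt"},
    {"host": "WS-HR02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "DC01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe qe Security /c:5"},
    {"host": "WS-FINANCE01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def is_wmiexec_style(p) -> bool:
    # wmiexec.py runs commands through WMI, so the child of WmiPrvSE.exe is cmd.exe
    # whose output is redirected to a file named __<timestamp> on the ADMIN$ share.
    return (image_name(p["parent"]) == "wmiprvse.exe"
            and image_name(p["image"]) == "cmd.exe"
            and re.search(r"\\\\\S+\\ADMIN\$\\__", p["cmdline"], re.I) is not None)


def is_log_clear(p) -> bool:
    # wevtutil's "cl" / "clear-log" verb wipes an event log; queries ("qe") are benign.
    return (image_name(p["image"]) == "wevtutil.exe"
            and re.match(r"^\S+\s+(cl|clear-log)\b", p["cmdline"], re.I) is not None)


def is_credential_file_view(p) -> bool:
    # Heuristic (assumed): notepad opening a text file with a credential-like name.
    return (image_name(p["image"]) == "notepad.exe"
            and re.search(r"(pass|pwd|cred|secret)[^\\]*\.txt\b", p["cmdline"], re.I) is not None)


RULES = [
    ("wmiexec-style remote command execution", is_wmiexec_style),
    ("event log cleared via wevtutil", is_log_clear),
    ("notepad opened a credential-like file", is_credential_file_view),
]


def detect_lolbin_abuse(processes):
    """Return (host, rule name, command line) for every record that matches a rule."""
    hits = []
    for p in processes:
        for name, rule in RULES:
            if rule(p):
                hits.append((p["host"], name, p["cmdline"]))
    return hits


if __name__ == "__main__":
    for host, rule, cmd in detect_lolbin_abuse(SAMPLE_PROCESSES):
        print(f"{host}: {rule}: {cmd}")
```

Each rule pairs the binary with the context that makes its use abnormal, which is the point the section makes: cmd.exe and notepad.exe are not alertable on their own, but cmd.exe under the WMI provider host or a log-clearing verb is. The wevtutil rule also gives defenders a reason to forward event logs off the host, since a cleared local log leaves only the forwarded copy as evidence.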

10. Exfiltration Confirmed in 27% of Cases

Data exfiltration was confirmed in 27% of all cases, with signs of staging or possible exfiltration in another 9%. Among ransomware victims, 43% had confirmed data theft.

Remote ransomware attacks — where encryption occurs off-site via network connections — also surged 141% since 2022. These attacks often evade detection, as no malware is dropped locally.

11. The Ransomware Landscape Is Fragmenting

After the takedown of LockBit, no single group dominated the field in 2024. Still, Akira, Fog, and LockBit remnants were among the most observed.

This fragmentation makes attribution harder and reinforces the need for broad defenses rather than threat actor–specific strategies.

12. Sophos’ Recommendations: How to Defend Effectively

To build a more resilient defense posture, Sophos urges organizations to:

  • Close exposed RDP ports
  • Use phishing-resistant MFA
  • Patch all internet-facing systems promptly
  • Deploy 24/7 MDR or EDR solutions
  • Develop and rehearse incident response plans

Conclusion: Proactive Security Is the Only Way Forward

The 2025 Sophos Active Adversary Report makes one thing clear — passive security is no longer an option. Attacks are faster, more sophisticated, and increasingly use tools that mimic legitimate system behavior.

Organizations must embrace real-time monitoring, swift response capabilities, and eliminate internal roadblocks to patching and configuration changes. Otherwise, they risk learning hard lessons — as some unfortunate case studies show — too late.

With valid credentials now the most common weapon, and data exfiltration happening within days, the question isn’t if you’ll be targeted, but whether you’re ready to respond in time.


Discover more from Techish Kenya


The Analyst

The Analyst delivers in-depth, data-driven insights on technology, industry trends, and digital innovation, breaking down complex topics for a clearer understanding.
