
Introduction
The 2025 Sophos Active Adversary Report delivers a sobering analysis of today's cyber threat landscape. Based on over 400 real-world cases from Sophos' Incident Response (IR) and Managed Detection and Response (MDR) services in 2024, the report reveals a stark reality: attackers are getting faster, smarter, and more efficient, often using legitimate tools and stolen credentials to breach systems in hours rather than days.
The findings paint a picture of a cyber battlefield where time is a critical weapon. Threat actors now move from breach to data exfiltration in just three days, and in more than half of all cases (56%) they gain access through valid logins: compromised credentials used against exposed remote access services such as VPNs and firewall management interfaces.
Below is a comprehensive breakdown of the report’s major findings and what they mean for cybersecurity teams and organizational leadership globally.
1. Attackers Love Your Logins: Valid Credentials Are the Top Vector
In the combined MDR and IR data, attackers gained initial access in 56% of incidents by logging into external remote services with valid credentials. This is the second year in a row in which compromised credentials were the number one root cause of breaches, accounting for 41% of all cases.
Other Initial Access Methods:
- Exploited vulnerabilities: 21.79%
- Brute force attacks: 21.07%
Sophos' data shows how tightly the two are linked: external remote services featured in 71% of cases and valid accounts in 78% across the combined dataset, and they usually appeared together. This highlights a continued overreliance on login systems that are easy to abuse, especially when multifactor authentication (MFA) is missing, as it was in 63% of breached organizations.
2. From Breach to Exfil in 3 Days: The Blazing Speed of Modern Attacks
Sophos' X-Ops team found that attackers exfiltrate data a median of 72.98 hours (just over three days) after the attack begins. Alarmingly, in ransomware and extortion cases the median gap between data exfiltration and detection of the attack was only 2.7 hours.
This speed compresses response windows, forcing defenders to move quickly or risk full-scale compromise.
3. Attackers Target Active Directory Within 11 Hours
Attackers prioritize domain dominance: the median time between initial access and the first attempt to compromise Active Directory was just 11 hours.
With 62% of compromised AD servers running out-of-support operating systems, attackers face little resistance. Control of AD lets them move laterally and escalate privileges across the estate almost immediately.
4. Dwell Time Hits Record Low in MDR Cases
Median Dwell Time Across All Cases:
- Overall: 2 days (down from 4 in 2023)
- IR cases: 7 days
  - Ransomware: 4 days
  - Non-ransomware: 11.5 days
- MDR cases:
  - Ransomware: 3 days
  - Non-ransomware: 1 day
These figures show how proactive monitoring significantly reduces dwell time (the interval between the start of an attack and its detection), shrinking the window in which attackers can do damage.
5. Ransomware Payloads Dropped After-Hours
Sophos found that 83% of ransomware binaries were dropped outside the targets' local business hours, reinforcing the need for 24/7 monitoring. Overnight deployment lets adversaries operate undetected until the damage is already done.
6. RDP Abuse Remains Rampant
Remote Desktop Protocol (RDP) was involved in 84% of all cases, mostly for internal lateral movement. Despite repeated warnings, many organizations still leave RDP exposed to the internet or insufficiently restricted inside the network.
Sophos recommends:
- Closing exposed RDP ports
- Applying least privilege access
- Enforcing MFA
- Monitoring logins for anomalies (e.g., unexpected hostnames or time zones)
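The last recommendation is the one most teams leave vague, so here is what "monitoring logins for anomalies" can look like in practice. This is an added example, not code from the Sophos report or any Sophos product: it runs three checks over constructed Windows Security Event ID 4624 records restricted to LogonType 10 (RemoteInteractive, i.e. RDP). The internal address ranges, the managed-hostname naming convention, the office time zone and the sample events are all assumptions for the example; the business-hours check is the same one you would apply to the after-hours ransomware drops described in section 5.

```python
"""Flag anomalous RDP logons in Windows Security event records.

Added example (not from the Sophos report): the events below are constructed
to look like Event ID 4624 (successful logon) with LogonType 10 (RDP),
reduced to the fields the checks need.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions for this example (adjust to the estate): internal address space,
# the naming convention for managed endpoints, and local business hours.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
MANAGED_HOST_RE = re.compile(r"^(WS|SRV)-[A-Z0-9]{4,}$")
LOCAL_TZ = timezone(timedelta(hours=-5))   # assumed office time zone (UTC-5)
BUSINESS_HOURS = range(8, 18)              # 08:00-17:59 local, Monday to Friday


@dataclass(frozen=True)
class Logon:
    time_utc: datetime
    account: str
    workstation: str   # WorkstationName field: the client's self-reported hostname
    source_ip: str     # IpAddress field
    logon_type: int


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    Logon(datetime(2024, 6, 3, 14, 5, tzinfo=timezone.utc), "j.doe", "WS-A1B2C3", "10.1.4.20", 10),
    Logon(datetime(2024, 6, 4, 7, 12, tzinfo=timezone.utc), "svc-backup", "kali", "10.1.9.77", 10),
    Logon(datetime(2024, 6, 4, 3, 40, tzinfo=timezone.utc), "administrator", "WIN-9K2L", "203.0.113.45", 10),
    Logon(datetime(2024, 6, 4, 15, 0, tzinfo=timezone.utc), "j.doe", "WS-A1B2C3", "10.1.4.20", 3),
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_business_hours(t_utc: datetime) -> bool:
    local = t_utc.astimezone(LOCAL_TZ)
    return local.weekday() < 5 and local.hour in BUSINESS_HOURS


def assess(event: Logon) -> list[str]:
    """Return the reasons an RDP logon looks anomalous (empty list = nothing flagged)."""
    if event.logon_type != 10:        # only RemoteInteractive (RDP) logons are in scope
        return []
    reasons = []
    if not is_internal(event.source_ip):
        reasons.append("rdp-from-external-ip")        # RDP should never arrive from the internet
    if not MANAGED_HOST_RE.match(event.workstation):
        reasons.append("unmanaged-workstation-name")  # attacker tooling reports its own hostname
    if not in_business_hours(event.time_utc):
        reasons.append("outside-business-hours")
    return reasons


def triage(events: list[Logon]) -> dict[str, list[str]]:
    """Map 'account@source_ip' to its findings for every flagged RDP logon."""
    findings: dict[str, list[str]] = {}
    for event in events:
        reasons = assess(event)
        if reasons:
            findings[f"{event.account}@{event.source_ip}"] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_EVENTS).items():
        print(key, "->", ", ".join(reasons))
```

The WorkstationName field is attacker-controlled (it is whatever the RDP client announces), so an unfamiliar value is a signal, but a familiar one proves nothing; that is why the check is combined with source address and time of day rather than used alone.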
7. Case Study: The High Cost of Business Process Delays
One highlighted MDR case details a company breached three times in 14 months via a vulnerable FortiGate VPN appliance running 14-year-old firmware. Despite repeated recommendations, business process constraints delayed patching, and ransomware actors struck again.
In the final attack, ransomware encrypted the entire estate justΒ nine daysΒ after a previous incident. The same compromised service account was still active. Only then was the VPN disabled.
This example underscores how business process failures let cybercriminals return and succeed, again and again.
8. Attackers’ Toolkits Are Evolving: Goodbye Cobalt Strike, Hello Impacket
Sophos recorded a dramatic rise in Impacket usage, especially tools like:
- wmiexec.py (seen in 35% of attacks), which runs commands on remote hosts over WMI
- secretsdump.py, used for credential dumping
By contrast, Cobalt Strike, once a staple of ransomware operations, appeared in just 7.5% of cases, down from 25% in earlier years. Sophos attributes the decline to improved detection and blocking.
9. LOLBins Continue to Be a Threat
Living-off-the-land binaries (LOLBins), legitimate Windows tools turned to malicious use, saw a 126% increase in the number of unique binaries abused.
Top LOLBins included:
- cmd.exe
- wevtutil.exe (used to clear event logs)
- notepad.exe (used to read plaintext password files)
Attackers continue to use built-in tools to avoid detection, making endpoint behavior monitoring more critical than ever.
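Because both the Impacket tools of section 8 and the LOLBins above are legitimate or dual-use binaries, file-based blocking does little; the signal is in process lineage and command lines. As an added example (not code from the Sophos report or any Sophos product), the block below runs three such checks over constructed Sysmon Event ID 1 / Security 4688-style records. The wmiexec.py check relies on that tool's documented default behaviour: it executes commands through WMI, so cmd.exe is spawned by WmiPrvSE.exe with the switches `/Q /c` and its output redirected to `\\127.0.0.1\ADMIN$\__<timestamp>`. The host names, paths and sample events are constructed for the example.

```python
"""Detect Impacket wmiexec.py execution and LOLBin abuse in process-creation telemetry.

Added example (not from the Sophos report). Records are constructed to resemble
Sysmon Event ID 1 / Security 4688 fields. Patterns encoded:
  * wmiexec.py (default options): WmiPrvSE.exe -> cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<ts> 2>&1
  * wevtutil.exe cl / clear-log: event log wiped (anti-forensics)
  * notepad.exe opening a file whose name suggests stored credentials
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    ProcessEvent("SRV-FILE01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1717500000.12 2>&1"),
    ProcessEvent("WS-A1B2C3", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir"),
    ProcessEvent("SRV-DC01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe",
                 r"wevtutil.exe cl Security"),
    ProcessEvent("SRV-DC01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe",
                 r"wevtutil.exe qe Security /c:5 /f:text"),
    ProcessEvent("WS-A1B2C3", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 r'"C:\Windows\System32\notepad.exe" C:\Users\j.doe\Desktop\passwords.txt'),
]

# Default wmiexec.py output file: \\127.0.0.1\ADMIN$\__<unix timestamp>
WMIEXEC_OUTPUT_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?", re.IGNORECASE)
# Both the short and long forms of the clear-log verb
WEVTUTIL_CLEAR_RE = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
# Heuristic for "credential notes" opened in an editor; tune to local naming habits
CRED_FILE_RE = re.compile(r"(pass(word|wd)?|creds?|secret)[^\\]*\.txt\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: ProcessEvent) -> list[str]:
    """Return the names of every pattern the event matches."""
    hits = []
    if (basename(ev.parent_image) == "wmiprvse.exe" and basename(ev.image) == "cmd.exe"
            and "/q /c" in ev.command_line.lower() and WMIEXEC_OUTPUT_RE.search(ev.command_line)):
        hits.append("impacket-wmiexec")
    if basename(ev.image) == "wevtutil.exe" and WEVTUTIL_CLEAR_RE.search(ev.command_line):
        hits.append("wevtutil-log-clear")
    if basename(ev.image) == "notepad.exe" and CRED_FILE_RE.search(ev.command_line):
        hits.append("notepad-credential-file")
    return hits


def scan(events: list[ProcessEvent]) -> list[tuple[str, str]]:
    """Return (host, detection) pairs in telemetry order."""
    return [(ev.host, hit) for ev in events for hit in detect(ev)]


if __name__ == "__main__":
    for host, hit in scan(SAMPLE_EVENTS):
        print(f"{host}: {hit}")
```

Two caveats a practitioner would add: the wmiexec.py signature depends on default options (the output share and `__<timestamp>` file name can be changed, and modified forks exist), so treat any cmd.exe child of WmiPrvSE.exe as worth a look even when the redirection is absent; and a wevtutil clear also leaves Event ID 1102 in the Security log, which should be forwarded off-host before the attacker reaches it.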
10. Exfiltration Confirmed in 27% of Cases
Data exfiltration was confirmed in 27% of all cases, with signs of staging or possible exfiltration in another 9%. Among ransomware victims, 43% had confirmed data theft.
Remote ransomware attacks, in which a compromised or unmanaged machine encrypts files on other hosts over network shares, have surged 141% since 2022. They often evade endpoint detection because no malware is written to the machines whose files are encrypted.
11. The Ransomware Landscape Is Fragmenting
After the takedown of LockBit, no single group dominated the field in 2024. Still, Akira, Fog, and LockBit remnants were among the most observed.
This fragmentation makes attribution harder and reinforces the need for broad, behavior-based defenses rather than threat-actor-specific strategies.
12. Sophos' Recommendations: How to Defend Effectively
To build a more resilient defense posture, Sophos urges organizations to:
- Close exposed RDP ports
- Use phishing-resistant MFA
- Patch all internet-facing systems promptly
- Deploy 24/7 MDR or EDR solutions
- Develop and rehearse incident response plans
Conclusion: Proactive Security Is the Only Way Forward
The 2025 Sophos Active Adversary Report makes one thing clear: passive security is no longer an option. Attacks are faster, more sophisticated, and increasingly rely on tools that mimic legitimate system behavior.
Organizations must embrace real-time monitoring and swift response capabilities, and eliminate internal roadblocks to patching and configuration changes. Otherwise they risk learning hard lessons, as some of the case studies show, too late.
With valid credentials now the most common weapon, and data exfiltration happening within days, the question isn't if you'll be targeted, but whether you're ready to respond in time.