Credential abuse techniques rank as attackers’ most effective tactic, Kaspersky reports

According to a recent global report by Kaspersky Security Services, password guessing and valid account misuse rank among the most effective tactics used by cyber criminals in 2025. This trend reflects a strategic shift, as attackers move away from noisy malware that triggers endpoint protection and instead use legitimate access to evade detection.

The ‘Anatomy of a Cyber World’ is an in-depth global report based on data gathered from Kaspersky Managed Detection and Response (MDR), Incident Response (IR), Compromise Assessment and SOC Consulting in 2025. It covers the most common adversary techniques, tools and detection scenarios and highlights the peculiarities of detected incidents.

According to the report, a significant portion of the most frequently monitored attack techniques revolves around credentials and identity management. This analysis, which examines the conversion rates* of various Indicators of Attack (IoA), highlights the following prevalent malicious tactics:

Password guessing – 34.8%. This technique entails attackers systematically trying different passwords until successfully gaining access to an account. It tops the conversion list due to its occurrence in both actual attacks and authorised security assessments, making it a persistent threat in today’s cybersecurity landscape. Organisations that rely on weak or reused passwords continue to enable this age-old strategy.

Local account creation – 34.7%. Once inside a system, attackers frequently create new local accounts to maintain access even if their original foothold is discovered and removed. This technique is frequently observed during security exercises and can be detected — but only with the right telemetry in place, which is often lacking.

Valid account abuse – 34.5%. Instead of deploying malware, attackers log in using stolen or compromised credentials and simply blend in with normal user activity. This makes detection significantly harder, as the access itself appears legitimate. The high conversion rate underscores why compromised credentials remain one of the most dangerous attack vectors.

Account manipulation – 32%. Attackers modify existing accounts to consolidate access, for example by activating disabled accounts, altering group memberships, or escalating privileges. This reinforces the broader pattern — rather than introducing new tools, adversaries deepen their control using what is already there.

Network service discovery – 31.2%. Before moving deeper into a network, attackers typically scan for open services and systems they can reach. This reconnaissance step is a strong predictor of what follows: lateral movement and further exploitation. Detecting it early gives security teams a critical window to intervene.

The report ranks attacker techniques by how frequently observed activity ultimately resulted in confirmed malicious incidents. According to Kaspersky experts, while MITRE ATT&CK® catalogs a vast number of adversary techniques, effective detection requires prioritising behaviours with the highest probability of malicious intent while avoiding excessive false positives.
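As an added illustration (not taken from the Kaspersky report or this article), the sketch below correlates the credential techniques listed above into a single finding: a burst of failed logons followed by a success, then account creation or manipulation by the same account on the same host. It assumes Windows Security event IDs 4625, 4624, 4720, 4722 and 4732; the sample events, field layout and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs (an assumption of this example; the article names no IDs).
FAILED, SUCCESS = 4625, 4624
FOLLOW_UP = {4720: "local account creation",
             4722: "account manipulation (account enabled)",
             4732: "account manipulation (added to local group)"}

# Constructed sample telemetry: (time, host, event_id, acting account, source address).
# Simplified: real 4720/4732 records carry the actor in SubjectUserName.
EVENTS = [(f"2025-03-01T02:00:0{i}", "srv01", 4625, "svc_backup", "10.0.0.50") for i in range(1, 7)] + [
    ("2025-03-01T02:00:09", "srv01", 4624, "svc_backup", "10.0.0.50"),
    ("2025-03-01T02:03:10", "srv01", 4720, "svc_backup", "-"),
    ("2025-03-01T02:03:40", "srv01", 4732, "svc_backup", "-"),
    ("2025-03-01T08:59:00", "ws07", 4625, "alice", "10.0.0.21"),   # two typos, then success
    ("2025-03-01T08:59:20", "ws07", 4625, "alice", "10.0.0.21"),
    ("2025-03-01T08:59:40", "ws07", 4624, "alice", "10.0.0.21"),
    ("2025-03-01T09:30:00", "srv02", 4720, "it_admin", "-"),       # routine provisioning
]

def correlate(events, min_failures=5, window=timedelta(minutes=30)):
    """Return one finding per account that logged on after a failure burst,
    extended with follow-up account changes it made on the same host."""
    failures = defaultdict(list)   # (host, account, source) -> failure times
    findings = {}                  # (host, account) -> finding
    for ts, host, eid, account, source in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (host, account, source)
        if eid == FAILED:
            failures[key].append(t)
        elif eid == SUCCESS:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= min_failures:
                findings[(host, account)] = {
                    "host": host, "account": account, "source": source,
                    "failures": len(recent), "success_at": t,
                    "stages": ["password guessing", "valid account abuse"]}
            failures[key].clear()  # a success resets the failure counter
        elif eid in FOLLOW_UP and (host, account) in findings:
            f = findings[(host, account)]
            if t - f["success_at"] <= window and FOLLOW_UP[eid] not in f["stages"]:
                f["stages"].append(FOLLOW_UP[eid])
    return list(findings.values())

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding["host"], finding["account"], finding["stages"])
```

Neither the user who mistyped a password twice nor the administrator's standalone account creation produces a finding; only the chained sequence does, which is the kind of prioritisation the paragraph above describes.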

“Threat actors do not always need sophisticated malware to achieve their objectives. In many cases, legitimate administrative tools and compromised accounts remain the fastest and most effective way to move inside an organisation while avoiding detection. The continued popularity of these techniques shows that organisations need deep visibility into attacker behaviour and the ability to correlate suspicious activity across different stages of an attack. To address these challenges, companies can enhance their security with our solutions: Kaspersky Managed Detection and Response and Incident Response which cover the entire incident management cycle – from threat detection to continuous protection and remediation,” comments Sergey Soldatov, Head of Security Operations Center at Kaspersky.

To learn more about attacker tactics and techniques, the characteristics of detected incidents and their distribution across regions and industry sectors, read the full report.
