
Initial Access

Cybersecurity statistics about initial access


260 initial access brokers advertised to over 1,400 European organizations in 2025.

Phishing (including malspam, vishing, and malvertising) was the dominant intrusion vector, accounting for approximately 60% of cases.

Vulnerability exploitation accounted for 21.3% of initial access vectors.

Insider threats accounted for 0.8% of initial access vectors.

Comcast Business detected 4.7 billion phishing attempts, which specifically targeted human error and poor credential hygiene.

Botnets accounted for 9.9% of initial access vectors.

Malicious applications accounted for 8% of initial access vectors.

SCATTERED SPIDER moved from initial access to encryption by deploying ransomware in under 24 hours in one observed case.

Initial access brokers on cybercriminal forums are increasingly offering: corporate credentials (20%), RDP access (19%), admin panels (13%), web shells (12%).

The top initial access vector observed in 2024 was a tie between exploitation of public-facing applications and use of valid account credentials, both representing 30% of X-Force incident response engagements.

The average time from initial access to domain control has shrunk to under two hours.

For Initial Access, the most observed technique by DirectDefense is Valid Accounts, which involves leveraging stolen credentials for unauthorized access. Alerts triggered for Initial Access include: First Ingress Authentication from Country, Multiple Country Ingress Authentications, Multiple Wireless Country Authentications.

DirectDefense mapped alerts to the MITRE ATT&CK® framework to identify the top five tactics. The top five tactics identified are: Initial Access, Persistence, Lateral Movement, Execution, and Credential Access.

4 of 5 (83%) financial fraud claims began with email.

Email was the preferred entry vector for cybercriminals, driving 43% of claims.