Phishing drove 40% of 2025 breaches; MFA, direct send abused

Phishing opened 40% of 2025 incidents as attackers exploited MFA workflows and Microsoft 365 Direct Send to spoof internal emails and send lures from trusted accounts, a report released Tuesday found.
Phishing supplied initial access in 40% of incidents in 2025. Attackers exploited weak points in multi-factor authentication and abused Microsoft 365 Direct Send to make emails look internal. The findings come from a Year in Review report released Tuesday, April 21, 2026.
The analysis describes cascaded phishing, where a first compromised account is used to send follow-on lures to employees and trusted partners. Email content shifted from generic spam to workflow-style messages tied to IT requests, travel bookings and logistics updates, while political themes declined. Repetitive and inconsistent formats in legitimate expensing and travel emails lowered vigilance. Many lures sent users to fake single sign-on pages to steal credentials, payment details or MFA tokens.
A review of thousands of blocked emails found 60% of subject lines used terms such as “request,” “invoice,” “fwd” and “report.” IT-focused phishing grew more technical, using words like “tampering,” “domain,” “configuration” and “token,” reflecting a push into IT and security workflows that can lead to deeper access.
Attackers also exploited Microsoft 365 Direct Send, the feature used by printers and scanners to email documents. By spoofing internal addresses, attackers made a message appear to originate from, and reply to, the same internal account. Such internal-looking emails often bypass the stricter filtering applied to external mail and routine user checks, allowing convincing lures to reach inboxes without prior credential theft.
Identity and access systems were frequent targets. Nearly one-third of 2025 MFA spray attacks focused on identity and access management tools. Reported device compromise incidents rose 178%, driven in part by voice phishing that tricked administrators into registering attacker-controlled devices. With that access, intruders harvested single sign-on tokens and changed user roles, reset credentials or altered MFA policies to persist.
Tactics varied by environment. MFA spray worked best in organizations with predictable login behavior and centralized identity controls. Device compromise was more effective in networks with many unmanaged or frequently changing endpoints and lagging MFA enrollment or device governance. Higher education was the most targeted sector for device compromise, a pattern tied to diverse device populations, uneven patching and management, lenient new-device verification and large public directories that aid targeted phishing. Universities were an unfavorable target for MFA spray because credential formats and MFA methods vary, and many institutions enforce strong portal policies, lockouts and attempt limits.
After initial access, attackers relied on living-off-the-land binaries and dual-use open-source tools that blend with normal operations, complicating detection and response.
The report recommends treating internal-looking messages with the same scrutiny as inbound mail, tightening SPF and DMARC enforcement, enabling Microsoft’s “Reject Direct Send” control and blocking external IP use of sensitive features. For MFA spray, it highlights lockout policies, improved password hygiene and conditional access. For device compromise, it points to endpoint hardening and management, session controls and phishing-resistant MFA with governed enrollment.
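The Direct Send abuse described above, and the report's recommendation to scrutinize internal-looking mail the same way as inbound mail, can be turned into a simple triage rule. The following is an added example written for this page, not code from the report or from Microsoft: it parses raw message headers and flags messages whose From domain is the organization's own but which arrived from an IP outside the organization's known sending ranges, did not pass SPF, or are addressed from a user to that same user, and it separately notes the subject-line terms the report found most common in blocked lures. The domain `example.com`, the trusted address ranges, and the three sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the protected tenant's primary domain.
ORG_DOMAIN = "example.com"
# Assumption: ranges from which the org's own printers, scanners and apps
# legitimately submit mail via Direct Send.
TRUSTED_SENDERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]
# Subject terms the report found in 60% of blocked subject lines, plus the
# IT-themed terms it called out.
SUBJECT_TERMS = ("request", "invoice", "fwd", "report",
                 "tampering", "domain", "configuration", "token")

_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP in the topmost Received: header, i.e. the host that handed the
    message to our edge. None if it cannot be parsed."""
    for hdr in (msg.get_all("Received") or [])[:1]:
        m = _RECEIVED_IP.search(hdr)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def spf_result(msg):
    """SPF verdict from Authentication-Results, or 'none' if absent."""
    m = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def assess(raw):
    """Return a list of finding codes for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_addr, to_addr = from_addr.lower(), to_addr.lower()
    findings = []

    # Internal-looking mail gets the same checks as external mail.
    if from_addr.rpartition("@")[2] == ORG_DOMAIN:
        ip = connecting_ip(msg)
        if ip is None or not any(ip in net for net in TRUSTED_SENDERS):
            findings.append("untrusted_source_ip")
        if spf_result(msg) != "pass":
            findings.append("spf_not_pass")
        if from_addr == to_addr:
            findings.append("self_addressed")

    subject = msg.get("Subject", "").lower()
    if any(re.search(rf"\b{t}\b", subject) for t in SUBJECT_TERMS):
        findings.append("lure_subject")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """\
Received: from unknown ([198.51.100.7]) by mx.example.com; Tue, 21 Apr 2026 09:00:00 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com
From: Alice <alice@example.com>
To: alice@example.com
Subject: FWD: Invoice request - action needed

Please review the attached invoice via the portal link.
"""

PRINTER = """\
Received: from mfp-2.example.com ([10.20.30.40]) by mx.example.com; Tue, 21 Apr 2026 09:05:00 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
From: scanner@example.com
To: alice@example.com
Subject: Scanned document from MFP-2

Your scan is attached.
"""

VENDOR = """\
Received: from mail.vendor.example ([192.0.2.10]) by mx.example.com; Tue, 21 Apr 2026 09:10:00 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.example
From: Bob <bob@vendor.example>
To: alice@example.com
Subject: Invoice 4471 for March

Attached as agreed.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("printer", PRINTER), ("vendor", VENDOR)):
        print(name, assess(raw) or "clean")
```

Run stand-alone it prints a finding list per sample: the self-addressed message from an untrusted IP that fails SPF collects every internal-mail finding plus the subject hit, the genuine scanner message from a trusted range is clean, and the external vendor mail only triggers the subject-term note. In production the trusted ranges would come from the mail gateway's connector configuration rather than a hard-coded list, and the subject check is a triage hint, not a verdict, since the same words dominate legitimate expensing and travel mail.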