SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Identity attacks dominate Expel's 2026 threat report

Thu, 5th Mar 2026

Identity-based attacks made up more than two-thirds of the security incidents Expel handled during 2025, underscoring threat actors' continued reliance on stolen credentials and weak configurations rather than novel techniques.

Expel's 2026 Annual Threat Report found identity was the primary attack surface in 68.6% of incidents observed over the year. Endpoint activity ranked second at 29%.

Security controls stopped many credential-driven attempts quickly, but not all of them. Of the identity-based attacks that used legitimate credentials, 52.3% failed immediately because of controls such as multi-factor authentication. The remaining 47.7% ended with the attacker gaining access.

The figures highlight the gap between preventative controls and the realities of incident response. Credential theft remains effective because a sign-in with stolen but valid credentials looks like ordinary user activity, so it attracts less scrutiny from monitoring tuned to spot malware or exploitation.
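As an added illustration of that detection gap (example code written for this page, not from Expel's report or tooling), the script below runs three simple rules over a sign-in log: a password accepted with no second factor enforced, a success from a country never seen for that user, and a burst of failures from one source immediately before a success. The log lines, the field names (user, result, mfa, ip, geo) and the per-user baseline are constructed assumptions, not any vendor's real schema or telemetry.

```python
"""Flag valid-credential sign-ins that a preventive control let through.

Constructed sample: the log lines and field names below are made up for this
example and do not come from Expel or any identity provider's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real telemetry).
SAMPLE_LOG = """\
2025-06-03T08:02:10Z user=alice result=success mfa=satisfied ip=203.0.113.10 geo=AU
2025-06-03T08:40:31Z user=bob result=failure mfa=n/a ip=198.51.100.7 geo=NL
2025-06-03T08:41:02Z user=bob result=failure mfa=n/a ip=198.51.100.7 geo=NL
2025-06-03T08:41:40Z user=bob result=failure mfa=n/a ip=198.51.100.7 geo=NL
2025-06-03T08:42:15Z user=bob result=success mfa=not_required ip=198.51.100.7 geo=NL
2025-06-03T09:15:00Z user=alice result=success mfa=satisfied ip=192.0.2.55 geo=US
2025-06-03T09:30:12Z user=carol result=failure mfa=denied ip=203.0.113.77 geo=AU
"""

# Constructed per-user baseline: countries seen during a prior "known good" window.
BASELINE_GEO = {"alice": {"AU"}, "bob": {"AU"}, "carol": {"AU"}}

FAILURE_WINDOW = timedelta(minutes=10)  # look-back for the failure burst rule
FAILURE_THRESHOLD = 3                   # failures in the window that count as a burst


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def flag_signins(log_text, baseline):
    """Return (rule, user, ip, ts) alerts, in time order, for successful sign-ins
    that still look like credential abuse despite passing the front door."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps
    alerts = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            recent_failures[key].append(e["ts"])
            continue
        # Rule A: the password was accepted and no second factor was enforced,
        # i.e. the control that stops most credential replay was absent here.
        if e["mfa"] in ("not_required", "none"):
            alerts.append(("mfa_gap", e["user"], e["ip"], e["ts"]))
        # Rule B: success from a country never seen for this user. Checked even
        # when MFA is "satisfied", because a phished or fatigued MFA prompt
        # produces exactly the same success record as a legitimate one.
        if e["geo"] not in baseline.get(e["user"], set()):
            alerts.append(("new_geo", e["user"], e["ip"], e["ts"]))
        # Rule C: a burst of failures from the same source right before success,
        # the pattern of guessing or spraying that finally landed.
        window_start = e["ts"] - FAILURE_WINDOW
        burst = [t for t in recent_failures[key] if t >= window_start]
        if len(burst) >= FAILURE_THRESHOLD:
            alerts.append(("failures_then_success", e["user"], e["ip"], e["ts"]))
        recent_failures[key].clear()  # a success ends the current burst
    return alerts


if __name__ == "__main__":
    for alert in flag_signins(SAMPLE_LOG, BASELINE_GEO):
        print(*alert)
```

On the constructed log this raises three alerts for bob's sign-in (no MFA, unseen country, preceded by a failure burst) and one for alice's later sign-in from the US, while alice's ordinary Australian login and carol's denied attempt produce nothing. The point of rule B is the one the report's numbers make: a success that cleared MFA is still worth a second look when everything else about it is new for that user.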

Endpoint activity

Endpoint-originated incidents involved enterprise computers and servers and were largely opportunistic. Malware accounted for 63.9% of endpoint incidents, while hands-on hacking made up 21.4%. Server-side vulnerability exploitation represented 2.3%.

The report noted that attackers relied on established delivery methods, citing ClickFix lures (which talk the user into pasting and running an attacker-supplied command) and backdoored productivity apps as examples seen during the year.

Cloud incidents

Cloud infrastructure accounted for 2.5% of incidents in Expel's data, a small but growing category.

Many cloud-related incidents involved unauthorised access traced to misconfigurations, vulnerabilities, and exposed cloud secrets. While the cloud was a smaller entry point in the dataset, the report noted that data and business systems are increasingly concentrated in cloud environments, which raises the stakes of each intrusion.

The cloud was also the most common destination for exfiltrated data, Expel said, making it a key target even where it was not the point of entry.

Incident volume

Incident volume varied by organisation size. Small organisations with fewer than 1,000 employees averaged six incidents per year. Medium-sized organisations (1,000 to 10,000 employees) averaged 24. Enterprise customers with more than 10,000 employees averaged 68.

The findings point to a relationship between size, visibility, and complexity. Larger organisations typically run more systems, rely on more third parties, and manage more identities, widening the number of potential entry points.

Operational gaps

The report attributed many successful intrusions to day-to-day security execution rather than a lack of awareness, and highlighted the period between detection and response as a time of heightened risk.

"The gap between detecting a threat and actually doing something about it is where breaches happen. We saw it play out across our customer base all year: Many intrusions succeeded simply because the 'basics', like MFA or proper configurations, weren't fully optimised," said Greg Notch, CSO, Expel.

Phishing and supply chain

Expel identified phishing as a primary driver of the malicious activity tied to identity compromise. Among the malicious phishing submissions it reviewed during 2025, credential-harvesting lures dominated, showing attackers prioritising credential theft. Social engineering lures that try to talk the recipient into taking a specific action were a distant second.

Supply chain risk also featured prominently. Expel's security operations centre observed a shift in supply chain attacks late in 2025 with the emergence of the Shai Hulud 2.0 worm, whose campaigns typically began with phishing aimed at NPM package maintainers.

Sectors and priorities

Manufacturing, financial services, and healthcare saw the most incidents in Expel's dataset, in that order. The report also noted differences in incident mix across sectors: healthcare recorded more malware than manufacturing, while financial services saw more incidents involving valid credentials than healthcare.

Looking ahead, the report outlined several themes for security leaders in 2026, including managing identity risks across third and fourth parties, budget pressure, and supply chain risk across internal software and SaaS providers. It also highlighted the need for CISOs to get "their arms around AI risks and governance."