Key Findings

• Phishing attacks have surged 400% year-over-year, with nearly 40% of the 28+ million recaptured phished records containing a business email address, compared to just 11.5% in recaptured malware data.

• Enterprises are now three times more likely to be targeted with phishing attacks than infostealer malware.

• Phishing has become the preferred gateway into enterprise environments, and is now the leading entry point for ransomware, accounting for 35% of all ransomware infections.

• Cybercrime enablement services, like phishing-as-a-service kits, are putting advanced tactics into the hands of low-skilled actors, making it easier to compromise users at scale.

• Malware remains a critical threat vector, with nearly 1 in 2 corporate users having been the victim of an infostealer malware infection in their digital history.

Background

The findings reinforce a growing shift in cybercriminals' strategy: phishing is now the preferred gateway into enterprise environments, and SpyCloud sees this trend continuing in 2026. Threat actors are using this access as a launchpad for follow-on attacks, with SpyCloud reporting in its 2025 Identity Threat Report that phishing is now the leading entry point for ransomware, accounting for 35% of all ransomware infections.

Phishing as a Scalable Breach Tactic

"Phishing is now one of the most scalable tools cybercriminals use to breach enterprise environments," said Trevor Hilligoss, SpyCloud's Head of Security Research. "Cybercrime enablement services, like phishing-as-a-service kits that automate convincing lures and adversary-in-the-middle tactics that capture MFA tokens and session cookies, put advanced tactics into the hands of low-skilled actors, making it easier than ever to compromise users at scale. SpyCloud's visibility into these campaigns gives organizations a critical edge, helping them detect who's been targeted and what data has been exposed, and remediate those credentials before they can be weaponized."

Malware Threats Remain Critical

While phishing has become a dominant entry point, malware remains a critical threat vector. In the age of remote work and bring-your-own-device policies, personal exposures are increasingly used to compromise enterprise environments. A recent example is the 2025 Nikkei breach, where malware on a personal device led to the compromise of sensitive corporate data. Despite only 11.5% of recaptured malware infections exfiltrating business email addresses directly, SpyCloud data shows that nearly 1 in 2 corporate users have been the victim of an infostealer malware infection in their digital history, whether that be on a managed or unmanaged device – a strong indicator that threat actors are moving laterally from personal to corporate accounts.

Holistic Identity Protection is Essential

"Protecting the enterprise means looking beyond corporate accounts," Fleury added. "Due to the continuous reuse of passwords and shared identity data across work and personal accounts like mobile numbers, the line between a user's personal digital history and their professional access effectively no longer exists. That's why it's essential to monitor and remediate exposures across the full spectrum of an individual's digital identity – personal and professional."

Sources

• https://securityonline.info/spycloud-data-shows-corporate-users-3x-more-likely-to-be-targeted-by-phishing-than-by-malware/

• https://hackread.com/spycloud-data-shows-corporate-users-3x-more-likely-to-be-targeted-by-phishing-than-by-malware/

• https://spycloud.com/newsroom/phishing-has-surged-400-percent-year-over-year/