2026 State of Enterprise Infostealer Identity Exposure
One in Five Infections May Yield Enterprise Credentials this Year
Enterprise identity credentials remain a prime target for infostealer malware. This report analyzes 18.7 million infostealer logs collected between January and November 2025, with a focus on enterprise identity provider credential exposure. The findings reveal a concerning trend: enterprise identity exposure intensified on two fronts in 2025, with enterprise identity log volume increasing and the proportion of infections yielding enterprise identity access climbing from ~6% in January 2024 to nearly 14% of all logs in November 2025. Preliminary December data suggests this trend may be accelerating: early numbers show enterprise identity exposure jumping to 16%, well above model predictions.
In 2024, enterprise identity logs accounted for roughly 8% of all infostealer activity on average.
In 2025, that figure jumped to exceed 11%. Across 2025, enterprise identity logs represented more than one in ten infostealer infections, corresponding to 2.05 million compromised enterprise identities in total. This shift reflects the accelerating corporate adoption of centralized identity systems. While they improve usability and baseline security, they also concentrate risk by creating single points of failure.
Microsoft Entra ID dominates, appearing in 79% of enterprise identity logs. And over 1.17 million logs contained both credentials and session cookies, giving attackers the keys to potentially bypass MFA entirely.
Key Findings of the State of Stealer Logs
- Of the 18.7 million stealer logs analyzed, 2.05 million contained credentials for enterprise identity providers
- In 2025, enterprise identity exposure intensified on two fronts: overall volume increased while risk density sharpened, as enterprise identity logs grew from ~8% to ~11% of all logs.
- Microsoft Entra ID credentials appeared in 79% of enterprise identity logs, making them by far the most compromised identity provider
- Over 18% of identity logs contained credentials for multiple identity providers, expanding blast radius
- More than 1.17 million logs represented the full jackpot, combining enterprise identity credentials with enterprise identity session cookies, allowing attackers to bypass authentication even when MFA was enabled.
Looking ahead, models project enterprise identity exposure reaching 15–16% of all infostealer infections by late 2026 under baseline assumptions. But if December's surge holds, enterprise identity exposure could hit 20%, the point at which one in five infections yields enterprise credentials, as early as Q3 2026.
Defining Infostealer Malware
Compromised identities have become one of the most significant threat vectors for organizations since the advent of ransomware. The 2025 Verizon DBIR, utilizing Flare's exposed credential data, found that an astonishing 85% of web application attacks were facilitated through leaked credentials. The conclusion is straightforward: threat actors exploit the simplest path to gain access and make money, and stolen credentials are that path.
But "credentials" is a broad term, and the ways they are exposed are myriad. Understanding the ecosystem is essential to understanding why infostealers have emerged as one of the dominant threats to enterprise identity.
Named data breaches remain a persistent source of exposure. When major web applications are compromised (eBay, LinkedIn, Neopets, and countless others), the credential pairs of all their users are often leaked en masse. Threat actors recycle these credentials using automated tools like OpenBullet to test them against other services, exploiting the reality that most people reuse passwords.
Phishing kits have industrialized credential theft. These pre-packaged toolkits enable threat actors to rapidly deploy convincing fake login pages impersonating Microsoft 365, banks, and other services. Modern kits include evasion techniques, real-time credential capture and session token harvesting capabilities, flooding the criminal ecosystem with fresh credentials daily.
Combolists and ULPs aggregate and structure this stolen data. Combolists compile username-password pairs from multiple sources, deduplicated and sorted by email domain or service for efficiency. URL:Login:Password (ULP) files pair credentials with the specific domains where they were captured, enabling targeted credential stuffing at scale.
Exposed sessions represent a different category of risk entirely. Authentication tokens, session cookies, or API keys inadvertently exposed through misconfigured servers, public code repositories, or malware can bypass multi-factor authentication entirely, granting immediate access to authenticated accounts without requiring a password.
Compared with these disparate credential sources, stealer logs package together far more information about the victim.
Each of these vectors poses real risk. But they share a common limitation: they offer fragmented, often stale snapshots. A breach yields credentials from one service. A phishing campaign captures logins for one platform. A combolist aggregates data of uncertain age and validity and an exposed session token may have already expired.
Infostealer malware has changed the game entirely. It combines all of these threats into a single, comprehensive package harvested from an individual machine. A stealer log doesn't contain one credential from one breach; it contains every:
- browser-saved password
- autofill field
- stored login
- active session
from the infected machine. It's not a collage of potentially dead credentials assembled from disparate sources; it's a complete, current snapshot of a single victim's digital identity.
This comprehensiveness of a stealer log is what makes infostealers uniquely dangerous. The victim's entire saved credential history and sessions, across every browser and every service, lands in the hands of threat actors. A single infection yields hundreds of credentials spanning personal accounts, corporate applications, and enterprise identity platforms alike.
And since the data is harvested directly from the victim's browser on the day of the infection, the credentials are far more likely to be current and valid. Threat actors then distribute these logs through Telegram channels and dark web marketplaces like Russian Market, where they fuel account takeover, financial fraud, and initial access into corporate environments.
Why Enterprise Identity Is the Ultimate Prize
The rapid global adoption of centralized identity systems has fundamentally changed the threat landscape. As cybersecurity concerns grow year over year, companies are investing more in their security posture. The identity and access management market is projected to reach $42.61 billion by 2030, with SSO solutions growing at a 13.5% CAGR. More organizations than ever rely on platforms like Microsoft Entra ID, Okta, and AWS IAM Identity Center to manage authentication across their entire application ecosystem.
This push towards identity centralization certainly improves usability and baseline security posture, but it also concentrates risk. A single compromised credential can now function as a master key, unlocking not just one application but an employee's entire digital footprint: email, cloud storage, HR systems, financial platforms, and business SaaS applications. For attackers, enterprise identity credentials represent the highest-value targets in the credential economy.
This is why infostealers have become a dominant threat to enterprise security. They don't just steal one password; they steal every password. And when those passwords include enterprise SSO credentials, attackers gain the keys to the kingdom.
Methodology
Infostealer malware is rarely targeted. Instead, among several distribution methods, threat actors often rely on large-scale distribution schemes that seed cracked software with infostealers and promote them through compromised Google Ads and Facebook accounts. While many threat actors specialize in compromising consumer accounts found in stealer logs, ransomware affiliates and initial access brokers actively comb through logs to identify high-risk enterprise assets that can be used to facilitate an attack.
Active Directory is one of the most promising targets, and often the first stop after a ransomware group gains network access. AD serves as the backbone of enterprise identity management. When an employee saves their AD credentials in a browser, whether for Outlook Web Access, a VPN portal, or an internal application, those same credentials often unlock dozens of connected systems. Threat actors understand this, and actively filter stealer logs for corporate domains and AD-integrated services.
The risk compounds with Single Sign-On implementations. Organizations increasingly federate AD with cloud services through Azure AD (now Entra ID) or ADFS. A single harvested credential can grant access to email, cloud storage, HR systems, and business applications simultaneously, potentially bypassing MFA entirely. Initial access brokers specifically prize these credentials because they dramatically shorten the path from initial access to full network compromise.
This is why this report focuses specifically on enterprise identity provider credentials: they represent the highest-value targets in the stealer log ecosystem.
Data Collection and Scope
This report analyzes stealer log data from infections occurring between January 1st and November 30th, 2025, focusing on credentials associated with enterprise Single Sign-On (SSO) and Identity Provider (IdP) platforms.
SSO systems allow users to authenticate once and gain access to multiple applications without re-entering credentials. IdPs are the services that verify user identities and issue authentication tokens (e.g. Okta, Microsoft Entra ID, and Ping Identity). Because these platforms serve as centralized gateways to an organization's entire application ecosystem, compromised SSO/IdP credentials represent a particularly high-value target for threat actors seeking broad access from a single point of entry.
Detection Methodology
This report applied a high-confidence detection targeting known enterprise identity and access management (IAM) platforms that provide SSO capabilities:
- Microsoft Entra ID: login.microsoftonline.com, sts.windows.net, login.microsoft.com
- Okta: *.okta.com, *.oktapreview.com
- JumpCloud: *.jumpcloud.com
- AWS IAM Identity Center: *.awsapps.com, signin.aws.amazon.com
- Oracle: login.oracle.com, *.oraclecloud.com
- OneLogin: *.onelogin.com
- Plus 10 additional enterprise IdPs (Salesforce, Duo, Ping, etc.)
Microsoft Entra Filtering: To ensure Microsoft credentials represented true enterprise accounts rather than personal Microsoft 365 or education accounts, we required the presence of enterprise-specific URL parameters:
- tid= (Azure AD tenant ID)
- oauth2/v2.0/authorize (OAuth enterprise flow)
- organizations/ (multi-tenant enterprise path)
- adfs (Active Directory Federation Services)
- saml2 (SAML enterprise authentication)
Consumer-mixed providers such as Google Workspace or Auth0 were excluded to ensure conservative enterprise-only figures. The list of included domains for the high-confidence detection in this report is available in the appendix.
Limiting our scope to these authenticated enterprise flows allows for a high-confidence measurement of the threat to corporate environments. Applied to the 18.7 million stealer logs collected in 2025, this lens reveals that infostealer infections yield access to enterprise identity credentials with alarming frequency.
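As an added illustration of the detection rules above (example code written for this article, not the report's own tooling), the following Python classifier applies the listed host patterns and the Microsoft Entra URL markers to the URLs found in a single log. It assumes that any one of the Entra markers is sufficient to count a Microsoft URL as enterprise, treats `tid=` as a query parameter and the other markers as path substrings, and uses constructed sample URLs.

```python
"""
Added example (not the report's own tooling): a high-confidence enterprise IdP
classifier modelled on the detection rules described in the report. Host patterns
and Entra URL markers are taken from the report; the sample URLs are constructed.
"""
import fnmatch
from urllib.parse import parse_qs, urlparse

# Provider -> host patterns (shell-style globs). Consumer-mixed providers such as
# Google Workspace or Auth0 are intentionally absent, mirroring the report's scope.
PROVIDER_HOSTS = {
    "Microsoft Entra": ["login.microsoftonline.com", "sts.windows.net", "login.microsoft.com"],
    "Okta": ["*.okta.com", "*.oktapreview.com"],
    "JumpCloud": ["*.jumpcloud.com"],
    "AWS IAM Identity Center": ["*.awsapps.com", "signin.aws.amazon.com"],
    "Oracle": ["login.oracle.com", "*.oraclecloud.com"],
    "OneLogin": ["*.onelogin.com"],
}

# Entra-specific markers. Assumption for this example: a Microsoft URL counts as an
# enterprise sign-in if it carries a tid= parameter or ANY of these path markers.
ENTRA_PATH_MARKERS = ("oauth2/v2.0/authorize", "organizations/", "adfs", "saml2")


def _host_matches(host, patterns):
    return any(fnmatch.fnmatch(host, pattern) for pattern in patterns)


def classify_url(url):
    """Return the enterprise IdP name for a URL, or None if it is out of scope."""
    # Stealer-log URL fields often lack a scheme; add one so urlparse sees a host.
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    for provider, patterns in PROVIDER_HOSTS.items():
        if not _host_matches(host, patterns):
            continue
        if provider != "Microsoft Entra":
            return provider
        # Entra filtering: drop personal/education Microsoft sign-ins that lack
        # the enterprise markers. keep_blank_values so a bare "tid=" still counts.
        path = parsed.path.lower()
        query = parse_qs(parsed.query, keep_blank_values=True)
        is_enterprise = "tid" in query or any(m in path for m in ENTRA_PATH_MARKERS)
        return provider if is_enterprise else None
    return None


def providers_in_log(urls):
    """Set of distinct enterprise IdPs exposed by one stealer log's URL list."""
    return {p for p in (classify_url(u) for u in urls) if p}


SAMPLE_LOG_URLS = [  # constructed URLs, not real stealer-log data
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc",
    "https://login.live.com/login.srf",            # consumer Microsoft: out of scope
    "https://acme.okta.com/app/UserHome",
    "https://d-1234567890.awsapps.com/start/",
    "https://www.example.com/login",               # not an IdP
]

if __name__ == "__main__":
    for url in SAMPLE_LOG_URLS:
        print(f"{classify_url(url) or '-':25} {url}")
    print("providers in this log:", sorted(providers_in_log(SAMPLE_LOG_URLS)))
```

Matching `adfs` and `saml2` as bare path substrings is deliberately coarse; the trade-off is the one the report describes, erring toward a conservative enterprise-only count rather than catching every variant of a Microsoft sign-in URL.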
Findings
Enterprise Identity Exposure Over Time
Key Metric: In 2025, one in ten infected machines yielded corporate identity credentials.
Enterprise identity credentials remain a prime target for infostealer malware. This report analyzes stealer logs from January 1st, 2025 to November 30th, 2025. Of the 18.7 million stealer logs analyzed, 2.05 million contained credentials for enterprise identity providers.
To put it simply: over one in ten infected machines provided attackers with access to corporate identity credentials.
2025 Monthly Infostealer Log Distribution
Enterprise Identity vs Total Stealer Logs
In 2025, activity started with a downward trend from January through April. May marked the beginning of a sustained recovery, with both total and enterprise identity compromises climbing steadily through the remainder of the year. By June, volumes had returned to near-January levels, representing the highest activity since the year began.
Overall, the volume of logs exposing enterprise identity closely mirrors total log volume, with both curves following nearly identical patterns and differing mainly in scale. This indicates that fluctuations in enterprise identity exposure are largely driven by changes in overall log activity rather than distinct behavioral shifts.
At first glance, 2025 looks like a slight improvement over 2024. The total number of logs collected dropped from 23.6 million in 2024 to 18.7 million in 2025, a 20% year-over-year decrease.
However, this apparent improvement is misleading. The number of logs exposing enterprise identity credentials actually rose from 1.90 million in 2024 to 2.05 million in 2025, an 8% increase. Once you account for that drop, the picture changes significantly.
In 2024, the 1.90 million enterprise identity logs made up about 8% of all logs.
In 2025, 2.05 million logs represent more than 11% of the total, a 3 percentage point increase on average. The chart highlights this shift by comparing monthly percentages across both years and shows a clear upward trend.
In 2024, enterprise identity exposure started at around 6% of all logs and steadily climbed to around 10% by year-end.
In 2025, the year began at an already elevated 10.4% and followed the same upward pattern, ending with a sharp jump in November to nearly 14% (13.7%).
Monthly Enterprise Identity Exposure Rate
Percentage of logs containing enterprise identity credentials
Over the past two years, the share of logs containing enterprise identity access has more than doubled, going from 6% to almost 14%, and is still increasing. In practical terms, we went from roughly one out of every 20 logs containing enterprise identity access to about one out of every seven. So while the absolute number of exposed enterprise identity credentials went down, the proportion of infected machines with enterprise identity access has grown substantially, making the overall risk higher rather than lower.
The rise in the percentage of logs containing enterprise identity credentials could be a by-product of the widespread and accelerating corporate adoption of centralized identity systems.
The rapid global push toward centralized identity infrastructure, an industry projected to reach $42.61 billion by 2030, with SSO solutions growing at a 13.5% CAGR, would naturally mean more corporate endpoints have identity credentials and tokens sitting there, ready to be grabbed. At the same time, the explosion of SaaS apps across organizations could be pushing more companies toward centralized login systems, which in turn expands the pool of machines with enterprise identity sessions worth stealing.
While a centralized identity system improves usability and security posture, it also concentrates risk. They create a “single point of failure:” a single compromised credential or session token can function as a “master key,” granting access to a user’s entire application ecosystem.
Therefore, the growing share of enterprise identity-exposing logs likely reflects an expanding attack surface driven by the widespread adoption of centralized identity solutions. At the same time, rapid enterprise adoption of centralized identity systems often comes with stronger security awareness and defenses, which could explain the reduced overall infection volume. However, when compromises do occur, they are more likely to yield high-value identity credentials, increasing the impact of each successful attack.
This raises the next question: which malware families are driving these high-value compromises? Understanding the distribution of logs across different stealer families provides insight not just into sheer volume, but also into how effectively each family harvests enterprise identity assets.
Malware Families: Who's Harvesting Enterprise Credentials
Key Metric: While the average infostealer family exposes enterprise identity credentials in roughly 10% of infections, families such as AMOS and WorldWind nearly double that rate, with an Enterprise Identity Exposure Index (EIEI) approaching 20%.
Analyzing the distribution of enterprise identity logs per malware family revealed an interesting landscape. While more than half of these logs (53.8%) could not be confidently linked to a specific infostealer family, among attributed logs, one family dominates: Lummac2.
IDP Proportion per Stealer Family
Distribution of identity provider compromises across stealer families
In 2025, the Lumma family was responsible for over 580,000 logs, representing 28.4% of all enterprise identity logs. In other words, roughly one in every four compromised enterprise identity stealer logs originated from Lumma.
Other families trail far behind. RedLine accounts for 7.3% of enterprise identity logs, while Vidar ranks third at 6.3%. It is worth mentioning that following the RedLine takedown in 2024, our data suggests the family has not rebounded in adoption rates; the same analysis performed in 2024 would’ve painted a very different picture.
The enterprise identity log distribution highlights Lumma's outsized role in enterprise identity credential exposure and reinforces its position as one of the most consequential infostealers currently active. However, these figures merely mirror the overall distribution of infections rather than indicating a unique advantage in harvesting enterprise identity data. As shown in the figure below, the top malware families by total log volume closely align with their share of enterprise identity logs. Families accounting for less than 1% of total logs were excluded for clarity.
In 2025, Lumma accounted for 29.3% of all collected logs, which translated almost directly into 28.4% of all enterprise identity logs. Similarly, RedLine was responsible for 6.4% of overall logs and 7.3% of enterprise identity logs. This pattern holds across all families exceeding the 1% threshold: among high-volume infostealers, the share of enterprise identity logs closely tracks their share of total logs.
Log Distribution by Infostealer Family
Comparative analysis of compromise percentages
The shift emerges only when examining lower-volume families. For malware families contributing less than 1% of overall logs, the relationship between total log volume and enterprise identity exposure becomes less uniform, with some exhibiting a higher share of enterprise identity logs relative to their overall presence in the infostealer scene. In these cases, enterprise identity exposure is no longer explained by prevalence in the scene alone.
To capture this dimension, we define the Enterprise Identity Exposure Index (EIEI) as the percentage of logs generated by a given malware family that contain enterprise identity credentials. This measure reflects how likely a stealer log from a specific family is to result in the theft of enterprise identity credentials.
When evaluated using EIEI, several low-volume families emerge as clear outliers. Aurora and Rhadamanthys sit at the high end of the spectrum, with EIEI values of 27.4% and 25.6%, respectively. In practical terms, roughly one in four Aurora logs and one in four Rhadamanthys logs contained an enterprise login credential.
However, such high EIEI values must be interpreted in context: each of these families produced fewer than 300 logs. At such low volumes, even modest fluctuations in activity can yield disproportionately high EIEI values.
Among the high-volume families (i.e., those producing the largest absolute number of logs), EIEI converges toward a more stable range around 10%. RedLine slightly outperforms its high-volume peers at 12.5%, corresponding to 150.9k enterprise identity logs. Lumma, despite a more moderate EIEI, remains the most consequential family overall: out of 5.48 million logs, it harvested more than half a million enterprise identity logs.
Between these extremes lies a middle tier of families that combine meaningful volume with elevated EIEI values. AMOS and WorldWind fall into this category, each with EIEI values between 15% and 25%. At these levels, they pose an enterprise risk: they are responsible for more than 1.3k and 2.2k enterprise identity compromises, drawn from total log volumes of 8k and 10k, respectively.
The elevated EIEI proportion observed for AMOS may be influenced by operating system dynamics rather than campaign scale alone. As a macOS-specific infostealer, AMOS is less likely to be distributed through gaming-focused campaigns, given the limited gaming ecosystem on macOS. At the same time, macOS devices appear to be disproportionately represented in corporate environments compared to consumer Windows machines, which dominate both the gaming and home-user markets. This imbalance may cause even moderate-scale AMOS campaigns to generate a relatively higher share of enterprise identity exposures, inflating its EIEI values.
Beyond the AMOS case, two phenomena could explain this discrepancy between higher- and lower-volume families.
Infostealer Families EIEI Analysis
EIEI vs Enterprise Identity Log Volume (bubble size represents total logs)
On one hand, it could be a combination of who gets infected (targeting, distribution channels, geography, victim type) and what the malware can collect. The same family can produce very different results depending on how and where it is deployed. A gaming-focused campaign will yield fewer enterprise identity credentials, while campaigns targeting corporate environments will naturally produce more. Malware-specific collection scope also matters. Some malware families are thorough in their collection scope and capabilities, hitting every browser and even hunting for VPN and email configuration files. This naturally increases the odds of finding enterprise credentials on a compromised device. Other families and variants are less exhaustive in their harvesting and can have capability gaps. Even with the same group of victims, these gaps mean they might miss out on those crucial enterprise identity credentials.
On the other hand, the discrepancy may simply reflect scale and maturity. Small families often lack enough logs for EIEI values to stabilize, so apparent overperformance can be inflated by limited samples. As these families grow, their EIEI may converge toward the ~10% plateau seen in established, high-volume infostealers, suggesting that current differences may reflect early-stage volatility rather than specialization.
Both explanations likely play a role. What's clear is that volume and enterprise exposure don't scale together in a predictable way. Lumma's sheer ecosystem dominance makes it the biggest source of compromised enterprise identity credentials in absolute terms, but its lower EIEI suggests broad, untargeted distribution. Meanwhile, smaller families like AMOS and WorldWind hit enterprise environments at disproportionately high rates, whether that's intentional targeting, smarter distribution, or just better collection capabilities.
Identity Providers Under Fire
Key Metric: Eight out of ten enterprise identity logs contain Microsoft Entra ID access, making it the most impacted identity provider of 2025.
Microsoft Entra ID's dominance in enterprise environments makes it the most impacted identity provider in 2025, and the data reflects this reality. Across all logs containing compromised enterprise identity credentials, Microsoft accounts for approximately 1.63 million cases, meaning that roughly eight out of every ten enterprise identity logs include a Microsoft credential. No other provider comes close.
Enterprise Identity Logs Distribution
Number of logs per identity provider
| # | Identity Provider | Log Count | Percentage |
|---|---|---|---|
| 1 | Microsoft Entra | 1,634,307 | 79.35% |
| 2 | AWS | 250,213 | 12.15% |
| 3 | Oracle | 248,523 | 12.06% |
| 4 | Okta | 112,501 | 5.46% |
| 5 | Salesforce | 82,967 | 4.03% |
| 6 | ServiceNow | 32,610 | 1.58% |
| 7 | OneLogin | 27,464 | 1.33% |
| 8 | Duo Security | 8,349 | 0.40% |
| 9 | JumpCloud | 3,631 | 0.18% |
| 10 | Citrix | 3,463 | 0.17% |
| 11 | Ping Identity | 2,480 | 0.12% |
| 12 | RSA SecurID | 1,028 | 0.05% |
| 13 | SecureAuth | 577 | 0.03% |
| 14 | CyberArk | 488 | 0.02% |
| 15 | ForgeRock | 179 | 0.01% |
| 16 | IBM Verify | 158 | 0.01% |
AWS appears next with 250k logs, an order of magnitude lower than Microsoft’s footprint, and Oracle follows closely with 248k logs containing an Oracle identity. Okta and Salesforce round out the top five, appearing in over 100k and 80k logs respectively.
What this means in practice:
Pick an enterprise identity log at random and you have a:
- 80% chance it contains Microsoft credentials
- 12% chance it contains AWS or Oracle access
- <5% chance it contains Okta credentials
- <4% chance it contains Salesforce credentials
The Microsoft figure isn't surprising given Entra ID's market share. This distribution underscores an important takeaway: infostealer activity mirrors the structure of the enterprise identity ecosystem itself. Because Entra ID anchors the vast majority of corporate authentication flows, it naturally becomes the most harvested enterprise identity credential. Attackers aren't targeting Microsoft; their harvests are just in line with the identity market.
Geography of Compromise: Regional Identity Risk
Key Metric: In 2025, Microsoft Entra ID dominates globally, while secondary identity exposure diverges by region: Okta in North America and Oceania, AWS in Europe, South America and Asia.
A subset of the logs in our dataset includes the geolocation of the infected device, offering a valuable regional perspective on Enterprise Identity Exposure.
Looking at the global distribution, three countries stand out. India leads with approximately 185,000 enterprise identity logs, followed by the United States with over 118,000 and Brazil with more than 100,000. At the continental level, the Americas and Asia bear the heaviest exposure, with Europe not far behind.
But raw volume only tells part of the story. When we examine which identity providers appear in region-specific logs, a more nuanced picture emerges.
Microsoft dominates everywhere, but the supporting cast varies.
Across every region, the picture is remarkably consistent: Microsoft credentials dominate, appearing in around 70% of enterprise identity logs. Europe shows the highest concentration at 76%, while Asia sits at the lower end with 63%, still appearing in nearly two-thirds of all enterprise identity logs.
The consistency is striking: regardless of geography, Microsoft remains the anchor of enterprise identity infrastructure.
The more interesting variation lies in the second and third most exposed providers. Okta ranks second in North America and Oceania, followed by Oracle, but is notably absent from the top three elsewhere. This pattern aligns with Okta's strong foothold in Anglophone countries, particularly North American enterprises.
But in Europe, Asia, South America, and Africa, AWS breaks into the top three. In Asia specifically, AWS rises to second place, likely mirroring the broader regional adoption of AWS IAM Identity Center.
These regional differences suggest that while Microsoft remains the universal anchor of enterprise identity, the supporting enterprise identity ecosystem, and therefore the exposure landscape, varies meaningfully across regions.
Regional Identity Provider Distribution
Top 3 identity providers by usage in each region (North America, South America, Europe, Africa, Asia Pacific, Oceania). Percentages represent share of detected identity provider usage within each region.
Compound Identity Exposure: One Log, Multiple Points of Failure
Key Metric: Over 18% of enterprise identity logs in 2025 show multi-provider compromise.
So far, we've treated enterprise exposure as binary, a log either contains an identity credential or it doesn't. The reality is often worse. Many logs don't just expose one provider; they expose several, turning a single infection into multiple simultaneous points of failure. And while single-provider compromise is damaging, multi-provider compromise is catastrophic: it expands lateral movement options and complicates incident response dramatically.
In 2025, 12.98% of all enterprise identity logs contained a double compromise, meaning a single infection captured credentials for two different enterprise identity providers. Even more alarming, over 5% of these logs represented a triple-provider (or greater) compromise. In total, this amounts to over 100,000 logs granting access to three or more enterprise identity platforms, a level of overlap that dramatically expands the potential blast radius of a single stealer infection.
Compound Enterprise Identity Exposure
Share of logs with 1, 2, or 3+ identity provider(s) credentials
An attacker with credentials for both Microsoft Entra ID and AWS IAM Identity Center can pivot between cloud environments, access different data stores, and maintain persistence even if one set of credentials is revoked. Multi-provider exposure transforms a containable incident into a potential enterprise-wide breach.
But credentials, even multiple sets of them, are only part of the story. What if attackers didn't need to authenticate at all? Multiple credentials are bad. But what's worse than stealing the keys? Bypassing the door entirely.
Beyond Passwords: Session Cookie Exposure
Key Metric: Nearly 1.17 million logs in 2025 contained both enterprise credentials and session cookies, creating the highest-risk vector for attackers with immediate access, MFA bypass, and persistence.
So far, we've examined enterprise credentials: which providers are exposed, how often they overlap, and where compromises concentrate. But credentials alone don't capture the full risk. Session cookies enable attackers to potentially bypass authentication entirely, including MFA.
In 2025:
- 2.05 million logs contained at least one enterprise IdP SSO credential
- 5.72 million logs contained at least one enterprise IdP SSO session cookie
- 1.17 million logs contained both credentials & session cookies
The 1,170,638 logs containing both credentials and cookies represent the highest-risk exposures. With such logs, attackers gain potentially immediate access via the session cookie, persistence via the credentials (re-authenticate if the session expires), and MFA bypass built in.
This is the final layer of the infostealer enterprise identity exposure problem. One in ten infections yields enterprise credentials. Nearly one in five of those exposes multiple providers. And over a million logs hand attackers everything they need: credentials, cookies, and a potentially clean bypass around MFA.
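The classification behind the figures above (single, double and triple-plus provider logs, and the credentials-plus-cookies overlap) can be reproduced on a small scale. The following is an added example, not the report's code or its classification rules: it assumes a simplified log schema (a list of credential URLs and a list of cookie domains per log) and recognises enterprise identity providers by the kind of URL markers the report describes (tenant IDs, OAuth and SAML paths). Microsoft Entra ID and AWS IAM Identity Center are named in the report; Okta is included only so that a triple-provider log can be shown, and all marker patterns, hostnames and sample records are constructed for this example. Cookie attribution works by domain suffix only, which is why the report treats cookie figures as directional.

```python
"""Classify constructed infostealer log records by enterprise identity exposure.

Added example; not the report's code. Provider markers, hostnames and sample
records are assumptions constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed credential-URL markers: an Entra ID path starts with a tenant GUID (or
# "common"/"organizations") followed by an OAuth2 or SAML2 route.
ENTRA_PATH = re.compile(r"^/(?:[0-9a-f-]{36}|common|organizations)/(?:oauth2|saml2)", re.I)


def provider_for_url(url: str):
    """Return the enterprise IdP a credential URL belongs to, or None for consumer/other."""
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path
    if host == "login.microsoftonline.com" and ENTRA_PATH.match(path):
        return "entra_id"
    if host.endswith(".awsapps.com") and path.startswith("/start"):
        return "aws_identity_center"
    if host.endswith(".okta.com") and (path.startswith("/oauth2/") or path.startswith("/app/")):
        return "okta"
    return None


# Cookies carry no tenant marker, so attribution is by domain suffix only (directional).
COOKIE_SUFFIXES = {
    ".microsoftonline.com": "entra_id",
    ".awsapps.com": "aws_identity_center",
    ".okta.com": "okta",
}


def credential_providers(log):
    """Set of enterprise IdPs for which the log holds a credential."""
    return {p for p in map(provider_for_url, log["credentials"]) if p}


def cookie_providers(log):
    """Set of enterprise IdPs for which the log holds a session cookie (suffix match)."""
    found = set()
    for domain in log["cookies"]:
        d = domain.lower()
        for suffix, provider in COOKIE_SUFFIXES.items():
            if d.endswith(suffix):
                found.add(provider)
    return found


def risk_tier(log):
    """Triage tier for a log, highest risk first, following the report's reasoning."""
    creds, cookies = credential_providers(log), cookie_providers(log)
    if creds and cookies:
        return "creds_and_cookies"      # immediate access, persistence, MFA already satisfied
    if cookies:
        return "cookies_only"           # immediate access for as long as the session lives
    if len(creds) >= 2:
        return "multi_provider_creds"   # several simultaneous points of failure
    if creds:
        return "single_provider_creds"
    return "not_enterprise"


def summarize(logs):
    """Counts and shares of single/double/triple-plus provider logs and cookie overlap."""
    counts = Counter()
    for log in logs:
        n = len(credential_providers(log))
        if n:
            counts["enterprise_cred_logs"] += 1
            counts["single" if n == 1 else "double" if n == 2 else "triple_plus"] += 1
        if risk_tier(log) == "creds_and_cookies":
            counts["creds_and_cookies"] += 1
        if cookie_providers(log):
            counts["cookie_logs"] += 1
    total = counts["enterprise_cred_logs"] or 1
    counts["double_share"] = counts["double"] / total
    counts["triple_plus_share"] = counts["triple_plus"] / total
    return dict(counts)


# Constructed sample records (not real stealer log data).
SAMPLE_LOGS = [
    {"id": "log-1", "cookies": [],
     "credentials": ["https://login.microsoftonline.com/3f1c2d4e-aaaa-bbbb-cccc-123456789abc/oauth2/v2.0/authorize"]},
    {"id": "log-2", "cookies": ["login.microsoftonline.com"],
     "credentials": ["https://login.microsoftonline.com/common/oauth2/authorize",
                     "https://d-9067f1a2b3.awsapps.com/start/"]},
    {"id": "log-3", "cookies": ["mail.example-consumer.test"],
     "credentials": ["https://mail.example-consumer.test/login"]},
    {"id": "log-4", "cookies": ["acme.okta.com"],
     "credentials": ["https://login.microsoftonline.com/organizations/saml2",
                     "https://d-9067f1a2b3.awsapps.com/start/",
                     "https://acme.okta.com/app/acme_saml/abc123/sso/saml"]},
    {"id": "log-5", "cookies": ["d-9067f1a2b3.awsapps.com"], "credentials": []},
    {"id": "log-6", "cookies": [".microsoftonline.com"],
     "credentials": ["https://login.microsoftonline.com/common/oauth2/v2.0/token"]},
]

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(log["id"], risk_tier(log), sorted(credential_providers(log)))
    print(summarize(SAMPLE_LOGS))
```

On the constructed sample, four of six logs carry an enterprise credential, one is a double and one a triple compromise, and three of the four also carry a matching session cookie; those three are the ones a response team would revoke sessions for first, since resetting the password alone leaves the cookie usable.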
Infostealers have evolved from nuisance to existential threat for enterprise identity. The question is no longer if credentials are being harvested, but how quickly organizations can detect and respond before attackers use them. Defending against this threat requires more than stronger passwords or broader MFA rollouts. It demands continuous session monitoring, aggressive token expiration policies, and the assumption that credentials are already compromised. In the infostealer ecosystem, they probably are.
2026 Outlook
2026 Key Trajectory & Milestones
- Based on the best-fit model, the baseline expectation for 2026 is a continued climb, with the enterprise identity credential exposure rate reaching 15.3% by December 2026.
- Average exposure: The average enterprise identity exposure rate for 2026 is projected at 14%, a significant increase from the 2025 average of 11%.
- The "one in seven" threshold: By mid-2026, the data suggests that one in every seven successful infostealer infections globally will yield valid enterprise credentials.
- Systemic growth: The trend shows an annualized increase of 2.8 percentage points. However, if the preliminary December figure of 16% becomes the "new normal," we may reach the 20% threshold (one in five infections) as early as Q3 2026, well ahead of model predictions.
Over the past two years, enterprise identity exposure in stealer logs has more than doubled, from 6% in January 2024 to nearly 14% by late 2025. The question now is whether 2026 will continue this steady climb or mark something more dramatic.
To project the trajectory, we applied regression analysis to 23 months of data (January 2024-November 2025), holding out December 2025 for validation. Three models emerged with similar explanatory power: linear, polynomial, and exponential, all capturing roughly 90% of the variance. Under the conservative linear and polynomial projections, enterprise exposure would cross 15% by October 2026. The exponential model points toward 18-22% by year's end.
Then came December's preliminary numbers.
December 2025: An Early Warning Signal
Both the polynomial and exponential models predicted that 12-13% of December 2025 stealer logs would contain enterprise identity credentials. The actual preliminary figure[1] was 16.20%, a 3.2 percentage-point gap that no model anticipated. November had already shown a three-point monthly jump, breaking from the pattern of steady increases; December suggests it may not be a fluke.
This validation failure matters. It suggests we may no longer be tracking steady growth but rather the early phase of rapid acceleration. Our model projections should therefore be read as a conservative floor, not a central estimate.
[1] Numbers cover December 1 to December 17, 2025.
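The fit-then-validate procedure described above (train on January 2024 to November 2025, hold out December 2025, compare the residual) is worth seeing end to end. The following is an added example, not the report's model or data: the 23 monthly rates are constructed as an exact 0.35-point-per-month line starting at 6.0%, so the fitted coefficients can be checked by hand, and the December hold-out value of 16.2% is likewise a constructed input. Two of the report's three model families are shown, a linear fit and an exponential fit (least squares on the log of the rate); the polynomial fit is omitted.

```python
"""Trend fit and held-out validation for a monthly exposure-rate series.

Added example; not the report's model. All rates below are constructed.
Month index 0 = January 2024, 22 = November 2025 (training window),
23 = December 2025 (hold-out), 29 = June 2026, 35 = December 2026.
"""
import math

TRAIN_RATES = [round(6.0 + 0.35 * t, 4) for t in range(23)]   # constructed, % of all logs
HOLDOUT_MONTH, HOLDOUT_RATE = 23, 16.2                         # constructed December value


def linear_fit(xs, ys):
    """Ordinary least squares for y = a + b*x; returns (a, b)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    return my - b * mx, b


def exponential_fit(xs, ys):
    """Least squares on ln(y) for y = A*exp(k*x); returns (A, k)."""
    a, k = linear_fit(xs, [math.log(y) for y in ys])
    return math.exp(a), k


def r_squared(ys, preds):
    """Share of variance explained by the predictions (training fit quality)."""
    my = sum(ys) / len(ys)
    ss_res = sum((y - p) ** 2 for y, p in zip(ys, preds))
    ss_tot = sum((y - my) ** 2 for y in ys)
    return 1 - ss_res / ss_tot


def fit_models(rates=TRAIN_RATES):
    """Fit both model families on the training window; returns name -> predictor."""
    xs = list(range(len(rates)))
    a, b = linear_fit(xs, rates)
    big_a, k = exponential_fit(xs, rates)
    return {
        "linear": lambda t: a + b * t,
        "exponential": lambda t: big_a * math.exp(k * t),
    }


def validate(models, month=HOLDOUT_MONTH, observed=HOLDOUT_RATE):
    """Hold-out residual per model (positive = observed rate above the prediction)."""
    return {name: observed - f(month) for name, f in models.items()}


def project(models, months=(29, 35)):
    """Point projections for mid-2026 and end-2026 under each model."""
    return {name: {m: round(f(m), 2) for m in months} for name, f in models.items()}


if __name__ == "__main__":
    models = fit_models()
    xs = list(range(len(TRAIN_RATES)))
    for name, f in models.items():
        print(name, "R^2 =", round(r_squared(TRAIN_RATES, [f(t) for t in xs]), 4))
    print("hold-out residuals:", validate(models))
    print("2026 projections:", project(models))
```

On the constructed series the linear model predicts 14.05% for the held-out month, so a 16.2% observation leaves a residual of about 2.15 points; a residual that large relative to the training noise is the signal the report reads as possible acceleration, and it is also why the exponential model, which extrapolates higher than the linear one by December 2026, cannot be dismissed on the training fit alone.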
What 2026 Looks Like
Based on the best-fit model, baseline projections show enterprise identity exposure in stealer logs reaching 15.3% by December 2026, with an annual average of 14%, up from 11% in 2025. By mid-year, roughly one in seven infostealer infections globally would yield enterprise identity credentials.
Figure: Regression Model Comparison (training fit vs held-out December 2025 validation)
But if December's surge (purple star) represents the new normal rather than an anomaly, the picture shifts considerably. The 20% threshold, where one in five infections compromises enterprise access, could arrive as early as Q3 2026, well ahead of any model prediction.
Figure: Enterprise Identity Exposure Trend & Forecast (polynomial best fit applied to 2026 predictions)
The Underlying Driver
What makes this acceleration plausible is the structural shift happening beneath it. The identity and access management market is on track to reach $42.61 billion by 2030, with SSO adoption growing at 13.5% annually. Every new deployment of centralized identity systems adds credentials and session tokens to the attack surface.
Here's the paradox: as enterprises consolidate around these solutions, they may actually improve baseline security hygiene and reduce raw infection counts. We've already seen total log volumes drop from 23.6 million in 2024 to 18.7 million in 2025. But the infections that do occur increasingly hit environments with enterprise identity credentials. Fewer infections, higher yield.
For threat actors, the economics are improving. For security teams, the risk calculus is fundamentally changing. We're moving from a world where one in ten infections touched enterprise access toward one where it's one in five, a shift that demands a different defensive posture entirely.
The Uncomfortable Bottom Line: Future of Enterprise Infostealer Infections
Two years ago, one in 16 infostealer infections yielded enterprise credentials. By late 2025, it was one in seven. If December's numbers hold, we're looking at one in five by Q3 2026.
That changes the math. Preventing credential theft still matters, but it's not enough anymore, not when the hit rate is this high. The focus for 2026 must shift toward detecting and killing compromised sessions in near-real-time. Aggressive token expiration. Continuous session monitoring. Identity threat detection that operates on the assumption of breach, not the hope of prevention. These aren’t advanced hardening measures, they’re baseline requirements now.
The infostealer economy is maturing into an efficient market for enterprise identity access. December's 16% preliminary figure suggests that efficiency is going up. The structural drivers, adoption of centralized identity at scale, SSO proliferation and session token density, aren't slowing down. Neither is the threat.
Limitations to our Research
Validity unknown: We cannot determine how many credentials and/or sessions remain valid.
Coverage: Our visibility, while extensive, is not exhaustive. Private Telegram channels with restricted membership, direct sales between threat actors, and credentials held but not yet distributed are not captured in these figures. The true scope of enterprise credential exposure is likely higher than reported here.
Enterprise identity credential selection: This report adopted a ‘high-confidence’ enterprise identity providers selection, and thus will have missed stealer logs containing credentials from providers not considered in this report.
Duplicates: This analysis cannot determine how many logs are unique or new. Because log recycling is inherent to the cybercrime industry, our dataset certainly contains some duplicate or recycled logs.
Cookie attribution: Cookie attribution is less reliable than credential attribution. This analysis focuses primarily on credentials because enterprise SSO URLs contain explicit markers (tenant IDs, OAuth flows, SAML paths) that distinguish corporate from consumer accounts. Session cookies lack equivalent markers, making confident enterprise attribution harder, so cookie exposure figures should be interpreted as directional rather than precise.
Monitor for Enterprise Infostealer Logs with Flare
The Flare Threat Exposure Management solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. See what external threats are exposed for your organization by signing up for our free trial.