
New analysis of 18.7 million infostealer logs carried out by Flare shows a significant rise in enterprise identity compromise. Researchers found that more than one in 10 infections already contained enterprise Single Sign-On (SSO) or Identity Provider (IdP) credentials, and that rate is quickly increasing.
In 2025, 2.05 million infostealer logs exposed enterprise identity credentials, providing attackers with potential access to corporate email, cloud infrastructure, SaaS platforms, and internal systems. Preliminary data from late 2025 shows enterprise identity exposure surging to 16 percent of infections, well above model predictions, signaling a shift toward rapid acceleration.
“Centralized identity has become the control plane of the modern enterprise,” says Estelle Ruellan, cybersecurity researcher at Flare. “What this data shows is that attackers understand that shift very well. When an infostealer infection succeeds today, it’s increasingly likely to deliver direct access to the systems organizations depend on most.”
The report finds that enterprise identity exposure more than doubled, rising from approximately six percent of infections in early 2024 to nearly 14 percent by late 2025. Microsoft Entra ID appears in 79 percent of enterprise identity logs, making it the most impacted identity provider by a wide margin.
Over 18 percent of enterprise identity logs expose multiple identity providers, significantly increasing breach impact and complexity. A total of 1.17 million logs contained both enterprise credentials and session cookies, enabling immediate access and potential MFA bypass.
Despite a 20 percent year-on-year decline in total infostealer infections, enterprise identity exposure continued to rise. The research shows that infostealers are increasingly linked to enterprise credential theft, reflecting the higher prevalence and value of enterprise access on compromised systems.
You can find out more on the Flare site.

