Inside the credential economy: How cybercriminals are leveraging stolen logins

By Merium Khalid, Director of SOC Offensive Security, Barracuda Networks

For years, the cybersecurity industry has looked for the next breakthrough in threat technology, sometimes missing a quieter truth: attackers don’t always rely on revolutionary tools. More often, they take advantage of the everyday weaknesses that organisations overlook.

The findings from the Barracuda Managed XDR Global Threat Report reveal that the highest volume of incidents observed over the past year weren’t the result of unbeatable malware but of simple security oversights, including unpatched firewalls, rogue endpoints and dormant identities.

Analysis of over two trillion IT events and 600,000 security alerts from 2025 shows just how quickly today’s threats unfold. In the fastest case, the time from initial breach to complete ransomware encryption was only three hours. When attackers can move from initial access to impact that quickly, organisations need the ability to spot subtle behavioural shifts the moment they appear. Early, precise detection has become a real differentiator, giving defenders the chance to intervene before an intrusion becomes an incident, and before routine oversights turn into risk.

When attackers log in instead of breaking in
The report confirms a fundamental shift that has been under way for some time in attacker tradecraft: the focus has moved from compromising systems to compromising identities. Detections of identity-based attacks, such as anomalous Microsoft 365 logins and “impossible travel” alerts, have become the primary red flags for credential theft.

Anomalous logins are logins to a user account that do not match the user’s typical pattern of device, location or time. Impossible travel is where a user logs in from a second location they could not have reached in the time elapsed since the previous login. Both are strong indicators of credential theft and account compromise, and together they accounted for 17% of the top detections Barracuda’s XDR recorded last year.

Privilege escalation – the path to full control
Once an attacker gains a foothold with a stolen credential, their first order of business is often to obtain administrator-level rights. This is ‘privilege escalation’, and it gives them deeper control over the network, for example to disable security software before rolling out ransomware.

By joining high-access groups or granting themselves global administrator rights, they turn limited access into full control over the environment. In Windows environments this often means adding a user to a highly privileged group such as Domain Admins, which occurred in 42% of observed cases. Within Microsoft 365, attackers sought full control of the cloud tenant by assigning the Global Administrator role to a newly added user in 16% of incidents.
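The two escalation patterns above are both visible in ordinary audit data. The following is an added example, not code from the Barracuda report or product: it scans a constructed feed of Windows Security events for members added to privileged Active Directory groups (event IDs 4728, 4732 and 4756 are the “member added” events for global, local and universal groups respectively) and a constructed, flattened feed of Microsoft Entra ID audit records for privileged directory-role assignments, and it marks a role assignment as higher risk when the target account was created in the same feed. The record shapes, account names and the lists of watched groups and roles are assumptions for this example.

```python
"""Detect additions to highly privileged AD groups and Entra directory roles.

Added example, not code from the Barracuda report or product. Both feeds
below are constructed; field names for the Windows events mirror the
Security event XML, the Entra records are a simplified, flattened shape.
"""

# Assumed defaults; extend to match your own tiering model.
PRIVILEGED_AD_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
}
PRIVILEGED_ENTRA_ROLES = {"Global Administrator", "Privileged Role Administrator"}
MEMBER_ADDED_EVENT_IDS = {4728, 4732, 4756}  # global, local, universal group

# Constructed Windows Security events (not real telemetry).
SAMPLE_WINDOWS_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe",
     "TimeCreated": "2025-03-04T09:41:02Z"},  # ordinary logon, ignored
    {"EventID": 4728, "SubjectUserName": "vendor-svc",
     "MemberName": "CN=jdoe,OU=Users,DC=example,DC=com",
     "TargetUserName": "Domain Admins", "TimeCreated": "2025-03-04T09:42:10Z"},
    {"EventID": 4728, "SubjectUserName": "hr-admin",
     "MemberName": "CN=newhire,OU=Users,DC=example,DC=com",
     "TargetUserName": "Sales", "TimeCreated": "2025-03-04T10:05:33Z"},
]

# Constructed, flattened Entra ID audit records (not real telemetry).
SAMPLE_ENTRA_AUDIT = [
    {"activity": "Add user", "initiatedBy": "vendor-svc@example.com",
     "target": "temp.account@example.com", "role": None,
     "time": "2025-03-04T09:49:30Z"},
    {"activity": "Add member to role", "initiatedBy": "vendor-svc@example.com",
     "target": "temp.account@example.com", "role": "Global Administrator",
     "time": "2025-03-04T09:50:00Z"},
    {"activity": "Add member to role", "initiatedBy": "it-admin@example.com",
     "target": "analyst@example.com", "role": "Reports Reader",
     "time": "2025-03-04T11:12:00Z"},
]


def privileged_group_additions(events, watch=PRIVILEGED_AD_GROUPS):
    """Alerts for 'member added' events whose group is in the watch list.

    For 4728/4732/4756, TargetUserName is the group and MemberName the DN of
    the account that was added; SubjectUserName is who made the change.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADDED_EVENT_IDS:
            continue
        if ev.get("TargetUserName") not in watch:
            continue
        alerts.append({
            "source": "windows", "time": ev["TimeCreated"],
            "actor": ev["SubjectUserName"], "member": ev["MemberName"],
            "group": ev["TargetUserName"], "newly_created": False,
        })
    return alerts


def privileged_role_assignments(records, watch=PRIVILEGED_ENTRA_ROLES):
    """Alerts for Entra role assignments to a watched directory role.

    An assignment to an account that was created within the same feed is
    flagged newly_created, the 'new user straight to Global Administrator'
    pattern, so it can be ranked above routine admin churn.
    """
    created = {r["target"] for r in records if r.get("activity") == "Add user"}
    alerts = []
    for rec in records:
        if rec.get("activity") != "Add member to role":
            continue
        if rec.get("role") not in watch:
            continue
        alerts.append({
            "source": "entra", "time": rec["time"],
            "actor": rec["initiatedBy"], "member": rec["target"],
            "group": rec["role"], "newly_created": rec["target"] in created,
        })
    return alerts


def escalation_alerts(windows_events, entra_records):
    """Merge both feeds into one time-ordered list of escalation alerts."""
    alerts = privileged_group_additions(windows_events)
    alerts += privileged_role_assignments(entra_records)
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in escalation_alerts(SAMPLE_WINDOWS_EVENTS, SAMPLE_ENTRA_AUDIT):
        print(alert)
```

Run against the constructed feeds, the rule raises exactly two alerts: the vendor service account adding jdoe to Domain Admins, and the same vendor identity creating a new cloud account and immediately making it a Global Administrator. The Sales group addition and the Reports Reader assignment are ignored. Note that the actor in both cases is a vendor account, which ties directly to the dormant third-party credential problem discussed below; pairing this rule with an allow-list of change-management tickets is what keeps it from paging on legitimate admin work.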

In one real-world incident, attackers breached a network using a “ghost” account created for a third-party vendor that was never deactivated after the contract ended. This single oversight allowed them to move laterally and eventually launch ransomware.

Hiding in plain sight
Once privilege escalation is accomplished, the next challenge security teams face is attackers’ ability to hide malicious behaviour among normal everyday tasks and tools. By closely mirroring normal activity, attackers blend into plain sight. This living-off-the-land (LOTL) approach means threat actors evade detection by using legitimate software, tools and techniques that are already present in the environment.

It is during this phase that attackers harvest further credentials and move laterally within the network. These follow-on behaviours raise the risk of the later stages of an attack, such as data theft, exfiltration and encryption, all of which can be used as leverage in ransomware incidents. In fact, 96% of the lateral movement cases Barracuda’s XDR monitored involved the eventual deployment of ransomware.

Securing the identity perimeter is no longer optional
The weak spots being exploited are often the ones we consider “basic,” but their impact is anything but. Many businesses remain exposed because basic controls are not applied consistently.

Some do not use location-based access rules that reflect where they actually operate. Others still allow weak or reused passwords. Multi-factor authentication is often missing or only partially enforced. In many cases, login activity is not monitored for unusual times or locations. The response does not need to be complex: a combination of preventative and monitoring measures can significantly reduce the risk of a breach.

Strong, unique passwords, ideally managed through a password manager, reduce risk significantly. Enforcing multi-factor authentication for all users remains the single most effective step. Monitoring login alerts and applying conditional access policies, such as blocking access from unexpected regions, can stop attacks early. Continuously auditing identity systems strengthens this further: removing dormant accounts and closely monitoring any changes to administrator groups and roles makes silent privilege escalation harder to achieve. Alongside this, staff need to be able to recognise phishing attempts, as these are often the starting point for credential theft.

Layering behavioural monitoring through XDR tools adds a further safeguard, allowing faster investigation and containment before an attacker can move deeper into the environment. An integrated security platform that delivers full visibility across networks, devices, servers, cloud storage and email helps organisations identify threats earlier and limit their exposure. These steps are particularly important for organisations with limited security resources, as they provide clearer insight into how attacks unfold in real-world environments and where common security gaps are most often exploited.
