Submitted by Global Scam Watch on

The global cybersecurity landscape is undergoing a fundamental transformation as ransomware actors abandon traditional malicious code in favour of sophisticated identity theft. A landmark industry report published today by Cloudflare reveals a strategic shift in which stolen credentials and the hijacking of legitimate accounts have surpassed malware as the primary entry point for major breaches. This transition signifies that the battleground has moved from the workstation to the identity provider, placing platforms like Microsoft 365 and Google Workspace at the centre of modern digital extortion.

From Malware to Mimicry

For years, ransomware relied on dropping malicious payloads to encrypt files. However, the 2026 data indicates attackers now prefer "living off the land" by using valid usernames and passwords. Cloudflare researchers describe this as a shift from "breaking in" to "logging in." By impersonating legitimate employees, cybercriminals can bypass traditional antivirus software and firewalls, which often struggle to distinguish between a regular user and an intruder using genuine credentials.

The report introduces a new barometer for risk: the Measure of Effectiveness (MOE). This metric represents a cold calculation by attackers of the ratio of effort to operational outcome. In 2026, the modern adversary is trading the pursuit of technical sophistication for throughput. Why use an expensive zero-day exploit when a stolen session token delivers better results with less effort? This high-fidelity impersonation allows for the hijacking of email threads, where an attacker inserts themselves into an existing conversation to redirect payments or solicit further sensitive information.

The Persistent Role of Malware

While impersonation has become the dominant strategy, organizations must recognize that malware still exists as a critical component of the threat ecosystem. Malicious code has not disappeared; rather, its role has evolved. Instead of acting as the primary tool for encryption, malware often serves as the delivery vehicle for identity theft. Infostealers and Trojans, such as LummaC2, are frequently deployed to harvest the very session tokens and login credentials that enable the impersonation phase and neutralize multi-factor authentication: a session token is issued after MFA has already been completed, so whoever presents it is not challenged again.

Furthermore, traditional ransomware strains continue to target legacy systems and unpatched vulnerabilities where identity-based entry is less effective. Research suggests malware remains a fallback or a secondary stage in many attacks. Once an intruder gains access via a stolen identity, they may still deploy malicious scripts to disable backups, exfiltrate data, or perform the final act of encryption. Therefore, security teams cannot afford to neglect endpoint protection while they pivot toward identity security.

The Economics of Modern Extortion

The financial motivations driving these shifts are becoming increasingly calculated. Researchers noted a trend where ransom demands are frequently calibrated to approximately $49,000. This specific figure is often low enough to fall under the threshold requiring intensive executive or board-level scrutiny in many Canadian and international corporations, yet high enough to maintain profitability for the criminal enterprise.

  • Automation of Deception: Attackers are leveraging generative artificial intelligence to manage thousands of impersonation attempts simultaneously.
  • Targeting Continuity: Manufacturing and critical infrastructure sectors are facing increased pressure, as these industries now represent over 50% of all targeted attacks.
  • Cloud Persistence: By compromising a Google Workspace or Microsoft 365 account, attackers establish a persistent presence surviving hardware wipes or local network resets.

Defending the Digital Identity: Technical Configurations

To mitigate the risks highlighted in the report, organizations must transition to an "Identity-First" security model. When attackers log in rather than break in, the goal is ensuring a stolen password or session token is insufficient to grant access.

Hardening Microsoft 365 and Google Workspace

  • Implement Phishing-Resistant MFA: Traditional SMS or push-based codes are vulnerable to "adversary-in-the-middle" (AiTM) phishing. Transition to hardware-backed authentication, such as FIDO2/WebAuthn security keys, which cryptographically bind the login to the legitimate domain: the key only signs for the origin it was registered with, so a response captured on a lookalike site is rejected by the real service.
  • Enforce Conditional Access Policies: Configure rules that evaluate sign-in risk in real time. For instance, block access if a login attempt originates from an "impossible travel" location or from an unmanaged device that fails to meet security compliance standards.
  • Shorten Session Lifespans: Reduce the window of opportunity for an attacker by enforcing frequent re-authentication and setting short expiration times for access tokens.
  • Enable Token Binding: Use token protection features tying a session token to the specific device requesting it. This prevents an attacker from using a stolen "cookie" on a different machine.
  • Automate Threat Response: Use integrated tools like Microsoft Defender for Office 365 or Google Security Command Center to terminate sessions and revoke access automatically the moment the system detects anomalous behaviour.
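The conditional access rules described above (block on impossible travel, block unmanaged devices, insist on phishing-resistant MFA) can be expressed as a small policy evaluator. The following is an added illustration, not code from the report or from either vendor's product; the sign-in events, coordinates, the 900 km/h plausibility threshold and the choice to treat only FIDO2 as phishing-resistant are constructed assumptions for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime

# Constructed sample sign-in records, shaped like what a Microsoft 365 or
# Google Workspace sign-in log exposes: who, when, from where, which MFA
# method was used, and whether the device is enrolled in management.
@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    mfa_method: str        # "fido2", "push", "sms" or "none"
    managed_device: bool

PHISHING_RESISTANT = {"fido2"}   # assumption: only FIDO2/WebAuthn counts
MAX_PLAUSIBLE_KMH = 900.0        # assumption: roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(prev, cur):
    """True when the user would have had to move faster than MAX_PLAUSIBLE_KMH
    between the previous accepted sign-in and the current one."""
    if prev is None:
        return False
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return km > 0        # simultaneous sign-ins from two places
    return km / hours > MAX_PLAUSIBLE_KMH


def evaluate(events):
    """Apply the policy to sign-ins in chronological order.
    Returns (user, time, decision, reason) per event. Only sign-ins that were
    not blocked update the user's last known location."""
    last_seen = {}
    decisions = []
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if not ev.managed_device:
            decision = ("block", "unmanaged device")
        elif impossible_travel(prev, ev):
            decision = ("block", "impossible travel")
        elif ev.mfa_method not in PHISHING_RESISTANT:
            decision = ("step-up", "require phishing-resistant MFA")
        else:
            decision = ("allow", "ok")
        decisions.append((ev.user, ev.when.isoformat(), *decision))
        if decision[0] != "block":
            last_seen[ev.user] = ev
    return decisions


# Constructed events: Toronto, Singapore, Ottawa, Vancouver coordinates.
SAMPLE_EVENTS = [
    SignIn("alice", datetime(2026, 1, 15, 9, 0), 43.65, -79.38, "fido2", True),
    SignIn("alice", datetime(2026, 1, 15, 9, 30), 1.35, 103.82, "fido2", True),
    SignIn("bob", datetime(2026, 1, 15, 10, 0), 45.42, -75.70, "push", True),
    SignIn("bob", datetime(2026, 1, 15, 10, 5), 45.42, -75.70, "fido2", False),
    SignIn("carol", datetime(2026, 1, 15, 11, 0), 49.28, -123.12, "fido2", True),
    SignIn("carol", datetime(2026, 1, 15, 16, 0), 43.65, -79.38, "fido2", True),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(*row)
```

The evaluator keys the impossible-travel check on the last sign-in that was not blocked, so one rejected attempt does not poison the baseline for the legitimate user. Carol's Vancouver-to-Toronto hop (about 3,360 km in five hours) stays under the threshold and is allowed, while Alice's Toronto-to-Singapore hop in thirty minutes is blocked.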

General Strategies for Resilience

  • The Log Out Habit: Manually clicking "Log Out" instructs the server to destroy the session token immediately, rendering it useless if an attacker later scrapes browser data.
  • Avoid Public Wi-Fi for Work: Unsecured networks remain a prime location for session "sidejacking." Use a trusted VPN or a mobile hotspot when accessing corporate accounts in public spaces.
  • Audit App Permissions: Regularly review which third-party applications have "Read/Write" access to accounts and revoke permissions for any tools no longer in use.
  • Monitor for Infostealers: Deploy Endpoint Detection and Response (EDR) tools specifically designed to catch malware focusing on harvesting session tokens rather than encrypting files.
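Three of the controls above (short session lifespans, token binding, and the "log out" habit) all come down to how the server-side session table is managed. The following is an added example, not code from the report or from any identity provider: an in-memory session store with a short expiry, a per-device binding key that the cookie alone does not carry, and explicit revocation on logout. The 15-minute lifetime, the injectable clock and the HMAC-based binding are assumptions made for the example; production token protection uses an asymmetric device key and a signature, but the shape of the check is the same.

```python
import hmac
import hashlib
import secrets
from datetime import datetime, timedelta

ACCESS_TOKEN_TTL = timedelta(minutes=15)   # assumption: short-lived token


def device_prove(device_key: bytes, token_id: str) -> str:
    """Client side: proof of possession of the device key for this token.
    The key is meant to live in hardware and never be exported, so a cookie
    scraped from the browser profile cannot produce this value."""
    return hmac.new(device_key, token_id.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Server side. A session is valid only if the token exists, has not
    expired, has not been revoked by logout, and is presented with a proof
    from the device it was bound to at login."""

    def __init__(self, clock):
        self._clock = clock       # callable returning "now"; injectable for tests
        self._sessions = {}       # token_id -> record

    def login(self, user: str, device_key: bytes) -> str:
        token_id = secrets.token_urlsafe(32)
        self._sessions[token_id] = {
            "user": user,
            "expires": self._clock() + ACCESS_TOKEN_TTL,
            # Symmetric stand-in for storing the device's public key.
            "binding": device_prove(device_key, token_id),
        }
        return token_id

    def validate(self, token_id: str, proof: str):
        """Returns (user, "ok") or (None, reason)."""
        rec = self._sessions.get(token_id)
        if rec is None:
            return None, "unknown or revoked token"
        if self._clock() >= rec["expires"]:
            del self._sessions[token_id]          # expired tokens are purged
            return None, "expired"
        if not hmac.compare_digest(proof, rec["binding"]):
            return None, "device binding mismatch"
        return rec["user"], "ok"

    def logout(self, token_id: str) -> bool:
        # Explicit logout destroys the server-side record at once, so a copy
        # of the cookie harvested later has nothing to match against.
        return self._sessions.pop(token_id, None) is not None


def scenario():
    """Walk through the four cases and return the reason string for each."""
    now = [datetime(2026, 1, 15, 9, 0)]      # constructed clock
    store = SessionStore(lambda: now[0])
    device_key = secrets.token_bytes(32)     # stays on the legitimate device
    results = {}

    tok = store.login("alice", device_key)
    results["legit"] = store.validate(tok, device_prove(device_key, tok))[1]

    # Cookie stolen by an infostealer, replayed from a machine without the key.
    other_key = secrets.token_bytes(32)
    results["stolen_cookie"] = store.validate(tok, device_prove(other_key, tok))[1]

    store.logout(tok)
    results["after_logout"] = store.validate(tok, device_prove(device_key, tok))[1]

    tok2 = store.login("alice", device_key)
    now[0] += timedelta(minutes=16)          # past ACCESS_TOKEN_TTL
    results["after_expiry"] = store.validate(tok2, device_prove(device_key, tok2))[1]
    return results


if __name__ == "__main__":
    for case, reason in scenario().items():
        print(f"{case}: {reason}")
```

Each layer fails independently: the replayed cookie is refused for lack of the device proof even though it is unexpired and unrevoked, logout makes the record disappear regardless of binding, and expiry bounds the damage even if neither of the other two controls is in place.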

The 2026 report emphasizes that because attackers now prioritize throughput over complexity, the most effective defenses are those making the cost of entry too high for the criminal to justify the effort.