Enterprise Security Alert: Infostealers Targeting SSO Access with Alarming Frequency (2026)

The threat posed by infostealers is evolving, with a notable shift towards targeting Single Sign-On (SSO) access in enterprises. Recent data from Flare reveals a concerning trend: by late 2025, 16% of recorded infections involved the exposure of identity provider details, indicating a significant risk to enterprise identities.

Flare's findings are based on an extensive analysis of 18.7 million infostealer logs gathered throughout 2025, making it one of the most comprehensive datasets scrutinized for this type of cyber threat. Out of these logs, approximately 2.05 million revealed that enterprise identity credentials were compromised. Such credentials can unlock critical access to corporate email accounts, cloud storage infrastructures, software-as-a-service applications, and other internal systems, raising alarms about potential security breaches.

A Shift in Focus

The report highlights a crucial transition in the tactics of infostealers. Previously focused on stealing consumer credentials, these malware families are now increasingly compromising enterprise identities. In fact, more than 10% of infections already included SSO or identity provider credentials, a significant increase from about 6% in early 2024. The situation worsened as enterprise identity exposures surged to nearly 14% by the end of 2025, surpassing earlier model predictions, which had anticipated lower rates.

Flare explains that centralized authentication systems are prevalent in modern enterprise environments, naming key identity platforms such as Microsoft Entra ID, Okta, and AWS IAM Identity Center as vital components in access management. Consolidating authentication raises the stakes by concentrating risk in fewer systems: a single compromised credential or session can grant access to multiple interconnected systems, because infostealers systematically harvest stored credentials and active sessions from infected devices.

"Centralized identity has become the control plane of the modern enterprise," stated Estelle Ruellan, a cybersecurity researcher at Flare. "This data clearly indicates that attackers have adapted to this shift. Nowadays, when an infostealer infection occurs, it is increasingly likely to open the door directly to the systems that organizations rely on the most."

Exposure Among Providers

In its report, Flare also categorized identity provider exposures across a dozen vendors, including major players like AWS, Microsoft, Okta, Oracle, and Salesforce. Notably, Microsoft Entra ID was found in 79% of the enterprise identity logs analyzed, marking it as the most affected identity provider in Flare's dataset. Furthermore, over 18% of the enterprise identity logs indicated exposure across multiple identity providers, complicating incident response since an infected device might yield credentials for various authentication systems utilized by the organization.

The report highlighted that 1.17 million logs contained both enterprise credentials and session cookies. This combination could allow immediate access and might enable attackers to bypass multi-factor authentication in certain cases, depending on how the session is configured.
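The two measurements the report describes, per-provider exposure and the share of logs that combine a credential with a session cookie, are easy to reproduce as a triage step over an organization's own stealer-log feed. The following Python is an added example, not Flare's code or methodology: it classifies constructed log entries by the login hostname of the identity provider, counts each provider once per infected machine, flags machines whose entries carry both a username and a cookie, and reports multi-provider exposure. The hostname-to-provider table and the sample entries are assumptions made for the example.

```python
"""Triage of infostealer log entries by identity provider (added example).

Each entry is one harvested credential or cookie record, keyed by the infected
machine it came from. The provider table and sample data are constructed for
this example and are not Flare's classification.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional

# Assumed login hostnames per identity provider. Matching is done on the
# registrable suffix with a dot boundary, so "notokta.com" is not Okta.
IDP_HOST_SUFFIXES = {
    "login.microsoftonline.com": "Microsoft Entra ID",
    "okta.com": "Okta",
    "awsapps.com": "AWS IAM Identity Center",
    "login.salesforce.com": "Salesforce",
    "oraclecloud.com": "Oracle",
}

# Constructed sample entries: three machines, one of which exposes two providers.
SAMPLE_LOG_ENTRIES = [
    {"machine": "M1", "url": "https://login.microsoftonline.com/common/oauth2/authorize",
     "username": "alice@example.com", "cookies": ["session"]},
    {"machine": "M1", "url": "https://example.okta.com/login/login.htm",
     "username": "alice@example.com", "cookies": []},
    {"machine": "M2", "url": "https://www.shop-example.com/account",
     "username": "bob", "cookies": ["session"]},
    {"machine": "M2", "url": "https://notokta.com/login",
     "username": "bob", "cookies": ["session"]},
    {"machine": "M3", "url": "https://d-1234567890.awsapps.com/start",
     "username": "carol@example.com", "cookies": []},
]


def provider_for_url(url: str) -> Optional[str]:
    """Return the identity provider name for a URL, or None if it is not an IdP."""
    from urllib.parse import urlsplit
    host = (urlsplit(url).hostname or "").lower()
    for suffix, name in IDP_HOST_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def summarize(entries: Iterable[Dict]) -> Dict:
    """Aggregate per-machine identity provider exposure from raw log entries."""
    by_machine: Dict[str, List[Dict]] = defaultdict(list)
    for entry in entries:
        by_machine[entry["machine"]].append(entry)

    idp_machines = set()          # machines exposing at least one IdP
    cred_cookie_machines = set()  # machines with an IdP credential AND a cookie
    multi_provider = set()        # machines exposing more than one IdP
    per_provider: Counter = Counter()

    for machine, items in by_machine.items():
        providers = set()
        for item in items:
            name = provider_for_url(item["url"])
            if name is None:
                continue
            providers.add(name)
            # A stored username plus a live cookie is the combination the report
            # singles out, because the cookie may stand in for a completed MFA.
            if item.get("username") and item.get("cookies"):
                cred_cookie_machines.add(machine)
        if providers:
            idp_machines.add(machine)
            per_provider.update(providers)  # each provider counted once per machine
        if len(providers) > 1:
            multi_provider.add(machine)

    total = len(by_machine)
    return {
        "machines": total,
        "idp_exposed": len(idp_machines),
        "idp_exposed_share": round(len(idp_machines) / total, 3) if total else 0.0,
        "cred_and_cookie": len(cred_cookie_machines),
        "multi_provider": len(multi_provider),
        "per_provider": dict(per_provider),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG_ENTRIES).items():
        print(f"{key}: {value}")
```

Running the block on the sample data reports three machines, two exposing an identity provider, one carrying both a credential and a cookie, and one exposing two providers; on a real feed the `cred_and_cookie` and `multi_provider` sets are the machines to revoke sessions for first, since a cookie may still be valid after the password is rotated.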

Changing Trends in Attacks

Interestingly, Flare reported a 20% decrease in total infostealer infections year-on-year; however, the rate of enterprise identity exposure has continued to rise. This change suggests a transformation in attacker behavior and the economic incentives driving credential theft. Fewer infections may still result in significant consequences if the affected machines provide access to key identity systems. Moreover, the increasing prevalence of enterprise access on compromised devices means that infostealers are now more frequently linked to enterprise credential theft when the infected machines are either within organizations or belong to personnel with access to corporate resources.

Looking Ahead to 2026

If these trends persist, Flare predicts that by the third quarter of 2026, one in five infostealer infections could expose enterprise credentials. Such an increase would escalate business risks, as successful breaches could shorten the timeframe between initial compromise and broader access to corporate networks.

Security teams are already monitoring infostealer activities as part of a broader strategy for managing credential risks. The emphasis on identity providers in this report presents an additional perspective for prioritizing responses, especially since identity systems are central to accessing email, cloud services, and internal applications.

"This divergence underscores a fundamental shift in the economics of attacks: fewer infections can lead to significantly greater impacts when compromises take place," Ruellan concluded.

Is the increased targeting of enterprise identities simply a reflection of changing technology, or does it reveal deeper vulnerabilities in how organizations manage their authentication systems? What do you think about the implications of these trends for the future of cybersecurity?

Article information

Author: Lilliana Bartoletti
