1 in 5 Infostealer Infections Will Expose Enterprise Creds
Flare research finds enterprise identity compromise doubled in 2025, with Microsoft Entra ID appearing in 79% of logs. Session cookies enable MFA bypass at scale.
Enterprise identity exposure from infostealer infections doubled throughout 2025, climbing from roughly 6% of infections in early 2024 to nearly 14% by year's end. If the trend continues, one in five infostealer infections could yield corporate SSO or identity provider credentials by Q3 2026, according to research Flare published on February 2.
The findings come from analysis of 18.7 million infostealer logs collected during 2025. Flare identified 2.05 million logs containing enterprise identity credentials—a number that should alarm security teams who assumed consumer-focused malware posed limited corporate risk.
Microsoft Entra ID Dominates Exposure
Microsoft Entra ID (formerly Azure Active Directory) appeared in 79% of enterprise identity logs, making it the most impacted identity provider by a substantial margin. The concentration reflects both Microsoft's market dominance in enterprise identity and the corresponding attention from infostealer operators.
More than 18% of logs exposed credentials for multiple identity providers. An employee infected at home might have credentials for their corporate Entra ID tenant, a client's Okta instance, and various SaaS applications—all captured in a single infostealer session. Multi-provider exposure multiplies the impact of a single infection, since one log can open doors at several organizations at once.
Session Cookies: The MFA Killer
The research identified 1.17 million logs containing both credentials and active session cookies. This combination enables immediate account access with MFA bypass—attackers import the session into their browser and skip authentication entirely.
Session hijacking through stolen cookies isn't theoretical. We've covered multiple campaigns where browser-based malware prioritized cookie theft precisely because cookies render MFA irrelevant. The Flare numbers quantify the scale: over a million opportunities for session hijacking across enterprise environments.
For organizations that invested heavily in MFA as their primary defense, this represents a concerning bypass. Phishing-resistant MFA like FIDO2 hardware keys can't be replayed, but session cookies can—and infostealers grab them automatically.
Attackers Shifting to High-Value Targets
Overall infostealer infections declined 20% year-over-year, but enterprise credential theft increased. Flare interprets this as strategic targeting: operators are concentrating on higher-value victims rather than casting a wider net.
The economics support this shift. Consumer credentials sell for cents on dark web markets. Corporate SSO access—especially to organizations in healthcare, finance, or government—commands premium prices. A single enterprise log containing credentials, cookies, and VPN configurations can be worth thousands of dollars to initial access brokers who resell to ransomware operators.
How Infostealers Reach Enterprise Users
Infostealers predominantly infect personal devices, then capture credentials when employees access corporate resources. Common infection vectors include:
- Pirated software and game cheats
- Fake browser extensions and developer tools
- Malvertising leading to drive-by downloads
- Phishing links in Discord, Telegram, and social media
Developer-focused attacks like the GlassWorm campaign show how threat actors specifically target professionals whose credentials unlock valuable corporate resources. The bring-your-own-device problem is acute here. Corporate security controls don't extend to personal machines, but personal machines frequently access corporate SSO portals. One infected laptop at home can compromise credentials that unlock the entire enterprise.
Detection Challenges
Traditional endpoint detection struggles with infostealers because infections happen on unmanaged devices. By the time stolen credentials surface on dark web markets, attackers have already used them.
Flare recommends organizations monitor for credential exposure in dark web markets and infostealer log repositories. The 18.7 million logs they analyzed represent data that is traded openly on criminal markets—defenders can access the same information attackers buy.
Identity-focused detection also helps. Unusual authentication patterns—logins from unexpected locations, session tokens appearing on new devices, rapid access across multiple applications—can indicate credential theft even without endpoint visibility.
Recommendations
- Deploy credential monitoring for enterprise domains across dark web markets and log repositories
- Implement session controls that detect cookie import from new devices or browsers
- Consider conditional access policies that restrict sensitive applications to managed devices
- Treat Entra ID security as critical infrastructure—79% exposure demands corresponding protection
- Educate employees about infostealer risks on personal devices, particularly pirated software and suspicious browser extensions
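The identity-side signals described under Detection Challenges and in the session-control recommendation above can be checked without endpoint visibility. The following is an added example, not code from Flare or from the article: it runs three detections over a constructed batch of sign-in events whose field layout (user, session id, device id, country, application, timestamp) is an assumption standing in for whatever an identity provider's sign-in log actually exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real Entra ID log data. Session S1 is
# issued on alice's corporate laptop and then presented from an unknown device
# in another country, which is what an imported infostealer cookie looks like.
RAW_EVENTS = [
    ("alice@example.com", "S1", "LAPTOP-01",  "US", "Outlook",     "2026-02-02T09:00:00"),
    ("alice@example.com", "S1", "UNKNOWN-77", "BR", "SharePoint",  "2026-02-02T09:20:00"),
    ("alice@example.com", "S1", "UNKNOWN-77", "BR", "Teams",       "2026-02-02T09:21:00"),
    ("alice@example.com", "S1", "UNKNOWN-77", "BR", "AzurePortal", "2026-02-02T09:22:00"),
    ("alice@example.com", "S1", "UNKNOWN-77", "BR", "Salesforce",  "2026-02-02T09:23:00"),
    ("bob@example.com",   "S2", "LAPTOP-02",  "US", "Outlook",     "2026-02-02T10:00:00"),
    ("bob@example.com",   "S2", "LAPTOP-02",  "US", "Teams",       "2026-02-02T10:30:00"),
]
FIELDS = ("user", "session", "device", "country", "app", "ts")  # assumed layout

def load(raw):
    """Rows -> dicts with parsed timestamps, in chronological order."""
    events = [dict(zip(FIELDS, row)) for row in raw]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def detect(raw, travel_window=timedelta(hours=1),
           burst_window=timedelta(minutes=5), max_apps=3):
    """Alerts for the three patterns the article lists: a session token shown from a
    device other than its issuing one, a fast country change, and an app burst."""
    alerts, issued_on, last_seen, history = [], {}, {}, defaultdict(list)

    def emit(alert):            # report each finding once
        if alert not in alerts:
            alerts.append(alert)

    for e in load(raw):
        user, key = e["user"], (e["user"], e["session"])
        # 1. Cookie import: same session id, different device than at issuance.
        origin = issued_on.setdefault(key, e["device"])
        if e["device"] != origin:
            emit(("session_on_new_device", user, e["session"], e["device"]))
        # 2. Impossible travel: two countries for one user inside travel_window.
        prev = last_seen.get(user)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
            emit(("fast_country_change", user, prev["country"], e["country"]))
        last_seen[user] = e
        # 3. Application burst: more than max_apps distinct apps in burst_window.
        history[user].append(e)
        recent = {x["app"] for x in history[user] if e["ts"] - x["ts"] <= burst_window}
        if len(recent) > max_apps:
            emit(("app_burst", user, len(recent)))
    return alerts
```

On the sample, all three detectors fire for alice and none for bob; in production the device and session identifiers would come from the identity provider's own sign-in log fields, and the thresholds should be tuned to the tenant's normal behaviour.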
The trajectory is clear: infostealers that once targeted consumers are now harvesting enterprise access at scale. Organizations that assume corporate identity security ends at the office perimeter are already exposed.