Credential abuse has become one of the most effective techniques used by cyber attackers, overtaking traditional malware reliance. Threat actors achieve data access while evading detection through password guessing and misuse of valid accounts.
A recent analysis examined conversion rates of various attack indicators, revealing that credential‑based methods dominate the threat landscape. The shift reflects attackers’ preference for tactics that avoid triggering endpoint protection.
Password guessing recorded a conversion rate of 34.8%, reflecting systematic attempts to breach accounts. Its prevalence in both real attacks and security assessments makes it a persistent threat, especially where weak or reused passwords exist.
Local account creation followed closely with a 34.7% conversion rate. Threat actors establish new accounts after an initial compromise to maintain access even after detection.
Valid account abuse, using stolen or compromised credentials, showed a 34.5% conversion rate. Because the login appears legitimate, detection becomes significantly more difficult.
Account manipulation, altering privileges or permissions of existing accounts, achieved a 32% conversion rate. This approach deepens adversary control without introducing new tools.
Network service discovery registered a 31.2% conversion rate. Scanning for open services provides attackers with a foothold for lateral movement and further exploitation, making early detection critical.
The findings underscore the need for organizations to gain deep visibility into attacker behavior and correlate suspicious activity across attack stages. Prioritizing high‑probability malicious behaviors while limiting false positives is essential for effective defense.