Flare said infostealer malware is exposing enterprise identity credentials at a rising rate, with late-2025 data showing 16% of infections containing Single Sign-On or identity provider details.

The company based its findings on analysis of 18.7 million infostealer logs collected during 2025. It described the dataset as one of the largest examined for this type of threat activity.

Flare said 2.05 million infostealer logs from January to November 2025 exposed enterprise identity credentials. The company said those credentials could provide access to corporate email, cloud infrastructure, software-as-a-service platforms, and internal systems.

Identity focus

The report said infostealers have shifted from a focus on consumer credential theft to enterprise identity compromise. Flare said more than one in 10 infections now contain enterprise Single Sign-On (SSO) or identity provider credentials, up from roughly 6% in early 2024.

Flare said enterprise identity exposure had risen to nearly 14% by late 2025, and that the most recent late-2025 reading of 16% was above what its model had predicted.

The report described the role of centralised authentication in enterprise environments. Flare pointed to identity platforms such as Microsoft Entra ID, Okta, and AWS IAM Identity Center as common components in modern access control. It said the consolidation of authentication concentrates risk in a smaller number of systems, so a single compromised identity platform account can matter more than many compromised local accounts.

Flare said a single compromised credential or session can provide access across multiple connected systems. It said infostealers harvest saved credentials and active sessions from infected machines.

“Centralized identity has become the control plane of the modern enterprise,” said Estelle Ruellan, Cybersecurity Researcher, Flare. “What this data shows is that attackers understand that shift very well. When an infostealer infection succeeds today, it’s increasingly likely to deliver direct access to the systems organizations depend on most.”

Provider exposure

Flare said the report breaks out identity provider exposure across more than a dozen vendors. The list included AWS, Microsoft, Okta, Oracle, and Salesforce.

The report said Microsoft Entra ID appeared in 79% of enterprise identity logs. Flare said that made it the most impacted identity provider in its dataset.

Flare also said over 18% of enterprise identity logs exposed multiple identity providers. It said that increases incident complexity because a single infected device may provide credentials for more than one authentication system used by an organisation.

The report said 1.17 million logs contained both enterprise credentials and session cookies. Flare said that could allow immediate access and could create a risk of multi-factor authentication bypass in some cases, depending on the configuration and the nature of the session. Replaying a stolen session cookie lets an attacker inherit an already-authenticated browser session, so the provider does not re-prompt for MFA unless session lifetime, device binding or conditional-access policy forces re-authentication; revoking the user's active sessions, not only resetting the password, is therefore part of the response.
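The two measurements above (which identity providers a log exposes, and whether a log carries both a credential and a live session cookie for the same provider) are the kind of triage a security team can run over stealer logs it obtains. The script below is an added example written for this article, not Flare's tooling or methodology. It assumes the common stealer-log layout of a `URL:/USER:/PASS:` password dump plus a Netscape-format `cookies.txt`, and the hostname-to-provider mapping and session-cookie names are an illustrative subset chosen by the editor, not a complete catalogue. The sample log is constructed.

```python
"""Triage a constructed infostealer log for identity-provider exposure.

Added example for this article, not Flare's code. Assumptions: password dump in
'URL:/USER:/PASS:' blocks, cookies in Netscape cookies.txt layout; the provider
domains and session-cookie names below are an illustrative subset only.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed mapping of login hostnames (or parent domains) to identity providers.
IDP_DOMAINS = {
    "login.microsoftonline.com": "Microsoft Entra ID",
    "login.microsoft.com": "Microsoft Entra ID",
    "okta.com": "Okta",
    "awsapps.com": "AWS IAM Identity Center",
    "signin.aws.amazon.com": "AWS",
    "login.salesforce.com": "Salesforce",
    "login.oracle.com": "Oracle",
}

# Assumed session-cookie names per provider (illustrative, not exhaustive).
SESSION_COOKIES = {
    "Microsoft Entra ID": {"ESTSAUTH", "ESTSAUTHPERSISTENT"},
    "Okta": {"sid"},
    "AWS": {"aws-userInfo", "aws-creds"},
}

# Constructed sample log: one Entra credential, one Okta credential, one
# consumer credential, and session cookies for all three sites.
PASSWORD_DUMP = """\
URL: https://login.microsoftonline.com/common/oauth2/authorize
USER: alice@corp.example
PASS: Winter2025!

URL: https://corp.okta.com/login/login.htm
USER: alice@corp.example
PASS: Winter2025!

URL: https://www.netflix.com/login
USER: alice.personal@mail.example
PASS: popcorn99
"""

COOKIES_TXT = """\
# Netscape HTTP Cookie File (constructed sample)
.login.microsoftonline.com\tTRUE\t/\tTRUE\t1767225600\tESTSAUTH\t0.AXcAexample
corp.okta.com\tFALSE\t/\tTRUE\t1767225600\tsid\t102zQexample
.netflix.com\tTRUE\t/\tTRUE\t1767225600\tNetflixId\tv%3D2%26example
"""


def provider_for_host(host: str):
    """Map a hostname to a provider by exact or parent-domain match, else None."""
    host = host.lower().lstrip(".")
    for domain, provider in IDP_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return provider
    return None


def parse_password_dump(text: str):
    """Split the dump into blank-line-separated blocks and keep complete ones."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(URL|USER|PASS):\s*(.*)$", block, flags=re.M))
        if {"URL", "USER", "PASS"}.issubset(fields):
            entries.append(fields)
    return entries


def parse_cookies_txt(text: str):
    """Parse Netscape cookies.txt lines into (domain, name) records."""
    cookies = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue  # malformed line; skip rather than guess
        domain, _flag, _path, _secure, _expiry, name, _value = parts
        cookies.append({"domain": domain, "name": name})
    return cookies


def triage(password_dump: str, cookies_txt: str) -> dict:
    """Summarise identity-provider exposure for one stealer log."""
    creds = defaultdict(int)
    for entry in parse_password_dump(password_dump):
        provider = provider_for_host(urlsplit(entry["URL"]).hostname or "")
        if provider:
            creds[provider] += 1
    sessions = defaultdict(set)
    for cookie in parse_cookies_txt(cookies_txt):
        provider = provider_for_host(cookie["domain"])
        if provider and cookie["name"] in SESSION_COOKIES.get(provider, set()):
            sessions[provider].add(cookie["name"])
    providers = sorted(set(creds) | set(sessions))
    return {
        "providers": providers,
        "credentials": dict(creds),
        "session_cookies": {p: sorted(n) for p, n in sessions.items()},
        "multi_idp": len(providers) > 1,
        # Credential plus live session cookie for the same provider: replaying
        # the cookie skips the login step, and with it the MFA prompt.
        "session_replay_risk": any(p in sessions for p in creds),
    }


if __name__ == "__main__":
    for key, value in triage(PASSWORD_DUMP, COOKIES_TXT).items():
        print(f"{key}: {value}")
```

Run as-is it reports two providers (Entra ID and Okta), flags the log as multi-IdP, and marks it as a session-replay risk because both providers have a credential and a session cookie; the consumer entry is ignored. In practice the triage output drives session revocation and password reset for the affected identity, per provider.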

Trend divergence

Flare reported a 20% year-on-year decline in total infostealer infections. It said enterprise identity exposure continued to rise in the same period.

The company described this as a change in attacker behaviour and a shift in the economic incentives behind credential theft. It said fewer infections can still produce high impact if the compromised machines contain access to central identity systems.

Flare also linked the trend to the prevalence of enterprise access on compromised systems. It said infostealer infections increasingly yield enterprise credentials because the infected machines sit inside organisations or belong to staff who use them to reach corporate applications.

2026 outlook

Flare said that if the trend holds, one in five infostealer infections could expose enterprise credentials by the third quarter of 2026. The company said that would increase business risk because successful infections can reduce the time between an initial compromise and broader access across corporate systems.

Security teams already track infostealer activity as part of wider credential risk management. The report’s emphasis on identity providers adds another lens for prioritising response, since identity systems sit at the centre of access to email, cloud services, and internal applications.

“This divergence points to a structural shift in attacker economics: fewer infections with far greater impact when compromises occur,” said Ruellan.