Talos Highlights Surge in Credential Abuse and MFA‑Spray Attacks, Recommends Identity‑Centric Defense Priorities
What Happened — Cisco Talos’ 2025 Year‑in‑Review reveals that attackers are now able to develop and deploy exploits in hours, dramatically lowering the barrier to entry. Credential‑based attacks—especially MFA‑spray and device‑registration abuse—rose sharply, with device compromise incidents up 178 % year‑over‑year.
Why It Matters for TPRM —
- Third‑party identity and access management (IAM) platforms become high‑value supply‑chain risk vectors.
- Credential abuse can cascade across multiple vendors, amplifying exposure for downstream customers.
- Rapid exploit development shortens the window for detection, demanding stronger continuous monitoring of partner environments.
Who Is Affected — Financial services, healthcare, SaaS providers, cloud‑hosting firms, and any organization that relies on external IAM/PAM solutions or VPN/AD infrastructure.
Recommended Actions —
- Treat IAM, PAM, and MFA registration workflows as Tier‑1 critical assets in your vendor risk program.
- Require partners to implement robust credential‑monitoring, MFA‑hardening, and anomalous‑behavior analytics.
- Conduct periodic assessments of third‑party device‑registration and VPN configurations for misconfigurations or abuse.
Technical Notes — Attack vectors include MFA‑spray, stolen credentials, and compromised devices used to register as trusted MFA methods. No specific CVE is cited; the trend reflects a shift toward credential‑focused exploitation rather than vulnerability‑driven attacks.
Source: Cisco Talos – Five defender priorities from the Talos Year in Review
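Added example (not code from Talos or from the report) of the anomalous‑behavior analytics recommended above: a small detector for the two patterns named in the Technical Notes, an MFA‑spray burst against one user and a device registration that follows it, run over constructed auth‑log lines. The log format, event names, and the window/threshold values are assumptions to adapt to a real IdP's export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not from the Talos report): "alice" is sprayed, then a device is registered.
SAMPLE_EVENTS = [
    "2025-03-01T08:00:05 alice mfa_challenge 203.0.113.9",
    "2025-03-01T08:00:20 alice mfa_denied 203.0.113.9",
    "2025-03-01T08:01:02 alice mfa_challenge 203.0.113.9",
    "2025-03-01T08:02:15 alice mfa_challenge 203.0.113.9",
    "2025-03-01T08:02:50 alice mfa_challenge 203.0.113.9",
    "2025-03-01T08:03:10 alice mfa_approved 203.0.113.9",
    "2025-03-01T08:03:45 alice device_registered 203.0.113.9",
    "2025-03-01T09:00:00 bob mfa_challenge 198.51.100.4",
]

def parse(line):
    # Assumed format: "<ISO timestamp> <user> <event> <source ip>"
    ts, user, event, ip = line.split()
    return datetime.fromisoformat(ts), user, event, ip

def detect_mfa_spray(lines, window_s=300, threshold=4):
    """{user: peak count} for users with >= threshold MFA challenges in any window_s-second sliding window."""
    stamps = defaultdict(list)
    for ts, user, event, _ in map(parse, lines):
        if event == "mfa_challenge":
            stamps[user].append(ts)
    hits = {}
    for user, times in stamps.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > timedelta(seconds=window_s):
                start += 1  # slide the window forward past stale challenges
            if end - start + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits

def flag_post_spray_registrations(lines, grace_s=600, **spray_kw):
    """Device registrations by a sprayed user within grace_s seconds of their last MFA challenge:
    a newly 'trusted' method right after a prompt burst is the device-registration abuse pattern."""
    sprayed = detect_mfa_spray(lines, **spray_kw)
    last_challenge, flagged = {}, []
    for ts, user, event, ip in sorted(map(parse, lines)):
        if event == "mfa_challenge":
            last_challenge[user] = ts
        elif event == "device_registered" and user in sprayed and user in last_challenge:
            if ts - last_challenge[user] <= timedelta(seconds=grace_s):
                flagged.append((user, ip, ts.isoformat()))
    return flagged
```

Denied pushes are deliberately not required for a hit: a spray that ends in an approval (prompt fatigue) is the case the registration check is meant to catch.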