5 Identity Security Findings from CrowdStrike’s 2025 Threat Hunting Report

by
Erwin Daria

CrowdStrike’s 2025 Threat Hunting Report offers a detailed view into how modern intrusions unfold. The findings span multiple threat categories, but one pattern dominates: attackers aren't breaking in anymore–they're logging in as legitimate employees, operating inside the exact identity workflows organizations built to establish trust.

Below are five findings that show how identity has become the primary attack surface, and why the way we think about verification needs to change.

TLDR

CrowdStrike’s 2025 Threat Hunting Report shows that modern intrusions are driven by identity abuse, not malware. Attackers use valid credentials, discovery techniques, and social engineering to impersonate employees and operate inside trusted workflows. Organizations need identity assurance that goes beyond login and can be raised when trust matters most, particularly during support and account recovery.

Finding 1: Interactive (Hands-on-Keyboard) Intrusions Are Increasing

CrowdStrike observed a 27% year-over-year increase in interactive intrusions—attackers authenticating with valid credentials and operating manually inside environments. Often there is no malware and no obvious exploit, just someone who appears to belong, doing things that look legitimate.

Once authentication succeeds, the session is trusted. Most identity systems don't reassess that trust as context changes, allowing attackers to operate quietly using legitimate access. This extends dwell time and makes detection far more difficult.

Finding 2: Half of the Most Common Attack Techniques Focus on Discovery

Defense evasion remains the most commonly observed tactic, but five of the ten most frequently used MITRE ATT&CK® techniques were discovery-focused.

These techniques allow attackers to enumerate accounts, identify privileged identities, and understand how access is structured within an organization. Discovery activity reveals where privileged access exists and what data it can reach—both of which get monetized by access brokers and ransomware operators. Because these actions often resemble legitimate administrative behavior, they frequently go unnoticed.

Without stronger identity assurance, attackers can map access paths and identify high-value identities long before security teams realize an intrusion is underway.

Finding 3: GenAI-Powered Social Engineering Is Redefining Workforce Impersonation

CrowdStrike reports increased use of generative AI to enhance social engineering and impersonation capabilities, including in attacks from groups like Scattered Spider. The primary target: support and account recovery workflows.

Support and recovery processes rely on weak identity signals and human judgment. When attackers impersonate employees convincingly enough, they don't bypass authentication—they exploit workflows that assume legitimacy. Workforce impersonation has become one of the most reliable intrusion paths available.

For a deeper look at how these attacks work, download Nametag’s 2026 Workforce Impersonation Report. → [Link to Workforce Impersonation]

Finding 4: Every Industry Now Faces Identity Risk

Technology remained the most frequently targeted industry for the eighth consecutive year. But CrowdStrike observed sharp increases in interactive intrusions targeting manufacturing (55%) and retail (41%).

Identity abuse isn't tied to a specific technology stack. Any organization that relies on workforce identity to grant access, restore accounts, or approve actions is exposed to the same attack patterns. Industry-specific defenses don't address a fundamentally identity-driven threat model.

Finding 5: Authentication Happens Once, Identity Verification Rarely Happens at All

Across these findings, a consistent failure mode emerges: organizations authenticate accounts at login but rarely verify the human behind them. Authentication proves someone has valid credentials—a password, an MFA code, a session token. Identity verification proves the person using those credentials is actually who they claim to be.

Most systems stop at authentication. Once credentials check out, trust is granted and rarely questioned again. Attackers exploit this gap by compromising credentials through phishing or social engineering, often passing helpdesk identity verification checks along the way, then operating inside trusted workflows for extended periods without anyone confirming the actual human behind the activity.

The problem surfaces during high-risk moments: help desk MFA resets, sensitive data access requests, unusual account behavior. Authentication says "valid credentials" but can't answer "correct human."

Static authentication checks can't keep pace with dynamic risk. Without the ability to verify and re-verify identity when trust matters most—particularly during support interactions and account recovery—organizations remain vulnerable even when authentication appears to be working perfectly.
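The distinction the finding draws, valid credentials versus a verified human, can be made concrete as a policy check that runs on every request, not just at login. The block below is an added example written for this post; it is not Nametag's or CrowdStrike's code, and the action names, the 15-minute verification window, and the device/network fields are assumptions chosen for illustration. It shows a session that has already authenticated being asked to re-verify when it reaches a high-risk action (an MFA reset, account recovery) or when its context drifts from where it was authenticated.

```python
"""Added example (not Nametag's or CrowdStrike's code): a policy that decides whether a
request carrying valid credentials must also pass a fresh identity verification.
Action names, thresholds and field names are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

# High-risk moments named in the text: a fresh verification of the human is
# required here regardless of how the session was originally authenticated.
HIGH_RISK_ACTIONS = {"mfa_reset", "account_recovery", "sensitive_data_export"}

# How long (seconds) a successful human verification stays usable for a high-risk action.
VERIFICATION_MAX_AGE = 15 * 60


@dataclass
class Session:
    user: str
    authenticated_at: int                  # epoch seconds when credentials were accepted
    device_id: str                         # device the session was established from
    ip_prefix: str                         # coarse network location at login, e.g. "203.0.113"
    last_verified_at: Optional[int] = None  # last time a live human was verified, if ever


@dataclass
class Request:
    action: str
    now: int
    device_id: str
    ip_prefix: str


@dataclass
class Decision:
    allow: bool
    require_verification: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(session: Session, req: Request) -> Decision:
    """Authentication already succeeded; decide whether that is enough for this request."""
    reasons: List[str] = []

    # 1. High-risk action: "valid credentials" does not answer "correct human".
    if req.action in HIGH_RISK_ACTIONS:
        fresh = (session.last_verified_at is not None
                 and 0 <= req.now - session.last_verified_at <= VERIFICATION_MAX_AGE)
        if not fresh:
            reasons.append(f"high-risk action {req.action!r} without recent verification")

    # 2. Context drift: the session is now used from a different device or network
    #    than the one it was authenticated from. Re-verify instead of trusting the token.
    if req.device_id != session.device_id:
        reasons.append("device changed since authentication")
    if req.ip_prefix != session.ip_prefix:
        reasons.append("network location changed since authentication")

    if reasons:
        return Decision(allow=False, require_verification=True, reasons=reasons)
    return Decision(allow=True, require_verification=False)


def record_verification(session: Session, now: int) -> Session:
    """Call after a successful identity verification to refresh the session's anchor."""
    session.last_verified_at = now
    return session


if __name__ == "__main__":
    # Constructed sample session and requests.
    s = Session(user="alice", authenticated_at=1000, device_id="dev-A", ip_prefix="203.0.113")
    routine = Request(action="read_profile", now=1500, device_id="dev-A", ip_prefix="203.0.113")
    reset = Request(action="mfa_reset", now=1500, device_id="dev-A", ip_prefix="203.0.113")
    print("routine action:", evaluate(s, routine))
    print("mfa reset, never verified:", evaluate(s, reset))
    record_verification(s, now=1500)
    print("mfa reset, just verified:", evaluate(s, reset))
```

The point of the structure is that `evaluate` never inspects the credential itself; the session object already represents a successful login. What it adds is the second question the finding says most systems skip, and it asks it again whenever the action or the context makes the answer matter.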

How Nametag Addresses These Identity Failures

Nametag is built to secure the entire identity ecosystem by changing how trust is established and maintained. At the core is Nametag’s Workforce Identity Verification Platform, powered by Deepfake Defense™, which evaluates multiple independent identity signals and delivers a clear pass/fail decision. 

Nametag’s Deepfake Defense™ technology analyzes these signals to verify that identity inputs are real, unmanipulated, and tied to a live human. Signals include device integrity, spatial liveness, document authenticity, location integrity, and identity correlation with enterprise records. Rather than surfacing raw signals or risk scores, the platform produces a clear pass or fail identity decision that teams can act on immediately.

Rather than relying on a single signal, Nametag verifies identity holistically using device integrity, live human presence, document authenticity, location integrity, and identity correlation with enterprise records. Each successful verification produces a Nametag, a persistent, verified identity anchored to the correct human that can be quickly re-verified as risk changes.

Nametag applies this identity foundation directly to support and account recovery workflows, where attackers most often exploit impersonation. The Support solution verifies the real human behind a request before changes are made, replacing scripts and judgment calls with a clear, auditable identity decision.

How Organizations Should Secure Workforce Identity Against Modern Threats

CrowdStrike’s 2025 Threat Hunting Report shows that modern intrusions are identity-driven by default. Attackers succeed because identity is trusted once and assumed forever.

Defending against these threats requires treating identity as a continuously validated trust signal rather than a one-time check. Nametag is designed to support that model by anchoring identity to a verified human and enforcing trust where impersonation risk is highest.
