Infostealer Malware: The Rising Threat to Enterprise SSO Access (2026)

The cybersecurity landscape is witnessing a concerning shift: infostealers are increasingly targeting enterprise Single Sign-On (SSO) access, posing a significant threat to organizations. According to Flare's recent report, infostealer malware is exposing enterprise identity credentials at an alarming rate. Data from late 2025 reveals that 16% of infections contained SSO or identity provider details, a stark increase from the 6% recorded in early 2024.

The report analyzed a massive dataset of 18.7 million infostealer logs, highlighting a disturbing trend. Between January and November 2025, 2.05 million infostealer logs exposed enterprise identity credentials, granting potential access to corporate email, cloud infrastructure, SaaS platforms, and internal systems. This shift in focus from consumer credential theft to enterprise identity compromise is a critical concern.

The rise in enterprise identity exposure is attributed to the widespread use of centralized authentication systems. Flare identifies identity platforms like Microsoft Entra ID, Okta, and AWS IAM Identity Center as common targets. These platforms, while streamlining access, concentrate risk in fewer systems, making them attractive to attackers. A single compromised credential or session can provide access to multiple connected systems, and infostealers are adept at harvesting saved credentials and active sessions from infected machines.

Estelle Ruellan, a Cybersecurity Researcher at Flare, emphasizes the gravity of the situation: "Centralized identity has become the control plane of the modern enterprise. Attackers understand this shift, and when an infostealer infection succeeds, it increasingly delivers direct access to the systems organizations rely on the most."

The report further breaks down identity provider exposure across more than a dozen vendors, including AWS, Microsoft, Okta, Oracle, and Salesforce. Microsoft Entra ID, in particular, was found in 79% of enterprise identity logs, making it the most impacted identity provider. Over 18% of logs exposed multiple identity providers, increasing incident complexity and the risk of multi-factor authentication bypass.

Despite a 20% year-on-year decline in total infostealer infections, the report predicts a dire outlook for 2026. If the trend persists, Flare estimates that one in five infostealer infections could expose enterprise credentials by the third quarter of 2026. This would significantly elevate business risk, as successful infections can expedite the transition from initial compromise to broader access across corporate systems.

Security teams are already monitoring infostealer activity as part of credential risk management. The report's emphasis on identity providers provides a crucial perspective for prioritizing responses, as identity systems are central to access control. Ruellan concludes, "This divergence points to a structural shift in attacker economics: fewer infections with far greater impact when compromises occur."

Author: Terence Hammes MD
