Every year, the Verizon Data Breach Investigations Report (DBIR) offers a snapshot of how attackers are evolving and where defenders continue to struggle.

This year's report is packed with attention-grabbing findings, from vulnerability exploitation overtaking credential abuse to a sharp rise in third-party compromise and the growing use of AI by threat actors. Yet one statistic ties many of these trends together: the human element was involved in 62% of breaches.

One of the biggest shifts in this year’s DBIR is the rise of vulnerability exploitation as the leading initial access vector.

According to Verizon, exploitation of vulnerabilities accounted for 31% of breaches in 2025, overtaking credential abuse, which dropped to 13%.

That statistic may sound like a move away from identity-focused attacks, but the broader report tells a more nuanced story.

Credential abuse still appeared somewhere in 39% of breaches overall, meaning that attackers aren't abandoning credential-based attacks; they're combining identity compromise with infrastructure exploitation as part of the same intrusion chain. Initial access increasingly comes through exposed edge infrastructure, but compromised identities remain central to lateral movement, persistence, and data theft.

The report also highlights a growing operational problem for defenders: organizations are falling behind on remediation. Only 26% of known exploited vulnerabilities (KEVs) were fully remediated in 2025, down from 38% the previous year.

That combination—expanding attack surface plus slower remediation—creates ideal conditions for ransomware groups and sophisticated intrusions.

Despite the growing focus on vulnerabilities and infrastructure compromise, the human element remained involved in 62% of breaches overall.

The DBIR also highlights the growing prevalence of “Pretexting” attacks—social engineering campaigns built around impersonation, ongoing conversations, and trust manipulation.

Rather than relying solely on obvious phishing lures, attackers increasingly impersonate executives, vendors, IT teams, or trusted business contacts inside existing workflows and communication threads.

This aligns closely with patterns observed across recent Abnormal threat intelligence research, including:

• business email compromise (BEC)

• vendor impersonation

• account takeover

• and relationship-based fraud

These attacks are especially difficult to detect because the surrounding context is often legitimate. Messages arrive through established vendor relationships, inside existing email threads, and as part of normal business workflows.

As a result, the most reliable signals often aren't malicious links, attachments, or known indicators. They're behavioral anomalies, such as:

• unusual communication patterns

• unexpected requests

• abnormal payment workflows

• suspicious identity activity

That shift continues pushing detection away from static indicators and toward behavioral understanding.

One of the most significant findings in this year’s DBIR is the continued rise of third-party compromise.

According to Verizon, 48% of breaches involved a third party in some capacity—a 60% increase from the previous year.

Rather than targeting organizations directly, attackers increasingly exploit vendors, SaaS providers, cloud platforms, contractors, and OAuth integrations.

The report repeatedly highlights how compromised vendor accounts, weak cloud identity controls, and excessive permissions are enabling attackers to move laterally through trusted ecosystems. Abnormal’s own research shows that 44.2% of read vendor email compromise messages are engaged with by employees, illustrating just how effective trusted communications can be once attackers gain access to legitimate accounts.

Third-party compromise is particularly dangerous because it expands the attack surface beyond an organization's direct control. A single compromised vendor, SaaS platform, or cloud identity can create downstream risk across hundreds or even thousands of connected organizations.

As organizations continue expanding their SaaS and partner ecosystems, trust itself is increasingly becoming part of the attack surface.

The DBIR shows that threat actors continue to leverage generative AI across phishing, malware development, vulnerability research, and attack automation. Verizon found the median malicious actor leveraged AI across 15 different documented attack techniques.

Importantly, the report concludes that AI is primarily accelerating and scaling known attack methods rather than inventing entirely new ones.

Attackers are using AI to industrialize and perfect existing tactics:

• generating more convincing phishing content

• improving impersonation quality

• accelerating exploit development

• scaling socially engineered attacks faster than traditional defenses can adapt

The 2026 DBIR reinforces a growing reality for security leaders: modern attacks increasingly blend technical compromise with human manipulation in ways that legacy controls struggle to interpret.

As a result, defending modern organizations increasingly requires understanding behavior itself: how people normally communicate, how relationships typically operate, and when something subtly deviates from that baseline.

To prepare for threats targeting your organization across cloud email and collaboration environments, explore Abnormal Threat Intelligence.