How to Navigate the 2025 Identity Threat Landscape

As exposed credentials and password spraying define the identity threat landscape, CrowdStrike Falcon Identity Protection helps organizations fight these modern threats.

Identity is at the center of the fight against adversaries. As threat actors weaponize legitimate credentials and sell access to the highest bidders, organizations must proactively detect and secure exposed identities to shut down potential attack paths before they can be exploited.

The CrowdStrike 2025 Global Threat Report illustrates the urgent need for strong identity protection as adversaries explore new techniques. Social engineering is growing in popularity: Voice phishing (vishing) attacks surged by 442% between the first and second half of 2024 as groups like CURLY SPIDER trick employees into handing over login details. Those who don’t steal credentials can buy them — access broker activity was up nearly 50% in 2024, reflecting the growing market for illicit access. Further, more than half (52%) of observed vulnerabilities in 2024 were tied to initial access.

With their credentials in the crosshairs, organizations need a faster, smarter approach to detect and stop adversary activity in real time. CrowdStrike Falcon® Identity Protection delivers this speed and intelligence by harnessing the power of the CrowdStrike Falcon® platform and its world-class threat intelligence and unifying identity protection across hybrid environments. Falcon Identity Protection helps organizations detect and stop identity-based threats before they escalate — even when they use legitimate credentials.

Detect and Respond to Exposed Credentials 

Organizations can stay ahead of this growing threat by leveraging Falcon Identity Protection along with the Recon function in CrowdStrike Falcon® Adversary Intelligence, which integrates seamlessly to detect and mitigate exposed credentials in real time.

The following scenario demonstrates how, with this integration, Falcon Identity Protection responds to credentials exposed by access brokers. A Recon notification reveals a data exposure involving the fictitious company Awesome Health Network. The activity is linked to LockBit, a notorious ransomware-as-a-service operation. Further investigation shows that BITWISE SPIDER — a well-known eCrime adversary with a history of leveraging LockBit — has ties to this exposure event, underscoring the urgent need for swift action.

Figure 1. A Recon notification highlighting exposed data linked to the fictitious “Awesome Health Network,” with ties to LockBit ransomware and eCrime actor BITWISE SPIDER.

The table on the lower half of the screen displays the data exposed, which was posted by an attacker to a malicious forum. A number of identities were compromised, including user names, passwords, and other sensitive information. (Note: this information is fictitious and for demonstrative purposes only.)

Exposed identities detected by Recon can be sent to Falcon Identity Protection manually or automatically.

Figure 2. The Recon notification includes a detailed view of compromised credentials, showcasing exposed user names, emails, phone numbers, and hashed passwords tied to the leak (fictitious data).

In Falcon Identity Protection, affected accounts are flagged with the compromised password attribute, signifying the heightened risk level for the exposed identity. Compromised passwords are visually indicated by an unlocked lock icon when viewing entities.

Figure 3. A user involved in the exposed data event is automatically marked with the compromised password attribute and risk indicated by the unlocked lock icon.

Users can automatically mitigate compromised password risk with Falcon Identity Protection policy rules. The reset password action prompts affected users to change their password at their next login.

The compromised password attribute can be used as a condition when designing identity protection policies, enabling customizable controls to restrict access to critical resources, enforce identity verification, and strengthen security measures.

Figure 4. An identity policy rule takes a reset password action when a compromised password account event occurs, mitigating password-based risk automatically.

Watch how Falcon Identity Protection protects against exposed credentials:

Protect Cloud Credentials from Identity-Based Attacks

Adversaries are increasingly targeting cloud identities, using techniques like password spraying to compromise accounts for identity management services such as Entra ID. The China-nexus ORB07 network, highlighted in the CrowdStrike 2025 Global Threat Report, is one example of this growing threat. According to the report, the misuse of valid accounts emerged as the primary initial access vector for cloud environments, accounting for 35% of cloud incidents in the first half of 2024.

Falcon Identity Protection automatically detects malicious credential access activity, such as password spraying against an Entra ID account, and triggers a detection on the suspicious behavior.

Figure 5. Falcon Identity Protection automatically triggers an alert for a web-based password brute force attack, detailing the targeted accounts and destinations of the failed authentication attempts.
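As an added illustration (not CrowdStrike's code or detection logic), here is one way a defender can pick password spraying out of sign-in telemetry: the sign-in events, source IPs, account names and thresholds below are all constructed assumptions. Spraying is distinguished from single-account brute force by the breadth of accounts one source fails against inside a short window, and any success from such a source is surfaced because that is the credential the adversary now holds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Entra ID-style sign-in events (synthetic, not from any real tenant):
# (UTC timestamp, source IP, user principal name, result)
SAMPLE_SIGN_INS = [
    ("2025-03-01T10:00:01Z", "203.0.113.7", "alice@awesomehealth.example", "failure"),
    ("2025-03-01T10:00:04Z", "203.0.113.7", "bob@awesomehealth.example", "failure"),
    ("2025-03-01T10:00:08Z", "203.0.113.7", "carol@awesomehealth.example", "failure"),
    ("2025-03-01T10:00:11Z", "203.0.113.7", "dave@awesomehealth.example", "failure"),
    ("2025-03-01T10:00:15Z", "203.0.113.7", "erin@awesomehealth.example", "failure"),
    ("2025-03-01T10:00:19Z", "203.0.113.7", "frank@awesomehealth.example", "success"),
    ("2025-03-01T10:02:00Z", "198.51.100.9", "alice@awesomehealth.example", "failure"),
    ("2025-03-01T10:02:05Z", "198.51.100.9", "alice@awesomehealth.example", "failure"),
    ("2025-03-01T10:02:09Z", "198.51.100.9", "alice@awesomehealth.example", "failure"),
    ("2025-03-01T11:30:00Z", "192.0.2.44", "grace@awesomehealth.example", "failure"),
    ("2025-03-01T11:30:20Z", "192.0.2.44", "grace@awesomehealth.example", "success"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One finding per source IP whose failed sign-ins hit at least `min_accounts`
    distinct accounts inside a `window`. Spraying spreads a few guesses over many
    accounts, so the signal is account breadth per source, not attempt depth per
    account (198.51.100.9 above is single-account brute force and is not flagged)."""
    failures = defaultdict(list)   # source IP -> [(time, account)]
    successes = defaultdict(set)   # source IP -> accounts that signed in successfully
    for ts, ip, upn, result in events:
        if result == "failure":
            failures[ip].append((_parse(ts), upn))
        elif result == "success":
            successes[ip].add(upn)
    findings = []
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            in_window = [upn for t, upn in attempts[i:] if t - start <= window]
            if len(set(in_window)) >= min_accounts:
                findings.append({
                    "source_ip": ip,
                    "targeted_accounts": sorted(set(in_window)),
                    "failed_attempts": len(in_window),
                    # A success from a spraying source is the credential to reset first
                    "accounts_signed_in": sorted(successes[ip]),
                })
                break
    return findings
```

The thresholds are tuning knobs: a lower `min_accounts` catches slower sprays at the cost of flagging shared egress IPs (VPN concentrators, NAT gateways) where several users mistype passwords around the same time.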

If an adversary gains valid credentials through password spraying, social engineering, or other methods, Falcon Identity Protection can block the malicious use of those credentials.

CrowdStrike recently announced inline, real-time protection for Microsoft Entra ID, delivering proactive defense against unauthorized access. Falcon Identity Protection is used as the external authentication method (EAM) during Entra ID authentication requests.

Figure 6. Falcon Identity Protection is used as the external authentication method (EAM) during Entra ID authentication requests for inline, real-time protection.

This capability detects adversary login attempts in real time by analyzing unusual login locations, unauthorized access patterns, risk levels, user privileges, and other security signals. Based on these signals, access can be granted, blocked, or require additional verification, ensuring organizations stay ahead of evolving threats like those described in the CrowdStrike 2025 Global Threat Report.

Figure 7. An identity policy rule takes a block action when Entra ID authentication requests come from unusual countries, an anonymized IP, and a medium-to-high user risk.

Watch real-time Entra ID login protection in action:

The CrowdStrike 2025 Global Threat Report makes it clear: Adversaries are moving faster and exploiting legitimate credentials to blend in and evade detection. Falcon Identity Protection ensures security teams can accelerate their defenses. By integrating with Recon, organizations can automatically detect and respond to compromised credentials before adversaries exploit them.

With visibility and protection across hybrid identity environments — from on-premises Active Directory to cloud-based identity providers like Microsoft Entra ID and SaaS applications — CrowdStrike eliminates blind spots and stops attacks at every entry point. Our real-time protection and adaptive identity security policies proactively block adversaries, preventing breaches before they start.

Learn more about how Falcon Identity Protection can safeguard your organization from top identity-driven adversaries in this white paper: Outpacing Adversaries: Defending Against Identity-Based Threats.

Additional Resources

CrowdStrike 2025 Global Threat Report

Get your copy of the must-read cybersecurity report of the year.