Cybercriminals are no longer hacking into corporate networks; they are targeting legacy enterprise email security. According to the newly released Darktrace Annual Threat Report 2026, the battleground for North American businesses has shifted directly into the inbox. As threat actors increasingly leverage cloud account compromise to evade detection, they are paving the way for devastating downstream impacts, characterized by aggressive new ransomware extortion tactics.
For B2B organizations, the data serves as a critical warning that securing the modern digital workspace requires a fundamental shift in strategy.
The findings in this report are drawn from a comprehensive analysis of global cyber threat data collected throughout 2025, analyzing the billions of network connections, cloud interactions, and email communications across Darktrace's global customer base.
While the full report covers a wide array of global cyber threats, including nation-state espionage and operational technology (OT) vulnerabilities, this article focuses on two of the most critical vectors impacting North American enterprises today: the collapse of traditional email defenses and the evolution of ransomware threats.
The Illusion of Trust: Why DMARC is No Longer Enough
The most alarming finding in the report regarding enterprise email security is the collapse of traditional authentication protocols. For years, the industry has relied on DMARC (Domain-based Message Authentication, Reporting, and Conformance) to verify sender identity and block malicious emails. However, Darktrace observed that a staggering 70% of malicious emails successfully passed DMARC authentication in 2025.
The report stated:
"Email Remains the Single Most Reliable Attack Channel. Phishing volume, sophistication, and success continue to rise, driven by QR codes, AI-generated content, brand impersonation, and native platform abuse that bypasses legacy filtering."
Threat actors are bypassing these legacy enterprise email security filters by exploiting the very concept of "trust." They achieve this primarily through cloud account compromise. Instead of spoofing a domain from the outside, attackers are logging into legitimate, trusted SaaS accounts and launching attacks from the inside. Because the email originates from a verified, high-reputation domain, traditional enterprise email security gateways wave it through.
Furthermore, attackers are weaponizing new infrastructure at an unprecedented scale. Darktrace identified over 1.6 million newly created domains used for phishing in 2025. These domains have no negative reputation history, allowing them to bypass blocklists and land directly in the inboxes of North American executives. In the Americas, 32% of phishing emails specifically targeted VIPs, a significantly higher rate than in Europe or Asia, highlighting the lucrative nature of high-level cloud account compromise.
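The two signals described above, a DMARC pass that proves nothing about intent and a link to a days-old domain with no reputation, are what a behavioural check has to weigh together. The following is an added example, not code from the report or from Darktrace, that scores a constructed inbound message using a constructed registration-date table (standing in for a WHOIS/RDAP lookup) and a constructed sender-to-recipient history; all domains, addresses and dates are made up.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed registration dates standing in for a WHOIS/RDAP lookup
REGISTRATION_DATES = {"partner-corp.example": date(2014, 3, 2),
                      "partner-corp-docs.example": date(2025, 11, 28)}
# Constructed baseline: who each external sender has mailed in the last 90 days
RECIPIENT_HISTORY = {"alice@partner-corp.example": {"ops@acme.example", "ap@acme.example"}}
TODAY = date(2025, 12, 1)  # constructed "now" for the age calculation

# Constructed inbound message: a real partner mailbox, DMARC passes, but the
# link points at a days-old look-alike domain and the recipient is unusual.
SAMPLE = """From: Alice <alice@partner-corp.example>
To: ceo@acme.example
Authentication-Results: mx.acme.example; dmarc=pass header.from=partner-corp.example
Subject: Updated invoice

Please review the invoice at https://partner-corp-docs.example/inv/88213
"""

def dmarc_passed(msg):
    """True when any Authentication-Results header reports dmarc=pass."""
    auth = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(r"\bdmarc=pass\b", auth, re.I) is not None

def link_domains(body):
    """Hostnames of every http(s) URL in the body text."""
    return {m.lower() for m in re.findall(r"https?://([\w.-]+)", body)}

def domain_age_days(domain):
    reg = REGISTRATION_DATES.get(domain)
    return None if reg is None else (TODAY - reg).days

def score_message(raw, max_new_days=30):
    """Flag behavioural anomalies even when authentication succeeds."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_payload(decode=True).decode(errors="replace")
    reasons = []
    for dom in sorted(link_domains(body)):
        age = domain_age_days(dom)
        if age is None or age < max_new_days:
            reasons.append(f"link to new or unknown domain {dom}")
    if recipient not in RECIPIENT_HISTORY.get(sender, set()):
        reasons.append(f"{sender} has no history of mailing {recipient}")
    # DMARC result is recorded, but a pass does not veto the anomaly signals
    return {"dmarc_pass": dmarc_passed(msg), "suspicious": bool(reasons), "reasons": reasons}
```

Run against SAMPLE, the message reports dmarc_pass True and suspicious True with two reasons; the same message sent to a usual recipient with a link on the long-registered domain produces no reasons.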
The Rise of Quishing and Evasive Payloads
As organizations train employees to spot suspicious links, attackers are adapting their methods to evade both human detection and automated enterprise email security scans. The report highlights a massive surge in "Quishing", or QR code phishing.
In 2025, Darktrace detected over 1.2 million QR code phishing emails globally. Because QR codes are images, they often bypass text-based URL scanners used in standard enterprise email security platforms. To further complicate detection, attackers are employing highly evasive techniques, such as splitting the QR code into two separate images that only form a scannable code when rendered in the email client, or nesting the malicious code within a larger, benign image.
Once an employee scans the code with their mobile device, they are directed to a credential-harvesting site. This leads directly to cloud account compromise. This tactic is particularly dangerous because it moves the attack off the protected corporate network and onto the user's personal or unmanaged mobile device, effectively blinding the security team to the initial breach.
The Endgame: Aggressive Ransomware Extortion Tactics
The ultimate goal of a successful cloud account compromise is rarely just to read emails; it is to establish a foothold for monetization. In North America, the impact phase of these breaches is increasingly defined by aggressive ransomware extortion tactics.
The report notes that the ransomware ecosystem has matured into a highly specialized supply chain. Access brokers handle the initial cloud account compromise via phishing, and then sell that access to specialized ransomware operators. What is changing, however, is how these operators extract payment.
We are seeing a sharp rise in double and triple ransomware extortion tactics. Groups like Akira and BlackSuit, which heavily target US enterprises, are prioritizing data exfiltration before they deploy encryption payloads. This means that even if an organization has perfect backups and can restore their systems, they are still vulnerable to the public release of sensitive data.
These ransomware extortion tactics are proving highly effective, particularly against sectors that cannot afford downtime or regulatory scrutiny. The Manufacturing sector, for example, accounted for 29% of all ransomware incidents in the Americas in 2025. Attackers know that the combination of operational downtime and the threat of data leaks creates maximum leverage.
Final Takeaway
The data makes it clear that the traditional, perimeter-based approach to enterprise email security is fundamentally broken. When 70% of malicious emails pass standard authentication, and attackers are routinely using legitimate infrastructure to launch attacks, organizations must rethink their defenses.
Preventing cloud account compromise requires moving beyond static rules and blocklists, and adopting AI-driven behavioral analysis that can detect anomalies in how users and accounts behave, regardless of their authentication status. Ultimately, stopping the initial inbox breach is the only reliable way to protect the enterprise from the devastating financial and reputational damage of modern ransomware extortion tactics.
FAQs
What is DMARC, and why is it failing enterprise email security?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol. It is designed to protect domain names from misuse, such as spoofing. It is failing modern enterprise email security checks because attackers are increasingly launching attacks from legally registered, newly created domains. They could also come from compromised, legitimate accounts that inherently pass DMARC checks.
What is "Quishing" and how does it lead to cloud account compromise?
"Quishing" is a form of phishing that uses malicious QR codes instead of text-based links. Because QR codes are images, they easily bypass traditional email scanners. When a user scans the code, they are taken to a fake login page designed to steal their credentials. This can then result in a cloud account compromise.
What are double ransomware extortion tactics?
Traditional ransomware simply encrypted a victim's files and demanded payment for the decryption key. Double ransomware extortion tactics involve a two-pronged attack: the cybercriminals first steal (exfiltrate) sensitive corporate data before encrypting the network. They then demand a ransom to unlock the files and stop public exposure.
What does "Living off the Land" (LOTL) mean in the context of cloud account compromise?
"Living off the Land" refers to cyberattacks where the threat actor uses legitimate, native tools. These tools are already present in the victim's environment, rather than malicious actors having to download custom malware. In a cloud account compromise, an attacker might use native features to maintain stealthy access without triggering antivirus alerts.