Cloudflare 2026 Report: Attackers Log In, Not Break In

Credentials Are the New Exploit
Cloudflare’s inaugural 2026 Threat Report, produced by its Cloudforce One threat intelligence team, delivers one blunt conclusion: the era of brute-force entry is over. Threat actors now log in to your environment using stolen credentials and trusted cloud services — they don’t break in. The report, drawn from trillions of network signals across roughly 20% of global web traffic, documents a landscape where 94% of all login attempts are bots and 63% of human logins involve credentials already compromised elsewhere. This isn’t a prediction. It’s a measurement of what happened throughout 2025, and it’s accelerating.
Cloudflare blocks an average of 230 billion threats per day, according to Help Net Security’s analysis of the report. The volume alone tells you the attack cycle has become fully automated. But the more dangerous signal is the shift in how breaches originate: from vulnerability exploitation to credential abuse and trust exploitation.
Measure of Effectiveness Trumps Sophistication
The report introduces a concept Cloudforce One calls the Measure of Effectiveness (MOE) — the ratio of effort to operational outcome. The most dangerous threat actors in 2026 aren’t the ones writing the most advanced zero-days. They’re the ones who can integrate intelligence and technology into a continuous system that achieves their mission fastest.
This explains why nation-state groups like China’s FrumpyToad use Google Calendar event descriptions for encrypted command-and-control loops, and why North Korea’s PatheticSlug routes XenoRAT payloads through Google Drive and Dropbox. These aren’t sophisticated technical exploits. They’re low-effort, high-return operations that blend seamlessly with legitimate enterprise traffic.
As Cloudflare’s report states: “In 2026, the most dangerous threat actors aren’t the ones with the most advanced code; it’s the ones who can integrate intelligence and technology into a single, continuous system that achieves their mission in the shortest time possible.”
Session Token Theft Renders MFA Irrelevant
The single most actionable finding for security teams: infostealers like LummaC2 harvest live session tokens, not stored passwords. A session token bypasses MFA entirely because it represents an already-authenticated session. Your second factor? Irrelevant. The attacker is holding the key that was issued after authentication.
According to Help Net Security, 54% of ransomware attacks in 2025 traced back to infostealer-enabled credential theft. Cloudforce One participated in a coordinated global operation in May 2025 to disrupt LummaC2 infrastructure, but successor variants are already being tracked — and they may automate the infection-to-ransomware pipeline down to hours.
The credential abuse numbers are stark:
- 94% of all login attempts originate from bots
- 46% of analyzed emails failed DMARC authentication
- 43% failed SPF, and 44% or more lacked valid DKIM signatures
- $123 million in BEC theft attempts intercepted in 2025, averaging $49,225 per attempt — deliberately calibrated below executive approval thresholds
MFA remains necessary but insufficient. Teams need session token monitoring, anomaly detection on authenticated sessions, and token lifecycle management. For a deeper look at why machine identity failures are a growing cloud attack vector, see our earlier analysis on machine identity security in cloud-native systems.
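To make the token-lifecycle advice concrete, here is an added Python example (not code from Cloudflare's report or from this article) of a server-side session store that issues short-lived, client-bound tokens, rotates them on every use, and treats two signals as theft: a token presented from a different client fingerprint than it was bound to, and replay of a token that has already been rotated. The class and function names, the 15-minute token TTL, the 8-hour session cap and the demo key are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key: in production this comes from a KMS/HSM, never from source code.
SERVER_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL = 15 * 60          # each token is valid for 15 minutes (assumed)
SESSION_MAX_AGE = 8 * 3600   # absolute session lifetime regardless of activity (assumed)


def _fingerprint(client_context):
    """Hash of the client attributes a token is bound to (UA, TLS fingerprint, ASN ...)."""
    canonical = json.dumps(client_context, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def _sign(payload_b64):
    """HMAC over the base64 payload so tampering is detected without a DB lookup."""
    return hmac.new(SERVER_KEY, payload_b64, hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory session state: which token id is currently live for each session."""

    def __init__(self):
        self.sessions = {}   # session_id -> dict(user, fp, started, current_tid, revoked)

    def issue(self, user, client_context, now=None):
        """Start a session for an already-authenticated user and mint its first token."""
        now = time.time() if now is None else now
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "fp": _fingerprint(client_context),
                              "started": now, "current_tid": None, "revoked": False}
        return self._mint(sid, now)

    def _mint(self, sid, now):
        tid = secrets.token_hex(8)
        self.sessions[sid]["current_tid"] = tid
        payload = {"sid": sid, "tid": tid, "iat": now, "exp": now + TOKEN_TTL}
        p = base64.urlsafe_b64encode(json.dumps(payload).encode())
        return p.decode() + "." + _sign(p)

    def validate(self, token, client_context, now=None):
        """Return (verdict, rotated_token). Any verdict other than 'ok' means reject."""
        now = time.time() if now is None else now
        try:
            p, sig = token.split(".")
        except ValueError:
            return "malformed", None
        if not hmac.compare_digest(_sign(p.encode()), sig):
            return "bad_signature", None
        payload = json.loads(base64.urlsafe_b64decode(p))
        s = self.sessions.get(payload["sid"])
        if s is None or s["revoked"]:
            return "revoked", None
        if now > payload["exp"] or now > s["started"] + SESSION_MAX_AGE:
            return "expired", None
        # Theft signal 1: the token arrives from a different client than it was bound to.
        if s["fp"] != _fingerprint(client_context):
            s["revoked"] = True
            return "fingerprint_mismatch", None
        # Theft signal 2: an already-rotated token is replayed, so two parties hold copies.
        if payload["tid"] != s["current_tid"]:
            s["revoked"] = True          # kill the session for both holders, force re-auth
            return "token_reuse", None
        # Valid use: rotate, so any copy taken before this request is now stale.
        return "ok", self._mint(payload["sid"], now)
```

Rotation is what turns a stolen copy into a detectable event: after the legitimate client has used the token once, the infostealer's copy is stale, and the first party to present a stale token gets the whole session revoked. That forces a fresh authentication instead of letting the attacker coexist quietly on a still-valid session.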
Cloud Services Weaponized as C2 Infrastructure
Cloudforce One documents a pattern it calls “Living off the XaaS” (LotX) — threat actors routing malicious activity through legitimate cloud services to evade detection. This isn’t theoretical. The report names specific actors and their infrastructure choices:
| Threat Actor | Attribution | Technique | Infrastructure |
|---|---|---|---|
| FrumpyToad | China | Logic-based C2 | Google Calendar event descriptions for encrypted commands |
| PunyToad | China | Encrypted tunneling | Cloud computing for living-off-the-cloud architectures |
| NastyShrew | Russia | Dead drop resolvers | Teletype.in and Rentry.co paste sites |
| PatheticSlug | North Korea | PaaS-ing the perimeter | Google Drive, Dropbox, GitHub for payloads and C2 |
| CrustyKrill | Iran | SaaS-hosted phishing | Azure Web Apps for C2, ONLYOFFICE for payloads |
Defenders face a structural problem here: how do you block traffic to Google Calendar or Dropbox without crippling your own operations? The answer isn’t blanket blocking — it’s behavioral analytics on SaaS API usage, token scope auditing, and strict OAuth permission policies. Our earlier piece on thinking like a cloud attacker covers the attacker mindset that makes these techniques effective.
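The behavioral-analytics approach can be shown on egress-proxy data. The following is an added Python example, not code from the report or the vendor, that runs three detections over a constructed log excerpt: timing regularity that looks like a scheduled C2 poll to a SaaS endpoint (coefficient of variation of inter-arrival times), service-account activity outside a business window, and upload volume to a SaaS host far above that principal's own daily median. The log format, the `svc-` naming convention, the 07:00-19:00 UTC window and all thresholds are assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed egress-proxy log excerpt: "ts principal dest_host method bytes_out". Not real traffic.
SAMPLE_LOG = """\
2026-02-01T11:00:03Z svc-ci api.dropboxapi.com PUT 1100000
2026-02-02T11:00:07Z svc-ci api.dropboxapi.com PUT 1300000
2026-02-03T02:13:41Z svc-ci api.dropboxapi.com PUT 48000000
2026-02-03T02:14:22Z svc-ci api.dropboxapi.com PUT 52000000
2026-02-03T09:00:00Z jdoe calendar.googleapis.com GET 420
2026-02-03T09:02:11Z asmith drive.google.com GET 380
2026-02-03T09:03:40Z asmith drive.google.com GET 380
2026-02-03T09:05:00Z jdoe calendar.googleapis.com GET 420
2026-02-03T09:10:00Z jdoe calendar.googleapis.com GET 420
2026-02-03T09:15:00Z jdoe calendar.googleapis.com GET 420
2026-02-03T09:20:00Z jdoe calendar.googleapis.com GET 420
2026-02-03T09:25:00Z jdoe calendar.googleapis.com GET 420
2026-02-03T09:30:00Z jdoe calendar.googleapis.com GET 420
2026-02-03T09:31:05Z asmith drive.google.com GET 380
2026-02-03T10:47:52Z asmith drive.google.com GET 380
2026-02-03T11:00:05Z svc-ci api.dropboxapi.com PUT 1200000
2026-02-03T11:05:19Z svc-ci api.github.com GET 300
2026-02-03T13:15:09Z asmith drive.google.com GET 380
2026-02-03T13:15:30Z asmith drive.google.com POST 2400000
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts with UTC datetimes."""
    events = []
    for line in text.strip().splitlines():
        ts, principal, host, method, bytes_out = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "principal": principal, "host": host, "method": method, "bytes_out": int(bytes_out),
        })
    return events


def _by_pair(events):
    pairs = defaultdict(list)
    for e in events:
        pairs[(e["principal"], e["host"])].append(e)
    return pairs


def beaconing(events, min_events=6, max_cv=0.15):
    """Flag (principal, host) pairs whose request timing is too regular for a human.
    cv = stdev/mean of inter-arrival gaps; a scheduled poll has cv close to 0."""
    hits = []
    for (principal, host), evs in _by_pair(events).items():
        if len(evs) < min_events:
            continue
        times = sorted(e["ts"].timestamp() for e in evs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append((principal, host, round(mean)))
    return hits


def off_hours_service_activity(events, business_hours=(7, 19), prefix="svc-"):
    """Service-account requests outside the business window (assumed 07:00-19:00 UTC)."""
    start, end = business_hours
    return [(e["principal"], e["host"], e["ts"].isoformat())
            for e in events
            if e["principal"].startswith(prefix) and not (start <= e["ts"].hour < end)]


def upload_volume_outliers(events, factor=5, min_days=3):
    """Days on which a pair's uploaded bytes exceed `factor` x that pair's own daily median."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["method"] in ("POST", "PUT"):
            daily[(e["principal"], e["host"])][e["ts"].date().isoformat()] += e["bytes_out"]
    hits = []
    for (principal, host), days in daily.items():
        if len(days) < min_days:           # not enough history to call a baseline
            continue
        median = statistics.median(days.values())
        for day, total in sorted(days.items()):
            if total > factor * median:
                hits.append((principal, host, day, total, median))
    return hits
```

None of these rules touch the destination itself, which is the point: Google Calendar and Dropbox stay reachable, and the alert is raised on how the principal is using them. In practice the beaconing check needs jitter tolerance (attackers randomise poll intervals) and the volume baseline wants weeks of history rather than three days, but the shape of the analysis is the same.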
DDoS Closes Human Response Window
The DDoS data in the report should end any remaining debate about manual mitigation. Cloudflare recorded 47.1 million DDoS attacks in 2025, double the 2024 total, with network-layer attacks tripling year over year. The largest: a 31.4 Tbps UDP flood launched by the Aisuru botnet in November 2025 — six times larger than 2024’s peak.
The Aisuru and Kimwolf botnets collectively control an estimated 1-4 million infected hosts. Most attacks last under 10 minutes. As Cloudflare’s press release notes, when attacks move at machine speed, human-centric defense is no longer viable. If your DDoS response involves a human reading an alert and making a decision, you’ve already lost.
Nation-State Persistence: Salt Typhoon and Beyond
Chinese-affiliated groups Salt Typhoon and Linen Typhoon targeted North American telecommunications, government networks, and IT services throughout 2025, seeking persistent access for potential future disruption. These operations are linked to breaches at AT&T, Verizon, and Lumen, and the July 2025 Microsoft SharePoint compromise, according to Help Net Security’s coverage.
North Korean operations took a different approach: embedding operatives directly into Western companies through AI-generated deepfake profiles and U.S.-based laptop farms. Detection indicators include impossible travel alerts, mouse-jiggling software, and video metadata artifacts from real-time deepfake rendering.
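Of the indicators listed, impossible travel is the one that reduces to a clean calculation. The following is an added Python example (not from the report or this article's author) that walks a user's consecutive sign-ins, computes the great-circle distance between their geo-IP locations with the haversine formula, and flags any pair whose implied speed exceeds what an airliner could manage. The login records are constructed, and the 900 km/h ceiling and the 100 km jitter floor are assumed thresholds.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0

# Constructed login telemetry (not real data): ts, user, geo-IP city, latitude, longitude.
SAMPLE_LOGINS = [
    ("2026-02-03T09:00:00Z", "asmith", "London", 51.5074, -0.1278),
    ("2026-02-03T13:00:00Z", "asmith", "Manchester", 53.4808, -2.2426),
    ("2026-02-03T13:00:00Z", "remote-dev", "New York", 40.7128, -74.0060),
    ("2026-02-03T14:10:00Z", "remote-dev", "London", 51.5074, -0.1278),
    ("2026-02-03T14:12:00Z", "remote-dev", "London", 51.5200, -0.1000),  # geo-IP jitter, not travel
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(logins, max_kmh=900.0, min_km=100.0):
    """Flag consecutive logins by the same user whose implied speed exceeds max_kmh.
    max_kmh is roughly airliner speed; min_km ignores geo-IP jitter inside one city."""
    alerts = []
    ordered = sorted(logins, key=lambda rec: (rec[1], _parse(rec[0])))
    for prev, cur in zip(ordered, ordered[1:]):
        if prev[1] != cur[1]:               # boundary between two users' histories
            continue
        km = haversine_km(prev[3], prev[4], cur[3], cur[4])
        if km < min_km:
            continue
        hours = (_parse(cur[0]) - _parse(prev[0])).total_seconds() / 3600
        kmh = km / hours if hours > 0 else math.inf   # simultaneous logins far apart
        if kmh > max_kmh:
            alerts.append({"user": cur[1], "from": prev[2], "to": cur[2],
                           "km": round(km), "kmh": round(kmh)})
    return alerts
```

A VPN or a corporate egress point will produce false positives, so in a real pipeline the geo-IP lookup should be joined with the ASN and with the device attestation the report recommends; the distance-over-time test is the cheap first filter, not the verdict.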
Iranian groups like CrustyKrill used Azure Web Apps to host command-and-control pages — hiding behind Microsoft’s own infrastructure.
The common thread: every group exploits trust in legitimate services rather than technical vulnerabilities. As Cyber Security Asia summarizes, the security paradigm has shifted from “keeping strangers out” to “proving internal users are who they say they are.”
Defensive Actions for Cloud Teams
The report’s findings point to specific, prioritized actions for cloud security operations:
- Session token lifecycle management. Implement short-lived tokens, continuous session validation, and anomaly detection on authenticated sessions. MFA alone won’t stop token theft.
- Audit SaaS OAuth scopes and API integrations. Map every third-party integration with write access to your cloud environment. A single over-privileged SaaS connection — as demonstrated by the GRUB1/Salesloft breach — can cascade across hundreds of corporate tenants.
- Automate DDoS response. If your mitigation requires human approval, the attack is over before you respond. Deploy always-on automated scrubbing with sub-second activation.
- Implement strict DMARC enforcement. Nearly half of analyzed emails fail basic authentication. Enforce DMARC at p=reject for your own domains and scrutinize inbound mail from domains with weak or missing DMARC records.
- Behavioral analytics on cloud service usage. You can’t block Google Calendar or Azure Web Apps. You can detect anomalous API call patterns, unusual data volumes, and off-hours activity from service accounts.
- Verify remote workforce identity. Screen for deepfake indicators in video interviews, implement device attestation for remote workers, and flag impossible-travel login patterns.
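The DMARC recommendation above and the DMARC/SPF/DKIM failure rates quoted earlier can be turned into a small policy evaluator. What follows is an added Python example, not code from Cloudflare or this article, that parses DMARC TXT records into tags, grades how much protection a sender's record actually offers (p=reject at pct=100 versus quarantine, monitoring-only or no record), and decides the disposition of inbound messages from the SPF and DKIM results plus identifier alignment, the same logic a receiving MTA applies. The DNS records and messages are constructed, the domains are placeholders, and the organizational-domain check is simplified to the last two labels (real implementations use the Public Suffix List).

```python
# Constructed DNS TXT answers for _dmarc.<domain>; no live lookups are performed.
SAMPLE_DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "partner.example": "v=DMARC1; p=none; rua=mailto:reports@partner.example",
    "vendor.test": "v=DMARC1; p=quarantine; pct=25",
    "nodmarc.test": None,
}

# Constructed inbound messages, as the receiving MTA sees them after SPF/DKIM checks.
SAMPLE_MESSAGES = [
    {"from_domain": "example.com", "spf": "pass", "mailfrom": "example.com",
     "dkim": "pass", "dkim_d": "example.com"},                      # genuine, fully aligned
    {"from_domain": "example.com", "spf": "pass", "mailfrom": "bulk-sender.test",
     "dkim": "fail", "dkim_d": "example.com"},                      # spoofed From, SPF not aligned
    {"from_domain": "partner.example", "spf": "fail", "mailfrom": "partner.example",
     "dkim": "none", "dkim_d": None},                               # fails, sender only monitors
    {"from_domain": "nodmarc.test", "spf": "softfail", "mailfrom": "nodmarc.test",
     "dkim": "none", "dkim_d": None},                               # fails, sender has no record
    {"from_domain": "vendor.test", "spf": "fail", "mailfrom": "vendor.test",
     "dkim": "pass", "dkim_d": "mail.vendor.test"},                 # DKIM aligned (relaxed)
]


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if missing or not a valid record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")    # relaxed alignment is the RFC default
    tags.setdefault("aspf", "r")
    return tags


def dmarc_strength(txt):
    """How much protection the record gives receivers against spoofing of this domain."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"
    if tags["p"] == "reject" and tags["pct"] == "100":
        return "enforced"
    if tags["p"] in ("reject", "quarantine"):
        return "partial"         # quarantine, or reject applied to only pct% of mail
    return "monitor_only"        # p=none: reports are collected, nothing is blocked


def _aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    org = lambda d: ".".join(d.split(".")[-2:])   # simplification; real code uses the PSL
    return org(auth_domain) == org(from_domain)


def dmarc_result(msg, tags):
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with the From: domain."""
    adkim = tags["adkim"] if tags else "r"
    aspf = tags["aspf"] if tags else "r"
    spf_ok = msg["spf"] == "pass" and _aligned(msg.get("mailfrom"), msg["from_domain"], aspf)
    dkim_ok = msg["dkim"] == "pass" and _aligned(msg.get("dkim_d"), msg["from_domain"], adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def inbound_disposition(msg, records):
    """Receiver-side decision for one message given the sender domain's published policy."""
    tags = parse_dmarc(records.get(msg["from_domain"]))
    if dmarc_result(msg, tags) == "pass":
        return "deliver"
    if tags is None or tags["p"] == "none":
        return "deliver_flagged"     # sender gives no enforceable policy: route to extra scrutiny
    return "reject" if tags["p"] == "reject" else "quarantine"
```

The `deliver_flagged` outcome is where the "scrutinize inbound mail from domains with weak or missing DMARC" advice lands: a failed check from a p=none or record-less domain cannot be rejected on the sender's say-so, so it should feed a stricter downstream step (BEC heuristics, payment-change verification) instead of being delivered like authenticated mail.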
Cloudflare CEO Matthew Prince framed it directly: “Hackers thrive on the gaps left by fragmented, stale threat intelligence.” The defensive shift isn’t optional — it’s structural. The organizations best positioned to defend themselves, as IBM X-Force notes, will treat the cloud as a fundamentally different attack surface, not a variation of on-premises security. Our analysis of the IBM X-Force 2026 report on cloud application exploitation surging 44% reinforces this same conclusion.
References
- Introducing the 2026 Cloudflare Threat Report — Cloudflare Blog
- Cloudflare tracked 230 billion daily threats and here is what it found — Help Net Security
- Cloudflare 2026 Threat Intelligence Report Press Release — Cloudflare
- Cloudflare 2026 Threat Intelligence Report: Nation-State Actors Shift from Breaking In to Logging In — Cyber Security Asia
- Cloud attacks are evolving: What 2025 trends mean for defenders in 2026 — IBM X-Force