Cyber Incidents in Europe 2026: Identity-based Attacks and the Impact of MDR

Cyber incidents across Europe are accelerating. They are happening more often, unfolding more quickly, and causing greater business impact than in previous years. An analysis of 630 cyber incidents that Eye Security handled across the Benelux region and Germany over the past three years shows a consistent shift in how threat actors operate and where organisations remain vulnerable.

Executive summary 

Cyber incidents in Europe are accelerating in volume, speed, and business impact. An analysis of 630 cyber incidents Eye Security handled across Benelux and Germany over the past three years reveals a shift in threat actor behavior:

• Business Email Compromise (BEC) now accounts for over 70% of incidents

• Breakout time, from initial access to lateral movement, has dropped to 48 minutes

• Identity abuse has become the dominant attack vector

• Ransomware remains financially devastating, with average demands of €613k often equaling 1–2% of annual revenue

• Most victims are not targeted but opportunistically exploited

These findings change how organisations should think about cybersecurity. Prevention alone is no longer sufficient. Incident response speed and visibility now determine the outcome.

Why incident data matters 

Incident response data shows what has already happened under real-world conditions. This article is based on anonymised forensic data drawn from approximately 800 organisations. It covers 630 incidents handled between 2023 and 2025, including 454 Business Email Compromise (BEC) cases, 30 ransomware incidents, and 106 compromise assessments. The data reflects organisations operating primarily in Benelux and Germany, offering a level of regional specificity that is still uncommon in public reporting.

The dataset includes both incidents detected in environments already running Managed Detection and Response (MDR) and emergency response engagements at organisations without MDR in place  that only sought help after a compromise had occurred. 

This evidence-based perspective is intended to support leaders tasked with designing security programs.

What is Eye Security's definition of incident response?  

Incident response is often perceived as a cleanup operation after ransomware encrypts files. In reality, it is far more proactive and comprehensive. When compromise is suspected or confirmed, incident response teams act to contain threats, investigate threat actor behaviour, determine affected systems and identities, eradicate the threat actor across the environment, and support recovery, compliance, and post-incident hardening.

An incident is defined as any security event exceeding an organisation's internal capacity to safely investigate or remediate. Within the Eye Security dataset, we make the distinction between a compromise assessment and a confirmed incident. A compromise assessment indicates suspicion of breach, whereas a confirmed incident validates a threat actor's presence. Notably, in 99% of cases investigated, threat actors were indeed present.

The dominant trend: Business Email Compromise (BEC) at scale

Business Email Compromise (BEC) is no longer a secondary issue or a niche form of cybercrime. It is the most common cyber incident affecting modern organisations. Over three years, 454 of 630 incidents were BEC-related, with the proportion increasing further in 2024 and 2025. BEC occurs when a threat actor gains access to a corporate email account, most commonly Microsoft 365. Because corporate email is tightly integrated with tools such as SharePoint, OneDrive, collaboration platforms, and identity management systems, email compromise is, in effect, identity compromise.

The financial and operational consequences are substantial. Threat actors exploit compromised emails to initiate fraudulent wire transfers, redirect invoices, access sensitive intellectual property, or gather intelligence for future attacks. Even a single compromised account can quickly escalate into a multi-day investigation if lateral movement remains undetected. Our incident data demonstrates that organisations lacking visibility into email behaviour and identity usage are exposed to risks far beyond what conventional endpoint-focused security controls can address.

The trouble with MFA bypass

Multi-Factor Authentication (MFA) was once seen as a near-certain defence against account compromise. Eye Security's analysis confirms that threat actors have adapted. Since early 2024, 62% of BEC incidents involved accounts protected by MFA. In most cases, threat actors employed real-time phishing proxies to relay login credentials and MFA codes instantly.

Threat actors increasingly rely on real-time phishing proxies that relay credentials and MFA challenges as they are entered.

The process is straightforward. A victim receives a phishing email and clicks a malicious link, which leads to a fake Microsoft login page. Credentials are relayed in real time to the threat actor, who forwards the MFA prompt back to the victim. Once the MFA code is entered, the threat actor gains immediate access. These techniques are widely available through Phishing-as-a-Service platforms, residential proxies, geolocation matching, and evasion tooling, making sophisticated attacks available to virtually any cybercriminal at a low cost. The barrier to entry is low, and the model is highly scalable.

In sum, MFA is necessary but no longer sufficient. Organisations must combine MFA with behavioural monitoring, anomaly detection, and rapid response capabilities to effectively protect critical accounts.

Breakout time has collapsed

Breakout time, the interval between initial access and lateral movement, has dropped dramatically. This rapid escalation renders manual incident response ineffective, as threat actors assume defenders are actively monitoring and act swiftly to maximise impact.

Alerts without immediate action are insufficient. Speed has become the defining factor in mitigating damage.

Organisations must therefore adopt systems and workflows that provide near real-time visibility into identity activity, endpoint behaviour, and network communications. This means MDR combined with human-led investigation, where security teams can intervene before threat actors achieve operational objectives.

Ransomware as a business model dominates

Although less frequent than BEC, ransomware remains financially devastating. According to the dataset, average demands are at €613k, often representing 1–2% of annual revenue. Modern ransomware groups operate dedicated victim portals and handle multiple attacks per day. These attacks are rarely simple encryption exercises. They follow a double-extortion model, stealing data before encryption and threatening public disclosure regardless of backup availability. This double extortion model renders traditional recovery strategies incomplete on their own.

The financial impact is compounded by reputational damage, regulatory scrutiny, and operational disruption. Classic resilience measures such as offline backups, while necessary, are no longer sufficient. Effective defence now requires continuous monitoring, rapid containment, and coordinated incident response.

Initial access is still mostly opportunistic

Despite narratives about targeted attacks, the analysis confirms that most attacks are opportunistic rather than highly targeted. Over 95% of incidents involved “spray-and-pray” credential attacks, exploitation of unpatched public-facing systems, brute-force attacks on remote access services, or purchases of initial access from brokers.

In the incidents we investigated, we observed that initial compromise often occurs weeks or months before any visible activity, with threat actors remaining dormant. Escalation follows only once threat actors return to exploit the access they already had. In many cases, organisations were breached long before they realised they were under attack.

This pattern highlights the need of  continuous visibility and proactive monitoring. Organisations may be compromised long before they even realise they are at risk.

The next frontier: supply chain attacks and the abuse of trusted relationships

Threat actors increasingly use trusted relationships rather than direct vulnerabilities. Compromised MSPs, infected appliances, and software supply chain incidents can cascade across multiple organisations. In several cases, a single compromised provider may lead to dozens of downstream breaches, affecting organisations that were not individually targeted.

The implication is profound. Your security posture is only as strong as your most trusted partners. Vendor monitoring, secure configuration practices, and proactive incident response planning are needed here to reduce the ripple effects of supply chain compromise.

Living off the land and identity-centric attacks

Modern threat actors avoid malware. Instead, they rely on native tools, stolen identities, and behaviour that mimics legitimate users. Detection therefore requires behavioural identity monitoring, including unusual login patterns, device anomalies, geographic irregularities, and deviations in access timing.

In Benelux and Germany, we observe the same dynamics seen globally. Identity has effectively become the primary security perimeter.

The MDR advantage and incident response in 2026

Organisations with continuous Managed Detection and Response (MDR) capabilities respond faster than those without. The trend report data shows:

• Median BEC detection time is 24 days without MDR, 24 minutes with MDR

• Overall response time: 46% faster containment for ransomware

• BEC-specific interventions: up to 90% faster when MDR is in place  

Shifting toward an assume breach mindset: the new default

The assume breach principle rests upon the assumption that compromise will occur. Detection speed and response capability determine outcomes. Priorities now focus on continuous visibility, human-led investigation, prepared workflows, and executive decision readiness.

Lessons for security leaders and final thoughts

In 2026, several principles emerge:

1. Email security does not equal identity security.

2. MFA alone is insufficient; invest in behavioral monitoring.

3. Speed of detection and response matters more than prevention.

4. Incident response is a core business function.

5. Preparation reduces panic and improves recovery.

6. Visibility without action is a vulnerability.

7. Trusted relationships must be actively monitored.

8. AI will be used by threat actors and defenders alike.

Every organisation in the dataset was attacked. The difference was not whether an attack occurred, but how quickly it was detected, contained, and remediated. Cybersecurity is no longer about building higher walls. It is about seeing faster, responding smarter, and limiting business impact.