Estelle Ruellan is a Threat Intelligence Researcher at Flare, bringing a blend of mathematics and criminology to her work in the cybersecurity space. She specializes in applying LLMs to cybercrime data and transforming the data into clear, actionable visualizations for partners.
At MSP GLOBAL 2025, she’ll be talking about how corporate credentials end up in infostealer logs. According to the 2025 Verizon Data Breach Investigations Report (DBIR), which includes data from Flare, credentials were involved in 88% of basic web application attack breaches, most likely from infostealer logs.
These logs effectively hand attackers the keys to the company kingdom. Estelle will be sharing real-life examples of successful infections and the methods attackers use to infect people’s devices.
Ahead of her session at MSP GLOBAL 2025, we asked Estelle and colleague Stephanie Monaghan, Director, Channel & Alliances, EMEA, at Flare, how MSPs can turn the tide on this type of breach and what proactive defense looks like.

What are infostealer logs?

Infostealer logs are a type of malware, and it’s basically hungry for data. Hence the name. It’s information stealer malware. When it infects a device, it will go and grab anything that could be a valuable piece of data: credentials, access, files, photos you would have on the computer, crypto wallets, browsing history, and then it builds up a kind of numerical dossier on the identity of the user of that device. And then it’s either sold, or it’s used for further exploitation.

What sort of information do they contain, and more importantly, where do they show up?

An infostealer log is a report on the user’s identity on the web—so anything that has been visited on the browsing history, any passwords saved in that browser, any file, you can have the list of software from that computer. If it’s a personal device and you have photos on the desktop, they will be taken as well. And they’re very hungry for crypto wallets. Anything that could be valuable will be exfiltrated, either on a web server that is hosted by the threat actor itself or sometimes even on messaging apps like Telegram.

What kind of danger does this pose to corporations and larger organizations?

The key here is to understand that with access, you can enter by the front door. If a threat actor has their hands on corporate access to your company, they don’t need to put in the effort, skill or even money to build a technical exploit to enter your company via a vulnerability because they have the key to the front door.

The keys to the kingdom!

Yes, exactly! So they can enter and wreak as much havoc as they can with the access they have. We have now entered the “logging in” age of cybercrime instead of breaking in, which is a huge turnaround.

How do LLMs assist with cyber threat intelligence?

LLMs are very powerful. As humans, when we see text or data, we need to read it, and it requires effort and focus for the task to be efficient. It’s very time consuming to read everything or to understand an infostealer log at first glance. So LLMs can be very powerful if you train them well. They can help do the heavy lifting of cyber threat intelligence analysis.
That then frees up time for analysis, so humans can spend their time wisely on the deeper analysis to understand more complex patterns. So it’s a very powerful tool, but it’s not the solution to replace humans. We still need analysts in the loop.

How is the threat landscape evolving, and which methods are you seeing utilized the most?

From a criminology point of view, cybercrime is very much about opportunity. So anything that’s available and that’s low effort will always be used more than something more technical and more demanding.
And it’s exactly what we see. Infostealer logs fit into that movement because they’re often sold or even published on channels, and you can get them for free. Why would a contractor go and spend time and skills to build something to break in when they can just get something for free and then go on about their day?

In your view, what does effective protection and monitoring and remediation look like?

For an MSP or an MSSP, effective protection, monitoring and remediation would be a scenario where the MSP can detect threats and prevent them from impacting customer systems, customer data, and the day-to-day running of the customer business. They would be able to alert a customer to any potential issues, and if required they would also be able to remediate this issue using things like pre-configured workflows.
When our MSP and MSSPs offer Flare as a service to their customers, we integrate with whatever SIEM or SOAR technology they are using, and they often add a “service wrap” around the solution. Some may run Flare as a standalone continuous threat exposure management service, whereas others would run it as part of their existing SOC or MDR service to give their customers an extra layer of protection.
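To make the detect-alert-remediate scenario above concrete, here is an added example (not Flare's code, and not tied to any particular product) that triages a constructed infostealer-log credential dump against a customer domain the MSP monitors. The URL / USER / PASS layout, the `example-corp.com` domain and every credential are assumptions made up for the example.

```python
from urllib.parse import urlparse

# Constructed sample in the URL / USER / PASS shape many stealer dumps use;
# every value is made up for this example.
SAMPLE_LOG = """\
URL: https://sso.example-corp.com/login
USER: j.doe@example-corp.com
PASS: Winter2025!
===============
URL: https://forum.hobby-site.test/login
USER: j.doe@example-corp.com
PASS: hunter2
===============
URL: https://shop.example-store.test/account
USER: jdoe_personal@webmail.test
PASS: hunter2
"""
MONITORED_DOMAINS = {"example-corp.com"}  # assumption: domains the MSP watches

def parse_records(text):
    """Split the dump into dicts keyed url/user/pass; a trailing '===' is optional."""
    records, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().upper() in ("URL", "USER", "PASS"):
            current[key.strip().lower()] = value.strip()
        elif line.startswith("=") and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records

def registrable_domain(name):
    """Crude parent domain (last two labels), enough for the constructed sample."""
    return ".".join(name.lower().rsplit(".", 2)[-2:])

def triage(records, monitored):
    """Group exposures per identity: corporate hosts vs. corporate identity used elsewhere.
    Only hosts and usernames are kept, so the stolen password never reaches the alert."""
    alerts = {}
    for rec in records:
        host = urlparse(rec.get("url", "")).hostname or ""
        user = rec.get("user", "")
        on_corp_host = registrable_domain(host) in monitored
        corp_identity = registrable_domain(user.rpartition("@")[2]) in monitored
        if not (on_corp_host or corp_identity):
            continue  # personal credential, outside the customer's scope
        entry = alerts.setdefault(user, {"corporate_services": [], "third_party_sites": []})
        entry["corporate_services" if on_corp_host else "third_party_sites"].append(host)
    return alerts
```

Each key in the returned dict is one identity to push into the SIEM/SOAR workflow (password reset, session revocation, device isolation); the corporate identity reused on a third-party site is reported too, since it is still the customer's credential.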

What would your number one piece of advice be to MSPs to prevent the initial infection in customer systems?

It’s not a matter of if someone gets infected, it’s a matter of when. You have to look at some of the huge names in the industries that are being breached. Effective antivirus and effective MDR are something that may help to prevent the infection. But I think it’s more important to have a plan in place of what is going to happen when you’re infected because ultimately, it will happen.

What’s the key message or benefit that MSPs will take away from your session at MSP GLOBAL?

The key message here is that one infection can trigger a chain reaction. MSPs must understand how much a single infection, even on a personal device, can impact an organization. Most infections happen from a willing user’s action—a click on something or downloading suspicious malware.
We want to spread the awareness about how an infection happens, and what psychological tricks threat actors use to infect most people, so MSPs know and recognize the danger before it arises.

For an MSP who may not already offer security services, it will give them a deeper understanding of the security challenges that customers face.
For MSSPs in particular, it will help them understand the challenges that lie within the dark and clear web, how a service wrap that they develop around Flare can enhance their existing SOC and MDR offerings, and help them mitigate and offer a more proactive approach to their managed service.
Cybercriminals are using the path of least resistance to maximize their profitability. Join Estelle at The Elevator Stage on Thursday October 23, 10:20am to 10:30am as she shows how corporate credentials got into an infostealer log, revealing recurring lures, malware distribution methods, and social engineering methods with real-world examples of successful infection campaigns from click to compromise.
Sign up for MSP GLOBAL newsletter for your free registration code, saving €399.