Keyloggers: record every keystroke, capturing passwords, messages and documents as they are typed. They exist in software form (the usual case) and hardware form (physical devices inserted inline with the keyboard, relevant in high-security environments).
What is spyware
Spyware is software designed to watch the victim and collect information without consent: keystrokes, screenshots, saved passwords, session cookies, browsing history and even microphone and camera. Unlike ransomware, it does not announce itself: its value depends on staying unnoticed for as long as possible while performing continuous data exfiltration to the attacker. In the enterprise, its most damaging variant today is the infostealer, responsible for much of the compromised credentials supply that feeds the initial access of other attacks: what begins as a silent spy ends as a named, notifiable breach.
Why it matters
Spyware turns every infected machine into an open microphone pointed at the business: what an employee types includes ERP passwords, customer data, banking credentials and confidential conversations. The most frequent impact today is not the spying itself but what follows: infostealers steal session cookies that let the attacker into email or Microsoft 365 without needing the password or MFA, because they hijack an already-authenticated session. That is the origin of many account takeover cases, CEO fraud campaigns and "legitimate" logins nobody can explain. At corporate scale, a single infected laptop can expose credentials for dozens of applications within minutes, and those credentials are on sale in criminal markets within days. There is also a legal dimension: if spyware captures personal data belonging to customers or employees, the company may be facing a notifiable breach under GDPR. And at the high end of the spectrum, mercenary spyware proves that even executives' encrypted phones are targets. Detecting it early —through endpoint behaviour and anomalous outbound traffic— is the difference between a contained incident and months of hostile surveillance.
Key points
Infostealers: the dominant variant in today's cybercrime. Within minutes they harvest browser-saved passwords, session cookies, tokens and wallets, and upload them to the attacker. Their haul feeds the compromised credentials market and account takeover attacks.
Stalkerware: commercial spyware installed by someone with physical access to the device, typically in personal surveillance contexts. It matters to businesses because a BYOD phone carrying stalkerware also exposes the corporate email and data that device touches.
Mobile and mercenary spyware: from spy apps demanding excessive permissions to professional platforms such as Pegasus, capable of compromising a phone with zero user interaction. Executives, legal advisers and anyone with access to sensitive information are their natural targets.
Detection: EDR with behavioural analysis on the endpoint, monitoring of outbound traffic towards anomalous domains, alerts on bulk access to the browser's credential stores, and impossible-travel sign-ins (the same account from two countries within minutes).
Prevention: application and browser-extension control, removing local admin rights, phishing-resistant MFA with policies that catch stolen sessions, DLP to stop sensitive data leaving, and targeted training on fake installers and "free" software.
Example: An infostealer hijacks Microsoft 365 sessions
A sales rep installs a "free tool" for downloading videos that actually bundles an infostealer. In under five minutes, the malware dumps the passwords saved in the browser, the session cookies —including the Microsoft 365 one— and the access tokens, compresses them and ships them to the attacker. The machine shows no symptoms: no encryption, no strange windows, no slowdown. Three days later, someone signs into the rep's mailbox from another country using the stolen cookie: they need neither the password nor a way past MFA, because the session was already authenticated.
From that mailbox, the attacker studies the customer conversations and launches a fraudulent invoice campaign using the company's real domain. Detection arrives twice over: an impossible-travel rule in the tenant, and an EDR alert that had sat unreviewed. The response requires revoking every active session, rotating credentials, analysing the machine with digital forensics to establish exactly what the infostealer took, and sweeping the tenant for malicious mailbox rules — the exact scenario a Microsoft 365 security audit helps harden before it happens.
Common mistakes
- Believing MFA makes spyware harmless. Infostealers steal cookies from already-authenticated sessions: the attacker gets in with no password and no second factor. Without session policies and revocation, MFA only guards the door, not the windows.
- Hunting only for malicious executables. Much of modern spyware lives in browser extensions, scripts and 'legitimate' applications with excessive permissions that no antivirus classifies as malware.
- Cleaning the machine without revoking sessions or rotating credentials. If the infostealer already exfiltrated cookies and passwords, the attacker keeps their access even after the machine is spotless. Cleaning without rotation is a false sense of closure.
- Treating it as a personal problem. A private phone carrying stalkerware or an infected BYOD laptop exposes corporate email, the CRM and everything else that device touches; the personal/professional boundary does not exist for malware.
- Relying on traditional antivirus with no telemetry. Spyware is designed to produce no symptoms; without EDR on the endpoint and visibility of outbound traffic, the first news usually arrives months later, from outside.
Related terms
Related services
This concept may be related to services such as:
Frequently asked questions
How do I know if a corporate machine has spyware?
Visible symptoms (slowness, battery drain, odd windows) are unreliable: modern spyware produces none. The useful signals are technical: outbound connections to anomalous domains, processes accessing the browser's credential stores, impossible-travel sign-ins on the user's accounts, and behavioural alerts from the EDR. If there is a founded suspicion, the machine gets isolated and analysed; it is never 'cleaned' blindly.
What is the difference between spyware and an infostealer?
An infostealer is a type of spyware optimised for speed: rather than watching for weeks, it steals everything it finds —passwords, cookies, tokens, wallets— within minutes and then vanishes or goes dormant. Classic spyware prioritises prolonged surveillance (keyboard, screen, microphone). In enterprise practice, the infostealer is now the most frequent variant and the one behind the most breaches.
Does spyware affect company phones too?
Yes, in two ways. The common one: spy apps or stalkerware installed with physical access or through deception, capturing messages, location and credentials. The advanced one: mercenary spyware such as Pegasus, which can compromise a device with zero interaction and targets high-value individuals. A well-configured MDM, up-to-date systems and separating work from personal use reduce both surfaces.
What should be done immediately after detecting spyware?
Isolate the device without powering it off, preserve the evidence, and assume everything that machine touched is compromised: revoke all of the user's active sessions, rotate their credentials, review mailbox rules and recent access, and scope the damage with forensics. Then close the entry route and assess whether personal data was accessed in a way that requires notification under GDPR.