Agari researchers entered unique credentials belonging to fake personas into phishing sites posing as widely used enterprise applications, and waited to see what the phishers would do next with the compromised accounts.
They found that 23% of all accounts were accessed almost immediately (likely in an automated manner, to confirm that the credentials work), 50% of the accounts were accessed manually within 12 hours after compromise, and 91% of the compromised accounts were accessed manually within the first week.
Read the full story here: https://www.helpnetsecurity.com/2021/06/09/compromised-accounts/