🎯Think of identity attacks like someone using a stolen key to get into your house. Instead of breaking a window, attackers are tricking people into giving them the keys (credentials). To stop them, we need to teach everyone how to recognize these tricks and use better locks (security measures) to keep our homes safe.
What Happened
In recent years, identity attacks have become a dominant theme in cybersecurity. Rather than brute-forcing their way through defenses, attackers are increasingly finding ways to be 'invited in' by manipulating consent. This trend reflects a significant shift in tactics, where adversaries exploit the trust of users to gain unauthorized access to sensitive systems.
The 2025 Talos Year in Review highlights that nearly a third of multi-factor authentication (MFA) spray attacks targeted identity access management (IAM) applications. Attackers are leveraging social engineering to convince victims to disclose their MFA codes in real time, often posing as IT support or trusted vendors. This manipulation allows them to bypass traditional security measures and operate within the system as legitimate users.
Moreover, a recent report from N-able emphasizes that identity compromise has become one of the most effective ways for attackers to infiltrate business systems. It notes that firewalls and endpoint protection are insufficient when attackers can log in using valid credentials, underscoring the importance of strengthening identity security.
A new report from Sophos indicates that identity-related attack techniques, including phishing (41%), stolen credentials (18%), and social engineering (12%), dominate incident response engagements. This shift towards exploiting human vulnerabilities rather than software flaws highlights a critical area for organizations to address.
Recent insights from The Hacker News further underscore the alarming trend of stolen credentials being the most reliable entry point for attackers. They can obtain valid credentials through credential stuffing from prior breach databases, password spraying against exposed services, or phishing campaigns. Once inside, attackers can dump and crack additional passwords, enabling lateral movement and expanding their foothold across the environment. This method is particularly concerning as it often goes unnoticed, with successful logins from legitimate credentials not triggering the same alarms as more overt attacks.
Who's Being Targeted
Organizations across various sectors are at risk, especially those relying heavily on digital identity verification and remote access. The surge in fraudulent device registration events—up 178%—indicates that attackers are not just targeting individuals but also the mechanisms that issue invitations for access. Companies that implement MFA without robust user education and awareness may find themselves vulnerable to these sophisticated tactics. The implications are broad, affecting both small businesses and large enterprises. As attackers refine their methods, the potential for damage increases, making it crucial for organizations to stay ahead of these evolving threats. Notably, the expanding hybrid and cloud environments create new entry points for attackers, who are increasingly targeting trusted tools and user behavior rather than relying solely on technical exploits.
Tactics & Techniques
Attackers employ a variety of tactics to gain access. One common method involves adversary-in-the-middle phishing kits that capture legitimate login credentials and MFA codes as users enter them. This technique is particularly insidious because the authentication appears valid, leading to unauthorized access without triggering alarms.
Additionally, social engineering plays a significant role. Attackers often manipulate victims into providing sensitive information under the guise of legitimate requests. This approach not only bypasses security barriers but also highlights a critical vulnerability in the human element of cybersecurity.
According to N-able, continuous validation of identity behavior can help detect compromise earlier. This includes monitoring for impossible travel logins, sudden privilege escalations, and unusual authentication patterns, which can provide early warning signs of an attack. Furthermore, the use of advanced techniques such as OAuth consent phishing and reverse proxy kits to steal session tokens is on the rise, allowing attackers to bypass MFA protections.
The Hacker News emphasizes that attackers are leveraging AI to scale their operations, automating credential testing and crafting phishing emails that are harder to distinguish from legitimate communications. This acceleration puts additional pressure on already-stretched defenders, as breaches unfold faster and spread further across environments.
Defensive Measures
Organizations must adopt a proactive stance to defend against these identity-based attacks. First and foremost, user education is essential. Employees should be trained to recognize social engineering attempts and understand the importance of safeguarding their authentication credentials.
Implementing robust security measures, such as continuous monitoring of access logs and employing advanced threat detection systems, can help identify suspicious activities early. Additionally, organizations should regularly review and update their MFA protocols to ensure they remain effective against evolving tactics.
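The two detection signals named above, impossible-travel logins (Tactics & Techniques) and the access-log monitoring this paragraph calls for, can be checked with a small script. The following is an added example and is not code from the article or from any vendor it cites; the log format, the 900 km/h travel threshold, the five-users-in-five-minutes spray threshold, and the IP addresses and user names are all constructed for illustration.

```python
"""Added example (not from the article): run impossible-travel and spray
detection over constructed sign-in log lines."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (documentation IP ranges, invented users).
# Fields: timestamp,user,source_ip,city,lat,lon,result
SAMPLE_LOG = """\
2025-03-01T08:00:00,alice,203.0.113.10,Seattle,47.6062,-122.3321,success
2025-03-01T08:45:00,alice,198.51.100.7,Frankfurt,50.1109,8.6821,success
2025-03-01T09:00:00,bob,203.0.113.11,Seattle,47.6062,-122.3321,success
2025-03-01T09:01:00,carol,192.0.2.5,Lagos,6.5244,3.3792,mfa_denied
2025-03-01T09:01:10,dave,192.0.2.5,Lagos,6.5244,3.3792,mfa_denied
2025-03-01T09:01:20,erin,192.0.2.5,Lagos,6.5244,3.3792,mfa_denied
2025-03-01T09:01:30,frank,192.0.2.5,Lagos,6.5244,3.3792,mfa_denied
2025-03-01T09:01:40,grace,192.0.2.5,Lagos,6.5244,3.3792,mfa_denied
2025-03-01T09:01:50,heidi,192.0.2.5,Lagos,6.5244,3.3792,success
"""

MAX_PLAUSIBLE_KMH = 900.0    # assumed threshold: roughly airliner speed
SPRAY_WINDOW_SECONDS = 300   # assumed threshold: one source, many users, 5 minutes
SPRAY_MIN_USERS = 5          # assumed threshold: distinct users before flagging


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    city: str
    lat: float
    lon: float
    result: str


def parse_log(text):
    """Parse the constructed CSV-like log into time-ordered SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, city, lat, lon, result = line.split(",")
        events.append(SignIn(datetime.fromisoformat(ts), user, ip, city,
                             float(lat), float(lon), result))
    return sorted(events, key=lambda e: e.ts)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on Earth."""
    earth_radius = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius * asin(sqrt(a))


def impossible_travel(events):
    """Flag consecutive successful logins by one user that would require
    travelling faster than MAX_PLAUSIBLE_KMH.
    Returns a list of (user, from_city, to_city, implied_speed_kmh)."""
    alerts = []
    last_by_user = {}
    for e in events:
        if e.result != "success":
            continue
        prev = last_by_user.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            speed = dist / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append((e.user, prev.city, e.city, round(speed)))
        last_by_user[e.user] = e
    return alerts


def spray_sources(events):
    """Flag source IPs that try to sign in as at least SPRAY_MIN_USERS distinct
    users inside SPRAY_WINDOW_SECONDS, the shape of password/MFA spray.
    Returns a dict of ip -> sorted list of user names seen in the window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)          # events are already time-ordered
    flagged = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:]
                      if (x.ts - start.ts).total_seconds() <= SPRAY_WINDOW_SECONDS]
            users = {x.user for x in window}
            if len(users) >= SPRAY_MIN_USERS:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, src, dst, kmh in impossible_travel(evts):
        print(f"impossible travel: {user} {src} -> {dst} (~{kmh} km/h)")
    for ip, users in spray_sources(evts).items():
        print(f"spray source: {ip} tried {len(users)} users: {', '.join(users)}")
```

On the sample data the script flags alice (Seattle to Frankfurt in 45 minutes) and the single source address that cycled through six accounts, the last of which succeeded; that final success is the login that, as the text notes, would otherwise look legitimate. In production the thresholds should be set from observed baselines, and a spray alert is most useful when it is joined to the success events from the same source.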
N-able suggests enforcing MFA for all identities, particularly for high-privilege accounts, and adopting a least privilege access model to control administrative permissions. This approach minimizes the risk of attackers gaining broad access through compromised credentials.
Finally, fostering a culture of security awareness can empower employees to act as the first line of defense against identity attacks. Establishing a Zero Trust framework that combines identity, devices, networks, applications, and data is also critical to reducing lateral movement and strengthening attack resilience. Experts recommend adopting phishing-resistant authentication methods, such as hardware security keys and time-bound access for accounts, to further enhance security. Moreover, organizations should consider adopting a dynamic approach to incident response that emphasizes continuous communication and iterative scoping, as breaches often evolve and reveal new complexities during containment efforts.
The rise of identity-based attacks highlights the critical need for organizations to not only implement technical defenses but also focus on user education and awareness. As attackers adapt and refine their methods, a comprehensive approach to security that includes continuous monitoring and a Zero Trust framework is essential.