Identity is the new perimeter: The shift from breaking in to logging in


For years, cybersecurity strategies were built around the idea of a hardened perimeter: keep attackers out, and systems remain safe. That model is now obsolete. In today’s cloud-first, SaaS-driven environments, identity has become the new control plane and, increasingly, the primary attack vector.

Tom Exelby, Head of Cyber at Red Helix.

This shift reflects both the success of endpoint detection and response (EDR) technologies, which have made malware-based attacks noisier and riskier, and the growing complexity of identity ecosystems.


Modern enterprises now manage thousands (sometimes tens of thousands) of identities spanning employees, contractors, applications, APIs, and automated workloads. Each represents a potential entry point. And unlike traditional breaches, identity-based attacks often leave little trace.

The techniques redefining intrusion

Attackers have rapidly evolved their methods to exploit authentication systems directly. Among the most prominent techniques is token and session hijacking. Instead of stealing passwords, adversaries capture active authentication tokens or session cookies, allowing them to bypass multi-factor authentication (MFA) entirely.

Adversary-in-the-middle (AiTM) attacks have also surged, particularly in SaaS environments such as Microsoft 365. These attacks use phishing frameworks that act as a proxy between the user and the legitimate login service, intercepting credentials, MFA responses, and session data in real time.

The rise of phishing-as-a-service platforms has industrialized this approach, enabling even low-skilled actors to execute highly effective campaigns at scale.

The Tycoon 2FA phishing-as-a-service attacks this year are examples of AiTM, reportedly compromising 100,000 organizations, many of which are likely to be SMBs with limited cyber security resources.

Equally concerning is the growing focus on non-human identities. Service accounts, APIs, and machine identities underpin modern infrastructure, particularly in DevOps and cloud-native environments. These identities often have persistent credentials, broad privileges, and limited oversight, making them ideal targets.

Once compromised, they provide attackers with durable, low-visibility access deep within critical systems.

A diverse and determined threat landscape

The actors behind identity-based attacks are as varied as their methods. Financially motivated cyber criminal groups continue to dominate the landscape, often leveraging phishing kits and purchasing stolen credentials from initial access brokers.

These brokers specialize in harvesting and selling access to compromised environments, effectively lowering the barrier to entry for ransomware operators and other threat actors.

Ransomware groups have increasingly shifted away from traditional exploitation techniques. By using valid credentials, they reduce their operational footprint and evade many forms of detection, moving laterally through networks with minimal resistance.

At the more sophisticated end of the spectrum, nation-state actors are embracing identity compromise as a means of long-term espionage. These groups prioritize stealth and persistence, often targeting service providers or organizations with extensive partner networks to maximize reach.

By compromising identities rather than deploying malware, they can maintain access over extended periods while remaining largely undetected.

Certain sectors are particularly exposed, including financial services, healthcare, government, and technology. MSPs that hold privileged access to many clients' systems are also a magnet for attackers, as they offer lucrative opportunities for classic supply chain compromise.

The Midnight Blizzard group, for example, conducted a significant attack compromising non-production cloud identities without MFA in 2024. This group is linked to the Russian state and conducts espionage through service providers.

However, the common denominator is not industry but complexity. Organizations with large SaaS footprints, hybrid workforces, and intricate identity relationships present a significantly expanded attack surface.

Why exposure is accelerating

The rapid adoption of cloud technologies and identity-centric architectures has fundamentally reshaped organizational risk. Platforms such as directory services and identity providers now sit at the heart of enterprise operations, governing access to critical systems and data.

At the same time, the number of identities has exploded. A mid-sized organization may now rely on hundreds of SaaS applications and thousands of human and machine identities.

This trend scales rapidly at enterprise level, where organizations can utilize over 1,000 applications, with each employee managing around 35 separate identities. Each integration introduces new dependencies and potential vulnerabilities, often without corresponding improvements in visibility or control.

Machine identities, in particular, have become a major blind spot. Unlike human users, they are rarely subject to rigorous lifecycle management or strong authentication controls. Credentials may be hardcoded, rarely rotated, or shared across systems, creating persistent weaknesses that attackers can exploit.

The shift to remote and hybrid work has further compounded the issue, increasing reliance on authentication systems while expanding opportunities for phishing and credential theft.

The role of AI in amplifying risk

The next phase of identity-based attacks is being shaped by artificial intelligence. AI is already enabling more convincing and highly personalized phishing campaigns, using contextual data to increase success rates. Automated reconnaissance tools allow attackers to map identity relationships and privilege structures at unprecedented speed.

More concerning still is the emergence of deepfake and synthetic media techniques. Voice cloning and AI-generated video can be used to impersonate executives or trusted contacts, significantly enhancing social engineering attacks.

These capabilities reduce the friction traditionally associated with deception, allowing attackers to operate at both scale and sophistication.

Rethinking defense: identity as a continuous control surface

Addressing identity-based threats requires more than incremental improvements. It demands a fundamental shift in how organizations approach security.

Phishing-resistant authentication is a critical first step. Hardware security keys, FIDO2-based passwordless approaches, and certificate-based authentication can significantly reduce the risk of credential theft and AiTM attacks.

However, authentication alone is not enough. A zero trust model grounded in continuous verification is essential.

Access decisions should be based not just on identity, but on device posture, user behavior, and contextual risk signals. Least privilege principles must be rigorously enforced, with time-bound access limiting the window of opportunity for attackers.
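The continuous-verification model described above can be made concrete as a policy function. The following is an added example, not code from the article or from Red Helix: it combines role membership (an explicit least-privilege allow list), MFA strength, device posture and behavioural context into a single decision, refuses admin actions that were not authenticated with a phishing-resistant factor, and issues every grant with a scope and an expiry. The role names, risk weights, thresholds and sample requests are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class AccessRequest:
    identity: str
    roles: set            # roles the identity holds, as reported by the IdP (assumed)
    resource: str
    action: str
    mfa_method: str       # "fido2", "certificate", "totp", "push" or "none"
    device_managed: bool
    device_compliant: bool
    country: str
    usual_countries: set  # countries seen in this identity's normal sign-in history
    new_device: bool


# Least privilege: an explicit allow list of which roles may perform which action on which resource.
POLICY = {
    ("prod-db", "read"): {"dba", "sre"},
    ("prod-db", "admin"): {"dba"},
    ("wiki", "read"): {"dba", "sre", "staff"},
}
# Factors bound to the origin, which an AiTM proxy cannot relay to the real login service.
PHISHING_RESISTANT = {"fido2", "certificate"}
DENY_THRESHOLD = 60
LOW_RISK = 20


def risk_score(req):
    """Sum contextual risk signals: MFA strength, device posture and behaviour."""
    score = 0
    if req.mfa_method == "none":
        score += 70  # effectively password-only
    elif req.mfa_method not in PHISHING_RESISTANT:
        score += 30  # OTP and push approvals can be relayed by a phishing kit
    if not req.device_managed:
        score += 25
    if not req.device_compliant:
        score += 20
    if req.country not in req.usual_countries:
        score += 20
    if req.new_device:
        score += 10
    return score


def decide(req, now=None):
    """Return a decision; on allow, the grant is scoped to one action and time-bound."""
    now = now or datetime.now(timezone.utc)
    allowed_roles = POLICY.get((req.resource, req.action))
    if not allowed_roles or not (req.roles & allowed_roles):
        return {"decision": "deny", "reason": "no role grants this action"}
    score = risk_score(req)
    if score >= DENY_THRESHOLD:
        return {"decision": "deny", "reason": "contextual risk too high", "risk": score}
    if req.action == "admin" and req.mfa_method not in PHISHING_RESISTANT:
        return {"decision": "step_up", "reason": "admin action requires phishing-resistant MFA", "risk": score}
    # Time-bound grant: a low-risk session lasts a working day, anything else is short-lived.
    ttl = timedelta(hours=8) if score < LOW_RISK else timedelta(minutes=30)
    return {
        "decision": "allow",
        "risk": score,
        "scope": f"{req.resource}:{req.action}",
        "ttl_minutes": int(ttl.total_seconds() // 60),
        "expires_at": now + ttl,
    }


# Constructed sample requests (values mimic what an IdP and device-management platform would report).
TRUSTED_ADMIN = AccessRequest("alice", {"dba"}, "prod-db", "admin", "fido2", True, True, "GB", {"GB"}, False)
OTP_ADMIN = AccessRequest("alice", {"dba"}, "prod-db", "admin", "totp", True, True, "GB", {"GB"}, False)
UNMANAGED_READ = AccessRequest("bob", {"sre"}, "prod-db", "read", "push", False, False, "GB", {"GB"}, False)
TRAVELLING_READ = AccessRequest("bob", {"sre"}, "prod-db", "read", "fido2", True, True, "US", {"GB"}, True)
WRONG_ROLE = AccessRequest("carol", {"staff"}, "prod-db", "read", "fido2", True, True, "GB", {"GB"}, False)

if __name__ == "__main__":
    for req in (TRUSTED_ADMIN, OTP_ADMIN, UNMANAGED_READ, TRAVELLING_READ, WRONG_ROLE):
        print(req.identity, req.resource, req.action, decide(req))
```

The point of the structure is that no single signal is decisive: a valid role with a relayed OTP gets a step-up rather than access, a correct role from an unmanaged, non-compliant device is refused outright, and even a fully trusted sign-in from an unusual country only receives a half-hour grant.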

Visibility is equally important. Organizations need a comprehensive view of all identities, human and machine, and their associated privileges. Identity threat detection and response (ITDR) capabilities can help identify anomalies such as token misuse, unusual access patterns, or privilege escalation attempts.
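Two of the anomalies named above, token misuse and privilege escalation, can be caught from the identity provider's own audit trail. The block below is an added example written for this article, not code from the author, from Red Helix or from any ITDR product. It parses a constructed JSON Lines log (the field names are illustrative, not any vendor's schema) and raises an alert when a session token is used from a different network and client than the one it was issued to, when a token appears with no issuance record, and when a privileged role is assigned, flagging self-grants separately.

```python
import json
from datetime import datetime

# Constructed sign-in and audit events in JSON Lines form (assumed field names, not a vendor schema).
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","event":"token_issued","user":"alice","session":"s-1","ip":"203.0.113.10","ua":"Edge/124","asn":"AS-HOME"}
{"ts":"2024-05-01T09:05:00Z","event":"token_used","user":"alice","session":"s-1","ip":"203.0.113.10","ua":"Edge/124","asn":"AS-HOME","resource":"mail"}
{"ts":"2024-05-01T09:07:00Z","event":"token_used","user":"alice","session":"s-1","ip":"198.51.100.7","ua":"python-requests/2.31","asn":"AS-VPS","resource":"mail"}
{"ts":"2024-05-01T09:08:00Z","event":"role_assigned","user":"alice","session":"s-1","target":"alice","role":"Global Administrator","ip":"198.51.100.7","ua":"python-requests/2.31","asn":"AS-VPS"}
{"ts":"2024-05-01T09:30:00Z","event":"token_used","user":"dave","session":"s-9","ip":"198.51.100.8","ua":"curl/8.0","asn":"AS-VPS","resource":"files"}
{"ts":"2024-05-01T10:00:00Z","event":"token_issued","user":"bob","session":"s-2","ip":"203.0.113.20","ua":"Chrome/124","asn":"AS-HOME"}
{"ts":"2024-05-01T10:01:00Z","event":"token_used","user":"bob","session":"s-2","ip":"203.0.113.20","ua":"Chrome/124","asn":"AS-HOME","resource":"files"}
"""

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
CONTEXT_FIELDS = ("ip", "ua", "asn")


def parse_events(text):
    """Parse JSON Lines into dicts with a real datetime, ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Run the three detections over time-ordered events and return alert dicts."""
    alerts = []
    issued = {}  # session id -> context recorded when the token was issued
    for e in events:
        kind = e["event"]
        if kind == "token_issued":
            issued[e["session"]] = e
        elif kind == "token_used":
            origin = issued.get(e["session"])
            if origin is None:
                # A token the IdP never recorded issuing: forged, or issued before log retention.
                alerts.append({"rule": "unknown_session", "user": e["user"],
                               "session": e["session"], "ts": e["ts"]})
                continue
            drift = [f for f in CONTEXT_FIELDS if e[f] != origin[f]]
            # A token that moves to a new network AND a new client within its lifetime
            # looks like a replayed cookie, not a user switching between Wi-Fi networks.
            if "ip" in drift and ("ua" in drift or "asn" in drift):
                alerts.append({"rule": "session_context_drift", "user": e["user"],
                               "session": e["session"], "ts": e["ts"], "changed": drift})
        elif kind == "role_assigned" and e["role"] in PRIVILEGED_ROLES:
            alerts.append({"rule": "privileged_role_assignment", "user": e["user"],
                           "target": e["target"], "role": e["role"], "ts": e["ts"],
                           "self_grant": e["user"] == e["target"]})
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["ts"].isoformat(), alert["rule"], alert)
```

On the sample data the first sign-in from alice's usual browser produces nothing, the later use of the same session from a hosting-provider address with a scripting client is flagged, and the Global Administrator self-assignment that follows it is flagged as a separate, higher-value alert; correlating the two by session id is what turns a noisy signal into an incident.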

Finally, identity security must be continuously tested. Regular penetration testing, red teaming, and attack path analysis are vital for uncovering hidden weaknesses. Machine identities, in particular, require ongoing management, including credential rotation and policy enforcement.
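The machine-identity weaknesses described earlier (hardcoded, rarely rotated or shared credentials) and the ongoing credential rotation and policy enforcement called for here both come down to having an inventory and checking it against policy. The following added example, which is not code from the article or from Red Helix, audits a constructed inventory of service accounts and API keys: it flags credentials past their rotation age, identities with no owner, broadly privileged identities that have gone idle, and the same secret (identified by a fingerprint hash, never the secret itself) reused across several identities. The rotation and dormancy limits and the inventory entries are assumptions.

```python
from collections import defaultdict
from datetime import date

ROTATION_MAX_DAYS = 90   # policy assumption: machine credentials rotate at least quarterly
DORMANT_DAYS = 30        # a privileged identity unused this long is a likely orphan
BROAD_SCOPES = {"*", "admin", "owner"}
SEVERITY = {"shared_secret": 3, "dormant_privileged": 3, "no_owner": 2, "stale_credential": 1}
AUDIT_DATE = date(2024, 5, 2)  # fixed "today" so the sample run is reproducible

# Constructed inventory. Assumption: "fingerprint" is a hash of the secret held by the
# secrets manager, so the audit never touches the secret material itself.
INVENTORY = [
    {"id": "svc-ci-deploy", "type": "service_account", "owner": "platform-team",
     "scopes": ["deploy:write"], "last_rotated": "2024-01-10", "last_used": "2024-05-01",
     "fingerprint": "fp-a1"},
    {"id": "svc-backup", "type": "service_account", "owner": None,
     "scopes": ["*"], "last_rotated": "2022-06-01", "last_used": "2024-02-15",
     "fingerprint": "fp-b2"},
    {"id": "api-partner-x", "type": "api_key", "owner": "integrations",
     "scopes": ["orders:read"], "last_rotated": "2024-03-20", "last_used": "2024-04-30",
     "fingerprint": "fp-c3"},
    {"id": "api-partner-y", "type": "api_key", "owner": "integrations",
     "scopes": ["orders:read"], "last_rotated": "2024-03-20", "last_used": "2024-04-29",
     "fingerprint": "fp-c3"},
]


def audit(inventory, today):
    """Return policy findings for the inventory, highest severity first."""
    findings = []
    by_fingerprint = defaultdict(list)
    for ident in inventory:
        by_fingerprint[ident["fingerprint"]].append(ident["id"])
        rotation_age = (today - date.fromisoformat(ident["last_rotated"])).days
        idle = (today - date.fromisoformat(ident["last_used"])).days
        if rotation_age > ROTATION_MAX_DAYS:
            findings.append({"id": ident["id"], "rule": "stale_credential", "days": rotation_age})
        if not ident["owner"]:
            findings.append({"id": ident["id"], "rule": "no_owner"})
        if BROAD_SCOPES & set(ident["scopes"]) and idle > DORMANT_DAYS:
            findings.append({"id": ident["id"], "rule": "dormant_privileged", "days": idle})
    # The same secret behind several identities means one leak exposes all of them
    # and none can be rotated independently.
    for ids in by_fingerprint.values():
        if len(ids) > 1:
            findings.append({"id": ",".join(sorted(ids)), "rule": "shared_secret"})
    findings.sort(key=lambda f: (-SEVERITY[f["rule"]], f["id"]))
    return findings


def run_sample():
    return audit(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(SEVERITY[f["rule"]], f["rule"], f["id"], f.get("days", ""))
```

Running this on a schedule and feeding the findings into the same ticketing flow as human joiner-mover-leaver events is what gives machine identities the lifecycle management the article notes they usually lack.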

As digital transformation accelerates, identity will only become more central to organizational security and more attractive to attackers. The shift from “breaking in” to “logging in” is not a temporary trend but a structural change in the threat landscape.

For security leaders, the implication is clear: identity can no longer be treated as a supporting function. It is the frontline. Those who fail to secure it risk granting attackers exactly what they need: legitimate access, with minimal resistance.


This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
