TESTIMONIALS

“Received the latest edition of Professional Security Magazine, once again a very enjoyable magazine to read, interesting content keeps me reading from front to back. Keep up the good work on such an informative magazine.”

Graham Penn
ALL TESTIMONIALS
FIND A BUSINESS

Would you like your business to be added to this list?

ADD LISTING
FEATURED COMPANY
Cyber

A wolf in sheep’s clothing

by Mark Rowe

Identity threats are at every organisation’s door, says Tom Exelby, pictured, Head of Cybersecurity at the cyber services company Red Helix.

The traditional idea of cyber-security has been to build a perimeter so deep and impervious that attackers just cannot find a way through it. Yet this model no longer reflects how most businesses operate. Increasingly, attackers do not need to exploit a software vulnerability or deploy malware. They simply log in.

Cloud platforms, SaaS applications, hybrid working, APIs, and automated workloads have moved identity to the centre of security. Identity management now determines who and what, can access systems, data, applications, and services, making it one of the most alluring waysfor attackers to gain entry. By using stolen credentials, hijacked sessions, or compromised service accounts, attackers can impersonate legitimate users, services, or machines. Once inside, they blend into normal activity, making detection far more difficult.

Cyber-criminals see a new opportunity

This chiefly reflects the success of endpoint detection and response technologies (EDR) which have reduced the success rates for malware attacks. Criminals have refocused their efforts to exploit the complexity of identity ecosystems, which in an enterprise-level organisation, run into the tens of thousands and include employees, contractors and software APIs.

Each represents a potential entry point where criminal behaviour leaves few traces. One prominent technique is token and session hijacking. Instead of stealing a password, attackers capture an active authentication token or session cookie so they can bypass multi-factor authentication because the system already believes the user has logged in.

Adversary-in-the-middle attacks are also increasing, especially in relation to SaaS applications such as Microsoft 365. These attacks use phishing frameworks that sit between the user and the legitimate login service, intercepting credentials, MFA responses, and session data. Phishing-as-a-service platforms do this on an industrial scale, enabling criminals with relatively limited skills to run convincing campaigns. Tycoon 2FA attacks are a good example, affecting 100,000 organisations, many of which are likely to include smaller businesses with limited cyber security resources.

A broader threat landscape

The actors behind these identity-based attacks vary widely. Cybercrime groups remain highly active, often buying stolen credentials from initial access brokers. These brokers harvest and sell access, giving ransomware groups a faster route into target organisations. Ransomware groups are also making greater use of valid credentials to move through networks in ways that may appear legitimate. At the more sophisticated end, nation-state groups use identity compromise for long-term espionage. By compromising identities rather than deploying malware, they can maintain access for longer while attracting less attention.

Some sectors are especially exposed to these attacks, including financial services, healthcare, government, and technology. The managed service organisations serving them are hugely attractive too, because of their access privileges. But the common issue is complexity. Organisations with large SaaS estates, hybrid workforces, third-party integrations, and many densely interconnected identities have a wider attack surface.

Why exposure is accelerating

Cloud adoption has switched up the level of risk in this respect. Directory services and identity providers are at the heart of business operations, controlling access to critical systems and sensitive data. At the same time, the number of identities has surged. A mid-sized organisation may use hundreds of SaaS applications and thousands of human and machine identities.

Non-human identities in the sights of criminals include the service accounts, APIs, and machine identities that support modern infrastructure. Networked devices often have persistent credentials, broad privileges, and limited oversight. Once compromised, they can provide long-term access deep inside critical systems.

Each application, integration, and account introduces another dependency. Without clear ownership, regular access reviews, and consistent controls, gaps appear quickly. Machine identities are a major blind spot because of poor lifecycle management. Credentials may be hardcoded, shared, or rarely rotated, creating significant weaknesses. Remote and hybrid working have also added pressure by increasing reliance on authentication systems and creating more opportunities for phishing, credential theft, and session abuse.

AI raises the stakes

Inevitably, artificial intelligence is heavily involved in identity-based attacks. AI helps attackers create more convincing and personalised phishing campaigns, using contextual data to improve success rates. Automated reconnaissance can also rapidly map identity relationships and privilege structures. Deepfake and synthetic media techniques add to the threats. Voice cloning and AI-generated video can, for example, be used to impersonate executives, trusted contacts, or support teams. For anyone approving access or data transfers, verification now demands greater caution.

Rethinking identity defence

Addressing these proliferating identity-based threats requires a major shift in how organisations address security. Phishing-resistant authentication is a highly effective starting point. Hardware security keys, FIDO2-based passwordless approaches, and certificate-based authentication can reduce exposure to credential theft and adversary-in-the-middle attacks. But authentication alone will not solve the problem. Access decisions should also consider device posture, behaviour, location, and the sensitivity of the system being accessed.

Least privilege

A zero-trust model should be applied, implementing continuous verification. Users, administrators, service accounts, and machines should have only the access and time they need for a task. Visibility is equally important. Organisations need a clear view of all human and machine identities, their privileges, and their activity. Identity threat detection and response capabilities (ITDR) can help identify token misuse, unusual access patterns, and privilege escalation.

Penetration testing, red teaming, and attack path analysis should regularly be employed touncover weaknesses that monitoring may miss. Machine identities need particular attention, including credential rotation, policy enforcement, and the removal of unused accounts.

Identity threats are not going away

The quickening progress of digital transformation in so many industries organisations means identity security is now an essential. For attackers, the focus on valid access is a significant shift and much more than a short-lived trend. It helps them avoid some traditional controls, move with less friction, and remain hidden for longer. If you are responsible for an organisation’s security you must address identity to detect attacks earlier, contain compromise faster, and prevent legitimate access from being turned against you. Effective security demands it.

Related News

  • Cyber

    Digital watershed in 2026

    by Mark Rowe

    Ben Schilz, CEO at Wire, predicts for 2026 movements towards a sovereign Europe, quantum-ready encryption and a slow goodbye to Big Tech.…

  • Cyber

    Claude Mythos comments

    by Mark Rowe

    The Mythos ‘revelation’ got aired at the UK official CYBERUK conference in Glasgow last week. That’s how Home Office Security Minister Dan…