Today’s cyber criminals have found something far easier than hacking through your defences—they’re stealing the keys and opening the gates.
The security playing field has changed. Your network perimeter isn’t what it used to be—it’s dissolved, replaced by something far more fluid and harder to secure. Today, identity has become the new battleground.
In security terms, an identity is anything that can authenticate to your systems—employee accounts, admin credentials, service accounts, API keys, and even machine identities that your applications use to talk to each other. Each one is a potential key to your kingdom.
Let’s take a look at why this matters, and how to protect your business.
Why is identity such a potent threat vector?
An identity-based attack begins not with exploiting a technical vulnerability, but with compromising the digital identity of someone or something with legitimate access to your systems. These are the shadows lurking within your organisation’s access framework—the credentials, accounts, and permissions that define who can reach what, when, and how.
The statistics tell an interesting story; one survey found that 93% of organisations have experienced two or more breaches due to identity-related cyberattacks, with 99% of affected organisations suffering negative business impacts. This isn’t a theoretical threat; it’s the reality for nearly every business.
Identity has become the new security perimeter in our interconnected world. When your workforce accesses company resources from anywhere, traditional network boundaries dissolve, leaving identities as the primary control point between your data and those who seek it.
How does an identity-based attack work?
Let’s walk through a typical scenario:
Sarah, a finance director at a mid-sized manufacturing firm, receives an email that appears to be from Microsoft, warning that her account access will expire unless she verifies her credentials. The email looks legit—it has the right logo, formatting, and a professional tone. Concerned about losing access during month-end closing, she clicks the link and enters her username and password on the convincing-looking login page.
What Sarah doesn’t realise is that she’s just handed her credentials to an attacker.
Within hours, the attacker logs into her Microsoft 365 account from an unrecognised location. The company’s security tools don’t flag this because it looks like a legitimate login—correct username, correct password. The attacker begins by setting up email forwarding rules to receive copies of Sarah’s financial communications and to hide any security alerts that might be sent to her.
Over the next three weeks, the attacker:
- Maps the network by accessing SharePoint sites and Teams channels
- Identifies the finance system from calendar invites and emails
- Discovers Sarah has approved-user access to the payment platform
- Uses her existing sessions to navigate between connected systems
- Eventually initiates several fraudulent payments to overseas accounts
When the fraud is finally discovered during reconciliation, the company faces a multi-layered nightmare:
- £480,000 in fraudulent transfers, only partially recoverable
- Every system Sarah accessed must be considered compromised
- All her passwords need immediate reset, disrupting month-end processes
- IT have to comb through weeks of logs across multiple platforms to track the attacker’s movements
- The entire Microsoft 365 environment requires security review and hardening
- The company must notify clients whose data may have been exposed
- Third-party forensic experts and legal counsel must be engaged
What looked like a single compromised account ended up costing hundreds of thousands in direct losses, remediation costs, and lost productivity—all because one identity was compromised.
How Sarah’s company could have prevented this
This attack wasn’t Sarah’s fault—it exploited normal human behaviour and trust. Several key safeguards could have stopped this attack at multiple stages, though:
- Multi-factor authentication would have prevented the attacker from accessing Sarah’s account, even with her password
- Anomaly detection could have flagged the login from an unusual location and device
- Conditional access policies could have restricted what actions can be performed from unrecognised devices
- Session monitoring would have identified unusual patterns of access across multiple systems
- Just-in-time access for financial systems would have required additional verification before payment approval
- Security awareness training would have helped Sarah recognise the phishing attempt, giving her the confidence to verify suspicious communications through official channels
None of these controls blame or burden Sarah—they simply add invisible guardrails that protect identities and catch attackers when credentials are compromised.
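Two of the signals in Sarah's story are detectable in ordinary audit data: the sign-in from a location the account has never used, and the inbox rules that forward her mail externally and delete security alerts. The script below is an added illustration of that detection logic and is not code from the original article or from Two Four Secure. It runs over constructed, simplified records whose field names are modelled loosely on Microsoft 365 audit events (`UserLoggedIn`, `New-InboxRule`, `ForwardTo`, `DeleteMessage`), not on the exact production schema, and the addresses and countries are invented.

```python
"""Flag two post-compromise signals from the scenario above:
  1. a sign-in from a country absent from the user's trusted-device history
  2. a new inbox rule that forwards externally or deletes alert-like mail
All records are constructed sample data, not real logs."""
from collections import defaultdict

INTERNAL_DOMAINS = {"example.com"}                      # assumed company domain
ALERT_KEYWORDS = ("security alert", "sign-in", "password", "mfa")

# Constructed 30-day baseline: what "normal" looks like for each user.
HISTORY = [
    {"Operation": "UserLoggedIn", "UserId": "sarah@example.com", "Country": "GB", "DeviceTrusted": True},
    {"Operation": "UserLoggedIn", "UserId": "sarah@example.com", "Country": "GB", "DeviceTrusted": True},
    {"Operation": "UserLoggedIn", "UserId": "bob@example.com", "Country": "GB", "DeviceTrusted": True},
]

# Constructed new events, mirroring the attacker's first hours in the mailbox.
NEW_EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "sarah@example.com", "Country": "NG", "DeviceTrusted": False},
    {"Operation": "New-InboxRule", "UserId": "sarah@example.com",
     "Parameters": {"Name": ".", "ForwardTo": "collector@attacker.example"}},
    {"Operation": "New-InboxRule", "UserId": "sarah@example.com",
     "Parameters": {"Name": "tidy", "SubjectContainsWords": "Security alert;unusual sign-in",
                    "DeleteMessage": True}},
    {"Operation": "UserLoggedIn", "UserId": "bob@example.com", "Country": "GB", "DeviceTrusted": True},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": {"Name": "archive", "ForwardTo": "bob.archive@example.com"}},
]


def baseline_countries(history):
    """Per-user set of countries seen in trusted-device sign-ins."""
    seen = defaultdict(set)
    for r in history:
        if r["Operation"] == "UserLoggedIn" and r.get("DeviceTrusted"):
            seen[r["UserId"]].add(r["Country"])
    return seen


def is_external(address):
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def flag_anomalous_signins(history, events):
    """A sign-in counts as anomalous when its country is not in the user's baseline."""
    base = baseline_countries(history)
    findings = []
    for r in events:
        if r["Operation"] != "UserLoggedIn":
            continue
        if r["Country"] not in base[r["UserId"]]:
            trust = "trusted" if r.get("DeviceTrusted") else "untrusted"
            findings.append((r["UserId"], f"sign-in from new country {r['Country']} on {trust} device"))
    return findings


def flag_inbox_rules(events):
    """Flag rules that exfiltrate mail externally or suppress security notifications."""
    findings = []
    for r in events:
        if r["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = r["Parameters"]
        # Any of the three redirect-style parameters can leak mail out of the tenant.
        target = p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo")
        if target and is_external(target):
            findings.append((r["UserId"], f"rule '{p.get('Name')}' forwards mail externally to {target}"))
        words = (p.get("SubjectContainsWords") or "").lower()
        if p.get("DeleteMessage") and any(k in words for k in ALERT_KEYWORDS):
            findings.append((r["UserId"], f"rule '{p.get('Name')}' deletes messages matching alert keywords"))
    return findings


def triage(history, events):
    """Combine both detectors into one report keyed by signal type."""
    return {"signins": flag_anomalous_signins(history, events),
            "inbox_rules": flag_inbox_rules(events)}


if __name__ == "__main__":
    for kind, items in triage(HISTORY, NEW_EVENTS).items():
        for user, detail in items:
            print(f"[{kind}] {user}: {detail}")
```

Bob's rule is left alone because its target is inside the company domain; the attacker's two rules and the untrusted foreign sign-in are each reported on Sarah's account. In practice the baseline would come from weeks of real sign-in history and the external-forwarding check would sit alongside a tenant-wide policy that blocks auto-forwarding outright.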
Why traditional security approaches fall short
Conventional security has long focused on creating stronger walls—better firewalls, more secure endpoints, intrusion detection systems. But these tools struggle to detect what appears legitimate. If an attacker uses valid credentials, how does your security system recognise the threat?
This is why identity-based breaches are particularly dangerous. The average time to detect an identity-based breach is 168 days—nearly six months during which attackers can conduct reconnaissance, compromise accounts, and extract data. That’s half a year of someone exploring your network and accessing your sensitive information. They’re planting seeds in your garden without you noticing.
Traditional approaches fail here because they’re designed to spot abnormal entry points, not abnormal behaviour from trusted sources. When the attack looks like business as usual, conventional security is effectively blind.
The expanding identity attack surface
The challenges here are growing with the abundance of tech we all use for work. Your identity attack surface grows more complex by the day:
- Human identities: Every employee, contractor, and partner with access to your systems is a potential entry point. As companies embrace more flexible working arrangements and broader collaboration, this surface expands.
- Machine identities: Apps, service accounts, automation tools, and APIs all operate with their own identities. These non-human identities often hold privileged access but receive less security scrutiny than their human counterparts.
- Cloud identities: The shift to cloud services has multiplied identities across environments, each with its own access control system and security model.
- Privileged identities: Accounts with elevated access are prime targets. Once compromised, these identities give attackers extraordinary reach across your systems.
This complexity is accelerating. Nearly 50% of companies expect their total identities to grow threefold in the next 12 months. And machine identities are the primary driver of this explosive growth. As your business grows, your identity perimeter grows more complex by the day.
And that’s just your own identities. As for the dangers out there in the world? One report refers to the “absolute tsunami of new identities, new environments and new attack methods that are pummeling and muddying the threat landscape”.
Five critical identity security strategies against identity-based attacks
So how can you deal with these issues?
We think it takes a multifaceted approach that can feel a bit different to traditional security models. The main things to consider are:
- Identity governance and lifecycle management: Implement edge-to-core visibility over all identities in your environment—who has access to what, and why. Regularly review and remove unnecessary permissions. Automate your offboarding processes to eliminate ‘orphaned’ accounts, for example.
- Privileged access management: Apply stringent controls to high-value accounts. Insist upon time-limited access, approval workflows, and session monitoring. Remember that privileged access is about admin accounts as well as any identity that can access sensitive data.
- Just-in-time and just-enough access: Move beyond static permissions to dynamic access that’s provided only when needed, for only as long as necessary, with only the minimum privileges required. This dramatically reduces your standing risk.
- Continuous monitoring and behaviour analytics: Deploy solutions that establish baseline behaviour for each identity and flag anomalies. This means not just failed login attempts, but unusual access patterns, unusual locations, or atypical resource usage.
- Zero trust principles: Introduce a security model that trusts nothing and verifies everything—continuously authenticating and authorising each access request regardless of source.
These strategies become increasingly important as your environment grows more complex. Consider that 84% of organisations will utilise three or more Cloud Service Providers (IaaS, PaaS or SaaS), and the number of SaaS applications is projected to increase by 89%. This makes for an intricate web of access points that really complicates identity management.
Getting started: practical next steps
Securing your identity perimeter doesn’t happen overnight, but these steps will put you on the right path:
- Conduct an identity security assessment: Start by mapping your current identity landscape. Identify all human and non-human identities with access to your systems. Determine which have privileged access, which access sensitive data, and which may be unnecessary or outdated.
- Focus on quick wins: Implement multi-factor authentication everywhere, especially for privileged accounts. Remove dormant accounts and unnecessary permissions. Start monitoring privileged session activity. These steps can dramatically reduce your risk profile before larger initiatives are complete.
- Build the business case: Identity security does need investment, but the cost of inaction is far higher. The global average cost of a data breach now stands at £3.65 million—a massive 10% increase over the previous year and the highest total ever recorded. Can you afford to remain vulnerable?
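The identity assessment and quick wins above (map every identity, find orphaned and dormant accounts, get MFA onto privileged ones) come down to joining a directory export against an HR roster and applying a few rules. The script below is an added example of that review, written for this page rather than taken from the article or from Two Four Secure; the roster, account list, role names and the 90-day dormancy threshold are all constructed assumptions, and a real run would read these from your directory and HR exports.

```python
"""Identity hygiene review over a constructed directory export.
Reports: orphaned accounts (enabled human accounts with no HR record),
dormant accounts (no sign-in within DORMANT_AFTER), privileged human
accounts without MFA, and privileged non-human identities (which the
article notes get less scrutiny). All data below is made up."""
from datetime import date, timedelta

TODAY = date(2025, 6, 30)            # fixed reference date so the result is reproducible
DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold
PRIVILEGED_ROLES = {"Global Administrator", "User Administrator", "Finance Approver"}

# Constructed HR roster of current staff, keyed by account name.
HR_ROSTER = {"sarah", "bob", "priya"}

# Constructed directory export (a subset of fields a tenant export would carry).
DIRECTORY = [
    {"account": "sarah", "type": "human", "enabled": True,
     "last_signin": date(2025, 6, 29), "roles": ["Finance Approver"], "mfa": True},
    {"account": "bob", "type": "human", "enabled": True,
     "last_signin": date(2025, 2, 1), "roles": [], "mfa": True},
    {"account": "dave", "type": "human", "enabled": True,          # left the company, never offboarded
     "last_signin": date(2025, 5, 3), "roles": ["Global Administrator"], "mfa": False},
    {"account": "priya", "type": "human", "enabled": True,
     "last_signin": date(2025, 6, 20), "roles": ["User Administrator"], "mfa": False},
    {"account": "svc-backup", "type": "service", "enabled": True,  # machine identity, admin role
     "last_signin": None, "roles": ["Global Administrator"], "mfa": False},
]


def is_privileged(acct):
    return bool(PRIVILEGED_ROLES & set(acct["roles"]))


def orphaned_accounts(directory, roster):
    """Enabled human accounts with no matching person in HR."""
    return sorted(a["account"] for a in directory
                  if a["type"] == "human" and a["enabled"] and a["account"] not in roster)


def dormant_accounts(directory, today=TODAY, threshold=DORMANT_AFTER):
    """Enabled accounts that have never signed in, or not within the threshold."""
    out = []
    for a in directory:
        if not a["enabled"]:
            continue
        if a["last_signin"] is None or today - a["last_signin"] > threshold:
            out.append(a["account"])
    return sorted(out)


def privileged_without_mfa(directory):
    """Human accounts holding a privileged role but no MFA: the first quick win."""
    return sorted(a["account"] for a in directory
                  if a["type"] == "human" and is_privileged(a) and not a["mfa"])


def privileged_non_human(directory):
    """Service/machine identities with privileged roles, for separate review."""
    return sorted(a["account"] for a in directory
                  if a["type"] != "human" and is_privileged(a))


def identity_review(directory, roster, today=TODAY):
    return {
        "orphaned": orphaned_accounts(directory, roster),
        "dormant": dormant_accounts(directory, today),
        "privileged_no_mfa": privileged_without_mfa(directory),
        "privileged_non_human": privileged_non_human(directory),
    }


if __name__ == "__main__":
    for finding, accounts in identity_review(DIRECTORY, HR_ROSTER).items():
        print(f"{finding}: {', '.join(accounts) or 'none'}")
```

On this sample, `dave` appears in two lists at once (no HR record and a Global Administrator role without MFA), which is exactly the kind of account to disable first. Tracking the counts over successive runs gives a simple measure of progress on the quick wins before the larger governance programme lands.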
Identity security as a business enabler
Strong identity security reduces risk and helps you run a more confident business.
When you know exactly who and what is accessing your systems, you can enjoy the fruits of digital transformation more securely. You can extend access to partners, thrive with remote work, adopt new technologies, and enter new markets—all with clearer visibility and stronger controls.
The organisations that really do well in today’s security arena aren’t the ones that build higher walls. They’re the ones that gain crystal-clear visibility into who’s accessing what, and why. And they take smart action.
At Two Four Secure, we don’t just help you see the unseen within your identity portfolio—we help you take control of it. Reach out today to find out more.