The numbers are unambiguous. According to the 2026 Sophos Active Adversary Report, 67% of all incidents investigated were rooted in identity-related attacks. Mandiant’s M-Trends 2026 report confirms that stolen credentials overtook phishing as the second most common initial access vector. And the aggregate data across multiple industry reports shows that 65% of initial access in breaches is driven by identity-based techniques, with nearly 90% of incidents tracing back to an identity-related element as a critical factor. Stolen credentials cost organizations an average of $4.81 million per breach. Despite years of investment in multi-factor authentication, identity security remains the most exploited attack surface in enterprise environments.
Why Credentials Still Dominate
The persistence of credential-based attacks defies the expectation that MFA and zero trust architectures would solve the problem. Three structural factors explain why:
Credential reuse is endemic. Despite password manager adoption growing, most users still reuse passwords across services. When a consumer database breach exposes credentials, attackers test those credentials against corporate VPNs, SaaS applications, and cloud consoles. The success rate is alarmingly high because the human habit of password reuse has not changed at the rate that security tooling has evolved.
MFA is no longer a reliable defense. Adversary-in-the-middle (AiTM) phishing toolkits like EvilProxy and Evilginx now proxy authentication sessions in real time, capturing both passwords and MFA tokens simultaneously. The Palo Alto Networks Unit 42 Global Incident Response Report found that identity-based phishing (22%) and social engineering (11%) remain leading breach drivers, with attackers increasingly focused on MFA circumvention and session hijacking. MFA fatigue attacks — where attackers bombard users with push notifications until they approve one — continue to succeed.
Session tokens replace credentials post-authentication. Modern attacks increasingly target session tokens rather than credentials themselves. Once a user authenticates, the session token becomes the new credential. Infostealer malware harvests these tokens from browsers, and attackers replay them to bypass authentication entirely. The token is valid, the session appears legitimate, and security tools see an authenticated user.
The Anatomy of an Identity-Based Breach
The Sophos Active Adversary Report details a typical identity breach chain:
- Initial access: Compromised credentials from a previous breach or purchased on dark web markets
- Valid account usage: Attacker logs in through the front door using legitimate credentials — no exploit, no malware
- Lateral movement: Using the compromised account’s permissions to access additional systems
- Privilege escalation: Discovering accounts with higher privileges, often through Active Directory enumeration
- Data exfiltration or ransomware deployment: Final objective achieved through legitimate-appearing activity
Over 90% of data breaches were enabled by misconfigurations or gaps in security coverage rather than novel exploits. The attacker does not need to hack anything. They log in.
What the Data Shows About Detection
The detection gap for identity-based attacks is significant. Because the attacker uses valid credentials, traditional security tools — firewalls, intrusion detection systems, endpoint protection — see authorized activity. The median dwell time for identity-based intrusions is longer than for malware-based attacks because the adversary blends in with normal user behavior.
Organizations that detect identity-based breaches faster share three characteristics:
- User and Entity Behavior Analytics (UEBA): They monitor for anomalous login patterns — unusual hours, impossible travel, atypical resource access
- Conditional access policies: They enforce context-aware authentication that considers device posture, location, and risk score
- Continuous session validation: They verify sessions beyond initial authentication, revoking tokens when behavioral anomalies are detected
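The first and third characteristics above can be reduced to a small piece of detection logic. The following is an added example, not code from the article or from any vendor product it mentions: it runs over a constructed set of sign-in events (assumed to carry an IP-derived latitude/longitude), flags impossible travel by comparing the implied speed between consecutive logins of the same user against an assumed 900 km/h ceiling, flags logins outside an assumed 07:00 to 20:00 UTC window, and returns the session IDs that should be revoked rather than trusted for their remaining lifetime.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (not from the article). Latitude/longitude
# are assumed to come from an upstream IP-to-location lookup.
EVENTS = [
    {"user": "alice", "ts": "2026-03-02T09:12:00Z", "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278,  "session": "s1"},
    {"user": "alice", "ts": "2026-03-02T09:40:00Z", "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060, "session": "s2"},
    {"user": "alice", "ts": "2026-03-03T03:05:00Z", "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278,  "session": "s3"},
    {"user": "bob",   "ts": "2026-03-02T10:00:00Z", "ip": "192.0.2.44",   "lat": 48.8566, "lon": 2.3522,   "session": "s4"},
    {"user": "bob",   "ts": "2026-03-02T15:30:00Z", "ip": "192.0.2.44",   "lat": 48.8566, "lon": 2.3522,   "session": "s5"},
]

MAX_SPEED_KMH = 900     # assumed threshold: faster than a commercial flight
WORK_HOURS = (7, 20)    # assumed "normal" window in UTC, half-open [start, end)
MIN_MOVE_KM = 50        # ignore small jumps caused by geolocation jitter


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyze_logins(events, max_speed_kmh=MAX_SPEED_KMH, work_hours=WORK_HOURS):
    """Return {session_id: [reasons]} for sign-ins that look anomalous.

    Reasons are 'impossible_travel' (implied speed from the user's previous
    login exceeds max_speed_kmh) and 'off_hours' (outside work_hours, UTC).
    """
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        by_user.setdefault(e["user"], []).append(e)

    findings = {}
    for seq in by_user.values():
        prev = None
        for e in seq:
            reasons = []
            t = parse_ts(e["ts"])
            if prev is not None:
                hours = (t - parse_ts(prev["ts"])).total_seconds() / 3600
                dist = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                # A real move that would have required flying faster than a jet
                if dist > MIN_MOVE_KM and (hours <= 0 or dist / hours > max_speed_kmh):
                    reasons.append("impossible_travel")
            if not (work_hours[0] <= t.hour < work_hours[1]):
                reasons.append("off_hours")
            if reasons:
                findings[e["session"]] = reasons
            prev = e
    return findings


def sessions_to_revoke(findings):
    """Continuous session validation: every flagged session loses its token."""
    return set(findings)


if __name__ == "__main__":
    result = analyze_logins(EVENTS)
    for session, reasons in result.items():
        print(f"{session}: {', '.join(reasons)}")
    print("revoke:", sorted(sessions_to_revoke(result)))
```

On the constructed data, alice's second login (New York, 28 minutes after London) is flagged as impossible travel and her 03:05 UTC login as off-hours; both sessions are revoked, while bob's two Paris logins pass. In production the same logic would run as each authentication event arrives, and the revocation set would feed the identity provider's session-revocation API rather than a print statement.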
What Organizations Should Do
Deploy phishing-resistant MFA. FIDO2 hardware keys and passkeys are immune to AiTM proxy attacks because the signed authentication response is bound to the origin (domain) the user is actually visiting, so a proxy sitting on another domain receives nothing it can replay against the real service. Traditional SMS and push-notification MFA should be considered interim controls, not permanent solutions.
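The domain binding is enforced on the server side, during WebAuthn assertion verification. The following added example is not code from the article or from any WebAuthn library; it shows the origin and relying-party checks that make a proxied response fail, using constructed client data and authenticator data. The relying-party ID `example.com`, the origin `https://login.example.com` and the challenge bytes are assumptions. The signature check over `authenticatorData || SHA-256(clientDataJSON)` that a full verifier performs afterwards is deliberately left out; the point here is the checks that precede it.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                      # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin
CHALLENGE = b"constructed-challenge-0001"  # constructed; a real one is random per ceremony


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, rp_id: str = RP_ID,
                     expected_origin: str = EXPECTED_ORIGIN):
    """Return (ok, reason) for the pre-signature checks of a WebAuthn 'get' ceremony.

    The browser, not the page script, writes the origin into clientDataJSON and
    the authenticator hashes the RP ID it was given for that origin, so a
    response produced on a proxy's domain fails here regardless of what the
    user typed or approved.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "client data is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(authenticator_data) < 37:            # rpIdHash(32) + flags(1) + counter(4)
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not (authenticator_data[32] & 0x01):     # UP bit: user presence
        return False, "user presence flag not set"
    return True, "ok"


# Helpers that build the two inputs the way a browser and authenticator would.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


if __name__ == "__main__":
    # Genuine response: produced on the real login page.
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                           make_auth_data(RP_ID), CHALLENGE))
    # Response produced on a proxy's own domain (constructed): the browser there
    # stamps its own origin and the authenticator hashes that domain's RP ID.
    print(verify_assertion(make_client_data("https://login.proxy-example.net", CHALLENGE),
                           make_auth_data("proxy-example.net"), CHALLENGE))
```

The contrast with a one-time code is the whole point: a six-digit OTP carries no information about where it was typed, so a relay on another domain can forward it unchanged, whereas the WebAuthn response fails the origin check before the server ever looks at the signature.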
Implement credential monitoring. Subscribe to breach notification services and dark web monitoring for corporate email domains. When employee credentials appear in breach databases, force immediate password resets and session revocations.
Reduce session token lifetime. Shorter session durations limit the window during which stolen tokens are useful. For sensitive systems, implement continuous authentication that re-validates the user periodically rather than trusting a single login event.
Adopt identity threat detection and response (ITDR). ITDR platforms specifically monitor identity infrastructure — Active Directory, Entra ID, Okta — for the attack patterns that traditional security tools miss: credential spraying, golden ticket attacks, privilege escalation through group policy modifications.
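Credential spraying is one of the patterns listed above that a firewall or EDR has no view of, because each attempt is an ordinary failed login. The following added example, not code from the article or from any ITDR product, runs a spray detector over a constructed authentication log in an assumed `AUTH_FAIL`/`AUTH_OK user=... src=...` line format. It alerts when one source address fails against at least five distinct accounts within ten minutes (both thresholds are assumptions), and separately records any login that succeeded from that source after the spray began, which is the "valid account usage" step described earlier in the breach chain.

```python
import re
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article).
SAMPLE_LOG = """\
2026-03-02T10:00:01Z AUTH_FAIL user=alice src=198.51.100.23
2026-03-02T10:00:09Z AUTH_FAIL user=bob src=198.51.100.23
2026-03-02T10:00:17Z AUTH_FAIL user=carol src=198.51.100.23
2026-03-02T10:00:25Z AUTH_FAIL user=dave src=198.51.100.23
2026-03-02T10:00:33Z AUTH_FAIL user=erin src=198.51.100.23
2026-03-02T10:00:41Z AUTH_OK   user=frank src=198.51.100.23
2026-03-02T10:01:00Z AUTH_FAIL user=alice src=203.0.113.5
2026-03-02T10:01:30Z AUTH_FAIL user=alice src=203.0.113.5
2026-03-02T10:02:00Z AUTH_OK   user=alice src=203.0.113.5
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>AUTH_FAIL|AUTH_OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        events.append(d)
    return events


def detect_spray(text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return one alert per source that failed against many distinct accounts.

    A spray is declared the moment a source's failures within `window` cover
    `min_distinct_users` different usernames. Successful logins from that
    source after that moment are listed under 'success_after_spray'.
    """
    by_src = {}
    for e in sorted(parse_log(text), key=lambda e: e["ts"]):
        by_src.setdefault(e["src"], []).append(e)

    alerts = []
    for src, seq in by_src.items():
        spray_start = None
        failed = []        # (timestamp, user) for every failure from this source
        successes = []
        for e in seq:
            if e["result"] == "AUTH_FAIL":
                failed.append((e["ts"], e["user"]))
                recent_users = {u for ts, u in failed if e["ts"] - ts <= window}
                if spray_start is None and len(recent_users) >= min_distinct_users:
                    spray_start = e["ts"]
            elif spray_start is not None:
                successes.append(e["user"])
        if spray_start is not None:
            alerts.append({
                "src": src,
                "spray_start": spray_start.isoformat(),
                "distinct_users": len({u for _, u in failed}),
                "success_after_spray": successes,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

On the constructed log, `198.51.100.23` trips the detector after its fifth distinct username and the later success as `frank` is attached to the alert, which is the event worth paging on; `203.0.113.5`, a single user mistyping a password twice, produces nothing. Counting distinct usernames rather than raw failures is what separates a spray from a locked-out user, and it is also why spraying is invisible to per-account lockout policies.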
Audit service accounts. Service accounts with static credentials and excessive privileges are among the most targeted assets. Implement just-in-time access, rotate credentials automatically, and monitor service account activity for deviation from expected behavior.
Key Takeaway
Authentication is not just one security control among many. It is the control. With 65% of breaches originating from identity-based attacks and credential theft costing $4.81 million per incident on average, identity security is the highest-leverage investment any organization can make. The shift from password-only to MFA was necessary but insufficient. The next step is phishing-resistant authentication, continuous session validation, and behavioral analytics that detect when legitimate credentials are used by illegitimate actors.
Sources & Further Reading
- Sophos Active Adversary Report 2026: Identity Attacks Dominate — Sophos
- 2026 Unit 42 Global Incident Response Report — Palo Alto Networks
- One Stolen Credential Is All It Takes to Compromise Everything — Help Net Security
- Credential Theft Costs $4.8M Per Breach: The Case for Zero-Knowledge Authentication — WWPass
- A07:2025 Authentication Failures — OWASP Top 10