The numbers are unambiguous. According to the 2026 Sophos Active Adversary Report, 67% of all incidents investigated were rooted in identity-related attacks. Mandiant’s M-Trends 2026 report confirms that stolen credentials overtook phishing as the second most common initial access vector. And the aggregate data across multiple industry reports shows that 65% of initial access in breaches is driven by identity-based techniques, with nearly 90% of incidents tracing back to an identity-related element as a critical factor. Stolen credentials cost organizations an average of $4.81 million per breach. Despite years of investment in multi-factor authentication, identity security remains the most exploited attack surface in enterprise environments.
Why Credentials Still Dominate
The persistence of credential-based attacks defies the expectation that MFA and zero trust architectures would solve the problem. Three structural factors explain why:
Credential reuse is endemic. Despite password manager adoption growing, most users still reuse passwords across services. When a consumer database breach exposes credentials, attackers test those credentials against corporate VPNs, SaaS applications, and cloud consoles. The success rate is alarmingly high because the human habit of password reuse has not changed at the rate that security tooling has evolved.
MFA is no longer a reliable defense. Adversary-in-the-middle (AiTM) phishing toolkits like EvilProxy and Evilginx now proxy authentication sessions in real time, capturing both passwords and MFA tokens simultaneously. The Palo Alto Networks Unit 42 Global Incident Response Report found that identity-based phishing (22%) and social engineering (11%) remain leading breach drivers, with attackers increasingly focused on MFA circumvention and session hijacking. MFA fatigue attacks — where attackers bombard users with push notifications until they approve one — continue to succeed.
Session tokens replace credentials post-authentication. Modern attacks increasingly target session tokens rather than credentials themselves. Once a user authenticates, the session token becomes the new credential. Infostealer malware harvests these tokens from browsers, and attackers replay them to bypass authentication entirely. The token is valid, the session appears legitimate, and security tools see an authenticated user.
The Anatomy of an Identity-Based Breach
The Sophos Active Adversary Report details a typical identity breach chain:
- Initial access: Compromised credentials from a previous breach or purchased on dark web markets
- Valid account usage: Attacker logs in through the front door using legitimate credentials — no exploit, no malware
- Lateral movement: Using the compromised account’s permissions to access additional systems
- Privilege escalation: Discovering accounts with higher privileges, often through Active Directory enumeration
- Data exfiltration or ransomware deployment: Final objective achieved through legitimate-appearing activity
Over 90% of data breaches were enabled by misconfigurations or gaps in security coverage rather than novel exploits. The attacker does not need to hack anything. They log in.
What the Data Shows About Detection
The detection gap for identity-based attacks is significant. Because the attacker uses valid credentials, traditional security tools — firewalls, intrusion detection systems, endpoint protection — see authorized activity. The median dwell time for identity-based intrusions is longer than for malware-based attacks because the adversary blends in with normal user behavior.
Organizations that detect identity-based breaches faster share three characteristics:
- User and Entity Behavior Analytics (UEBA): They monitor for anomalous login patterns — unusual hours, impossible travel, atypical resource access
- Conditional access policies: They enforce context-aware authentication that considers device posture, location, and risk score
- Continuous session validation: They verify sessions beyond initial authentication, revoking tokens when behavioral anomalies are detected
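As an added illustration of the first of these characteristics (not code from the report or from any vendor it names), the following Python script runs two UEBA-style rules over a handful of constructed sign-in events: impossible travel (successive logins for one user whose implied speed exceeds what a flight could achieve) and off-hours login. The events, the geolocations, the 900 km/h speed threshold and the 06:00 to 22:00 UTC working window are all assumptions chosen for the example.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (not from any real log). In a real pipeline
# the lat/lon would come from a GeoIP lookup on the source address.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T08:02:11Z", "user": "alice", "ip": "203.0.113.10", "lat": 51.51, "lon": -0.13},   # London
    {"ts": "2026-03-02T08:41:50Z", "user": "alice", "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01},  # New York
    {"ts": "2026-03-02T09:15:00Z", "user": "bob",   "ip": "192.0.2.44",   "lat": 48.86, "lon": 2.35},    # Paris
    {"ts": "2026-03-02T17:30:00Z", "user": "bob",   "ip": "192.0.2.44",   "lat": 48.86, "lon": 2.35},
    {"ts": "2026-03-03T03:12:09Z", "user": "bob",   "ip": "192.0.2.44",   "lat": 48.86, "lon": 2.35},    # 03:12 UTC
]

EARTH_RADIUS_KM = 6371.0


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def analyze(events, max_speed_kmh=900.0, work_hours=(6, 22)):
    """Return a list of alerts. Thresholds are assumptions for this example."""
    alerts = []
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for ev in evs:
            hour = parse_ts(ev["ts"]).hour
            if not (work_hours[0] <= hour < work_hours[1]):
                alerts.append({"user": user, "rule": "off_hours", "ts": ev["ts"], "ip": ev["ip"]})
        # Compare each login with the previous one for the same user.
        for prev, cur in zip(evs, evs[1:]):
            dist_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600.0
            if dist_km == 0:
                continue  # same location: nothing to flag
            speed = math.inf if hours <= 0 else dist_km / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "rule": "impossible_travel",
                               "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(dist_km), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Both rules produce only candidates for analyst review; real deployments tune the speed threshold for VPN egress and mobile carrier geolocation, which routinely place a user hundreds of kilometres from where they sit.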
What Organizations Should Do
Deploy phishing-resistant MFA. FIDO2 hardware keys and passkeys are immune to AiTM proxy attacks because they bind authentication to the specific domain. Traditional SMS and push-notification MFA should be considered interim controls, not permanent solutions.
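To make the origin binding concrete, here is an added Python model of the relying-party side of a WebAuthn assertion check (example code, not taken from the article or from any FIDO library). The browser puts the page origin it is actually on into clientDataJSON, the authenticator hashes the RP ID it is handed into authenticatorData, and its signature covers both. The real ECDSA/Ed25519 signature is replaced here by an HMAC with a per-credential secret so the script runs with the standard library only; `login.example.com` and the lookalike proxy host are assumptions.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                  # assumed relying party ID
EXPECTED_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-com.test"  # assumed AiTM proxy host (constructed)

# Stand-in for the credential's private key: an HMAC secret known only to the
# authenticator and (for verification) the RP. Not real WebAuthn cryptography.
CREDENTIAL_SECRET = secrets.token_bytes(32)


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(rp_id_seen, client_data_json):
    """Authenticator: build authenticatorData and sign it with the clientData hash."""
    flags = bytes([0x01])                      # UP (user present)
    auth_data = rp_id_hash(rp_id_seen) + flags + (0).to_bytes(4, "big")  # + signCount
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()


def browser_get_assertion(page_origin, challenge):
    """Browser: the origin field is filled in by the browser, never by page script."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    host = page_origin.split("://", 1)[1]      # simplification of effective-domain rules
    auth_data, sig = authenticator_sign(host, client_data)
    return client_data, auth_data, sig


def rp_verify(client_data, auth_data, sig, expected_challenge):
    """Relying party: checks in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    challenge = secrets.token_urlsafe(32)      # RP issues and remembers it
    return rp_verify(*browser_get_assertion(EXPECTED_ORIGIN, challenge), challenge)


def proxied_login():
    """User is on the proxy page; the proxy relays the RP's real challenge."""
    challenge = secrets.token_urlsafe(32)
    return rp_verify(*browser_get_assertion(PROXY_ORIGIN, challenge), challenge)


def proxied_login_with_rewrite():
    """Proxy rewrites origin and rpIdHash to the expected values before relaying."""
    challenge = secrets.token_urlsafe(32)
    client_data, auth_data, sig = browser_get_assertion(PROXY_ORIGIN, challenge)
    cd = json.loads(client_data)
    cd["origin"] = EXPECTED_ORIGIN
    client_data = json.dumps(cd).encode()
    auth_data = rp_id_hash(RP_ID) + auth_data[32:]
    return rp_verify(client_data, auth_data, sig, challenge)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("via proxy:", proxied_login())
    print("proxy rewrites fields:", proxied_login_with_rewrite())
```

The relayed assertion fails on the origin check, and patching the fields does not help because the signature was computed over the original authenticatorData and clientDataJSON. In practice the failure comes even earlier: the browser scopes the credential to the RP ID, so the authenticator has no credential to use on the proxy's domain at all.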
Implement credential monitoring. Subscribe to breach notification services and dark web monitoring for corporate email domains. When employee credentials appear in breach databases, force immediate password resets and session revocations.
Reduce session token lifetime. Shorter session durations limit the window during which stolen tokens are useful. For sensitive systems, implement continuous authentication that re-validates the user periodically rather than trusting a single login event.
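The following in-memory session store is an added example of these controls in code (it is not from the article or any product it mentions): an absolute lifetime, an idle timeout, binding of the token to a device fingerprint so a harvested token replayed from elsewhere is rejected, and bulk revocation of a user's sessions when, for instance, their credentials turn up in a breach dump. Lifetimes, the fingerprint values and the fixed clock are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Server-side sessions with absolute expiry, idle timeout, device binding and revocation."""

    def __init__(self, max_lifetime_s=8 * 3600, idle_timeout_s=15 * 60):
        self.max_lifetime_s = max_lifetime_s
        self.idle_timeout_s = idle_timeout_s
        self._sessions = {}  # sha256(token) -> record; raw tokens are never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, device_fp, now):
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user, "device_fp": device_fp,
            "issued": now, "last_seen": now, "revoked": None,
        }
        return token

    def validate(self, token, device_fp, now):
        """Return (ok, reason). Every request re-checks the session, not just the login."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return False, "unknown"
        if rec["revoked"] is not None:
            return False, "revoked: " + rec["revoked"]
        if now - rec["issued"] > self.max_lifetime_s:
            return False, "expired"          # absolute cap: re-authentication required
        if now - rec["last_seen"] > self.idle_timeout_s:
            return False, "idle_timeout"
        if not hmac.compare_digest(rec["device_fp"], device_fp):
            rec["revoked"] = "device mismatch"  # likely replay of a stolen token: kill it
            return False, "device_mismatch"
        rec["last_seen"] = now
        return True, "ok"

    def revoke_user(self, user, reason):
        """Revoke every live session for a user; returns how many were revoked."""
        count = 0
        for rec in self._sessions.values():
            if rec["user"] == user and rec["revoked"] is None:
                rec["revoked"] = reason
                count += 1
        return count


def demo():
    """Walk through the failure modes with a fixed clock (seconds since epoch, constructed)."""
    store = SessionStore(max_lifetime_s=3600, idle_timeout_s=600)
    t0 = 1_700_000_000
    out = {}

    tok1 = store.create("alice", "fp-laptop", now=t0)
    out["fresh"] = store.validate(tok1, "fp-laptop", now=t0 + 60)
    out["idle"] = store.validate(tok1, "fp-laptop", now=t0 + 60 + 601)

    tok2 = store.create("alice", "fp-laptop", now=t0)
    out["expired"] = store.validate(tok2, "fp-laptop", now=t0 + 3601)

    tok3 = store.create("bob", "fp-phone", now=t0)
    out["replay_other_device"] = store.validate(tok3, "fp-unknown", now=t0 + 30)
    out["owner_after_replay"] = store.validate(tok3, "fp-phone", now=t0 + 40)

    tok4 = store.create("alice", "fp-desktop", now=t0)
    out["revoked_count"] = store.revoke_user("alice", "credential found in breach dump")
    out["after_revoke"] = store.validate(tok4, "fp-desktop", now=t0 + 10)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A device fingerprint is a weak signal on its own (an infostealer on the same machine supplies the matching one), which is why the absolute lifetime and breach-triggered revocation remain necessary even with binding in place.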
Adopt identity threat detection and response (ITDR). ITDR platforms specifically monitor identity infrastructure — Active Directory, Entra ID, Okta — for the attack patterns that traditional security tools miss: credential spraying, golden ticket attacks, privilege escalation through group policy modifications.
Audit service accounts. Service accounts with static credentials and excessive privileges are among the most targeted assets. Implement just-in-time access, rotate credentials automatically, and monitor service account activity for deviation from expected behavior.
Frequently Asked Questions
Why is MFA not stopping these attacks?
Modern MFA bypass techniques like adversary-in-the-middle phishing (EvilProxy, Evilginx) capture both passwords and MFA tokens in real time by proxying the authentication session. MFA fatigue attacks overwhelm users with push notifications until they approve. Only phishing-resistant methods like FIDO2 hardware keys and passkeys resist these techniques because they bind authentication to the specific domain and cannot be proxied.
What is the most cost-effective first step for organizations with limited security budgets?
Credential monitoring and breach database subscriptions provide the highest return for the lowest cost. Services that scan dark web marketplaces and public breach databases for your corporate email domain cost a fraction of what a single breach costs, and they enable immediate remediation when employee credentials are compromised.
How does zero trust architecture help with credential-based attacks?
Zero trust removes implicit trust from authenticated sessions. Even with valid credentials, access decisions consider device health, user behavior, location, and resource sensitivity. This limits the damage from compromised credentials because the attacker must also satisfy contextual requirements that are much harder to fake than a username and password.
Sources & Further Reading
- Sophos Active Adversary Report 2026: Identity Attacks Dominate — Sophos
- 2026 Unit 42 Global Incident Response Report — Palo Alto Networks
- One Stolen Credential Is All It Takes to Compromise Everything — Help Net Security
- Credential Theft Costs $4.8M Per Breach: The Case for Zero-Knowledge Authentication — WWPass
- A07:2025 Authentication Failures — OWASP Top 10