Vulnerability Intelligence & Exploit Analysis | Beyond CVSS


Identity as Initial Access: Detection, Prevention & Enterprise Defense

Executive Summary


Identity-driven initial access has become a dominant operational pattern across ransomware, SaaS compromise, and cloud intrusion activity.


The Verizon 2025 Data Breach Investigations Report (DBIR), which analysed over 20,000 security incidents, found that credential abuse was the leading initial access vector, present in 22% of breaches, with phishing accounting for a further 16%. Among ransomware victims specifically, 54% had prior credential exposure in infostealer logs before the attack occurred. These are not marginal statistics. They reflect a sustained, industrialised shift in how attackers gain enterprise footholds.

A note on the 2026 DBIR: The Verizon 2026 DBIR, published shortly before this article, shows vulnerability exploitation has overtaken credential abuse as the leading initial access vector overall. This shift is significant for vulnerability management programmes, but it does not diminish the identity threat landscape. Identity-based operations remain deeply embedded in ransomware affiliate workflows, SaaS compromise campaigns, and nation-state intrusion activity. The techniques described in this article are active, documented, and ongoing. Both attack surfaces, software vulnerability exploitation and identity compromise, require parallel investment.

Microsoft has also reported sustained growth in password attacks, identity abuse, and adversary-in-the-middle (AiTM) phishing activity targeting cloud authentication workflows.

The shift accelerated during large-scale cloud and SaaS adoption between 2020 and 2022. As enterprise infrastructure moved toward federated identity, remote access, and SaaS administration, attackers increasingly targeted authentication systems, support workflows, session tokens, and third-party access relationships rather than relying exclusively on software exploitation.

Modern ransomware and intrusion operations increasingly prioritise:

→ Helpdesk social engineering and vishing

→ Session token theft and replay

→ OAuth abuse

→ SaaS administrative compromise

→ MFA fatigue attacks

→ Third-party identity exposure

→ Infostealer-derived credential operations

 

Traditional vulnerability management programmes do not reliably detect these attack paths. EDR platforms often have limited visibility into SaaS administrative abuse, OAuth persistence, or cloud-native session hijacking activity.

Identity infrastructure is now a primary operational attack surface.

For security operations teams, this changes detection priorities. Authentication telemetry, SaaS audit logs, OAuth activity, conditional access events, and administrative identity changes must be treated as critical security telemetry and not secondary IAM data sources.

This article examines how modern attackers operationalise identity compromise for enterprise initial access, where detection visibility commonly fails, and how SOC teams can improve identity-focused detection engineering and defensive monitoring.




Threat Overview


Identity-based attacks now span financially motivated ransomware operations, cloud-focused intrusion campaigns, insider-enabled compromise, and nation-state intelligence collection.

 

Ransomware Initial Access Through Identity Compromise


The Verizon 2025 DBIR and multiple incident response reports confirm credential theft and phishing remain among the most prevalent enterprise initial access vectors. Among ransomware victims specifically, 54% had prior infostealer credential exposure before the ransomware deployment occurred, a direct pipeline from credential theft to enterprise compromise.

 

Ransomware operators increasingly acquire access through:

 

→ Infostealer marketplace credentials

→ Purchased VPN credentials

→ SaaS administrative account compromise

→ Third-party contractor accounts

→ MFA fatigue attacks

→ Helpdesk social engineering

 

This operational model reduces reliance on exploit development while allowing attackers to blend into legitimate authentication workflows.


The operational pipeline increasingly resembles:


Infostealer infection → credential exfiltration → marketplace sale → identity-based enterprise access → ransomware deployment.


In many cases, no software exploitation is required.


Helpdesk and Vishing-Driven Compromise


The MGM Resorts incident is the most extensively documented example of operational social engineering against enterprise support workflows, and it remains an essential case study for identity-focused defenders.

In September 2023, attackers associated with Scattered Spider, operating as an affiliate of the ALPHV/BlackCat ransomware-as-a-service operation, conducted LinkedIn reconnaissance to identify an MGM Resorts employee. They called MGM's IT help desk, impersonated that employee, and convinced support personnel to provide login credentials and reset account access. Using those credentials, the attackers pivoted into MGM's Okta environment, achieved super-administrator privileges, moved laterally into Microsoft Azure infrastructure, and ultimately encrypted over 100 ESXi hypervisors. The estimated operational disruption cost exceeded $100 million.

The attack chain is important to understand precisely: the initial action was credential provision by a help desk operator, not simply an MFA reset. The Okta super-admin pivot that followed is a direct illustration of why identity providers represent high-value concentration targets. A detailed operational breakdown is available in the companion OFA: MGM Resorts Vishing Attack Analysis (coming soon).

The operational methodology included:

→ Employee impersonation

→ LinkedIn reconnaissance

→ Helpdesk manipulation

→ Credential provision and account access reset

→ Okta super-administrator pivot

→ Lateral movement through Azure and virtualisation infrastructure


The authentication itself appeared legitimate throughout. Traditional malware-centric detections offered limited visibility during initial access stages.


Similar operational patterns appeared in the Caesars Entertainment compromise and additional Scattered Spider-linked campaigns targeting cloud and SaaS environments.


Token Theft and Session Hijacking


Modern intrusion activity increasingly targets browser session storage, authentication cookies, OAuth tokens, and federated identity sessions rather than credentials alone.

Threat actors leverage:

→ Browser credential stores

→ Session cookie extraction

→ Adversary-in-the-middle (AiTM) phishing frameworks

→ OAuth token abuse

→ Refresh token replay


Microsoft threat intelligence reporting has documented AiTM phishing campaigns capable of intercepting authenticated sessions and bypassing conventional MFA protections through token theft rather than credential theft alone. Crucially, this means a user who correctly completes MFA can still have their authenticated session stolen and replayed.


Infostealer malware families including RedLine, Vidar, Raccoon, Lumma, and RisePro specifically target browser credentials, authentication cookies, and SaaS session material. The Snowflake customer compromise campaign in 2024 demonstrated that credentials harvested from these infostealers, in some cases years earlier, remained valid and exploitable at scale because they had never been rotated.


This operational shift changes detection requirements significantly. Successful authentication alone is no longer sufficient evidence of legitimate user activity.


How attackers bypass MFA across different attack paths is covered in depth in: How Attackers Bypass MFA in Real Environments (coming soon).



MFA Fatigue and Push Bombing


Push-based MFA implementations remain vulnerable to user fatigue and social engineering.

Documented incidents involving Uber, Cisco, and Rockstar Games demonstrated how attackers repeatedly initiated authentication requests until users eventually approved access out of frustration or confusion. In the Uber case, an external contractor's credentials, likely purchased from a dark web marketplace, were used to flood the account with 2FA login requests until one was accepted. The attacker, believed to be affiliated with Lapsus$, subsequently gained access to internal systems including G-Suite and Slack.

In several reported campaigns, attackers combined MFA fatigue attacks with follow-up vishing calls impersonating internal IT support teams, creating a compound social engineering pressure that significantly increases success rates.

The operational sequence is straightforward:

→ Obtain valid credentials

→ Trigger repeated MFA prompts

→ Socially engineer the user via follow-up call if prompts are ignored

→ Secure authenticated session access


The authentication event itself appears technically legitimate throughout.


Detection requires behavioural and contextual analysis rather than static signature matching. A detailed examination of bypass techniques including AiTM frameworks, push bombing, and token replay is available in: How Attackers Bypass MFA in Real Environments (coming soon).


OAuth Abuse and Application Consent


OAuth abuse increasingly provides attackers with low-noise persistence mechanisms inside SaaS ecosystems.

Threat actors register malicious OAuth applications requesting excessive Microsoft 365 / Entra ID permission scopes such as:

→ mail.read

→ files.readwrite

→ offline_access

→ directory.read.all


Once consent is granted by a user or administrator, attackers can maintain persistent access without repeated authentication events or requiring the user's password to remain valid.


These operations often bypass traditional authentication anomaly detections because the application activity operates within approved authorisation frameworks. The session looks legitimate because it is legitimate; the malicious element is the application that was granted consent, not the authentication event itself.



SaaS Administrative Compromise


Enterprise SaaS adoption significantly expanded identity attack surfaces.

Organisations now maintain hundreds of SaaS integrations, administrative identities, service accounts, and third-party access relationships across distributed cloud environments.

The Snowflake customer compromise campaign of 2024 is the defining case study for infostealer-to-SaaS compromise at scale. Threat actors associated with the group tracked as UNC5537 (operating under the ShinyHunters alias) used credentials harvested from historical infostealer infections, including VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, and METASTEALER variants, to access Snowflake customer environments. The earliest infostealer infection date linked to the campaign dated back to November 2020. Approximately 165 customer organisations were compromised. None of the breached accounts had MFA enabled, and credentials had not been rotated, meaning years-old stolen credentials remained operationally valid.

This campaign demonstrates how infostealer-derived credentials enable broad SaaS compromise without requiring any software vulnerability exploitation, and how the absence of basic hygiene controls transforms credential theft into enterprise-scale impact.

Multiple other industry investigations during 2024 highlighted attackers targeting:

→ SaaS administrative credentials

→ Federated identity providers

→ Shared support systems

→ Cloud administrative consoles

→ Service account permissions

 



Third-Party Identity Exposure


Third-party access relationships continue to create operational visibility and trust challenges.

Contractors, MSPs, vendors, consultants, and support providers often maintain privileged access into enterprise identity systems, SaaS platforms, and cloud infrastructure.

The October 2023 Okta support system breach provides a precise illustration of how compromise of trusted identity infrastructure creates downstream customer exposure. Attackers gained access to Okta's customer support case management system using a stolen service account credential, later traced to an employee who had saved the account's username and password in a personal Google account and signed into that account on an Okta-managed device. The attackers accessed HTTP Archive (HAR) files uploaded by customers for troubleshooting, which contained session tokens. Those tokens were used to hijack the live Okta sessions of five customers, including 1Password, BeyondTrust, and Cloudflare. Further investigation revealed that the attacker had also downloaded a report containing the names and email addresses of all 18,400 Okta customer support system users.

This incident is not simply a cautionary note about vendor risk. It demonstrates several operational realities with direct detection implications:

→ Identity providers represent high-value concentration targets: a single compromise creates exposure across the entire customer base

→ Support systems routinely handle sensitive artefacts (HAR files, session tokens, administrative credentials) that create downstream hijacking risk

→ Credential compromise on personal or non-managed devices can directly enable enterprise intrusion

→ The initial access vector (a personal Google account on a corporate device) would not have been visible in most standard enterprise monitoring configurations


A full operational breakdown is available in: Okta Support System Breach Operational Analysis (coming soon).


Third-party identity exposure increasingly represents a systemic operational risk rather than a narrow vendor management issue. The controls and governance frameworks for managing this risk are examined in: Pillar 5: Managing Third-Party & SaaS Access Risk (coming soon).


Infostealer-Driven Credential Operations


Infostealer malware ecosystems continue to industrialise credential theft operations.


The 2025 DBIR found that 30% of corporate-managed devices and 46% of unmanaged devices appearing in infostealer logs contained company credentials. Among ransomware victims, 54% had prior credential exposure in infostealer logs before the attack.


Enterprise credentials harvested from unmanaged personal systems increasingly appear within:

→ Credential marketplaces

→ Telegram channels

→ Access broker operations

→ Ransomware affiliate ecosystems


Several public investigations linked enterprise compromise activity to credentials originating from:

→ Personal devices

→ BYOD systems

→ Home systems used for work tasks

→ Non-managed browsers with saved enterprise credentials

→ Shared password reuse across personal and enterprise accounts


The operational implication is significant: enterprise exposure increasingly extends beyond corporate-managed infrastructure. An employee whose personal device is infected by an infostealer can expose enterprise credentials that never touched a corporate endpoint.


Nation-State Identity Tradecraft


Nation-state actors increasingly adopt identity-centric intrusion techniques previously associated with financially motivated cybercrime operations.

Public reporting from Microsoft, Google Threat Intelligence, and CISA indicates ongoing targeting of:

→ Cloud administrative accounts

→ Federated identity infrastructure

→ OAuth permissions

→ Remote access tooling

→ Contractor ecosystems

→ Third-party providers


Operational distinctions between cybercrime and espionage tradecraft continue to narrow. The same infostealer ecosystems supplying ransomware affiliates with credentials also supply nation-state-adjacent actors with initial access material. The techniques are shared; only the objectives differ.


The intersection of identity compromise with internet-facing infrastructure exploitation, particularly the edge device targeting used by nation-state actors for lateral movement, is examined in: Pillar 6: Internet-Facing Infrastructure Exploitation (coming soon).




Attack Chain Analysis


Initial Access (T1078: Valid Accounts)


Attackers increasingly obtain enterprise access through:

→ Infostealer malware infections

→ Phishing campaigns (T1566)

→ Password spraying (T1110.003)

→ Credential marketplace purchases

→ Helpdesk social engineering

→ MFA reset abuse

→ Third-party support compromise


Authentication activity often appears operationally legitimate. Access commonly originates from residential proxy infrastructure, commercial VPN providers, previously unseen devices, or cloud-hosted infrastructure, all of which can appear superficially similar to legitimate remote worker activity.


Credential Access (T1539: Steal Web Session Cookie)


Following initial access, attackers frequently extract additional authentication material through:

→ Browser session token theft

→ OAuth token extraction

→ Password manager compromise

→ Session cookie replay

→ Cloud credential harvesting

→ Browser extension abuse


These operations often occur within legitimate user sessions and generate limited malware telemetry. The artefact being stolen is not a password; it is a valid, authenticated session that can be replayed without triggering further authentication challenges.

Persistence (T1098: Account Manipulation)


Identity persistence mechanisms commonly include:

→ Additional MFA device enrolment

→ OAuth application registration

→ Conditional access policy modification

→ Service account creation

→ Trusted device registration

→ Federation trust configuration


Persistence frequently relies on legitimate administrative functionality rather than malicious binaries. This is why persistence activity in identity environments can be exceptionally difficult to detect without behavioural baselining of administrative actions.


Privilege Escalation (T1078.004: Cloud Accounts)


Attackers escalate privileges through:

→ Misconfigured role assignments

→ Excessive SaaS permissions

→ Delegated administration abuse

→ PAM workflow weaknesses

→ OAuth consent grants

→ Cloud administrative inheritance


The MGM Okta super-admin pivot is a direct example: initial access through help desk social engineering led directly to cloud-native privilege escalation through a legitimate identity provider. Cloud-native privilege escalation of this kind often blends into routine administrative activity in environments without tight role governance.


Defense Evasion (T1556: Modify Authentication Process)


Common identity-focused evasion techniques include:

→ MFA disablement on targeted accounts

→ Log tampering or suppression

→ Residential proxy usage to normalise geographic origin

→ Authentication throttling to avoid rate-limit detections

→ Legitimate remote access and RMM tooling


Attackers increasingly prioritise low-noise operational access over aggressive malware deployment. The use of legitimate tooling (RMM platforms, cloud management consoles, approved SaaS interfaces) is examined in: RMM Tool Abuse as Initial Access (coming soon).


Command and Control


Identity-centric compromise frequently reduces the need for traditional command-and-control infrastructure.

Attackers increasingly operate directly through:

→ SaaS administrative interfaces

→ Cloud consoles

→ Webmail platforms

→ Collaboration tools

→ VPN infrastructure

→ RMM tooling


Network traffic often appears operationally legitimate because communications occur through trusted cloud providers and authenticated sessions. There is no malware binary to detect, no C2 beacon to identify, no unusual outbound connection to alert on.


Objectives


Identity compromise enables multiple downstream objectives:

→ Ransomware deployment

→ SaaS data exfiltration

→ Business email compromise

→ Intellectual property theft

→ Third-party compromise

→ Long-term intelligence collection


 



Operational Impact for SOC Teams




Visibility Gaps


Many organisations still maintain limited visibility into identity-centric attack paths.

SOC teams commonly lack centralised telemetry from:

→ SaaS administrative activity

→ OAuth application grants

→ Helpdesk systems

→ Third-party contractor access

→ Session token behaviour

→ Cloud administrative consoles

→ BYOD authentication activity


This creates detection blind spots precisely where modern initial access is occurring.


SaaS Telemetry Fragmentation


Each SaaS platform maintains independent logging formats, retention periods, APIs, and administrative schemas.

Correlating events across Microsoft 365, Salesforce, AWS, Okta, GitHub, ServiceNow, and Google Workspace often requires extensive custom integration and normalisation. Most organisations ingest only a subset of available identity telemetry, and the subset they ingest is rarely the subset that maps to attacker behaviour.


Ephemeral Access Patterns


Identity compromise frequently leaves limited forensic evidence.

Short-lived session tokens, OAuth refresh token abuse, browser cookie replay, and temporary SaaS administrative sessions may leave no persistent artefact. By the time compromise is identified, the original access path may no longer exist in retained logs, particularly in environments with short log retention windows.


Cloud Forensic Limitations


Traditional forensic approaches assume disk artefacts, endpoint persistence, malware binaries, and network packet capture. Cloud-native compromise investigations increasingly rely on API logs, SaaS audit trails, authentication records, and identity provider telemetry. Many cloud platforms were not designed around forensic reconstruction requirements, and organisations often discover this limitation during an active incident rather than before one.


Identity Alert Fatigue


Identity monitoring frequently generates high false-positive rates due to VPN usage, remote work, mobile device roaming, residential IP variation, and cloud proxy infrastructure. As a result, SOC teams often reduce alert sensitivity, creating operational gaps that attackers actively exploit. Calibrating signal-to-noise in identity monitoring is one of the most important and underinvested detection engineering challenges in modern SOC operations.

Strategies for improving signal quality from identity telemetry are covered in: Monitoring Identity Telemetry for Early Access Signals (coming soon).


Contractor Access Monitoring Challenges


Third-party identities remain difficult to monitor consistently. Organisations often lack visibility into contractor device posture, credential exposure status, access frequency, downstream SaaS activity, and federated authentication behaviour. Third-party access frequently persists beyond operational necessity, creating dormant but valid footholds that can be exploited months or years after a contractor engagement ends.


Remote Workforce Complexity


Remote and hybrid work fundamentally altered authentication baselines.

Previously suspicious indicators (geographic variation, residential IP access, cloud-hosted sessions, mobile authentication changes) may now appear operationally normal. Attackers deliberately operate within this ambiguity, using residential proxies and commercial VPN services to blend into legitimate remote worker traffic patterns.




Identity Telemetry Sources SOC Teams Commonly Ignore



Identity Provider Administrative Audit Logs


Many organisations monitor user authentication events but fail to ingest administrative identity changes.

Critical telemetry includes:

→ Conditional access policy changes

→ MFA exemptions and bypasses

→ Role assignments and modifications

→ Federation trust configuration changes

→ Administrative token creation


These events frequently indicate persistence activity or privilege escalation attempts. They are also among the highest-fidelity signals available; a conditional access policy change at 2am is rarely routine.


Helpdesk Ticket System Data


Password resets, MFA modifications, and account recovery requests often contain early indicators of social engineering activity.

Correlating helpdesk tickets with subsequent MFA resets, VPN access, and SaaS authentication events can expose compromise patterns that traditional SIEM detections miss entirely. The MGM incident demonstrated how support workflows themselves become the initial access vector, and how that access would have been visible in helpdesk telemetry if anyone had been looking for it.


SaaS Administrative APIs


Administrative APIs often expose telemetry not visible in standard authentication logs, including bulk exports, sharing permission changes, external collaboration grants, administrative console access, and privilege modifications. Attackers increasingly abuse legitimate application functionality inside authenticated sessions, activity that only appears in API-level audit logs, not authentication logs.


Conditional Access Policy Failures


Failed policy evaluations frequently reveal reconnaissance or pre-compromise activity.

Examples include repeated blocked authentications, unusual device enrolment attempts, abnormal geographic access attempts, and failed privileged access requests. Most organisations alert primarily on successful compromise. Monitoring blocked identity abuse attempts provides earlier visibility into attacker reconnaissance and credential testing activity.


Device Registration and Compliance Logs


Device trust telemetry may reveal early-stage compromise through unexpected device enrolment, compliance status changes, MDM tampering, certificate enrolment anomalies, and unmanaged device registration. Attackers frequently register compromised systems as trusted devices to maintain persistence; device enrolment outside of standard IT workflows is a high-value detection signal.


Browser Session and Endpoint Telemetry


EDR platforms and endpoint agents can identify session token extraction, browser cookie access, credential manager abuse, malicious browser extensions, and suspicious JavaScript execution. Correlating endpoint behaviour with authentication telemetry significantly improves visibility into session hijacking operations; an infostealer running on an endpoint will leave EDR artefacts even when the resulting credential theft generates no authentication anomaly at the identity provider.




Indicators and Warning Signs


Authentication Pattern Anomalies


More operationally useful than simple impossible travel alerts:

→ ASN changes during active sessions (different network provider mid-session)

→ Device fingerprint inconsistencies between authentication and subsequent activity

→ Sudden browser or user-agent changes within an active session

→ Authentication originating from known residential proxy or VPN providers

→ Session establishment outside historical behavioural patterns for that account



MFA Modification Events

 

→ MFA device enrolment outside standard onboarding periods or IT workflows

→ Multiple MFA reset requests for the same account in a short window

→ Secondary authenticator device enrolment on privileged accounts

→ MFA disablement on any account, particularly privileged ones

→ Helpdesk-initiated authenticator changes not matched to a verified support ticket



Suspicious Helpdesk Interactions

 

→ Password reset requests bypassing standard verification procedures

→ Repeated identity verification failures before eventual success

→ After-hours MFA reset requests, particularly for privileged accounts

→ Account recovery requests followed within minutes by VPN or SaaS authentication

→ Escalation requests targeting accounts with elevated privileges



Token and Session Anomalies

 

→ Token reuse from geographically inconsistent locations

→ Simultaneous active sessions from different devices or locations

→ Abnormal refresh token usage frequency or timing

→ Unusually long-lived sessions inconsistent with conditional access policy

→ OAuth token activity inconsistent with historical application usage patterns for that user



OAuth Grant Creation

 

→ Application permission requests including offline_access, mail.read, files.readwrite, or directory.read.all

→ External or unrecognised OAuth redirect URIs

→ OAuth application registrations initiated by non-administrative users

→ Consent grants occurring outside business hours or normal IT change windows

→ Dormant OAuth applications that suddenly become active
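As an added example (not code from this article or from any identity vendor), the Python below triages OAuth consent-grant audit events against the indicators listed here and in the OAuth Abuse and Application Consent section: the high-risk permission scopes, redirect URIs outside an allow-list, grants initiated by non-administrative users, grants outside a change window, and previously unseen applications. The audit record shape, the trusted redirect host, the change-window hours and the sample events are all constructed assumptions; real tenant logs would need to be mapped onto these fields.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set
from urllib.parse import urlparse

# Scopes named in the article as typical of malicious consent requests.
HIGH_RISK_SCOPES = {"offline_access", "mail.read", "files.readwrite", "directory.read.all"}

# Assumption: redirect hosts the organisation has registered for its own applications.
TRUSTED_REDIRECT_HOSTS = {"login.example-corp.invalid"}


@dataclass
class ConsentEvent:
    """One consent-grant audit record (constructed field names, not a vendor schema)."""
    timestamp: datetime
    app_id: str
    app_name: str
    scopes: Set[str]
    redirect_uris: List[str]
    granted_by: str
    granted_by_is_admin: bool


def in_change_window(ts: datetime) -> bool:
    """Assumption: routine IT changes happen Mon-Fri, 08:00-18:00 local time."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def assess_consent(event: ConsentEvent, known_app_ids: Set[str]) -> Dict[str, object]:
    """Return the findings for one grant; an empty list means nothing stood out."""
    findings: List[str] = []

    risky = {s.lower() for s in event.scopes} & HIGH_RISK_SCOPES
    if risky:
        findings.append("high_risk_scopes:" + ",".join(sorted(risky)))

    for uri in event.redirect_uris:
        host = (urlparse(uri).hostname or "").lower()
        if host not in TRUSTED_REDIRECT_HOSTS:
            findings.append(f"untrusted_redirect:{host}")

    if not event.granted_by_is_admin:
        findings.append("non_admin_grant")
    if not in_change_window(event.timestamp):
        findings.append("outside_change_window")
    if event.app_id not in known_app_ids:
        findings.append("unknown_application")

    # Risky scopes plus at least two corroborating signals is what warrants paging someone.
    if risky and len(findings) >= 3:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "info"
    return {"app": event.app_name, "granted_by": event.granted_by,
            "severity": severity, "findings": findings}


def triage_consents(events: List[ConsentEvent], known_app_ids: Set[str]) -> List[Dict[str, object]]:
    """Keep only grants that need an analyst's eyes, highest severity first."""
    order = {"high": 0, "medium": 1}
    results = [assess_consent(e, known_app_ids) for e in events]
    flagged = [r for r in results if r["severity"] != "info"]
    return sorted(flagged, key=lambda r: order[r["severity"]])


# Constructed sample data: one routine grant, one suspicious grant, one borderline grant.
KNOWN_APP_IDS = {"app-ticketing-001", "app-backup-002"}
SAMPLE_EVENTS = [
    ConsentEvent(datetime(2024, 6, 10, 10, 30), "app-ticketing-001", "Ticketing Connector",
                 {"user.read"}, ["https://login.example-corp.invalid/cb"], "alice.admin", True),
    ConsentEvent(datetime(2024, 6, 8, 2, 15), "app-unknown-777", "Mail Sync Helper",
                 {"offline_access", "mail.read", "files.readwrite"},
                 ["https://consent-collector.invalid/callback"], "bob", False),
    ConsentEvent(datetime(2024, 6, 11, 14, 0), "app-backup-002", "Backup Service",
                 {"offline_access", "files.readwrite"},
                 ["https://login.example-corp.invalid/cb"], "alice.admin", True),
]

if __name__ == "__main__":
    for r in triage_consents(SAMPLE_EVENTS, KNOWN_APP_IDS):
        print(r["severity"].upper(), r["app"], "by", r["granted_by"], "->", r["findings"])
```

The severity ladder is deliberate: a single high-risk scope granted by an administrator to a known application during a change window is worth a look but not a page, while the same scopes requested by an unknown application with an outside redirect URI, granted by a standard user at 2am on a Saturday, is the pattern the article describes and is rated high.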



Abnormal SaaS Administrative Activity

 

→ Bulk data exports, particularly outside business hours

→ Retention or audit log policy changes

→ Role assignment changes or new service principal creation

→ External collaboration configuration changes

→ Any attempt to modify or disable audit logging
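The identity provider administrative audit log section earlier and the list just given single out the same handful of actions (audit log or retention changes, conditional access policy edits, role assignments, bulk exports outside business hours), so one added example can serve both. The Python below is not this article's code or any vendor's: it parses constructed JSON-lines audit records, alerts on always-critical actions, alerts on window-sensitive actions performed outside an assumed change window, and escalates when one actor performs several flagged actions within ten minutes. The action names, field names and the approved-export account are assumptions.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Actions that are never routine enough to wait for a change window (assumed names).
ALWAYS_ALERT = {"AuditLogDisabled", "RetentionPolicyChanged", "MfaExemptionAdded",
                "FederationTrustUpdated"}
# Actions that are routine inside a change window and suspicious outside it.
WINDOW_SENSITIVE = {"ConditionalAccessPolicyUpdated", "RoleAssignmentAdded",
                    "ServicePrincipalCreated", "BulkExport"}
# Assumption: service identities allowed to run bulk exports at any hour.
APPROVED_EXPORT_ACTORS = {"svc-backup"}
BURST_WINDOW = timedelta(minutes=10)


def in_change_window(ts: datetime) -> bool:
    """Assumption: routine administration happens Mon-Fri, 08:00-18:00."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def parse_audit(text: str) -> List[Dict]:
    """Parse JSON-lines audit records (constructed format) into time-ordered dicts."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def classify(event: Dict) -> Optional[str]:
    """Return a severity for one record, or None if it needs no alert."""
    action = event["action"]
    if action in ALWAYS_ALERT:
        return "critical"
    if action == "BulkExport" and event["actor"] in APPROVED_EXPORT_ACTORS:
        return None
    if action in WINDOW_SENSITIVE and not in_change_window(event["ts"]):
        return "high"
    return None


def detect_admin_abuse(audit_text: str) -> List[Dict]:
    """Alert on risky administrative actions and escalate bursts by the same actor."""
    alerts = []
    for event in parse_audit(audit_text):
        severity = classify(event)
        if severity:
            alerts.append({**event, "severity": severity})
    # Two or more flagged actions by one actor within BURST_WINDOW looks like an
    # attacker working through persistence steps, so escalate the whole cluster.
    for i, a in enumerate(alerts):
        for b in alerts[i + 1:]:
            if b["actor"] == a["actor"] and b["ts"] - a["ts"] <= BURST_WINDOW:
                a["severity"] = b["severity"] = "critical"
    return alerts


# Constructed sample audit lines; not output from any real product.
SAMPLE_AUDIT_JSONL = """
{"ts": "2024-06-10T11:05:00", "actor": "alice.admin", "action": "RoleAssignmentAdded", "target": "bob", "detail": "Helpdesk Administrator"}
{"ts": "2024-06-11T02:03:00", "actor": "alice.admin", "action": "ConditionalAccessPolicyUpdated", "target": "Require MFA for admins", "detail": "state=disabled"}
{"ts": "2024-06-11T02:04:30", "actor": "alice.admin", "action": "AuditLogDisabled", "target": "tenant", "detail": ""}
{"ts": "2024-06-11T14:20:00", "actor": "svc-backup", "action": "BulkExport", "target": "SharePoint", "detail": "rows=1200000"}
{"ts": "2024-06-12T23:45:00", "actor": "carol", "action": "BulkExport", "target": "Salesforce", "detail": "rows=850000"}
"""

if __name__ == "__main__":
    for alert in detect_admin_abuse(SAMPLE_AUDIT_JSONL):
        print(alert["ts"], alert["severity"].upper(), alert["actor"], alert["action"], alert["target"])
```

In the sample, the daytime role assignment produces nothing, the 02:03 conditional access change is high on its own, and the audit log being disabled ninety seconds later by the same account pulls both into the critical band; that burst logic is what turns two plausible-looking administrative events into the persistence sequence the article warns about.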



Dormant Account Activation

 

→ Inactive accounts authenticating after extended periods of inactivity

→ Contractor accounts used after the engagement end date

→ Service accounts authenticating interactively (rather than as a service)

→ Terminated employee access attempts

 

 


 

Defensive Recommendations




Phishing-Resistant MFA


Push notifications, SMS codes, and TOTP applications remain vulnerable to adversary-in-the-middle phishing and MFA fatigue attacks. These controls have value, but they do not constitute strong authentication against a determined attacker who has valid credentials.

Organisations should prioritise deployment of:

→ FIDO2 / WebAuthn

→ Hardware security keys (e.g. YubiKey)

→ Passkeys (device-bound, phishing-resistant)

→ Certificate-based authentication for privileged access workflows


Priority coverage should include administrative users, helpdesk personnel, financial systems, SaaS administrators, and all privileged cloud access. These accounts represent the highest-impact targets and the weakest link in most enterprise identity chains.


Conditional Access and Risk-Based Authentication


Modern access controls should evaluate device compliance, user risk scoring, network reputation, session behaviour, application sensitivity, and geographic context at the time of each access decision, not just at initial authentication.

Privileged access from anonymising infrastructure, residential proxy providers, or previously unseen devices should trigger step-up authentication or be blocked outright pending review.


Identity Telemetry Centralisation


Security operations teams should centralise telemetry from identity providers, cloud platforms, SaaS applications, VPN systems, PAM tooling, endpoint agents, and helpdesk platforms into a single correlation environment. Cross-platform normalisation is not optional; it is the prerequisite for effective behavioural correlation across identity attack chains.

Practical guidance on identity telemetry pipelines and detection engineering is covered in: Monitoring Identity Telemetry for Early Access Signals (coming soon).


Session Risk Scoring


Continuous session evaluation should assess token age, geographic transitions within a session, concurrent sessions, device posture changes, abnormal API activity, and refresh token behaviour. High-risk session signals should trigger automated containment (token revocation and step-up re-authentication) rather than relying solely on analyst review.
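The session-level indicators listed earlier under Authentication Pattern Anomalies and Token and Session Anomalies, the step-up or block decision from Conditional Access and Risk-Based Authentication, and the scoring-to-containment loop described in this paragraph can be shown together in one added example. The Python below is not this article's code or any identity provider's API: it groups constructed session events by session, looks for ASN, user-agent and device-fingerprint changes within a session, proxy-network origin, concurrent sessions for one user from disjoint networks, refresh-token bursts and over-age sessions, sums weighted signals into a score and maps the score to allow, step-up or revoke. The weights, thresholds, the private-use ASNs standing in for proxy providers and the events are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumption: ASNs belonging to residential-proxy / commercial VPN providers.
# RFC 5398 private-use ASNs are used here as placeholders for a real list.
PROXY_ASNS = {64500, 64501}
# Assumed weights; tune against your own false-positive rate.
WEIGHTS = {"asn_change": 3, "user_agent_change": 3, "device_change": 4,
           "proxy_origin": 2, "concurrent_sessions": 3, "refresh_burst": 2,
           "session_too_old": 2}
REVOKE_AT, STEP_UP_AT = 6, 3
MAX_SESSION_AGE = timedelta(hours=12)
REFRESH_BURST_COUNT, REFRESH_BURST_WINDOW = 5, timedelta(minutes=10)


@dataclass
class SessionEvent:
    ts: datetime
    user: str
    session_id: str
    kind: str          # "auth", "activity" or "refresh"
    asn: int
    user_agent: str
    device_id: str


def score_sessions(events: List[SessionEvent]) -> Dict[str, Dict]:
    """Score every session seen in the events and decide allow / step_up / revoke."""
    by_session: Dict[str, List[SessionEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_session[e.session_id].append(e)

    results: Dict[str, Dict] = {}
    for sid, evs in by_session.items():
        first, signals = evs[0], set()
        # Anything that differs from the authenticating request mid-session.
        for e in evs[1:]:
            if e.asn != first.asn:
                signals.add("asn_change")
            if e.user_agent != first.user_agent:
                signals.add("user_agent_change")
            if e.device_id != first.device_id:
                signals.add("device_change")
        if any(e.asn in PROXY_ASNS for e in evs):
            signals.add("proxy_origin")
        if evs[-1].ts - first.ts > MAX_SESSION_AGE:
            signals.add("session_too_old")
        refreshes = [e.ts for e in evs if e.kind == "refresh"]
        for i in range(len(refreshes) - REFRESH_BURST_COUNT + 1):
            if refreshes[i + REFRESH_BURST_COUNT - 1] - refreshes[i] <= REFRESH_BURST_WINDOW:
                signals.add("refresh_burst")
                break
        results[sid] = {"user": first.user, "signals": signals}

    # Same user, overlapping lifetimes, no network in common: two live sessions.
    sessions = list(by_session.items())
    for i, (sid_a, a) in enumerate(sessions):
        for sid_b, b in sessions[i + 1:]:
            if a[0].user != b[0].user:
                continue
            overlap = a[0].ts <= b[-1].ts and b[0].ts <= a[-1].ts
            if overlap and {e.asn for e in a}.isdisjoint({e.asn for e in b}):
                results[sid_a]["signals"].add("concurrent_sessions")
                results[sid_b]["signals"].add("concurrent_sessions")

    for r in results.values():
        r["score"] = sum(WEIGHTS[s] for s in r["signals"])
        r["action"] = ("revoke" if r["score"] >= REVOKE_AT
                       else "step_up" if r["score"] >= STEP_UP_AT else "allow")
    return results


# Constructed sample telemetry (ASN 64496/64497 stand in for ordinary ISPs).
T = datetime(2024, 6, 10, 9, 0)
SAMPLE_EVENTS = [
    # S1: authenticated from the corporate ISP, then activity via a proxy ASN on a different browser
    SessionEvent(T, "dana", "S1", "auth", 64496, "Chrome/125 Windows", "D-DANA-1"),
    SessionEvent(T + timedelta(minutes=30), "dana", "S1", "activity", 64500, "Chrome/124 Linux", "D-DANA-1"),
    # S2: a consistent session
    SessionEvent(T + timedelta(hours=1), "erin", "S2", "auth", 64496, "Edge/125 Windows", "D-ERIN-1"),
    SessionEvent(T + timedelta(hours=1, minutes=20), "erin", "S2", "activity", 64496, "Edge/125 Windows", "D-ERIN-1"),
    # S3 and S4: the same user live from two networks at the same time
    SessionEvent(T + timedelta(hours=2), "frank", "S3", "auth", 64496, "Safari/17 macOS", "D-FRANK-1"),
    SessionEvent(T + timedelta(hours=2, minutes=30), "frank", "S3", "activity", 64496, "Safari/17 macOS", "D-FRANK-1"),
    SessionEvent(T + timedelta(hours=2, minutes=10), "frank", "S4", "auth", 64497, "Chrome/125 Windows", "D-FRANK-2"),
    SessionEvent(T + timedelta(hours=2, minutes=15), "frank", "S4", "activity", 64497, "Chrome/125 Windows", "D-FRANK-2"),
]

if __name__ == "__main__":
    for sid, r in score_sessions(SAMPLE_EVENTS).items():
        print(sid, r["user"], r["score"], r["action"], sorted(r["signals"]))
```

Note what the scoring does with the replayed session S1: the authentication itself was clean, and only the post-authentication activity (a different network, a different browser, a proxy ASN) moves it into the revoke band, which is exactly the case the article makes that successful authentication alone is not evidence of a legitimate session. The concurrent-session pair S3/S4 lands on step-up rather than revocation because a travelling user with a phone and a laptop can produce the same shape.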


SaaS Security Posture Monitoring


Organisations should continuously monitor OAuth permissions across all integrated applications, SaaS administrative changes, federation configurations, external sharing policies, service account creation, and privilege escalation activity. This is a distinct capability from SIEM-based authentication monitoring and typically requires a dedicated SSPM (SaaS Security Posture Management) tooling investment. The governance and risk frameworks for SaaS access are examined in: Pillar 5: Managing Third-Party & SaaS Access Risk (coming soon).


Behavioural Analytics and UEBA


Identity-focused UEBA should baseline authentication timing, peer-group activity comparisons, application usage patterns, geographic access, session duration, and privilege usage per account. Detection logic should prioritise behavioural deviation from established baselines rather than static thresholds alone; static rules produce the alert fatigue that causes SOC teams to reduce sensitivity and create gaps.


Contractor Lifecycle Controls


Implement automated deprovisioning tied to contract end dates, time-limited access with explicit renewal requirements, recurring access reviews (quarterly at minimum), separate contractor identity domains where feasible, and enhanced monitoring and alerting on all third-party account activity. Dormant contractor credentials are a persistent, underappreciated exposure.


Privileged Access Management


Privileged access workflows should enforce just-in-time access with time-bound elevation, session recording for all privileged activity, administrative workstation restrictions, and approval-based privilege escalation. Standing privileged access (always-on admin accounts) should be treated as a misconfiguration, not a convenience.


Support Desk Verification Controls


The MGM incident makes clear that helpdesk verification is a security control, not just an operational process.


Support workflows require stronger verification procedures including:

→ Callback validation to a known, pre-registered number (not a number provided in the inbound request)

→ Manager approval for MFA resets on privileged accounts

→ Phishing-resistant verification workflows where feasible

→ Automated notifications to account owners when MFA changes occur

→ Mandatory ticket correlation: every MFA change should reference a verified, pre-existing support ticket



Token Protection and Session Management


Implement token rotation, refresh token revocation on suspicious activity, session expiration controls appropriate to application sensitivity, and geographic session validation where feasible. For high-value SaaS platforms, consider Continuous Access Evaluation (CAE) where supported; this allows identity providers to push real-time revocation to applications rather than relying on token expiry windows alone.
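To make the rotation and revocation mechanics concrete, here is an added example (not the article's code or any vendor's implementation) of a refresh-token service that rotates on every use, detects replay of an already-rotated token, revokes the whole token family when that happens so that outstanding access tokens fail immediately rather than at expiry, and applies a shorter access-token lifetime to a sensitive application tier. The in-memory store, opaque token format and lifetimes are constructed assumptions.

```python
"""Refresh-token rotation with replay detection, family revocation and
tier-based access-token lifetimes.
Added example, not the article's code or any identity provider's implementation.
The in-memory store, opaque token format and lifetimes are constructed
assumptions; a real service would persist state and sign access tokens.
"""
from __future__ import annotations
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ACCESS_TTL = {"standard": timedelta(hours=1), "sensitive": timedelta(minutes=10)}  # assumed tiers
REFRESH_TTL = timedelta(days=7)

@dataclass
class Family:          # one grant lineage: the original refresh token and every rotation of it
    user: str
    tier: str
    revoked: bool = False
    reason: str | None = None

@dataclass
class RefreshRecord:
    family: str
    expires: datetime
    used: bool = False  # set once this token has been exchanged; a second use is replay

@dataclass
class AccessRecord:
    family: str
    expires: datetime

@dataclass
class Tokens:
    access: str
    refresh: str

class TokenService:
    def __init__(self) -> None:
        self.families: dict[str, Family] = {}
        self.refresh: dict[str, RefreshRecord] = {}
        self.access: dict[str, AccessRecord] = {}

    def _mint(self, family_id: str, now: datetime) -> Tokens:
        fam = self.families[family_id]
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = AccessRecord(family_id, now + ACCESS_TTL[fam.tier])
        self.refresh[r] = RefreshRecord(family_id, now + REFRESH_TTL)
        return Tokens(a, r)

    def issue(self, user: str, tier: str, now: datetime) -> tuple[str, Tokens]:
        family_id = secrets.token_hex(8)
        self.families[family_id] = Family(user, tier)
        return family_id, self._mint(family_id, now)

    def revoke_family(self, family_id: str, reason: str) -> None:
        """Push-style revocation: every access token in the lineage fails validation
        at once instead of living out its TTL."""
        self.families[family_id].revoked = True
        self.families[family_id].reason = reason

    def rotate(self, refresh_token: str, now: datetime) -> tuple[str, Tokens | None]:
        rec = self.refresh.get(refresh_token)
        if rec is None:
            return "unknown", None
        if self.families[rec.family].revoked:
            return "family_revoked", None
        if rec.used:
            # An already-rotated token is being presented again: either the real client
            # or a thief holds a stale copy, and we cannot tell which. Kill the lineage.
            self.revoke_family(rec.family, "refresh_token_replay")
            return "replay_detected", None
        if now > rec.expires:
            return "expired", None
        rec.used = True
        return "ok", self._mint(rec.family, now)

    def validate_access(self, access_token: str, now: datetime) -> bool:
        rec = self.access.get(access_token)
        if rec is None or now > rec.expires:
            return False
        return not self.families[rec.family].revoked

T0 = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)

def replay_scenario() -> dict:
    """Legitimate client rotates once; an attacker then replays the stale token."""
    svc = TokenService()
    fam, first = svc.issue("a.lee@corp.example", "sensitive", T0)
    status1, second = svc.rotate(first.refresh, T0 + timedelta(minutes=5))
    status2, _ = svc.rotate(first.refresh, T0 + timedelta(minutes=6))    # stale token replayed
    status3, _ = svc.rotate(second.refresh, T0 + timedelta(minutes=7))   # victim's current token
    return {"first_rotation": status1, "replay": status2, "after_replay": status3,
            "latest_access_valid": svc.validate_access(second.access, T0 + timedelta(minutes=6)),
            "family_reason": svc.families[fam].reason}

def ttl_scenario() -> dict:
    """Same elapsed time, different tiers: the sensitive-tier access token has already expired."""
    svc = TokenService()
    return {tier: svc.validate_access(svc.issue("b.khan@corp.example", tier, T0)[1].access,
                                      T0 + timedelta(minutes=11)) for tier in ("standard", "sensitive")}
```

Replay detection hinges on the used flag: once a refresh token has been exchanged, any later presentation of it means two parties hold copies and the issuer cannot tell which one is legitimate, so it revokes the lineage and forces both to re-authenticate. Because validation consults the family's revoked state, the victim's still-unexpired access token stops working at the same moment, which is the effect CAE-style push revocation provides at the application edge, applied here at the token issuer.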



 

Industry and Strategic Context




Identity as the Operational Control Plane


Cloud adoption fundamentally altered enterprise security architecture. Applications, administrative workflows, and authentication systems increasingly operate through SaaS platforms, federated identity providers, cloud administrative consoles, and remote authentication workflows. Identity infrastructure effectively became the operational control plane for enterprise access: the single layer through which all other access is mediated.

This is why identity compromise is so operationally efficient for attackers. Compromising the control plane grants access to everything it controls.


Ransomware Operational Evolution


Credential-based access offers operational advantages over traditional software exploitation. It requires less infrastructure, no exploit development, lower operational complexity, fewer malware artefacts, and faster access acquisition. Ransomware affiliates and access brokers have recognised this calculus. The infostealer-to-access-broker-to-ransomware pipeline is now a mature, industrialised supply chain.


AI-Enabled Social Engineering


Generative AI is increasingly enabling scalable phishing at reduced operational cost, multilingual social engineering, realistic vishing with synthesised voices, impersonation campaigns using AI-generated personas, and automated operational reconnaissance. The MGM-style help desk attack, which required skilled English-speaking social engineers in 2023, is becoming more accessible as AI tooling lowers the skill floor for convincing impersonation. Technical identity controls are becoming more important relative to awareness training alone.


SaaS Expansion and Identity Sprawl


Rapid SaaS adoption expanded unmanaged identity exposure across enterprises. Shadow IT, unmanaged OAuth applications, undocumented federated access relationships, and unreviewed third-party integrations continue increasing operational complexity for SOC teams, often faster than governance programmes can track them.


Operational Convergence


Operational distinctions between cybercrime and nation-state intrusion tradecraft continue to narrow. Identity compromise methodologies now commonly overlap across ransomware groups, espionage operations, access brokers, financially motivated actors, and state-aligned campaigns. Attribution remains important for threat intelligence purposes, but defensive controls against identity-based initial access are largely technique-agnostic.



 

Why Traditional Vulnerability Metrics Miss Identity Risk


Most enterprise security programmes still measure exposure primarily through software vulnerability frameworks: CVSS scoring, KEV prioritisation, and patch compliance metrics.

These models remain operationally important, but they do not adequately measure identity exposure.

Identity compromise often bypasses traditional software exploitation entirely. Attackers authenticate using legitimate credentials, stolen session tokens, OAuth grants, or socially engineered account recovery workflows.

There is no CVE for:

→ Vishing-based MFA resets

→ OAuth application abuse

→ Session token replay

→ Helpdesk impersonation

→ Contractor credential exposure


As a result, organisations can demonstrate strong vulnerability remediation performance while remaining highly exposed to identity-driven compromise. An organisation that patches 95% of critical CVEs within SLA but has no MFA on its Snowflake tenants, no monitoring of OAuth grants, and no helpdesk verification controls is not well-defended; it has simply optimised for the wrong threat model.

The issue is not that vulnerability management is obsolete. The issue is that identity exposure now operates alongside software exposure as a parallel, primary enterprise attack surface.

Modern security programmes require operational metrics for:

→ Exposed credential coverage (monitored via threat intelligence feeds and dark web monitoring)

→ MFA coverage quality (phishing-resistant vs. push-based vs. SMS by account privilege tier)

→ Unmanaged SaaS identities and OAuth application risk

→ Privileged session activity and just-in-time access adoption

→ Anomalous authentication behaviour detection coverage

→ Contractor and third-party access exposure and lifecycle hygiene


Traditional vulnerability telemetry measures software exploitability. Identity telemetry measures operational access risk. Security operations programmes require both.




Summary


Many enterprise security programmes remain structurally optimised for software vulnerability management and perimeter defence.

Modern intrusion operations increasingly target identity infrastructure instead.

Attackers authenticate using valid credentials, compromised sessions, OAuth permissions, support workflow abuse, and legitimate administrative tooling. These operations often generate limited traditional malware telemetry and may not trigger conventional exploit-based detections. The MGM Resorts compromise, in which a $33 billion company was breached through a 10-minute phone call to its help desk, is the most cited example, but the underlying technique is a daily operational reality across enterprise environments globally.

This changes SOC detection requirements significantly.

Identity telemetry, including authentication events, SaaS audit logs, OAuth activity, conditional access evaluations, administrative changes, and session behaviour, must now be treated as primary security telemetry, with the same ingestion priority, normalisation investment, and detection engineering maturity as endpoint and network data.

The challenge is operational rather than conceptual. Most organisations already generate the required identity telemetry. The gaps typically exist in centralised ingestion, normalisation, behavioural correlation, cross-platform visibility, long-term retention, and detection engineering maturity.

Modern identity compromise detection relies heavily on behavioural analysis rather than signature-based detection. Attackers operate within legitimate SaaS workflows, through authorised cloud administration interfaces, across trusted third-party access relationships, and using valid sessions on approved authentication paths. There is nothing inherently anomalous about any individual event; the signal is in the pattern, the context, and the deviation from established behaviour.

Organisations that adapt their telemetry pipelines, monitoring strategies, and investigation workflows around identity-centric operations are more likely to identify compromise before escalation into ransomware deployment, large-scale SaaS data exfiltration, or persistent cloud access operations.

Identity is no longer simply an access management problem.

It is a core enterprise security operations problem, and it requires a SOC-level response.



 

Related Articles

•  JLR Breach Operational Failure Analysis

•  McKinsey AI Chatbot Breach Analysis (OFA): Shadow AI Exposure and Identity Governance Failure

 

In This Series - Coming Soon

•  MGM Resorts Vishing Attack Analysis

•  Okta Support System Breach Operational Analysis

•  M&S Breach Operational Analysis

•  How Attackers Bypass MFA in Real Environments

•  Monitoring Identity Telemetry for Early Access Signals

•  Third-Party & SaaS Access Risk

•  Internet-Facing Infrastructure Exploitation: Enterprise Initial Access Risk Guide

•  RMM Tool Abuse as Initial Access: The MSP Backdoor Threatening Enterprise Networks

•  Edge Device Telemetry Gaps Enable Nation-State Lateral Movement: SOC Detection Failures in Network Perimeter Infrastructure

 

 



About This Report

 

Reading Time: Approximately 15 minutes

 

Attribution Note

Threat actor activity, attribution, and operational patterns discussed in this article are derived from publicly available reporting, incident response disclosures, threat intelligence publications, and enterprise security research available at the time of writing (May 2026).

Attribution for incidents including MGM Resorts reflects the current state of public reporting and security researcher consensus. Where formal attribution has not been confirmed by law enforcement or the affected organisation, the article uses appropriately hedged language.

Operational techniques, attack timelines, and observed behaviours vary between environments and campaigns. Quantitative statistics referenced throughout reflect findings from cited industry reports and may differ across datasets, sectors, and reporting methodologies.

Statistics from the Verizon 2025 DBIR reflect the reporting period covered by that edition. Where the 2026 DBIR presents updated findings, this is noted explicitly in the article.

 

 

Author Information

Timur Mehmet | Founder & Lead Editor

Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor, ITIL and technologies such as Networking, Operating Systems, PKI, Firewalls. For more information including independent citations and credentials, visit our About page.


 

Editorial Standards

This article adheres to Hackerstorm.com's commitment to accuracy, independence, and transparency:

  • Fact-Checking: All statistics and claims are verified against primary sources and authoritative reports
  • Source Transparency: Original research sources and citations are provided in the References section below
  • No Conflicts of Interest: This analysis is independent and not sponsored by any vendor or organization
  • Corrections Policy: We correct errors promptly and transparently.

Editorial Policy: Ethics, Non-Bias, Fact Checking and Corrections



 

Source Transparency

•  Verizon 2026 Data Breach Investigations Report (DBIR)

•  Microsoft Digital Defense Report

•  Google Cloud M-Trends 2025

•  CrowdStrike Global Threat Report

•  IBM X-Force Threat Intelligence Index

•  CISA advisories and guidance

•  Microsoft threat intelligence reporting

•  Google Threat Intelligence reporting

•  Okta security advisories and incident disclosures

•  Mandiant incident response reporting (Snowflake, UNC5537)

•  Unit42 threat intelligence reporting

•  Cisco Talos reporting

•  BeyondTrust Okta breach disclosure

•  Cifas Fraudscape Report 2026

•  FBI Internet Crime Complaint Center (IC3)

•  NIST Special Publication 800-63-4 (2024)

•  CISA Cybersecurity Advisories

•  FFIEC Authentication Guidance

•  PCI DSS Security Framework

•  Research on Voice Biometric System Vulnerabilities

•  Consumer Reports AI Voice Cloning Analysis

•  International AI Safety Report 2026

 

Public incidents referenced:

•  MGM Resorts (September 2023): Scattered Spider / ALPHV/BlackCat

•  Caesars Entertainment (September 2023)

•  Snowflake customer compromises (2024): UNC5537 / ShinyHunters

•  Uber (2022): Lapsus$ affiliate

•  Cisco (2022): Lapsus$ affiliate

•  Rockstar Games (2022): Lapsus$ affiliate

•  Okta support system breach (October 2023)

•  Storm-1811 AiTM campaigns

 

MITRE ATT&CK techniques referenced:

•  T1078 Valid Accounts

•  T1078.004 Valid Accounts: Cloud Accounts

•  T1098 Account Manipulation

•  T1110.003 Brute Force: Password Spraying

•  T1539 Steal Web Session Cookie

•  T1556 Modify Authentication Process

•  T1566 Phishing

 

 
