The industrialization of identity compromise: How attackers are scaling faster than defenders

A recent SC Media webcast discussed eSentire’s latest threat intelligence report and how the report shows that identity compromise, like other forms of cybercrime, has become industrialized. This change lets attackers scale their operations, lower skill barriers to entry, and dramatically increase their success rates.

At the center of this is a big shift in attacker strategy. The old ways of breaking into systems through malware or vulnerability exploits have been superseded. Attackers are now logging in using stolen credentials.

"The new attacker mantra is literally log in, don't break in," observed webcast host Mandy Logan, citing a statistic in the eSentire report of a 389% jump year-over-year in identity compromise.

This isn't all bad: the shift in tactics has been partly driven by stronger endpoint defenses. Modern security tools such as EDR have made it harder for attackers to operate undetected on endpoints, forcing them to find less well-defended entry points.

Identity systems, especially those tied to cloud services and SaaS platforms, offer a more efficient path. Once compromised, a single identity can unlock access to multiple systems and sensitive datasets.

Compounding the problem is the commoditization of cybercrime. Techniques that once required advanced expertise to pull off are now widely available through underground marketplaces and subscription-based services.

Phishing-as-a-service platforms, for example, let even low-skilled attackers launch sophisticated campaigns that can bypass multi-factor authentication (MFA) by intercepting session tokens in real time.

The result is a highly efficient attack model. Attackers can move extremely quickly once credentials are stolen, making next-day log reviews ineffective.

"On average, from initial phish to when they got in and started to do things hands-on keyboard, it was around 14 minutes," noted Spence Hutchinson, Senior Manager of Threat Intelligence Research at eSentire.

Scalability is increasing. Attackers choose targets based on potential financial return, focusing on industries like legal, retail, and construction in which large transactions are common. They leverage compromised accounts as launchpads for further attacks, spreading phishing emails internally or establishing persistence through mailbox rules and new authentication devices.

Social engineering has also evolved. Today's attacks combine multiple techniques, such as email bombing followed by impersonation of helpdesk technicians via phone or messaging platforms. These tactics exploit the human tendency to panic and not think clearly under pressure, and many victims get tricked into granting access or installing remote tools themselves.

Meanwhile, legitimate enterprise tools are being weaponized. Remote monitoring and management (RMM) tools, for example, are now used by attackers to maintain persistence and move laterally within networks.

"This is stuff like AnyDesk, TeamViewer, ScreenConnect, these legitimate tools that are being deployed to these networks to gain remote access," said Hutchinson. "These are powerful tools. I refer to them as a Swiss army knife for attackers."

The industrialization of identity compromise extends to supply chain and third-party risks. Attackers target managed service providers (MSPs) and other high-privilege accounts, which provide access to multiple organizations simultaneously. These accounts are traded on Dark Web marketplaces, accelerating the attack lifecycle.

To counter these trends, organizations need to rethink their security strategies. Basic MFA is no longer enough; phishing-resistant methods such as FIDO2 and passkeys are becoming essential. Continuous monitoring of identity activity, strict enforcement of least privilege, and stronger controls over remote access tools are critical.

Equally important is speed. Defenders must be able to detect and respond to threats in near real time, leveraging AI and automation to analyze vast amounts of telemetry and surface actionable insights.
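As an added illustration (not from the webcast or the eSentire report), the sketch below shows the kind of near-real-time correlation this implies: flag a mailbox rule or new authentication method created shortly after a sign-in from an unfamiliar IP address. The event schema, action labels, sample data and 30-minute window are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names and action labels are hypothetical,
# not any identity provider's real log schema.
EVENTS = [
    {"ts": "2024-05-01T08:55:00", "user": "alice", "action": "signin", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:00:00", "user": "alice", "action": "signin", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:05:00", "user": "bob", "action": "signin", "ip": "192.0.2.44"},
    {"ts": "2024-05-01T09:11:00", "user": "alice", "action": "inbox_rule_created", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:14:00", "user": "alice", "action": "mfa_method_registered", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:20:00", "user": "bob", "action": "mfa_method_registered", "ip": "192.0.2.44"},
    {"ts": "2024-05-01T10:00:00", "user": "carol", "action": "signin", "ip": "198.51.100.9"},
    {"ts": "2024-05-01T12:30:00", "user": "carol", "action": "inbox_rule_created", "ip": "198.51.100.9"},
]
# Constructed baseline of source IPs previously seen per user.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.44"}, "carol": {"203.0.113.30"}}

PERSISTENCE_ACTIONS = {"inbox_rule_created", "mfa_method_registered"}
WINDOW = timedelta(minutes=30)  # assumed threshold; tune to your environment


def find_suspicious(events, known_ips, window=WINDOW):
    """Flag persistence-type changes made shortly after a sign-in from an
    IP address not in the user's baseline."""
    alerts = []
    unfamiliar = {}  # user -> (time, ip) of latest sign-in from an unfamiliar IP
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["action"] == "signin":
            if ev["ip"] not in known_ips.get(user, set()):
                unfamiliar[user] = (ts, ev["ip"])
        elif ev["action"] in PERSISTENCE_ACTIONS and user in unfamiliar:
            start, ip = unfamiliar[user]
            if ts - start <= window:
                alerts.append({
                    "user": user,
                    "action": ev["action"],
                    "signin_ip": ip,
                    "delay_min": int((ts - start).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(EVENTS, KNOWN_IPS):
        print(alert)
```

On the constructed data, only the two changes to alice's account are flagged; bob's change follows a sign-in from a baseline IP, and carol's falls outside the window.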

Ultimately, the industrialization of identity compromise is a turning point in cybersecurity. Attackers are operating faster, smarter, and at greater scale than ever before. To keep pace, organizations must treat identity as the new perimeter — and defend it accordingly.

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
