The most common image of a cyberattack involves someone finding a gap in the perimeter — exploiting a vulnerability, cracking through a firewall, or forcing entry through an unpatched system. That model still exists, but it's no longer the dominant one. Today, attackers are more likely to walk through the front door using credentials they already have.
Identity-based attacks — where threat actors use stolen, phished, or purchased credentials to authenticate as legitimate users — now account for the majority of confirmed breaches. The firewall doesn't flag a successful login. The SIEM sees a recognized user. The attacker is already inside.
According to the Verizon Data Breach Investigations Report, credential abuse continues to be one of the most common initial access vectors in confirmed breaches — year after year, across industries and organization sizes.
How Identity-Based Attacks Work
The attack path is straightforward, and that's precisely what makes it effective. Attackers obtain credentials through phishing, credential stuffing (using breach data from other platforms), or purchasing them on criminal marketplaces. They then authenticate through legitimate access points — a VPN, a cloud application, a remote desktop environment — and operate within the environment as if they belong there.
Because the access appears legitimate, traditional perimeter defenses generate no alert. Detection depends on behavioral anomaly monitoring, identity-specific logging, and access pattern analysis — controls that many organizations haven't fully implemented.
Microsoft reports that identity is now the primary control plane for modern security environments — making it the most actively targeted attack surface. This is not an emerging trend. Credential abuse has already become the default attack methodology for both opportunistic and targeted threat actors.
The Three Vulnerabilities Attackers Exploit Most
Weak or misconfigured MFA
Multi-factor authentication is now table stakes, but implementation quality varies widely. SMS-based MFA is susceptible to SIM-swapping. Push notification fatigue attacks — where attackers repeatedly send MFA prompts until the user approves one — are increasingly common. Conditional access policies that are configured but not enforced consistently create gaps. MFA that is deployed but not audited provides a false sense of security.
Over-permissioned accounts
Most organizations accumulate permission sprawl over time. Users receive access for a project and never have it revoked. Service accounts are provisioned with administrative rights "to make sure it works" and those rights are never scoped back down. Former employees' accounts remain active in federated systems after offboarding. Each over-permissioned account represents leverage an attacker can exploit the moment they obtain the credentials.
No identity monitoring in place
Many organizations have identity platforms — Azure Active Directory, Okta, Google Workspace — but are not actively monitoring the logs those platforms generate. Sign-in anomalies, impossible travel events, unusual access times, and privilege escalation attempts all generate log data. Without something consuming and alerting on that data, the signals go unnoticed.
A Scenario That Happens More Than Organizations Realize
An employee reuses a password across their corporate email account and a personal subscription service. That subscription service suffers a breach — which happens thousands of times per year across the internet. The employee's email and password appear in a credential dump, which is purchased or discovered by a threat actor within days of the breach.
The attacker authenticates to the organization's Microsoft 365 environment using the employee's credentials. MFA is enabled, but the attacker triggers a push notification at 2:00 AM and the employee approves it half-awake. The attacker now has authenticated access to email, SharePoint, Teams, and any connected SaaS applications.
They spend the next several days reading email threads, identifying sensitive documents, and mapping the environment — all while appearing as normal user activity. The data leaves the environment through a legitimate email account. No perimeter alert fires. The organization discovers the incident weeks later, if at all.
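The scenario above leaves traces in the identity platform's sign-in log even though no perimeter alert fires: a sign-in far from the user's last location, an approval at 2:00 AM, and a burst of denied or timed-out MFA prompts immediately before a successful one. The following is an added example, not code from the original article, from DOYB, or from any identity vendor, that runs those three detections (impossible travel, off-hours sign-in, MFA denials followed by success) over a constructed sign-in log modelled on the scenario. The event schema, the coordinates, the working-hours window and the speed threshold are all assumptions; a real deployment would read the platform's sign-in export and tune the thresholds.

```python
"""Added example: three identity-log detections run over constructed sign-in events.
Illustrative only; the event fields and thresholds are assumptions, not any
vendor's schema or detection logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt


@dataclass
class SignIn:
    user: str
    ts: datetime      # assumed to be in the organisation's working time zone
    city: str
    lat: float
    lon: float
    result: str       # "success", "mfa_denied", "mfa_timeout" or "password_failed"


# Constructed sample log: a normal evening sign-in from the employee's usual city,
# then a burst of MFA prompts from far away at 2 AM, the last of which is approved.
EVENTS = [
    SignIn("alice", datetime(2024, 3, 10, 21, 30), "Chicago", 41.88, -87.63, "success"),
    SignIn("alice", datetime(2024, 3, 11, 2, 0), "Amsterdam", 52.37, 4.90, "mfa_denied"),
    SignIn("alice", datetime(2024, 3, 11, 2, 1), "Amsterdam", 52.37, 4.90, "mfa_denied"),
    SignIn("alice", datetime(2024, 3, 11, 2, 3), "Amsterdam", 52.37, 4.90, "mfa_timeout"),
    SignIn("alice", datetime(2024, 3, 11, 2, 5), "Amsterdam", 52.37, 4.90, "success"),
    SignIn("bob", datetime(2024, 3, 11, 9, 0), "Chicago", 41.88, -87.63, "success"),
    SignIn("bob", datetime(2024, 3, 11, 13, 0), "Chicago", 41.88, -87.63, "success"),
]

MAX_PLAUSIBLE_KMH = 900          # faster than an airliner: treat as impossible travel
WORK_HOURS = range(6, 22)        # 06:00-21:59 counts as normal sign-in time
MFA_WINDOW = timedelta(minutes=30)
MFA_DENIALS_BEFORE_ALERT = 2


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(events):
    """Flag a successful sign-in whose distance from the same user's previous success
    could not have been covered at MAX_PLAUSIBLE_KMH in the elapsed time."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.result != "success":
            continue
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            # ignore small moves (GeoIP jitter) and guard against zero elapsed time
            if km > 100 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append((e.user, "impossible_travel", prev.city, e.city))
        last[e.user] = e
    return alerts


def off_hours(events):
    """Flag successful sign-ins outside the working-hours window."""
    return [(e.user, "off_hours", e.ts.isoformat())
            for e in events if e.result == "success" and e.ts.hour not in WORK_HOURS]


def mfa_fatigue(events):
    """Flag a success preceded, within MFA_WINDOW, by MFA_DENIALS_BEFORE_ALERT or more
    denied or timed-out MFA prompts for the same user: the push-fatigue pattern."""
    alerts, recent = [], {}   # recent: user -> timestamps of MFA failures in window
    for e in sorted(events, key=lambda e: e.ts):
        bucket = recent.setdefault(e.user, [])
        bucket[:] = [t for t in bucket if e.ts - t <= MFA_WINDOW]
        if e.result in ("mfa_denied", "mfa_timeout"):
            bucket.append(e.ts)
        elif e.result == "success":
            if len(bucket) >= MFA_DENIALS_BEFORE_ALERT:
                alerts.append((e.user, "mfa_fatigue", len(bucket)))
            bucket.clear()
    return alerts


def run_detections(events):
    """All three detections over one log; each alert is a tuple (user, rule, ...)."""
    return impossible_travel(events) + off_hours(events) + mfa_fatigue(events)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

Run on the constructed log, all three rules fire for alice and none for bob: the 2:05 AM approval is roughly 6,600 km from the Chicago sign-in four and a half hours earlier, it falls outside working hours, and it follows three failed prompts inside the 30-minute window. None of these signals requires anything beyond the sign-in log the platform already produces; what is missing in most environments is the code, or the product, that reads it.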
This scenario is not a worst-case illustration. It is a recurring pattern documented in breach reports across every industry vertical.
What Effective Identity Defense Requires
- Enforce phishing-resistant MFA where possible. Hardware security keys (FIDO2) and certificate-based authentication eliminate the push fatigue attack vector entirely. For environments that can't implement hardware keys universally, at minimum enforce number matching on authenticator apps and disable SMS-based MFA for privileged accounts.
- Implement continuous identity monitoring. Configure Azure AD, Okta, or your identity platform to alert on anomalous sign-in behavior — impossible travel, sign-ins from new locations, unusual access times, and failed MFA followed by successful authentication. These signals are only useful if someone is watching them.
- Apply least-privilege access consistently. Conduct a formal access review and remove permissions that are no longer needed. Service accounts should have only the permissions required for their function. Privileged accounts should require elevated authentication and should be separate from day-to-day user accounts.
- Audit access quarterly. Permission sprawl accumulates continuously. A quarterly review of active accounts, group memberships, and privileged access assignments catches drift before it becomes exploitable. Automate offboarding to ensure accounts are disabled when employees leave.
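The least-privilege and quarterly-audit items above are easier to keep up when the review is a script rather than a spreadsheet. The following is an added example, not code from the original article, from DOYB or Ascend Cyber, or from any directory product, that runs one such review over a constructed directory export: it flags terminated employees whose accounts are still enabled, service accounts holding privileged group membership, privileged roles attached to day-to-day user accounts, enabled accounts with no sign-in in 90 days, and lingering membership in project groups past their end date, then orders the findings for remediation. The record fields, group names, HR feed and thresholds are all assumptions.

```python
"""Added example: a quarterly access review over a constructed directory export.
Illustrative only; the record shape, group names and thresholds are assumptions,
not any identity platform's API or data model."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Account:
    name: str
    enabled: bool
    kind: str                        # "user" or "service"
    last_sign_in: Optional[date]
    groups: List[str] = field(default_factory=list)


REVIEW_DATE = date(2024, 4, 1)
STALE_AFTER = timedelta(days=90)
PRIVILEGED_GROUPS = {"Global Administrators", "Domain Admins", "Tenant Owners"}
# Constructed HR feed: people whose employment has ended.
TERMINATED = {"dave", "erin"}
# Constructed: project groups with an agreed end date; membership after it is sprawl.
PROJECT_EXPIRY = {"proj-migration-2023": date(2023, 12, 31)}

# Constructed directory export.
ACCOUNTS = [
    Account("alice", True, "user", date(2024, 3, 28), ["Staff", "proj-migration-2023"]),
    Account("bob", True, "user", date(2024, 3, 30), ["Staff", "Global Administrators"]),
    Account("dave", True, "user", date(2024, 1, 15), ["Staff"]),       # left, still enabled
    Account("erin", False, "user", date(2023, 11, 2), ["Staff"]),      # left, correctly disabled
    Account("svc-backup", True, "service", date(2024, 3, 31), ["Domain Admins"]),
    Account("svc-legacy-sync", True, "service", date(2023, 10, 1), ["Staff"]),
    Account("bob-admin", True, "user", date(2024, 3, 29), ["Global Administrators"]),
]


def review(accounts, today=REVIEW_DATE):
    """Return findings as (severity, account, reason), highest severity first."""
    findings = []
    for a in accounts:
        privileged = bool(set(a.groups) & PRIVILEGED_GROUPS)
        if a.name in TERMINATED and a.enabled:
            findings.append(("critical", a.name, "terminated employee still enabled"))
        if a.kind == "service" and privileged:
            findings.append(("high", a.name, "service account holds privileged group"))
        # a privileged role on an account that also carries everyday membership means
        # admin rights are exercised from the same identity used for email and browsing
        if a.kind == "user" and privileged and "Staff" in a.groups:
            findings.append(("high", a.name, "privileged role on day-to-day account"))
        if a.enabled and (a.last_sign_in is None or today - a.last_sign_in > STALE_AFTER):
            findings.append(("medium", a.name, "enabled but no sign-in in 90 days"))
        for g in a.groups:
            expiry = PROJECT_EXPIRY.get(g)
            if expiry and today > expiry:
                findings.append(("low", a.name, f"still in expired project group {g}"))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


def accounts_to_disable(accounts, terminated=TERMINATED):
    """Automated offboarding: enabled accounts whose owner is on the terminated list."""
    return [a.name for a in accounts if a.enabled and a.name in terminated]


if __name__ == "__main__":
    for severity, name, reason in review(ACCOUNTS):
        print(f"{severity:8} {name:16} {reason}")
    print("disable:", accounts_to_disable(ACCOUNTS))
```

On the constructed export the review surfaces five findings, led by the terminated employee whose account is still enabled, and the offboarding helper returns exactly that account. The separate admin account bob-admin produces no finding, which is the intended pattern: privileged access on its own identity, away from the mailbox that receives phishing. Scheduling this against a real export each quarter turns the audit bullet above into a repeatable control rather than a good intention.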
The network security controls that organizations have invested in over the past decade remain relevant — but they are now supporting infrastructure, not primary defense. The primary defense layer for most organizations is identity, and it requires dedicated investment and attention.
Organizations working with DOYB on cybersecurity services receive identity posture evaluation as part of every engagement — because the identity layer is where most breaches begin.
Most identity vulnerabilities aren't obvious without a structured assessment. The Ascend Cyber assessment maps your identity posture, access controls, and MFA configurations against your actual risk exposure — and produces a prioritized remediation plan your team can act on.
Sources:
[1] Verizon Data Breach Investigations Report — https://www.verizon.com/business/resources/reports/dbir/
[2] Microsoft Entra ID Protection — https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id-protection