Identity-based attacks are surging as remote and hybrid work becomes the norm and artificial intelligence (AI) super-charges threats. In the past year alone, weak identity controls played a meaningful role in 90% of cyber incidents, with attackers leaning on the area as the most reliable entry point and mechanism for lateral movement, according to Palo Alto Networks’ Global Incident Response Report 2026.
In nearly two-thirds (65%) of cases, attackers used identity-based attacks as the initial access point for enterprise systems, with 33% of incidents beginning with phishing and social engineering.
So, how do identity-based attacks work and what should businesses be doing to mitigate this evolving threat?
Targeting Credentials and Authentication
Identity-based attacks share one defining trait: “They target credentials and authentication mechanisms rather than vulnerabilities,” says Adrian Cheek, senior cybercrime researcher at Flare. “The attacker presents a valid credential and is treated as a legitimate user, making detection extraordinarily difficult – especially when combined with other reconnaissance, such as geo-location mapping,” he explains.
Credential phishing remains a common attack method, with adversaries using fake emails, texts, or voice calls to extract login details. “Spear-phishing and vishing have grown noticeably more sophisticated, as demonstrated by Scattered Spider’s successful impersonation of IT support staff over the telephone,” Cheek says.
More advanced techniques include pass-the-hash attacks, which reuse stolen cryptographic hashes to authenticate without the plaintext password, and session hijacking, where attackers steal active session tokens to impersonate users without triggering a login event.
Other techniques to be aware of include man-in-the-middle interception of credentials in transit, and golden ticket attacks that forge Kerberos credentials to gain “almost unlimited Active Directory access”, says Cheek.
Attackers Targeting Identities
The types of attackers using identity-based methods vary, ranging from state-sponsored intelligence groups to opportunistic criminal operations.
Of the nation state adversaries, groups such as Cozy Bear and Flax Typhoon conduct long-dwell intrusions aimed at intelligence gathering, pre-positioning within critical infrastructure, or sustained financial theft, says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University.
Meanwhile, Salt Typhoon has demonstrated capability against telecommunications providers, he adds. “These actors typically target specific privileged individuals rather than broad populations, using surgical credential attacks to avoid detection,” he tells SC Media UK.
Organised cybercrime syndicates occupy the next tier, according to Curran. Groups such as Scattered Spider or Lapsus$ are financially motivated and have elevated identity attacks to their primary intrusion method.
“Many such groups operate as access brokers, compromising networks and selling session access on dark web markets, rather than exploiting it directly. Ransomware operators frequently purchase this access downstream, making the identity compromise and the eventual extortion appear unrelated,” he explains.
Targets include enterprises, government bodies, healthcare organisations and critical infrastructure providers. These are environments where privileged access “typically unlocks high-value data or operational control”, says Darren Guccione, CEO and co-founder at Keeper Security.
However, attacks can often begin with individuals and small businesses that have limited resources to implement cybersecurity measures. Executives, administrators and IT personnel are also targets because their credentials provide “coveted elevated access to sensitive systems,” Guccione explains.
Evolving Threat
Opportunities for adversaries are already evolving, as technology such as AI enables more sophisticated attacks. The evolution of generative AI is enabling attackers to automate “highly personalised phishing campaigns” and to create “convincing deepfake audio or video to deceive employees,” says Alex Martin, cyber services director at Reliance Cyber.
Agentic AI presents “a whole new category of risk,” according to Martin. “For AI Agents to work, they need an identity, but these often break long-standing best practices – for example session tokens or credentials that never expire.”
They will become rich targets for threat actors in the future, according to Martin. “This technological shift means that traditional, static defences will struggle to keep pace with the sheer speed and scale of automated identity threats.”
Another evolving risk comes from infostealer malware, Flare’s Cheek adds. “These tools allow attackers to bypass traditional authentication flows entirely by stealing already authenticated sessions or login details.”
At the same time, digital ecosystems are becoming more interconnected through SaaS integrations and third-party access. “Each new identity, integration or automated process expands the attack surface,” says Keeper Security’s Guccione.
How to Mitigate Identity-Based Threats
The threat is real and growing, but firms can take steps now to help reduce the risk of being caught out by identity-based attacks. Getting the basics right is important, says Reliance Cyber’s Martin.
He says his firm speaks to “an alarming number” of organisations who have not federated identities across critical platforms. “This is exposing a wide and difficult to manage attack surface.”
Martin thinks using a central identity provider with robust security monitoring and alerting – and robust authentication – is a must. “The big ones all do this, such as Microsoft, Google and Okta.”
Effective defence against identity-based attacks requires treating identity as the primary security perimeter – a recognition that the network boundary is “no longer a meaningful control,” says Ulster University’s Curran.
The architectural foundation for this is Zero Trust, as formalised in NIST SP 800-207, he says. “Every authentication request is treated as potentially hostile regardless of network origin, and access decisions are made on the combined trustworthiness of the identity, the device, and the contextual risk signals at the moment of request.”
The single highest-impact technical control currently available is the deployment of phishing-resistant multi-factor authentication based on FIDO2/WebAuthn passkeys or hardware security keys, Curran says. “Privileged access management, combined with a zero standing privilege model, removes the value of harvested credentials by ensuring that standing privileged access simply does not exist,” he advises.
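To make the Zero Trust decision Curran describes concrete (identity, device and contextual risk weighed together per request, with phishing-resistant MFA required for high-value access, and a replayed session token from a different device treated as a hijack rather than a login), here is an added illustrative policy evaluator. It is example code written for this article, not code from NIST SP 800-207, Curran, or any vendor; the signal names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed model of one access request as an identity provider might see it.
@dataclass
class AccessRequest:
    user: str
    mfa_method: str            # "passkey", "totp", "sms" or "none" (assumed labels)
    device_managed: bool       # enrolled in device management
    device_compliant: bool     # passes posture checks (patched, disk encrypted, ...)
    session_device_match: bool # session token presented from the device that created it
    new_geo: bool              # first sign-in from this geography for this user
    session_age_hours: float   # how long since the last full authentication
    resource_sensitivity: str  # "low", "medium" or "high"

# FIDO2/WebAuthn passkeys are phishing-resistant; SMS and "none" are weak. Assumed weights.
MFA_STRENGTH = {"passkey": 3, "totp": 2, "sms": 1, "none": 0}

# Minimum combined trust score per resource tier. Assumed thresholds.
REQUIRED_SCORE = {"low": 2, "medium": 4, "high": 5}

def trust_score(req: AccessRequest) -> int:
    """Combine identity, device and context signals into one score."""
    score = MFA_STRENGTH.get(req.mfa_method, 0)
    score += 1 if req.device_managed else 0
    score += 1 if req.device_compliant else 0
    score -= 1 if req.new_geo else 0              # unfamiliar location lowers trust
    score -= 1 if req.session_age_hours > 8 else 0  # stale session, re-prove identity
    return score

def decide(req: AccessRequest) -> tuple[str, int]:
    """Return ("allow" | "step_up" | "deny", score) for this request."""
    score = trust_score(req)
    # A valid token arriving from a device other than the one that established the
    # session matches the session-hijacking pattern: deny and force re-authentication.
    if not req.session_device_match:
        return ("deny", score)
    # High-value resources require phishing-resistant MFA regardless of other signals.
    if req.resource_sensitivity == "high" and MFA_STRENGTH.get(req.mfa_method, 0) < 3:
        return ("step_up", score)
    needed = REQUIRED_SCORE[req.resource_sensitivity]
    if score >= needed:
        return ("allow", score)
    if score >= needed - 2:
        return ("step_up", score)   # close enough to recover with a fresh strong factor
    return ("deny", score)
```

A real policy engine would source these signals from the identity provider, device management and session store rather than from request fields, but the decision structure is the same.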
Incident response planning should address identity compromise scenarios, including mass credential rotation, bulk revocation of OAuth grants and emergency disabling of service accounts, Curran says. “Regular simulation exercises, including social engineering drills and credential exposure tabletops are essential to validate that these controls function under realistic conditions.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist