
Account Takeovers Rise as Complexity Exposes Identity Vulnerabilities


Credential abuse accounted for 22% of breaches in 2025, a signal the ordinary username-and-password model is no longer a reliable gatekeeper.

How attackers are shifting the target from infrastructure to identity

Organizations now manage thousands of human and non‑human identities across cloud services, SaaS applications, endpoints and remote environments, and that scale is creating blind spots. The source describes a familiar calculus: compromising an account is often faster and quieter than exploiting infrastructure vulnerabilities directly. For defenders, the challenge is detecting malicious activity that is tied to a legitimate identity — a problem made worse by hybrid work, BYOD and expanded third‑party access, which limit visibility into who has access to what and whether those access paths can be trusted.

MFA fatigue, session hijacking and the evolving playbook

Multi‑factor authentication (MFA) remains a critical control, but attackers have adapted. One technique, MFA fatigue (also called prompt bombing), repeatedly triggers MFA approvals until a user accepts. The source cites a well‑known 2022 incident in which attackers used repeated prompts against an Uber employee; approval of one prompt permitted privilege escalation and broad cloud compromise. Other adversaries bypass MFA by stealing authenticated session tokens via adversary‑in‑the‑middle frameworks and session hijacking tools, effectively “phishing the session, not the password.”
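The MFA fatigue pattern described above leaves a recognisable trace in identity-provider logs: a burst of denied or timed-out push prompts for one user, sometimes followed by an approval. The detection below is an added example, not code from the source article or from any vendor named in it; the log line format and the sample events are constructed for illustration, and the window and threshold are assumptions a team would tune to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of push-MFA events in a simple key=value format (not real logs).
SAMPLE_EVENTS = [
    "2025-03-01T08:00:05Z user=alice result=push_denied ip=203.0.113.7",
    "2025-03-01T08:00:31Z user=alice result=push_timeout ip=203.0.113.7",
    "2025-03-01T08:01:02Z user=alice result=push_denied ip=203.0.113.7",
    "2025-03-01T08:01:40Z user=alice result=push_denied ip=203.0.113.7",
    "2025-03-01T08:02:15Z user=alice result=push_approved ip=203.0.113.7",
    "2025-03-01T08:05:00Z user=bob result=push_approved ip=198.51.100.2",
    "2025-03-01T09:00:00Z user=carol result=push_denied ip=198.51.100.9",
    "2025-03-01T11:00:00Z user=carol result=push_approved ip=198.51.100.9",
    "2025-03-01T12:00:00Z user=dave result=push_denied ip=192.0.2.5",
    "2025-03-01T12:00:20Z user=dave result=push_denied ip=192.0.2.5",
    "2025-03-01T12:00:45Z user=dave result=push_denied ip=192.0.2.5",
]

REJECT_RESULTS = {"push_denied", "push_timeout"}


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime under 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_mfa_fatigue(lines, window=timedelta(minutes=10), min_rejects=3):
    """Flag users with >= min_rejects rejected pushes inside a sliding window.

    Returns {user: {"rejects": n, "approved_after_burst": bool}}; the boolean
    is True when an approval lands within one window after the burst, which is
    the outcome the incident in the text describes. Thresholds are assumptions.
    """
    per_user = defaultdict(list)
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        per_user[ev["user"]].append(ev)
    alerts = {}
    for user, events in per_user.items():
        reject_ts = [e["ts"] for e in events if e["result"] in REJECT_RESULTS]
        for end in reject_ts:
            burst = [t for t in reject_ts if end - window <= t <= end]
            if len(burst) < min_rejects:
                continue
            approved = any(e["result"] == "push_approved"
                           and end <= e["ts"] <= end + window for e in events)
            prev = alerts.get(user)
            if prev is None or len(burst) > prev["rejects"]:
                alerts[user] = {"rejects": len(burst), "approved_after_burst": approved}
    return alerts
```

A burst without a subsequent approval is still worth a ticket: it indicates the password is already in an attacker's hands even though MFA held.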

Phishing campaigns are becoming harder to spot

Phishing for credentials is still prolific and more sophisticated. Threat researchers at Outpost24, the parent company of Specops, uncovered a campaign that used a legitimate Cisco domain in a multi‑chain redirect to make fraudulent login portals appear credible and to evade detection. Verizon’s Data Breach Investigations Report is cited in the source as finding that stolen credentials are involved in 44.7% of breaches, underscoring how effective credential theft remains for attackers who combine legitimate hosting services, trusted domains, reverse proxies and AI‑generated content to mimic real login pages.

Endpoints are the expanded and often invisible attack surface

As employees access corporate resources from personal laptops, unmanaged mobile devices and systems outside traditional controls, IT loses sight of device posture. The source highlights infostealer malware as a major contributor to account takeover activity, harvesting credentials, browser‑stored passwords and authenticated session cookies directly from user devices. This dynamic forces many organizations into an uneasy choice: block access from devices that do not meet security standards and risk disrupting users, or allow access and accept that some devices may already be compromised. Most choose a middle ground that leaves the underlying trust problem unaddressed.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: Expect to treat authentication as the beginning, not the end, of trust decisions. The source advocates continuous verification models that assess device posture, session risk and behavioral signals throughout the entire access lifecycle.
  • Procurement and IT leaders: The material highlights solutions that integrate with existing identity providers, VPNs and SSO tools to extend — rather than replace — current setups. Specops Device Trust is described as an example that binds users to trusted devices, continuously verifies posture and allows policy coverage across corporate and personal devices.
  • End users: The account takeover risk landscape means users may see more contextual checks and remediation workflows that aim to fix device issues without full access disruption; the source contrasts on‑access remediation with blunt responses like forced password resets or outright blocks.

The rise in account takeovers the source describes does not hinge on a single exploit class; it is the result of attacker adaptation, improved phishing techniques and gaps in device visibility. The prescription in the source is correspondingly structural: move from one‑time authentication to ongoing device and session verification, and fold device trust into identity decisions. Vendors such as Specops present features to do that — device authentication, continuous device verification, flexible device coverage and on‑access remediation — and they stress integration with existing identity infrastructure.

Whether organizations will shift from treating authentication as binary to treating trust as continuous is the central practical question the source leaves policymakers and IT teams to answer. For defenders, the immediate imperative is clear in the source: regain visibility into device posture and session risk or accept that credential and session theft will remain an efficient avenue for attackers.