Identity is the new security perimeter for business

As organisations continue to expand their digital footprint across cloud platforms, remote work environments, and connected devices, the traditional idea of a fixed network perimeter has effectively disappeared. Employees, partners, and systems now access business-critical applications and data from virtually anywhere, often across multiple devices and environments. While this shift has unlocked gains in productivity and flexibility, it has also fundamentally changed the nature of cyber risk.

Today, identity sits at the centre of this new landscape. Every login, authentication request, and permission setting represents a potential entry point for attackers. Unlike traditional network-based attacks, identity-driven threats are harder to detect because they use valid credentials and sanctioned access paths rather than exploiting an obvious software vulnerability. This means that even well-defended organisations can be exposed if identity security is not properly managed.

As a result, organisations must rethink how they approach security, shifting from perimeter-based defences to a model where identity is continuously monitored, verified, and protected at every stage of access.

Why attackers are targeting identity first

Cybercriminals increasingly focus on user identities as a way to break into corporate environments. Security operations teams recorded large volumes of alerts over the past year, and the majority related to identity. The most common detection was login activity falling outside the expected pattern for a user: access attempts from new geographic locations, from unfamiliar devices, or at unusual times. Such activity suggests that someone other than the legitimate user is using compromised credentials to gain or maintain access.

Can’t be in two places at once

Logins that are physically impossible in combination are one of the clearest warning signs of an active attack. For example, two logins to the same employee account only minutes apart, one apparently from Singapore and the other from France, require immediate investigation. These so-called impossible travel events are a strong indicator of a compromised account. The one check worth making before escalating is the source of the geolocation: a VPN exit node, a cloud proxy, or a mobile carrier gateway can place a legitimate user in the wrong country and produce a false positive.
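The following script is an added example, not code from the Barracuda report or any Barracuda product. It implements the two detections described above in working form: flagging logins that fall outside a user's established pattern (new country, new device, unusual hour of day) and flagging impossible travel, where two sign-ins to the same account are further apart geographically than the time between them could plausibly allow. The sign-in records, field names, coordinates and thresholds (1,000 km/h as the maximum plausible speed, 100 km as the floor below which geo-IP imprecision is ignored) are all assumptions constructed for illustration.

```python
"""Identity-anomaly detection over a constructed batch of sign-in events.

Added example (not from the Barracuda report or any product). Event records,
field names, coordinates and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0      # assumption: below this, geo-IP noise dominates


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime          # timezone-aware, UTC
    country: str
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(prev, cur):
    """True if getting from prev to cur would need more than MAX_PLAUSIBLE_KMH."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if dist < MIN_DISTANCE_KM:
        return False  # same metro area or geo-IP jitter: not travel at all
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        hours = 1 / 3600.0  # same-second events: treat as one second apart
    return dist / hours > MAX_PLAUSIBLE_KMH


def build_baseline(history):
    """Per-user baseline from known-good history: countries, devices, UTC hours."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in history:
        b = base[e.user]
        b["countries"].add(e.country)
        b["devices"].add(e.device_id)
        b["hours"].add(e.ts.hour)
    return base


def detect(history, events):
    """Return (user, reason) alerts for events, judged against history."""
    baseline = build_baseline(history)
    last_seen = {}  # user -> most recent login, seeded from history
    for e in sorted(history, key=lambda x: x.ts):
        last_seen[e.user] = e
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        b = baseline.get(e.user)
        if b is None:
            alerts.append((e.user, "no baseline"))
        else:
            if e.country not in b["countries"]:
                alerts.append((e.user, f"new country {e.country}"))
            if e.device_id not in b["devices"]:
                alerts.append((e.user, f"new device {e.device_id}"))
            if e.ts.hour not in b["hours"]:
                alerts.append((e.user, f"unusual hour {e.ts.hour:02d}:00 UTC"))
        prev = last_seen.get(e.user)
        if prev is not None and impossible_travel(prev, e):
            alerts.append((e.user, f"impossible travel {prev.country}->{e.country}"))
        last_seen[e.user] = e
    return alerts


def _utc(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample data. Alice normally works from Singapore (01:00-09:00 UTC)
# on one laptop; Bob has no history at all.
SG = ("SG", 1.3521, 103.8198)
FR = ("FR", 48.8566, 2.3522)
SAMPLE_HISTORY = [
    Login("alice", _utc(2024, 5, 6, 1, 0), *SG, "laptop-01"),
    Login("alice", _utc(2024, 5, 6, 4, 30), *SG, "laptop-01"),
    Login("alice", _utc(2024, 5, 7, 2, 15), *SG, "laptop-01"),
    Login("alice", _utc(2024, 5, 7, 8, 45), *SG, "laptop-01"),
]
SAMPLE_EVENTS = [
    Login("alice", _utc(2024, 5, 8, 2, 0), *SG, "laptop-01"),   # normal
    Login("alice", _utc(2024, 5, 8, 2, 7), *FR, "win-7f3a"),    # 7 min later, Paris
    Login("bob", _utc(2024, 5, 8, 3, 0), *SG, "laptop-09"),     # unknown user
    Login("alice", _utc(2024, 5, 8, 20, 30), *SG, "laptop-01"), # late, but 18 h after FR
]


def run_sample():
    return detect(SAMPLE_HISTORY, SAMPLE_EVENTS)


if __name__ == "__main__":
    for user, reason in run_sample():
        print(f"ALERT {user}: {reason}")
```

The Paris login trips three detections at once (new country, new device, impossible travel), which is the pattern the report's Microsoft 365 alert counts reflect. The 20:30 UTC Singapore login is flagged only for its hour: the 18 hours since the Paris event are enough for a real flight, so the travel check stays quiet and the two signals have to be weighed separately.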

Hijacked accounts blend into normal IT activity

Once an account is compromised, the attacker's subsequent activity can look legitimate unless patterns of anomalous behaviour are identified and examined in detail. Such anomalies are difficult to detect because attackers often rely on commercially available tools and closely mimic normal IT activity.

In Barracuda’s Managed XDR Global Threat Report, the most frequent alerts associated with hijacked accounts were anomalous logins in Microsoft 365 (42,859 events), impossible travel events in Microsoft 365 (22,343 events), and login attempts linked to account takeover (5,131 events).

Threats detected and blocked by endpoint protection platforms on computers, mobile phones, and other connected physical devices are also among the most common alerts seen across corporate IT environments.

Once attackers have gained access to an account, they typically use it to move laterally through the network, escalate privileges, or bypass existing security controls.

How to strengthen identity protection

Attackers only need to exploit a single weak point to succeed. This may be an account left active after its user departed, a misconfigured security setting, or a device without adequate protection. For organisations with limited resources and a fragmented set of security tools, identifying these risks early enough remains a significant challenge.

Several measures can significantly reduce the risk of a breach. These include enforcing multi-factor authentication, tightly controlling how permissions are assigned and changed, and closely monitoring anomalous behaviour and suspicious login activity. Adopting an approach that provides visibility across networks, devices, servers, cloud storage, and email also plays a role in limiting exposure.

The aim of sharing these findings is to help organisations, particularly those lacking security resources, better understand how attacks unfold in real-world environments and where common security gaps are most likely to be exploited.