Identity and access management is under attack
It is a common narrative in cybersecurity: implement multi-factor authentication (MFA), train users to spot phishing, and you have secured the front door. However, the reality of evolving cybercriminal capabilities has made this tactic less viable than ever.
Emboldened by emerging AI technologies, attackers have learned that breaking through MFA is only one option, and increasingly, they are not bothering to try.
Organizations are being breached despite robust MFA deployments.
Users follow the prescribed protocol perfectly, logging in through familiar sites, approving authentication prompts, entering the verification codes they are sent, yet attackers still find a way through.
MFA remains valuable, but it works best as one layer among many. Identity as security must be reexamined and treated differently.
How AI is making phishing attacks more effective
According to the Cybersecurity and Infrastructure Security Agency (CISA), more than 90% of successful cyberattacks begin with phishing, and AI technologies have only made phishing more effective.
Phishing campaigns are more targeted and, most worryingly, more believable. With the help of AI, more phishing emails reach inboxes, and click rates have increased.
Over the past year, Microsoft 365 has become one of the most targeted platforms for credential theft, in large part because of how deeply it is embedded in daily business operations. The structure of recent Microsoft 365 campaigns demonstrates the way some adversaries now operate.
This is the age of adversary-in-the-middle (AitM) attacks.
Rather than striking at MFA directly, attackers construct convincing phishing pages positioned between legitimate login servers and users. When a user enters credentials and passes MFA, they see what appears to be a normal sign-in flow. Behind the scenes, the attacker relays traffic directly to Microsoft, intercepting the authenticated session.
Once a session token is captured, the attacker no longer needs the password or one-time code. They are, for all intents and purposes, the logged-in user. They can access email inboxes, read sensitive conversations, and orchestrate business email compromise attacks.
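The session hijack described above leaves a trace: the same session is used by a client that differs from the one that passed MFA. The following is an added example, not code from the original post, that runs that check over a small constructed log; the event format is made up for this example and would need to be mapped onto a real provider's sign-in and activity logs.

```python
# Added example (not from the original post): flag sessions whose token is
# later used from a different client than the one that completed MFA, the
# pattern left behind by an adversary-in-the-middle token theft.
# The log format is constructed for this example, not a real provider schema.
import json
from collections import defaultdict

# Constructed sample: alice logs in with MFA from her browser, then her session
# id is reused minutes later from a different IP and user agent.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "session": "s-1", "ip": "203.0.113.10", "ua": "Edge/124", "event": "login_mfa_ok"}
{"ts": "2024-05-01T09:01:00Z", "user": "alice", "session": "s-1", "ip": "203.0.113.10", "ua": "Edge/124", "event": "mail_read"}
{"ts": "2024-05-01T09:04:00Z", "user": "alice", "session": "s-1", "ip": "198.51.100.7", "ua": "python-requests/2.31", "event": "mail_read"}
{"ts": "2024-05-01T09:30:00Z", "user": "bob", "session": "s-2", "ip": "203.0.113.22", "ua": "Chrome/124", "event": "login_mfa_ok"}
{"ts": "2024-05-01T09:31:00Z", "user": "bob", "session": "s-2", "ip": "203.0.113.22", "ua": "Chrome/124", "event": "mail_read"}
"""

def parse_events(raw):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]

def find_hijacked_sessions(events):
    """Return {session_id: [reasons]} for sessions whose later activity comes
    from a client fingerprint (ip, user agent) other than the one that passed MFA."""
    origin = {}                      # session id -> (ip, ua) seen at MFA success
    findings = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        sid = e["session"]
        if e["event"] == "login_mfa_ok":
            origin[sid] = (e["ip"], e["ua"])
            continue
        if sid not in origin:
            findings[sid].append("activity without an observed MFA login")
            continue
        oip, oua = origin[sid]
        if e["ip"] != oip:
            findings[sid].append(f"ip changed {oip} -> {e['ip']} at {e['ts']}")
        if e["ua"] != oua:
            findings[sid].append(f"user agent changed {oua!r} -> {e['ua']!r} at {e['ts']}")
    return dict(findings)

if __name__ == "__main__":
    for sid, reasons in find_hijacked_sessions(parse_events(SAMPLE_LOG)).items():
        print(sid, reasons)
```

Binding sessions to a device or token-protection feature removes the class of finding this script reports; until then, the IP and user agent change within one session is the signal to alert on.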
Breaches at Okta reveal that attackers sent phishing emails directing users to fake login pages, harvesting both credentials and MFA codes simultaneously.
Armed with these, attackers pierced the identity layer and, in some cases, gained access to the entire ecosystem of applications connected to it.
The danger here extends far beyond one compromised account. Identity systems act as trust anchors. If placed as the sole guard between users and email, collaboration tools, development platforms, admin consoles, and cloud infrastructure, a breach ripples across the entire organization.
The risks of OAuth phishing and third-party application abuse
Developers face a separate risk through OAuth phishing.
Attackers trick users into authorizing malicious applications, requests that seem routine in environments where third-party integrations are normal and time and attention are stretched.
Once permission is granted, the attacker gains all privileges attached to that token.
They can manipulate repositories, access workflows, and potentially reach secrets or automation logic without triggering the suspicious login alerts defenders are trained to catch.
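Because a malicious OAuth grant produces no failed login, the place to catch it is the consent record itself. The following is an added example, not code from the original post, that scores consent grants for review; the record format and the high-risk scope list are assumptions for this example and would be mapped onto a provider's consent audit events and tuned to the environment.

```python
# Added example (not from the original post): rank OAuth consent grants so a
# reviewer sees risky third-party authorizations before they are abused.
# Record format is constructed for this example; map your provider's consent
# audit events onto ConsentGrant before use.
from dataclasses import dataclass

# Assumed high-risk scopes: persistent access, mailbox control, repo/workflow write.
HIGH_RISK_SCOPES = {"offline_access", "Mail.ReadWrite", "Mail.Send",
                    "Files.ReadWrite.All", "repo", "workflow", "admin:org"}

@dataclass
class ConsentGrant:
    app: str
    publisher_verified: bool
    scopes: set
    admin_consented: bool
    distinct_users: int = 1

def score_grant(g):
    """Return (score, reasons); a higher score means review it sooner."""
    reasons, score = [], 0
    risky = sorted(g.scopes & HIGH_RISK_SCOPES)
    if risky:
        score += 2 * len(risky)
        reasons.append(f"high-risk scopes: {', '.join(risky)}")
    if not g.publisher_verified:
        score += 3
        reasons.append("unverified publisher")
    if not g.admin_consented and risky:
        score += 2
        reasons.append("user-granted without admin review")
    if g.distinct_users == 1 and risky:
        score += 1
        reasons.append("single-user grant of broad scopes (lure pattern)")
    return score, reasons

def triage(grants, threshold=5):
    """Grants scoring at or above threshold as (app, score, reasons), highest first."""
    scored = sorted(((score_grant(g), g) for g in grants), key=lambda t: -t[0][0])
    return [(g.app, s, r) for (s, r), g in scored if s >= threshold]

SAMPLE_GRANTS = [  # constructed records
    ConsentGrant("Contoso Calendar Sync", True, {"Calendars.Read", "User.Read"}, True, 140),
    ConsentGrant("Doc Preview Helper", False, {"Mail.ReadWrite", "offline_access", "User.Read"}, False, 1),
    ConsentGrant("CI Status Bot", True, {"repo", "workflow"}, True, 25),
]

if __name__ == "__main__":
    for app, score, reasons in triage(SAMPLE_GRANTS):
        print(score, app, reasons)
```

Restricting user consent to verified publishers and low-risk scopes prevents the top-scoring case here from being granted in the first place; the scoring then covers grants that predate the policy.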
Identity security requires more than MFA
In practice, trust goes beyond strong authentication upon entry.
If an attacker makes it through initial authentication, this raises serious questions: How long does the session persist? What can a browser reach from that session? Which tokens can be created, reused, or refreshed? Who has permission to grant access, and from where?
These details determine whether MFA acts as a barrier or simply a checkpoint the adversary has already factored into their strategy. If questions need to be asked at all, it’s the latter.
Device-level control is what turns MFA from a checkpoint into a genuine barrier. A resilient identity strategy has genuine value, and the two work best together.
Continuous verification is the next step in identity security
MFA has not failed as a concept; organizations have simply given it too much credit.
Passing an MFA prompt does not mean a session is trustworthy for its entire lifespan. It does not guarantee that an OAuth grant is safe, nor does it prevent a browser from becoming a bridge between a legitimate login and a compromised machine.
The response must be pragmatic. Lock down the login, absolutely, but also lock down the endpoint.
Constrain what applications can do. Limit what a hijacked session can accomplish. Assume compromise, so that when essential layers like MFA are bypassed, that compromise is already accounted for.
Attackers know that authentication is only one checkpoint in a longer chain. A robust identity strategy must be built the same way.
The next step is continuous verification, ensuring any sign of compromise can be met with an appropriate and immediate response.
How Zero Trust strengthens IAM
Zero Trust assumes breach and encourages behaving in a way that minimizes its impact. Control what executes on compromised devices, what it is allowed to touch, and where it can go next.
ThreatLocker achieves this with:
Allowlisting
Block the follow-on attacks that make identity breaches so damaging.
Attackers typically rely on scripts, helper utilities, remote access tools, or malicious payloads; in other words, tools that should never run on properly managed devices.
Block those tools from executing, and the attackers’ options narrow dramatically.
Ringfencing™
Provide a second layer by controlling which legitimate applications are allowed to do what.
A browser might need access to Microsoft 365 or GitHub, but that does not mean it should launch PowerShell, access sensitive local files, or communicate freely with other running processes.
Severing unnecessary connections blocks attackers from using trusted applications as springboards for further exploration, persistence, or lateral movement.
Privileged Access Management
The third layer controls which users can perform certain actions.
If a compromised account attempts to install software, change system settings, or escalate to administrator privileges, those actions get blocked or routed through strict approval workflows.
Privileged Access Management creates friction for attackers, slowing them down and creating visible indicators of compromise where many organizations would otherwise see nothing.
To see how ThreatLocker can enhance your organization’s identity security, schedule a customized demo today.