Stolen Credentials: Why Identity Security Is Critical
Key Takeaways
- Attackers in 2026 primarily target stolen identities rather than technical vulnerabilities — Adversary-in-the-Middle (AitM) attacks bypass even standard MFA methods
- SMS-based one-time codes and push notifications can be defeated by AitM attacks and MFA fatigue — FIDO2 keys and passkeys are phishing-resistant because they are cryptographically bound to the legitimate domain
- Privileged Identity Management (PIM) in Entra ID reduces the damage window of a compromised admin account by making elevated rights time-limited and on-demand
- Conditional Access should be fully utilised, not just enabled — context-based rules for device, country, and time significantly improve detection of suspicious sign-ins
- Simultaneous logins from different countries or bulk file access are indicators of compromised accounts — automated detection is essential for catching these patterns
The attack pattern has shifted. Rather than exploiting technical vulnerabilities in systems, attackers are increasingly relying on stolen credentials. Compromised usernames and passwords, hijacked sessions, and Adversary-in-the-Middle (AitM) attacks, where attackers position themselves between the user and the login page, are among the most common attack vectors in 2026.
Why traditional safeguards are no longer sufficient
Multi-factor authentication (MFA) has long been the most important recommendation for protecting user accounts. Fundamentally, it still is. But not every MFA method provides the same level of protection. SMS-based one-time codes and smartphone push notifications can be bypassed through AitM attacks and so-called MFA fatigue, where attackers repeatedly send push requests until the user approves out of frustration.
Imagine someone has copied your company badge and uses it to enter the building unnoticed. The door is locked, the key works, everything looks normal. This is exactly how identity-based attacks work: the attacker logs in with valid credentials and moves through your systems without triggering any alarms.
What companies can do
Deploy phishing-resistant MFA. FIDO2 security keys and passkeys protect against AitM attacks because they are cryptographically bound to the legitimate login page. An attacker operating a fake login page cannot intercept the authentication. For privileged accounts (administrators, IT management), this transition should be a priority.
Use Conditional Access consistently. Conditional Access policies in Microsoft Entra ID allow login attempts to be evaluated based on context. If a user logs in from an unknown device, an unusual country, or outside business hours, an additional verification step or block can be triggered. Many companies have Conditional Access enabled but only use a fraction of its capabilities.
Implement Privileged Access Management (PAM). Administrative rights should not be permanently assigned. With Privileged Identity Management (PIM) in Entra ID, administrator rights are only activated on a time-limited, on-demand basis. This reduces the window during which a compromised administrator account can cause damage.
Establish access monitoring. Unusual login patterns, such as simultaneous logins from different countries or bulk access to files, should be detected automatically. Microsoft Entra ID Protection and Sentinel provide integrated tools for this purpose.
Recommendation
Start with an assessment of your current MFA methods and Conditional Access configuration. Often, the level of protection can be significantly increased with existing licences and manageable effort. In particular, transitioning privileged accounts to phishing-resistant authentication is a high-impact step with relatively low effort.
Frequently Asked Questions
What is an AitM attack and why does it bypass standard MFA?
In an Adversary-in-the-Middle attack, the attacker positions themselves between the user and the real login page. The user enters their credentials and MFA code on a fake page — the attacker relays them to the real site in real time and hijacks the authenticated session. FIDO2 keys prevent this because the authentication is cryptographically bound to the legitimate domain and cannot be intercepted by a fake site.
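The origin binding described above and in the "Deploy phishing-resistant MFA" paragraph can be shown at the relying-party side. The following is an added example, not code from the article or from any vendor SDK: it reproduces the origin and rpIdHash checks a WebAuthn relying party performs, with the relying party ID `login.example.com`, the phishing host `login.example-com.attacker.test` and the challenge values all constructed here. The signature check is left out; in a real verification the signature covers both fields, so a relay cannot edit them.

```python
"""
Why a FIDO2/WebAuthn assertion produced on a phishing page fails at the relying
party. Added example, not from the article or any vendor SDK. The authenticator
data layout (rpIdHash || flags || counter) and the clientDataJSON fields follow
the WebAuthn specification; the domain names, the challenge strings and the
omission of the signature check are simplifications made for this example.
"""
import hashlib
import json

RP_ID = "login.example.com"                      # constructed relying party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins the RP accepts


def authenticator_data_for(rp_id: str) -> bytes:
    """First 32 bytes of authenticator data are SHA-256(rpId). The browser only
    passes an rpId that is a registrable suffix of the page's own origin, so an
    authenticator used on a phishing page cannot produce the real RP's hash."""
    flags = b"\x01"                               # user-present flag set
    counter = (1).to_bytes(4, "big")              # signature counter
    return hashlib.sha256(rp_id.encode()).digest() + flags + counter


def client_data_for(origin: str, challenge: str) -> bytes:
    """clientDataJSON is filled in by the browser, not by the page's JavaScript."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def verify_assertion(expected_challenge, authenticator_data, client_data_json,
                     rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Relying-party checks from the WebAuthn assertion verification procedure.
    The signature covers authenticatorData || SHA-256(clientDataJSON), so a relay
    cannot rewrite origin or rpIdHash; that signature check is omitted here."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client.get("origin") not in allowed_origins:
        return False, f"origin not allowed: {client.get('origin')}"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    return True, "ok"


def verify_otp(expected_code: str, submitted_code: str) -> bool:
    """Contrast: a one-time code carries no origin. Whoever holds the digits
    within their validity window can submit them, which is exactly what an
    AitM relay does with an SMS or app code."""
    return expected_code == submitted_code


def login_from(page_origin: str, challenge: str):
    """Simulate the browser on `page_origin` completing the ceremony for the
    relying party's challenge; the rpId is derived from the page's own host."""
    host = page_origin.split("://", 1)[1]
    return verify_assertion(challenge, authenticator_data_for(host),
                            client_data_for(page_origin, challenge))


if __name__ == "__main__":
    print(login_from("https://login.example.com", "c-42"))                # (True, 'ok')
    print(login_from("https://login.example-com.attacker.test", "c-42"))  # fails on the origin check
```

Run as a script, the legitimate origin verifies and the look-alike host is rejected before any key material is considered; the same relayed credentials would pass `verify_otp`, which is the gap the article describes.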
Which accounts should be prioritised for phishing-resistant MFA first?
Administrator accounts, IT management accounts, and accounts with access to sensitive data or financial transactions should be migrated first. These accounts are the most attractive targets for attackers, and a compromise has the largest potential impact. A phased rollout for standard users can follow once privileged accounts are secured.
How does Privileged Identity Management (PIM) differ from standard role assignment?
With standard role assignment, an administrator has their rights permanently and immediately. With PIM, rights are only activated on request for a defined period. The activation can require approval, and every activation is logged. Even if the account is compromised, an attacker initially has no administrative rights — significantly limiting what they can do.
What are typical signs that an account in our environment has been compromised?
Warning indicators include: login from a country where the user does not work; sign-in at an unusual time such as 3am; simultaneous authentications from different geographic regions; sudden bulk access to files; or large volumes of email being sent. Entra ID Protection detects these patterns automatically and can trigger risk-based responses.
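The indicators listed here, and in the "Establish access monitoring" paragraph above, can be expressed as simple rules over sign-in and file-access events. The block below is an added example, not part of the article and not Entra ID Protection or Sentinel logic: the comma-separated log format, every user, country and timestamp, and the thresholds (two countries within one hour, twenty downloads in ten minutes, sign-ins between 00:00 and 05:00) are constructed assumptions to illustrate the pattern.

```python
"""
Rule-based detection over sign-in and file-access events, as an added example
for the indicators the article lists (simultaneous logins from different
countries, bulk file access, sign-ins at unusual hours). The log format and all
events below are constructed for the example; a real deployment would read the
Entra ID sign-in and audit logs, and the thresholds are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp,user,event,country,detail
SAMPLE_LOG = [
    "2026-03-02T08:05:00Z,alice@example.com,SignIn,DE,Windows",
    "2026-03-02T08:40:00Z,alice@example.com,SignIn,BR,Linux",    # 35 min later, other continent
    "2026-03-02T09:10:00Z,dave@example.com,SignIn,DE,Windows",
    "2026-03-02T17:30:00Z,dave@example.com,SignIn,AT,iOS",       # 8 h apart: plausible travel
    "2026-03-02T03:12:00Z,carol@example.com,SignIn,DE,Windows",  # 3am sign-in
] + [
    # 25 downloads within four minutes
    f"2026-03-02T14:{(i * 10) // 60:02d}:{(i * 10) % 60:02d}Z,bob@example.com,FileDownload,DE,report-{i}.xlsx"
    for i in range(25)
]


def parse_events(lines):
    """Parse the constructed CSV lines into dicts, sorted by timestamp."""
    events = []
    for line in lines:
        ts, user, event, country, detail = line.split(",", 4)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, "country": country, "detail": detail,
        })
    return sorted(events, key=lambda e: e["ts"])


def _by_user(events, event_type):
    grouped = defaultdict(list)
    for e in events:
        if e["event"] == event_type:
            grouped[e["user"]].append(e)
    return grouped


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Consecutive sign-ins by one user from different countries within `window`."""
    alerts = []
    for user, signins in _by_user(events, "SignIn").items():
        for prev, cur in zip(signins, signins[1:]):
            if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] <= window:
                alerts.append((user, prev["country"], cur["country"]))
    return alerts


def detect_bulk_file_access(events, threshold=20, window=timedelta(minutes=10)):
    """Sliding window: at least `threshold` downloads by one user within `window`.
    One alert per user, at the first window that crosses the threshold."""
    alerts = []
    for user, accesses in _by_user(events, "FileDownload").items():
        j = 0
        for i in range(len(accesses)):
            while j < len(accesses) and accesses[j]["ts"] - accesses[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append((user, j - i, accesses[i]["ts"]))
                break
    return alerts


def detect_off_hours_signins(events, quiet_start=0, quiet_end=5):
    """Sign-ins whose hour falls in [quiet_start, quiet_end). Hours are UTC here;
    a production rule should use the user's local time zone and work pattern."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["event"] == "SignIn" and quiet_start <= e["ts"].hour < quiet_end]


def run_all(lines=SAMPLE_LOG):
    events = parse_events(lines)
    return {
        "impossible_travel": detect_impossible_travel(events),
        "bulk_file_access": detect_bulk_file_access(events),
        "off_hours": detect_off_hours_signins(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, hits)
```

On the sample log the rules flag alice (Germany and Brazil 35 minutes apart), bob (25 downloads in one ten-minute window) and carol (a 3am sign-in), while dave's two sign-ins eight hours apart stay quiet. The thresholds are the tuning knobs; the built-in risk detections in Entra ID Protection apply the same kind of logic with baselines learned per tenant and per user.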