Why Account Takeover Attacks Have Become Attackers' Preferred Entry Point
Account takeover attacks have quietly become one of the most effective and disruptive threats facing organizations today. Rather than exploiting complex software vulnerabilities, attackers are increasingly choosing a simpler path: stealing or abusing legitimate credentials to walk straight through the front door. According to the Verizon Data Breach Investigations Report, stolen credentials are now involved in 44.7% of breaches, and the 2025 edition of the report found credential abuse to be the most common initial access vector, present in 22% of breaches. For IT decision makers, privacy professionals, and security teams, those numbers demand attention.
The structural conditions enabling this trend are well understood, even if they remain difficult to address. Organizations now manage thousands of human and non-human identities spread across cloud platforms, SaaS applications, remote endpoints, and contractor networks. Hybrid working, Bring-Your-Own-Device (BYOD) policies, and third-party access integrations have collectively eroded the clean perimeter that traditional security architectures were built around. The result is that security teams frequently lack real-time visibility into who has access to what — and critically, whether that access can actually be trusted at any given moment.
For attackers, this complexity is an invitation. Compromising an account through credential theft or session hijacking is often faster, quieter, and more scalable than hunting for unpatched infrastructure vulnerabilities. And once inside, a valid identity provides cover that malicious network traffic simply does not.

MFA Is No Longer Enough: How Attackers Are Bypassing Multi-Factor Authentication
Multi-factor authentication remains one of the most important defenses against unauthorized access, and security professionals should still enforce it broadly. But attackers have spent years developing techniques specifically designed to circumvent it, and those techniques are now widely deployed in real-world campaigns.
One of the most prevalent is MFA fatigue, also known as prompt bombing. The technique is straightforward: an attacker who already holds valid credentials triggers a flood of MFA push notifications to the victim's device, betting that frustration or confusion will eventually cause the user to approve one. A well-documented example occurred in 2022, when attackers targeted an Uber contractor whose credentials had, according to Uber, likely been bought on the dark web after the contractor's personal device was infected with malware. The attacker repeatedly attempted to log in, generating a stream of two-factor approval requests, and reportedly contacted the contractor over WhatsApp posing as IT support to urge approval. The single approval that followed gave the attackers a foothold from which they escalated privileges, moved laterally through Uber's environment, and ultimately compromised large portions of its cloud infrastructure while exposing employee data.
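Prompt bombing leaves a distinctive trace in sign-in logs: a burst of denied or expired push challenges for one user, followed by an approval. The detection below is an added example written for this article, not code from any vendor's product; the JSON-per-line format and field names are assumptions, and the sample events are constructed to show one successful fatigue attack (jdoe) beside an ordinary missed prompt (asmith).

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events, one JSON object per line. The field names
# are an assumption made for this example; map your identity provider's own
# sign-in log schema onto them.
SAMPLE_LOGS = """\
{"ts": "2024-03-01T02:10:05Z", "user": "jdoe",   "event": "mfa_push", "result": "denied"}
{"ts": "2024-03-01T02:10:41Z", "user": "jdoe",   "event": "mfa_push", "result": "timeout"}
{"ts": "2024-03-01T02:11:20Z", "user": "jdoe",   "event": "mfa_push", "result": "denied"}
{"ts": "2024-03-01T02:12:02Z", "user": "jdoe",   "event": "mfa_push", "result": "timeout"}
{"ts": "2024-03-01T02:13:15Z", "user": "jdoe",   "event": "mfa_push", "result": "denied"}
{"ts": "2024-03-01T02:14:44Z", "user": "jdoe",   "event": "mfa_push", "result": "timeout"}
{"ts": "2024-03-01T02:16:30Z", "user": "jdoe",   "event": "mfa_push", "result": "approved"}
{"ts": "2024-03-01T02:16:31Z", "user": "jdoe",   "event": "sign_in",  "result": "success"}
{"ts": "2024-03-01T09:00:10Z", "user": "asmith", "event": "mfa_push", "result": "timeout"}
{"ts": "2024-03-01T09:01:02Z", "user": "asmith", "event": "mfa_push", "result": "approved"}
{"ts": "2024-03-01T09:01:03Z", "user": "asmith", "event": "sign_in",  "result": "success"}
"""

UNANSWERED = {"denied", "timeout"}


def parse_events(text):
    """Parse the JSON-per-line log into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_prompt_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who accumulate `threshold` or more denied or unanswered push
    challenges inside a sliding `window`. A burst alone means someone holds the
    password; an approval while the burst is still inside the window is the
    signature of a successful fatigue attack and should page the on-call."""
    recent = defaultdict(deque)   # user -> timestamps of recent unanswered pushes
    findings = {}
    for rec in events:
        if rec["event"] != "mfa_push":
            continue
        user, ts = rec["user"], rec["ts"]
        queue = recent[user]
        while queue and ts - queue[0] > window:
            queue.popleft()           # drop pushes that fell out of the window
        if rec["result"] in UNANSWERED:
            queue.append(ts)
            if len(queue) >= threshold:
                entry = findings.setdefault(
                    user, {"burst_start": queue[0], "pushes": 0, "approved_after_burst": False})
                entry["pushes"] = max(entry["pushes"], len(queue))
        elif rec["result"] == "approved" and user in findings and queue:
            findings[user]["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, finding in detect_prompt_bombing(parse_events(SAMPLE_LOGS)).items():
        print(user, finding)
```

The threshold and window are tuning knobs; a burst of unanswered pushes with no approval is still worth an alert, since it means the password is already in an attacker's hands and should be rotated.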
Beyond prompt bombing, threat actors are increasingly deploying adversary-in-the-middle (AiTM) phishing kits and session hijacking toolkits that sidestep MFA rather than break it. An AiTM kit runs a reverse proxy on a lookalike domain that relays the genuine login page, password prompt and MFA challenge to the victim in real time. The victim completes the MFA step against the real service; the proxy, sitting in the path, captures the password and, more importantly, the session cookie the service issues once authentication completes. The attacker never needs to solve the MFA challenge themselves. They replay the captured session token, which cloud services accept as proof of an already-authenticated user.
"Credentials alone no longer tell you who is actually on the other end of a connection," noted one identity security researcher familiar with AiTM campaign trends. "Attackers aren't breaking authentication — they're waiting until authentication is done and then stepping in."
Microsoft's security researchers have repeatedly documented AiTM phishing kits as a growing threat to enterprise environments. The exposure is greatest where MFA relies on factors that are not bound to the site the user is actually talking to, such as push approvals, SMS codes and authenticator-app one-time codes, all of which a proxy can relay unchanged. Number matching helps against prompt bombing but does not stop a proxy that forwards the genuine prompt; only phishing-resistant credentials such as FIDO2/WebAuthn security keys, whose signed response names the origin the browser connected to, fail closed against a lookalike domain.
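The reason a relayed one-time code falls to a proxy while a FIDO2 assertion does not is worth seeing in code. The simulation below is an added example for this article, not code from Microsoft or from any phishing kit. Both origins are assumed names, and an HMAC with a shared secret stands in for the authenticator's private-key signature (a real security key signs with ECDSA or EdDSA); the property shown, that the browser writes the origin it actually connected to into the signed client data, is the same either way. The TOTP side follows RFC 6238 exactly, so its RFC test vector can be checked.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Assumed names for this example: the genuine identity provider, and the
# attacker's reverse proxy serving a copy of the login page on a lookalike host.
RP_ORIGIN = "https://login.example.test"
PROXY_ORIGIN = "https://login.example-sso.test"


class Authenticator:
    """Stand-in for a FIDO2 security key. The HMAC key plays the part of the
    credential private key (a simplification; real keys sign asymmetrically)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def verifier_key(self):
        return self._key   # a real RP would store the credential's public key

    def get_assertion(self, challenge, browser_origin):
        # The browser fills in clientData; page JavaScript cannot alter the origin.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True).encode()
        sig = hmac.new(self._key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


def totp(secret, time_step):
    """RFC 6238 TOTP on top of RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, 6 digits."""
    digest = hmac.new(secret, struct.pack(">Q", time_step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


class RelyingParty:
    def __init__(self, origin, verifier_key, totp_secret):
        self.origin = origin
        self._key = verifier_key
        self._totp_secret = totp_secret
        self.pending = set()   # challenges issued and not yet consumed

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify_webauthn(self, assertion):
        data = json.loads(assertion["client_data"])
        if data.get("origin") != self.origin:
            return False, "origin mismatch"            # this check is what stops the proxy
        if data.get("challenge") not in self.pending:
            return False, "unknown or replayed challenge"
        expected = hmac.new(self._key, hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self.pending.discard(data["challenge"])
        return True, "ok"

    def verify_totp(self, code, time_step):
        return hmac.compare_digest(code, totp(self._totp_secret, time_step))


def aitm_login_webauthn(rp, authenticator, origin_seen_by_browser):
    """Model the proxy: it fetches a real challenge from the RP, hands it to the
    victim's browser, and relays whatever assertion the browser returns."""
    challenge = rp.new_challenge()
    assertion = authenticator.get_assertion(challenge, origin_seen_by_browser)
    return rp.verify_webauthn(assertion)


def aitm_login_totp(rp, user_secret, time_step):
    """Same proxy against TOTP: the victim types the code into the fake page and
    the proxy types it into the real one. Nothing in the code names an origin."""
    code_typed_by_victim = totp(user_secret, time_step)
    return rp.verify_totp(code_typed_by_victim, time_step)
```

Run through a proxy, the WebAuthn path fails at the origin check before the signature is even examined, while the relayed TOTP code is accepted because the code carries no information about where the victim typed it.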
Credential Phishing Has Evolved Far Beyond Obvious Fakes
Phishing campaigns targeting credentials have grown substantially more sophisticated, making detection difficult even for technically aware users. Modern attackers no longer rely on crude lookalike domains or poorly formatted emails that trained employees can spot. Instead, they leverage legitimate hosting infrastructure, trusted domain reputation, reverse proxies, and AI-generated content to construct phishing pages that are visually and technically indistinguishable from genuine login portals.
Threat researchers at Outpost24 recently uncovered a campaign that abused a legitimate Cisco domain as the entry point of a redirect chain engineered to evade URL reputation filters and maximize perceived credibility. The chain bounces the user through several trusted domains before landing on a credential-harvesting page, so a scanner that rates only the first URL, or only the link as it appears in the email, sees a reputable host and lets it through.
This matters for organizations that have invested in email security gateways and user awareness training. Those controls still have significant value, but they were designed for a different threat landscape. When the phishing link passes through a legitimate Cisco domain, standard browser warnings and link-checking tools may not flag it. According to analysis from Proofpoint's threat intelligence, business email compromise and credential phishing remain the top causes of initial access, with attackers continuously rotating infrastructure to outpace detection signatures.
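A link checker that scores the clicked URL and stops there is exactly what a redirect chain is built to beat. The resolver below is an added example for this article, not Outpost24's tooling; it follows every hop and rates the chain as a whole. To run offline, the HTTP responses are a constructed table keyed by URL, and every host name in it is an assumption: a redirector on a reputable vendor host is abused as the first hop, a shortener is the second, and the landing page is the harvester.

```python
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed HTTP responses keyed by URL, standing in for live HEAD requests so
# the example runs offline. Every host name here is an assumption.
CONSTRUCTED_RESPONSES = {
    # a redirector on a reputable vendor host, abused as the first hop
    "https://partner.trusted-vendor.test/r?u=https://go.shortlinks.test/x7":
        (302, "https://go.shortlinks.test/x7"),
    "https://go.shortlinks.test/x7": (302, "https://login-sso.office-secure.test/auth"),
    "https://login-sso.office-secure.test/auth": (200, None),
    # a benign redirect that stays on the vendor's own host
    "https://partner.trusted-vendor.test/docs": (301, "/docs/"),
    "https://partner.trusted-vendor.test/docs/": (200, None),
}
TRUSTED_HOSTS = {"partner.trusted-vendor.test"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fetch_head(url):
    """Offline stand-in for an HTTP HEAD: returns (status, Location header)."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def resolve_chain(url, fetch=fetch_head, max_hops=10):
    """Follow redirects without rendering any page, returning every hop in order."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            break
        chain.append(urljoin(chain[-1], location))   # resolves relative Location values
    return chain


def embedded_urls(url):
    """Absolute URLs carried in query parameters: the usual open-redirect shape."""
    values = (v for vals in parse_qs(urlparse(url).query).values() for v in vals)
    return [v for v in values if v.startswith(("http://", "https://"))]


def assess_chain(chain, trusted_hosts=TRUSTED_HOSTS, max_redirects=2):
    """Rate the whole chain rather than its first URL, which is what a reputation
    filter that only scores the clicked link gets wrong."""
    hosts = [urlparse(u).hostname for u in chain]
    reasons = []
    if hosts[0] in trusted_hosts and hosts[-1] not in trusted_hosts:
        reasons.append(f"trusted entry host {hosts[0]} lands on {hosts[-1]}")
    for hop, host in zip(chain[:-1], hosts[:-1]):
        if embedded_urls(hop):
            reasons.append(f"open-redirect pattern on {host}")
    if len(chain) - 1 > max_redirects:
        reasons.append(f"{len(chain) - 1} redirects, more than {max_redirects} allowed")
    return ("suspicious" if reasons else "clean"), reasons
```

Against a real target, swap `fetch_head` for a HEAD request that does not follow redirects itself; the point of the example is that the verdict depends on the final host and on the shape of each hop, not on the reputation of the domain the user clicked.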
The GDPR dimension is also significant for European organizations: a credential phishing breach that exposes customer or employee personal data must be reported to the relevant Data Protection Authority within 72 hours under Article 33. Organizations that lack the detection capabilities to identify a phishing-driven account takeover quickly face both security and regulatory exposure simultaneously.
BYOD Policies and Unmanaged Devices Are Widening the Attack Surface
The endpoint has become one of the most contested battlegrounds in identity security. Employees routinely access corporate SaaS applications and cloud infrastructure from personal laptops, home computers, and unmanaged mobile devices that fall entirely outside IT's visibility and control. This creates a fundamental trust gap: the identity provider may authenticate the user successfully, but it has no insight into the security posture of the device they're using.
Infostealer malware has emerged as a particularly efficient tool for exploiting this gap. Once installed on an endpoint — typically through a malicious download, a compromised browser extension, or a phishing attachment — infostealers silently harvest stored passwords, browser session cookies, and authentication tokens. These harvested credentials and cookies are then sold on underground marketplaces or used directly by the attacker to initiate account takeovers against corporate environments. Notably, session cookies enable attackers to bypass MFA entirely, as the token represents an already-authenticated session.

The challenge for IT and security teams is one of competing priorities. Enforcing strict device compliance controls — blocking access from any device that lacks current OS patches, active endpoint detection software, or approved security tooling — is technically sound but organizationally disruptive in a hybrid work environment. Conversely, permissive access policies that prioritize user convenience accept that some percentage of connecting devices may already be silently compromised.
High-profile incidents at organizations including Clorox and Marks & Spencer have reinforced the real-world cost of this tradeoff. Both cases illustrated how identity-based intrusions can cascade into significant operational disruption and reputational damage when device trust is not factored into access decisions.
| Attack Vector | Technique | MFA Bypassed? | Primary Defense |
|---|---|---|---|
| Credential Phishing | Fake login pages via trusted domains | Sometimes | Phishing-resistant MFA (FIDO2), URL filtering |
| MFA Fatigue / Prompt Bombing | Repeated push notifications until approved | Yes | Number matching, conditional access policies |
| AiTM Session Hijacking | Intercepts post-auth session token | Yes (entirely) | Token binding, continuous session verification |
| Infostealer Malware | Harvests stored cookies and passwords from device | Yes | Device posture checks, EDR enforcement |
| Credential Stuffing | Automated login attempts with breached credentials | No | Breached password blocking, rate limiting |
Why Continuous Verification and Zero Trust Identity Security Are Now Necessary
The fundamental flaw in most current identity security architectures is that they treat authentication as a binary, one-time event. Once a user successfully logs in, the system extends trust for the duration of the session — regardless of what changes on the device or in the user's behavior during that time. This model made reasonable sense in a perimeter-based world where verified users sat behind a corporate firewall. It makes considerably less sense when users authenticate from coffee shops, home networks, and personal devices running unknown software.
The security industry's response to this challenge has coalesced around Zero Trust principles, the core of which is the axiom "never trust, always verify." Rather than granting broad session-level trust after authentication, Zero Trust architectures continuously re-evaluate access decisions based on a combination of identity signals, device posture, behavioral patterns, and contextual risk indicators throughout the session lifecycle.
For developers and small business owners building on cloud infrastructure, this has practical implications. Identity providers like Okta, Microsoft Entra ID, and open-source alternatives increasingly support conditional access policies that can enforce device compliance checks, restrict access based on network location, and trigger step-up authentication when risk signals change mid-session. These capabilities represent the operational implementation of continuous verification principles. The NIST Zero Trust Architecture framework (SP 800-207) provides a solid technical foundation for organizations designing or retrofitting these systems.
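The stolen-cookie problem from the infostealer section and the continuous-verification model described here have the same fix on the server side: a session token is honoured only together with the context it was issued to, and that context is re-checked on every request. The policy engine below is an added example for this article, not an Okta or Entra ID feature and not code from either product. The signals it consumes (an MDM-issued device identifier, User-Agent, source ASN, EDR and patch state) are assumptions about what a service can observe; a device certificate is the strongest of them and a User-Agent string the weakest, so the binding uses the device identity and treats a network change as a reason to step up rather than to revoke.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Context:
    """Signals the service observes on every request (assumed signal set)."""
    device_id: str        # e.g. identifier from an MDM-issued client certificate
    user_agent: str
    asn: int              # network the request arrives from
    edr_running: bool
    os_patched: bool


@dataclass
class Session:
    user: str
    binding: str          # hash of the device identity the token was issued to
    asn: int              # network the session was last verified from
    issued_at: datetime
    last_verified: datetime


def device_binding(ctx):
    return hashlib.sha256(f"{ctx.device_id}|{ctx.user_agent}".encode()).hexdigest()


class SessionGuard:
    MAX_AGE = timedelta(hours=8)        # hard limit on a session's life
    REVERIFY = timedelta(minutes=30)    # sensitive actions need a fresh factor

    def __init__(self):
        self.sessions = {}

    def issue(self, user, ctx, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, device_binding(ctx), ctx.asn, now, now)
        return token

    def evaluate(self, token, ctx, now, sensitive=False):
        """Decide allow / step_up / revoke / deny for one request, re-checking the
        session against the current context instead of trusting the login."""
        s = self.sessions.get(token)
        if s is None:
            return "deny"
        if device_binding(ctx) != s.binding:
            # A valid token arriving from a different device is the shape of a
            # stolen cookie (infostealer or AiTM). Kill it rather than challenge.
            del self.sessions[token]
            return "revoke"
        if now - s.issued_at > self.MAX_AGE:
            del self.sessions[token]
            return "revoke"
        if ctx.asn != s.asn:
            return "step_up"          # same device, new network: re-prove, then rebind
        if not (ctx.edr_running and ctx.os_patched):
            return "step_up"          # device posture degraded mid-session
        if sensitive and now - s.last_verified > self.REVERIFY:
            return "step_up"
        return "allow"

    def step_up_completed(self, token, ctx, now):
        """Called after a phishing-resistant factor succeeds on this device."""
        s = self.sessions[token]
        s.asn = ctx.asn
        s.last_verified = now


if __name__ == "__main__":
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    guard = SessionGuard()
    laptop = Context("mdm-cert-1a2b", "Mozilla/5.0 (Windows NT 10.0)", 64512, True, True)
    token = guard.issue("jdoe", laptop, t0)
    replay = Context("unknown", "curl/8.6.0", 64496, True, True)   # cookie used elsewhere
    print(guard.evaluate(token, laptop, t0 + timedelta(minutes=5)))
    print(guard.evaluate(token, replay, t0 + timedelta(minutes=6)))
```

The ordering of the checks is deliberate: a binding mismatch revokes before anything else is consulted, so an attacker replaying a harvested cookie cannot earn a step-up prompt that the victim might then approve on their own device.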
From a GDPR and data sovereignty perspective — areas of particular relevance to European organizations and those operating under EU law — continuous verification also supports demonstrably stronger access controls that can form part of a documented technical and organizational measures (TOMs) framework. Supervisory authorities increasingly expect organizations to demonstrate proactive, layered access governance rather than relying solely on password policies and standard MFA.