Organizations now manage thousands of human and non-human identities across cloud services, software-as-a-service applications, endpoints and remote environments. As hybrid working, Bring-Your-Own-Device (BYOD) and third-party access continue to expand, security teams are losing visibility over who has access to what and whether that access can be trusted.
Attackers are taking advantage of that complexity, as compromising an account is often faster and quieter than exploiting infrastructure vulnerabilities directly. For defenders, detecting malicious activity tied to a legitimate identity remains one of the biggest security challenges today.
So, what’s driving the rise in account takeover attacks, and how can organizations protect their identities?
Phishing the session, not the password
Credential abuse remains one of the most reliable ways for attackers to gain access to an organization, accounting for 22% of breaches in 2025. Attackers obtain usernames and passwords through infostealer malware, phishing campaigns or credential dumps from previous breaches.
While multi-factor authentication (MFA) is still one of the most important defenses against account compromise, attackers have adapted their tactics to target the authentication process itself.
One common technique is MFA fatigue, also known as prompt bombing. This involves repeatedly triggering MFA approval requests until the user eventually accepts one, usually out of frustration at the barrage of notifications they’re receiving.
A well-known example came in 2022, when attackers targeted an Uber employee with repeated MFA prompts until one was approved.
That initial access allowed the attackers to escalate privileges and move deeper into Uber’s environment, ultimately compromising large parts of its cloud infrastructure and exposing employee data.
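On the detection side, the prompt-bombing pattern described above shows up in MFA logs as a burst of denied or timed-out push requests for one user followed by an approval. The sketch below is an added example, not code from the article or from any vendor; the event tuple layout, the result labels, the ten-minute window and the threshold of five are all assumptions to adapt to your identity provider's log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, push result); not real log data.
SAMPLE_EVENTS = [
    ("2025-01-10T02:00:05", "alice", "denied"),
    ("2025-01-10T02:00:40", "alice", "timeout"),
    ("2025-01-10T02:01:10", "alice", "denied"),
    ("2025-01-10T02:02:00", "alice", "denied"),
    ("2025-01-10T02:02:45", "alice", "timeout"),
    ("2025-01-10T02:03:30", "alice", "denied"),
    ("2025-01-10T02:04:10", "alice", "approved"),  # approval after a burst
    ("2025-01-10T09:15:00", "bob", "denied"),       # single mistap, then success
    ("2025-01-10T09:15:30", "bob", "approved"),
    ("2025-01-10T10:00:00", "carol", "denied"),     # rejections spread over an hour
    ("2025-01-10T10:15:00", "carol", "denied"),
    ("2025-01-10T10:30:00", "carol", "denied"),
    ("2025-01-10T10:45:00", "carol", "denied"),
    ("2025-01-10T11:00:00", "carol", "denied"),
    ("2025-01-10T11:01:00", "carol", "approved"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed minimum rejected prompts in the window

def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Flag approvals that follow a burst of rejected pushes for the same user."""
    recent = defaultdict(deque)  # user -> timestamps of rejected prompts
    alerts = []
    for ts_raw, user, result in sorted(events):  # ISO timestamps sort in time order
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:          # drop rejections outside the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "approved_at": ts_raw,
                               "rejected_prompts": len(q)})
            q.clear()                            # an approval resets the burst
    return alerts

if __name__ == "__main__":
    print(detect_mfa_fatigue(SAMPLE_EVENTS))
```

An alert from this rule is a reason to revoke the user's sessions and confirm the approval with them out of band, since the login it flags succeeded with valid credentials.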
Attackers are also using adversary-in-the-middle frameworks and session hijacking tools to bypass MFA entirely by stealing authenticated session tokens after login.