Your Password is the New Perimeter as Identity Attacks Dominate

📊 Key Data
  • 80% of cyber incidents in 2025 originated from compromised cloud identities (Field Effect report).
  • 53 billion identity records circulating on the dark web, a 22% increase from the previous year.
  • $10.22 million average cost of a breach for U.S. companies, with credential-based breaches costing $4.67 million on average.

🎯 Expert Consensus

Experts agree that identity has become the dominant attack surface in cybersecurity, requiring a shift to Zero Trust principles and AI-enhanced defenses to mitigate the growing threat of credential-based attacks.

OTTAWA, ON – March 10, 2026 – The digital keys to the kingdom are no longer complex exploits or novel malware, but the everyday passwords and identities of employees. A landmark 2026 report from cybersecurity firm Field Effect reveals a dramatic shift in the threat landscape, finding that over 80% of cyber incidents investigated in the past year originated from compromised cloud identities.

This finding signals a fundamental change in how threat actors operate, moving away from breaking down digital walls and instead simply walking through the front door using stolen keys. Based on frontline incident response data, the report shows attackers are increasingly bypassing traditional security by abusing trusted accounts, legitimate collaboration software, and standard enterprise workflows.

"In many of the incidents we investigated in 2025, attackers didn't exploit a vulnerability. They logged in using valid credentials," said Earl Fischl, Director of Security Services at Field Effect. "Identity has effectively become the dominant attack surface. Once attackers gain access to trusted accounts, they can blend into normal activity and move through an organization much more easily."

The Identity Battleground

The era of relying solely on firewalls and antivirus software to protect corporate networks is officially over. The new battleground is identity. This shift is corroborated by multiple industry analyses, which show a steep decline in malware-based attacks in favor of "living off the land" techniques. Other industry reports have noted that as many as 79% of all cyberattack detections in 2024 were malware-free, highlighting a clear trend toward exploiting valid credentials and built-in system tools.

This strategy allows adversaries to remain undetected for longer periods. By using legitimate accounts, their malicious activities are often indistinguishable from the daily noise of a busy corporate network. The underground economy for these credentials is booming. One recent report on identity exposure found over 53 billion distinct identity records circulating on the dark web, a 22% increase from the previous year. This vast repository of stolen usernames, passwords, session cookies, and personal information provides attackers with a ready-made arsenal to impersonate employees and bypass security controls, including some forms of multi-factor authentication (MFA).

AI: The Hacker's New Accelerator

Pouring fuel on the fire is the rapid weaponization of generative artificial intelligence. Field Effect's report highlights that while AI has not invented entirely new attack methods, it has dramatically accelerated their speed, scale, and sophistication. This makes potent cyberattacks accessible to a wider range of less-skilled actors.

"AI did not necessarily introduce entirely new attack techniques," Fischl noted. "What it did was dramatically accelerate the ones attackers were already using, making them faster and easier to scale."

Generative AI is being used to craft hyper-realistic and personalized phishing emails at an unprecedented rate. Research from other major tech firms indicates that AI can reduce the time needed to create a convincing phishing email by as much as 99.5%. This capability is also fueling a surge in voice phishing, or "vishing," with some security vendors reporting a 442% increase in such attacks, partly driven by AI-powered voice cloning and impersonation scripts. Beyond social engineering, AI automates reconnaissance, scans networks for vulnerabilities, and helps validate exploit code, turning cybercrime into an industrialized, highly efficient operation.

Trusted Tools Turned into Weapons

In today's hybrid work environment, the very tools designed for collaboration and productivity are being turned against organizations. The Field Effect report details multiple campaigns where attackers exploited legitimate platforms like Microsoft Teams, Zoom, and Quick Assist to gain initial access and escalate privileges.

One particularly insidious campaign involved threat actors creating new Microsoft 365 tenants to impersonate a company's internal IT help desk. They then initiated vishing calls through Microsoft Teams, convincing employees to grant them remote access via Quick Assist. Once inside, attackers used PowerShell scripts to harvest more credentials, move laterally across the network, and ultimately deploy ransomware.

This tactic is especially effective because it leverages the inherent trust employees place in their company's IT support and collaboration software, bypassing traditional email security filters. Beyond these social engineering schemes, edge infrastructure—the routers, firewalls, and VPN appliances that connect an organization to the internet—remains a high-value target. The report describes a sustained campaign targeting SonicWall SSL VPN appliances, where attackers reused previously exposed credentials to log directly into high-privilege systems. In several instances, this access was later sold to or leveraged by the notorious Akira ransomware group, demonstrating a direct link between credential abuse and devastating financial attacks.
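For defenders, the Teams help-desk impersonation chain described above (external chat, then Quick Assist, then PowerShell) can be expressed as a sequence correlation. The following is an added example, not code from the Field Effect report: the event schema, tenant names, allowlist and 30-minute window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not a real product's log format).
EVENTS = [
    {"ts": "2026-01-12T14:02:00", "kind": "teams_external_chat", "user": "alice",
     "sender_tenant": "helpdesk-support.example"},
    {"ts": "2026-01-12T14:09:00", "kind": "process_start", "user": "alice",
     "host": "WS-017", "image": "quickassist.exe"},
    {"ts": "2026-01-12T14:15:00", "kind": "process_start", "user": "alice",
     "host": "WS-017", "image": "powershell.exe"},
    # Benign: chat from an allowlisted partner tenant, then Quick Assist.
    {"ts": "2026-01-12T15:00:00", "kind": "teams_external_chat", "user": "bob",
     "sender_tenant": "partner.example"},
    {"ts": "2026-01-12T15:05:00", "kind": "process_start", "user": "bob",
     "host": "WS-022", "image": "quickassist.exe"},
    # Benign: PowerShell with no preceding external chat or remote session.
    {"ts": "2026-01-12T16:00:00", "kind": "process_start", "user": "carol",
     "host": "WS-030", "image": "powershell.exe"},
]

TRUSTED_TENANTS = {"partner.example"}   # assumption: tenants approved for external chat
WINDOW = timedelta(minutes=30)          # assumption: tune to your environment
SHELLS = {"powershell.exe", "pwsh.exe"}

def find_helpdesk_chains(events, trusted=TRUSTED_TENANTS, window=WINDOW):
    """Return alerts where an untrusted external Teams chat is followed by
    Quick Assist and then PowerShell for the same user, each step within `window`."""
    alerts = []
    state = {}  # user -> {"chat": (time, tenant), "qa": (time, host)}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        s = state.setdefault(ev["user"], {})
        if ev["kind"] == "teams_external_chat":
            if ev["sender_tenant"] not in trusted:
                s["chat"] = (t, ev["sender_tenant"])
                s.pop("qa", None)  # a new chat restarts the sequence
        elif ev["kind"] == "process_start":
            image = ev["image"].lower()
            if image == "quickassist.exe" and "chat" in s and t - s["chat"][0] <= window:
                s["qa"] = (t, ev["host"])
            elif image in SHELLS and "qa" in s:
                qa_time, qa_host = s["qa"]
                if ev["host"] == qa_host and t - qa_time <= window:
                    alerts.append({"user": ev["user"], "host": qa_host,
                                   "tenant": s["chat"][1], "shell_at": ev["ts"]})
                    state[ev["user"]] = {}  # reset after alerting
    return alerts
```

On the constructed events only the first sequence alerts; Quick Assist after an allowlisted tenant's chat and PowerShell on its own do not.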

The High Cost of Compromise and the Path Forward

The financial and operational consequences of these identity-based breaches are staggering. While global averages hover around $4.44 million per incident, the cost for U.S. companies has hit a record-breaking $10.22 million, according to recent industry-wide studies. Breaches originating from stolen or compromised credentials are among the most expensive, costing an average of $4.67 million and taking months to identify and contain.

To counter this evolving threat, experts urge a fundamental pivot from perimeter-based defense to an identity-centric security model built on Zero Trust principles. This approach assumes no user or device is inherently trustworthy and requires continuous verification for every access request. Key mitigation strategies include enforcing phishing-resistant multi-factor authentication (like FIDO2 hardware keys), gaining deep visibility across all environments, and diligently patching exposed systems.

Ironically, the same AI technology fueling attacks can also be a powerful defensive tool. Organizations that extensively use AI and automation in their security operations have been shown to identify and contain breaches significantly faster, saving nearly $1.9 million on average compared to those that do not. Ultimately, the new reality demands a proactive and layered defense that acknowledges identity as the primary control plane.

"Organizations cannot control an attacker's intent or capabilities," Fischl concluded. "But they can reduce the opportunities attackers rely on by strengthening identity security, improving visibility across their environments and addressing exposed infrastructure."
