Common Identity Threats and How to Prevent Them

Key Takeaways:

  • Identity threats are now the primary way cybercriminals break into businesses.

  • Identity threat protection requires layered defenses, including multi-factor authentication (MFA), identity threat detection and response (ITDR), Zero Trust, and security awareness training.

  • Huntress Managed ITDR delivers practical, 24/7 identity threat detection and response for businesses of all sizes.

You likely haven’t been at risk of dramatic, Hollywood-style identity theft. However, if you’ve ever had your password exposed in a breach, you’ve had an identity threat encounter.

In a nutshell, an identity threat is an attempt by a threat actor to steal, abuse, or impersonate the digital identities of individuals or organizations. These digital identities can be credentials, authentication tokens, or personal data associated with an account or role.

Why should you care about identity threats? For starters, credential theft has jumped 160% in 2025, meaning more accounts are being compromised than ever. Identities open doors. In the early days of cybercrime, malware and brute-force attacks battered network firewalls until they cracked. Today’s hackers use stolen usernames and passwords instead. And when hackers succeed, they don’t just grab data. They gain persistence, invisibility, and the ability to pretend to be you at will. 

What are the four types of threats?

1. Phishing and social engineering 

These are the oldest and deadliest tricks in the book. Attackers will always pose as a bank, a boss, or a brand you trust. They create fake login portals or password reset pages to harvest your credentials, or they might play on your emotions and sense of urgency to pry loose credentials directly. With generative AI, phishing emails and voice deepfakes are more believable than ever before. 


2. Credential-based attacks

Once an attacker has valid credentials, they can hop through networks with relative ease using real identities. Here are some examples:

  • Credential stuffing: Attackers reuse stolen username–password pairs from one breach across other websites and services. 

  • Password spraying: Attackers try passwords like “Winter2025!” against thousands of accounts to see what sticks. 


3. Directory and infrastructure exploits 

Active Directory (AD) and cloud identity systems are juicy targets for attackers. An attacker who gains access to AD can create backdoor accounts, escalate privileges, and maintain persistence for the long term. Adversary-in-the-Middle (AiTM) attacks can also let an adversary intercept authentication tokens or session cookies in real-time. 


4. Identity theft and cloning 

This can include financial identity theft (opening new lines of credit), medical ID theft (billing unexpected medical treatments to someone else’s insurance), or synthetic identity creation (mixing fake and real information into a new identity). 

For enterprises, this could look like fraudulent vendor accounts set up to invoice the organization. This is just the tip of the iceberg, though. Identity threats are continually evolving and mutating. But this gives you a baseline for understanding where they live. 




Common identity threat examples

Here are just a few identity threat examples in the real world. 

Example: Phishing email spoofs Microsoft 365

Click once, and an attacker has an employee’s username and password. They pivot to perpetrating a BEC scam, sending internal “CEO requests” for wire transfers.

Example: Malicious inbox rules and BEC

Business Email Compromise (BEC) doesn’t always start with a flashy phishing link. Sometimes threat actors create malicious mailbox rules in Outlook or Microsoft 365 to auto-forward invoices, delete security alerts, or hide messages from IT. These tampered mailboxes are just the start of financial fraud and data theft. To stop BEC before it escalates, monitoring for unusual or hidden inbox rules is crucial.
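One way to monitor for the rule behaviors described above (external auto-forwarding, deleting security alerts, hiding messages), shown as an added example that is not part of the original page or any Huntress product. The rule records, field names, keyword list, and folder list are assumptions constructed for illustration.

```python
import re

ORG_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains
SENSITIVE = ("invoice", "payment", "wire", "security", "alert", "password", "phish")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items"}

# Constructed rule records; the field names are hypothetical, not a vendor schema.
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": ".",
     "forward_to": ["collector@mail.example.net"], "contains": ["invoice", "remittance"]},
    {"mailbox": "cfo@example.com", "name": "cleanup",
     "delete_message": True, "contains": ["Security alert", "phishing"]},
    {"mailbox": "dev@example.com", "name": "Newsletters",
     "move_to_folder": "Newsletters", "contains": ["weekly digest"]},
    {"mailbox": "ceo@example.com", "name": "To assistant",
     "forward_to": ["assistant@example.com"]},
]

def audit_rule(rule):
    """Return the reasons a single inbox rule deserves a human look (empty if none)."""
    reasons = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    outside = [a for a in targets if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]
    if outside:
        reasons.append("forwards outside the organization: " + ", ".join(outside))

    phrases = sorted(p.lower() for p in rule.get("contains", []))
    hits = [p for p in phrases if any(word in p for word in SENSITIVE)]
    hides = bool(rule.get("delete_message")) or \
        rule.get("move_to_folder", "").lower() in HIDING_FOLDERS
    if hides and (hits or not phrases):
        scope = ", ".join(hits) if hits else "all incoming mail"
        reasons.append("deletes or buries messages matching: " + scope)

    if not re.search(r"[A-Za-z0-9]", rule.get("name", "")):
        reasons.append("rule name has no letters or digits")
    return reasons

def audit_mailboxes(rules):
    """Map (mailbox, rule name) to reasons, keeping only rules that were flagged."""
    flagged = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            flagged[(rule["mailbox"], rule.get("name", ""))] = reasons
    return flagged
```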

Example: Password reuse and credential stuffing

A healthcare worker reuses their Netflix password for work. That password is exposed in a breach elsewhere and fed into a credential-stuffing script, and HIPAA-protected data is breached.

Example: Adversary-in-the-Middle (AiTM)

A session cookie is hijacked over an insecure Wi-Fi connection. This lets an attacker log into cloud dashboards without needing the password. 

As you can see, all these examples are about getting around traditional defenses. To an automated system or firewall, all the user account credentials were legit, and only the authentication process was bypassed.



How to prevent identity threats

Multi-factor authentication (MFA) 

This one is a no-brainer. MFA is something every identity system should have to stop automated attacks. According to Microsoft, enabling MFA can prevent 99.9% of attacks on your accounts.

Identity threat detection and response (ITDR) 

This is where you step from offense to defense to offense again. Identity threat detection systems monitor for suspicious behavior like geographically impossible logins, unusual privilege escalation, dormant accounts suddenly active again, or new remote desktop protocols. The best solutions, like Huntress Managed ITDR, can also automate containment, so you’re not left frantically blocking systems at 2 am. 
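The "geographically impossible logins" check mentioned above can be expressed as a speed test between a user's consecutive sign-ins. This is an added example, not code from the original page or from Huntress Managed ITDR; the sign-in tuple layout, the speed and distance thresholds, and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

NEW_YORK, LONDON, PARIS = (40.71, -74.01), (51.51, -0.13), (48.86, 2.35)

# Constructed sign-ins: (UTC time, user, geolocated (lat, lon) of the source IP).
SAMPLE_SIGNINS = [
    (datetime(2025, 3, 3, 9, 0), "alice", NEW_YORK),
    (datetime(2025, 3, 3, 9, 40), "alice", LONDON),             # ocean crossed in 40 minutes
    (datetime(2025, 3, 3, 8, 0), "bob", LONDON),
    (datetime(2025, 3, 3, 12, 0), "bob", PARIS),                # plausible train trip
    (datetime(2025, 3, 3, 10, 0, 0), "carol", (51.51, -0.13)),
    (datetime(2025, 3, 3, 10, 0, 5), "carol", (51.55, -0.10)),  # geo-IP jitter, same city
]

def impossible_travel(signins, max_kmh=900.0, min_km=50.0):
    """Flag consecutive sign-ins by one user that imply travel faster than max_kmh.

    max_kmh (about airliner speed) and min_km (ignore geo-IP jitter) are assumptions.
    """
    last_seen, alerts = {}, []
    for ts, user, loc in sorted(signins):
        if user in last_seen:
            prev_ts, prev_loc = last_seen[user]
            km = haversine_km(prev_loc, loc)
            hours = (ts - prev_ts).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")  # simultaneous sessions
            if km >= min_km and kmh > max_kmh:
                alerts.append({"user": user, "km": round(km), "kmh": kmh, "at": ts})
        last_seen[user] = (ts, loc)
    return alerts
```

VPN egress points and geo-IP errors produce false positives, so treat a hit as a prompt to check device and session context rather than as proof of compromise.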

Zero Trust architecture 

Forget “trust but verify.” It’s never trust, always verify in today’s world. Zero Trust means that every login, device, and access request is verified, all the time. 

Security awareness and training 

Last line of defense? Not at all. Your team members are the front line of defense, but only if they know what to look for. Train them to recognize phishing emails and voice deepfakes, question urgent or unexpected requests, and verify through secondary channels. Huntress Managed Security Awareness Training (SAT) gets your team to do this.

Strong password hygiene and management 

Password managers, strong random password generation and rotation, and rules against password reuse are vital. Weak, reused, or shared passwords remain the most common attack vector. 

Harden up your infrastructure

Patch your identity systems. Audit privileged accounts and dormant user access. Attackers love unmanaged identity sprawl. 




Quick prevention checklist

  • Turn on MFA everywhere you can

  • Deploy ITDR to catch suspicious logins and session hijacks

  • Monitor mailboxes for tampered inbox rules to stop BEC early

  • Train employees with Managed Security Awareness Training (SAT) to recognize phishing attempts

  • Adopt Zero Trust across users and devices

  • Rotate and strengthen passwords using a password manager

  • Regularly audit and patch identity systems


Why identity threat protection matters now

Today’s networks are spread across remote workers, SaaS applications, and hybrid clouds. Credentials are the universal “golden ticket” into these environments. If you don’t have strong identity threat protection, attackers don’t need to break in. They can just log in. 

 
Huntress Managed ITDR actively monitors, detects, and remediates identity attacks before they spiral, while Huntress Managed Security Awareness Training teaches your employees to recognize phishing and social engineering. Schedule a demo today to see Huntress in action.



