The dirty secret of identity management systems? The very tools designed to protect your crown jewels are being used to jump the castle moat and break down the drawbridge. Cybercriminals don’t hack your systems — they log in.
Identity and access management (IAM) underpins the digital world, protecting business data and managing risks. These systems designed to establish trust have become the easiest targets for attackers, turning security into a high-stakes game of cat and mouse.
This threat is no longer theoretical. In late 2023, the MOVEit hack exposed millions of employee records, providing attackers with detailed data for phishing and social engineering. At the same time, phishing campaigns leveraging Cloudflare services surged 257%, as reported by Fortra. CyberArk highlighted that 95% of organizations faced identity-related breaches last year, with adversary-in-the-middle (AiTM) attacks neutralizing MFA protections.
These incidents illustrate a growing reality: attackers are weaponizing trusted tools and platforms, exploiting not only IAM systems but also the growing adoption of cloud environments, creating a crisis that cybersecurity professionals must address.
Trust abused: When legitimate platforms turn malicious
Platforms like Cloudflare — long regarded as paragons of web security — are being weaponized by attackers. According to Fortra’s Suspicious Email Analysis team, phishing campaigns leveraging Cloudflare’s Pages and Workers services surged 257% between 2023 and 2024. By abusing legitimate features like SSL/TLS encryption and Cloudflare’s global content delivery network, attackers make their phishing sites look credible to both users and URL filtering systems.
One attack, Fortra noted, even included a CAPTCHA-like human verification page to add an illusion of legitimacy. These tactics erode the trust users place in widely-used platforms, creating a dangerous new threat landscape.
Identity: The double-edged sword
IAM systems, designed to protect organizations, are now under siege. A report from CyberArk revealed that 95% of organizations suffered two or more identity-related breaches in the past year.
Attackers no longer brute-force their way into systems; they “log in” with stolen credentials, often bypassing multi-factor authentication (MFA) through methods like adversary-in-the-middle (AiTM) attacks. Tyler Hudak, director of incident response at Inversion6, explained that AiTM attacks proxy user credentials to legitimate sites, effectively neutralizing MFA protections. It’s a reminder that IAM vulnerabilities can turn trust into a liability.
Automation: A cybercriminal’s best friend
The rise of phishing-as-a-service (PhaaS) platforms like Rockstar 2FA is accelerating the automation of cyberattacks. These platforms leverage AI to rapidly create phishing campaigns, generating custom decoy pages to fool even advanced security tools.
“These sophisticated platforms use AI to personalize messaging and serve decoy pages to evade detection,” said Itzik Alvas, CEO of Entro Security. As AI tools like ChatGPT and FraudGPT become more accessible, the scale and speed of these attacks will only increase, leaving unprepared organizations vulnerable.
The human cost of data breaches
Identity breaches have real-world consequences. The MOVEit hack, one of the largest data breaches of 2023, exposed millions of records from major companies, including Amazon and MetLife.
The stolen data — ranging from email addresses to organizational structures — became a goldmine for attackers engaging in phishing and social engineering. “Third-party software remains one of the largest and least manageable cybersecurity risks organizations face,” warned Joe Silva, CEO of Spektion.
The breach underscores the need for organizations to prioritize vendor risk management and continuously monitor their attack surface.
Solutions: Moving beyond legacy defenses
As attackers evolve, so must defenses. Legacy MFA solutions, such as SMS-based codes, are increasingly vulnerable to attacks like MFA fatigue and session hijacking. Experts, including Google Cloud’s Mayank Upadhyay, are advocating for phishing-resistant authentication methods like Passkeys and hardware tokens. Okta’s 2024 Secure Sign-In Trends Report noted that such methods not only enhance security but also improve user experience, making them critical for modern IAM strategies. “Once you’ve experienced passwordless authentication, you’ll never want to go back,” said Okta CEO Todd McKinnon.
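Why a relayed one-time code still verifies while a passkey assertion made on a look-alike domain does not, as an added example that is not part of the original article: the relying party checks the origin the browser recorded and the RP ID hash covered by the authenticator's signature. The host names, key and challenge are constructed, and an HMAC stands in for the authenticator's public-key signature so the code runs with the standard library only.

```python
import hashlib, hmac, json, struct

RP_ID = "login.example.com"                      # constructed relying-party ID
RP_ORIGIN = "https://" + RP_ID
PROXY_ORIGIN = "https://login.example.com.proxy.invalid"  # constructed look-alike

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 code: depends only on secret and time, never on the site."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"

def browser_assert(key: bytes, page_origin: str, challenge: str):
    """Browser + authenticator stand-in. The browser, not the page, records the
    origin; HMAC is an assumed substitute for the public-key signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    rp_id = page_origin.removeprefix("https://")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", 1)
    msg = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(key, msg, hashlib.sha256).digest()

def verify_assertion(key, challenge, client_data, auth_data, sig) -> str:
    """Relying-party checks that make the assertion origin-bound."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "bad-challenge"
    if cd.get("origin") != RP_ORIGIN:
        return "origin-mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpid-mismatch"
    msg = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(sig, hmac.new(key, msg, hashlib.sha256).digest()):
        return "bad-signature"
    return "ok"

def demo() -> dict:
    key, chal, now = b"constructed-key", "Y29uc3RydWN0ZWQ", 1_700_000_000
    direct = verify_assertion(key, chal, *browser_assert(key, RP_ORIGIN, chal))
    proxied = verify_assertion(key, chal, *browser_assert(key, PROXY_ORIGIN, chal))
    # Rewriting the recorded origin and RP ID hash in transit breaks the signature.
    cd, ad, sig = browser_assert(key, PROXY_ORIGIN, chal)
    cd2 = cd.replace(PROXY_ORIGIN.encode(), RP_ORIGIN.encode())
    ad2 = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    return {"totp_relayed": totp(key, now) == totp(key, now + 5),
            "direct": direct, "proxied": proxied,
            "rewritten": verify_assertion(key, chal, cd2, ad2, sig)}
```

Calling demo() shows the one-time code is still valid seconds after it was typed anywhere, while only the assertion made on the genuine origin is accepted.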
Zero Trust architecture, which assumes that every access attempt could be malicious, is also gaining traction. By implementing continuous authentication and monitoring user behavior beyond the initial login, organizations can thwart attackers who have already breached their perimeter. Privileged Access Management (PAM) strategies, as outlined in the PAM Maturity Model, further enhance security by restricting access to sensitive resources on a just-in-time basis.
A Privileged Access Management (PAM) Maturity Model provides a structured framework that organizations can use to assess and enhance their control over privileged accounts and credentials. It outlines the journey from basic, essential practices, such as secure password storage and access logging, to advanced strategies, including automated access provisioning, just-in-time privilege assignment, and full Zero Trust integration.
This model helps organizations understand where they currently stand, identify gaps, and chart a path toward robust, scalable security solutions that minimize risks associated with misuse of privileged accounts.
Urgency for action
The identity crisis is not a distant threat—it’s here, and it’s growing. Cybercriminals are exploiting trusted platforms, automating their attacks, and targeting IAM systems with devastating precision. For cybersecurity professionals, the path forward is clear: adopt phishing-resistant MFA, enforce Zero Trust principles, and reimagine IAM as both a security tool and a critical business enabler.
Organizations must embrace modern identity management solutions that not only defend against breaches but also foster resilience and scalability in a cloud-first world. By addressing legacy blind spots, harmonizing distributed platforms, and fortifying trust through robust security frameworks, businesses can transform identity management from a liability into a strategic advantage—securing their digital future in an era of relentless threats.
The stakes couldn’t be higher. As companies rely more on a distributed patchwork of cloud platforms, including various PaaS and XaaS solutions, the complexity of managing identities grows exponentially. Legacy tools like Active Directory struggle to keep pace, creating blind spots in IAM systems. This isn’t just a technical failure — it’s a societal one.
A report from Strata Identity and the Cloud Security Alliance found that 75% of organizations manage two or more identity providers (IDPs), and 11% manage five or more. This fragmentation adds significant complexity, with 71% of respondents citing legacy system incompatibilities as barriers to modernizing IAM systems. Additionally, 40% struggle to monitor user behaviors effectively across such distributed platforms.
(Editor’s Note: A portion of this content used a large language model to distill a single source of original content, such as a transcript, data, or research report. This content was conceived, crafted and fact-checked by a staff editor, and any sourced intellectual property used is clearly credited and disclosed.)