Attackers Aren’t Breaking In Anymore. They’re Signing In.
There was a time when cybersecurity felt easier to understand.
The threat was outside of your walls. A malicious file. A suspicious IP address. A brute-force attempt hammering at the gate. Security, at least in theory, was about building stronger walls and watching the perimeter.
That’s no longer how many of the most consequential attacks begin.
Now, the attacker often doesn’t break in.
They sign in.
That shift is one of the most important changes happening in cybersecurity right now. Google Cloud’s latest Threat Horizons reporting found that in incidents involving major cloud and SaaS-hosted environments, identity issues were exploited for initial access in 83% of cases in the second half of 2025.
That number should make every business leader pause.
Because it tells us that the battleground has moved. The center of gravity is no longer just the network edge, the firewall, or the endpoint. It’s identity. It’s the login. The token. The authorization flow. The quiet moment when a system decides, “Yes, this person belongs here.”
That’s the new front line.
And what makes this so dangerous is that modern identity attacks often don’t look dramatic. They don’t always arrive with flashing red lights. They look normal. Familiar. Routine. A sign-in request. A verification step. A legitimate application flow.
That’s exactly why they work.
Earlier this month, Microsoft disclosed an AI-enabled device code phishing campaign that abused a legitimate Microsoft authentication flow (the OAuth 2.0 device authorization grant, the sign-in path built for devices without a browser or keyboard) to compromise organizational accounts at scale. Instead of stealing passwords, attackers generated live device codes and lured users into completing a real authorization sequence: the user typed the code on the genuine sign-in page and satisfied the normal prompts, and the resulting token was issued to the party holding the matching device code, which was the attacker. Microsoft said the campaign achieved a higher success rate through automation and dynamic code generation that got around the normal 15-minute expiration window for device codes.
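To make the mechanism concrete, here is an added example (not code from the article or from Microsoft): a toy authorization server that implements the three steps of the device authorization grant, and an attacker loop that keeps a live code on offer by minting a new one each time the old one expires. The client ID, scopes, URL and the 15-minute lifetime are assumptions of this simulation, and the clock is faked so it runs instantly. The point it shows is that the token is bound to the device_code, not to whoever typed the user_code, so the party that started the flow gets the access. The `device_flow_enabled` switch models the usual mitigation of disabling the flow by policy (in Microsoft Entra this is a Conditional Access authentication-flows condition).

```python
# Added example (not from the article or from Microsoft): a minimal simulation of the
# OAuth 2.0 device authorization grant (RFC 8628) showing why device code phishing works.
# Client IDs, scopes, the verification URL and the 15-minute lifetime are assumptions.
import secrets

ATTACKER_CLIENT = "public-cli-client"   # assumed client_id; any public client will do
SCOPE = "mail.read files.read"          # assumed scopes


class FakeClock:
    """Controllable clock so the example runs instantly instead of sleeping."""
    def __init__(self, start):
        self.t = float(start)
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class DeviceCodeServer:
    """Toy authorization server implementing the three steps of RFC 8628."""
    def __init__(self, clock, expires_in=900, device_flow_enabled=True):
        self.clock = clock
        self.expires_in = expires_in            # 15 minutes, as in the article
        self.device_flow_enabled = device_flow_enabled
        self.pending = {}                       # device_code -> authorization record

    def device_authorization(self, client_id, scope):
        """Step 1: the client (here, the attacker) asks for a device_code/user_code pair."""
        if not self.device_flow_enabled:
            # hardened tenant: the flow is disabled by policy, so the lure has no code to carry
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock.now() + self.expires_in, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",
                "expires_in": self.expires_in, "interval": 5}

    def user_approves(self, user_code, username):
        """Step 2: the user types the user_code on the genuine sign-in page and passes
        password and MFA there. Nothing ties the code to who requested it."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and self.clock.now() <= rec["expires_at"]:
                rec["approved_by"] = username
                return True
        return False

    def token(self, device_code):
        """Step 3: whoever holds the device_code polls and receives the token."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.clock.now() > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": f"tok-for-{rec['approved_by']}"}


def run_phish(server, clock, victim, victim_delay):
    """Attacker side: mint a code, keep polling, and mint a fresh code whenever the old
    one expires so the lure always carries a live code. The victim is modelled as
    approving the most recently sent code after victim_delay seconds."""
    approve_at = clock.now() + victim_delay
    auth = server.device_authorization(ATTACKER_CLIENT, SCOPE)
    if "error" in auth:
        return auth
    codes_minted, approved = 1, False
    while True:
        clock.advance(auth["interval"])
        if not approved and clock.now() >= approve_at:
            approved = server.user_approves(auth["user_code"], victim)
        resp = server.token(auth["device_code"])
        if "access_token" in resp:
            resp["codes_minted"] = codes_minted
            return resp
        if resp.get("error") == "expired_token":
            auth = server.device_authorization(ATTACKER_CLIENT, SCOPE)
            codes_minted += 1


if __name__ == "__main__":
    clock = FakeClock(0)
    # Victim reacts after 20 minutes: the first code is dead, the second one is not.
    print(run_phish(DeviceCodeServer(clock), clock, "alice", victim_delay=1200))
    # The same lure against a tenant that blocks the flow.
    print(run_phish(DeviceCodeServer(clock, device_flow_enabled=False), clock, "alice", 60))
```

Notice that nothing the user sees is forged: the verification page, the password prompt and the MFA challenge are all real. The only thing the attacker controls is which device_code the user_code belongs to, and the regeneration loop is what turns a 15-minute code into a lure that stays valid for as long as the campaign runs.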
That’s worth sitting with for a second.
This wasn’t the old model of cybercrime, where someone smashes against the door and hopes to get lucky. This was something much more subtle and much more modern: using trust itself as the attack path.
And that’s really the story here.
For years, security conversations centered on keeping bad actors out. But now, a growing share of the risk lives inside the systems that determine who gets access in the first place. Identity has become the new perimeter because trust has become the new target.
That also helps explain why so many organizations are realizing that MFA alone isn’t the finish line. CISA continues to push phishing-resistant MFA (FIDO2/WebAuthn keys and certificate-based sign-in) because the common methods, SMS codes, one-time passcodes and push approvals, can still be defeated by adversary-in-the-middle phishing that relays the code in real time, and by session-based attacks that simply steal or replay the token issued after MFA has already succeeded.
In other words, stronger authentication changed the fight. It didn’t end it.
Attackers adapted. They followed the trust layer.
And this is where the implications get bigger than just security teams.
Identity compromise isn’t just an IT issue. It’s an operational one. Once someone gains trusted access, they’re no longer just poking at infrastructure. They’re stepping into workflows. Email. Files. Approvals. Financial processes. Cloud apps. Internal systems. In many cases, the attacker doesn’t need to be noisy because the access already looks legitimate on the surface.
That’s what makes this such an important shift for leadership teams to understand. The old question was, “Can we keep attackers out?” The better question now is, “If someone abused identity to get in, how quickly would we know?”
That's a very different kind of problem.
And it’s not limited to massive enterprises with household names. Verizon’s 2025 Data Breach Investigations Report analyzed 22,052 real-world security incidents and 12,195 confirmed breaches, the highest number of breaches it has ever examined in a single report. The lesson there is straightforward: attackers go where access is attainable, useful, and monetizable. They don’t need prestige. They need opportunity.
That’s why identity security can’t be treated as a one-time configuration exercise anymore.
It has to be watched like a live threat surface.
That means paying attention not just to whether a login technically succeeded, but whether the broader behavior around it makes sense. Are tokens being used in strange ways, such as a refresh token replayed from a different network than the sign-in? Are inbox rules suddenly changing, especially rules that forward or delete mail? Are OAuth permissions being granted where they shouldn’t be, such as consent to an unfamiliar app with mailbox or file scopes? Is there unusual access to cloud apps, endpoints, or data after what appears to be a routine sign-in?
That’s where the conversation starts to shift from prevention to detection. And that’s also where managed detection and response becomes much more relevant.
Not as a slogan. Not as a checkbox. As a practical way to deal with a more complicated reality.
Because when attacks are built around identity abuse, the challenge isn’t just stopping malware or blocking known bad infrastructure. It’s correlation. Context. Speed. It’s being able to connect a suspicious sign-in, unusual token activity, mailbox manipulation, endpoint behavior, and cloud signals into one coherent story before the incident spreads.
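The correlation described here, and the questions in the earlier list of things to watch (token use, inbox rules, OAuth consent after a sign-in), can be turned into a small rule. The following is an added example, not tooling from the article or from any vendor: it parses a constructed, pipe-delimited log format (the field names `protocol`, `action`, `scope`, `ip` and the `deviceCode` value are assumptions made for the example, not a real product’s schema), groups events per user, and raises an alert when a sign-in is followed within one hour by two or more of the signals the passage names. The sample lines are constructed for the example.

```python
# Added example (not from the article): correlate identity signals around a sign-in.
# Log format, field names and sample lines are constructed for this example and do not
# reproduce any real product's schema.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)          # how long after a sign-in we keep looking
MIN_FINDINGS = 2                        # one odd signal is noise; two together is a story
SUSPICIOUS_RULE_ACTIONS = {"forward", "delete"}
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "offline_access"}

# Constructed sample log: alice is compromised via device code flow, bob is benign.
SAMPLE_LOG = """\
2025-11-03T08:02:11|alice|signin|ip=203.0.113.7;protocol=deviceCode
2025-11-03T08:05:40|alice|token_refresh|ip=198.51.100.22
2025-11-03T08:09:03|alice|inbox_rule_created|name=.;action=delete;condition=subject:invoice
2025-11-03T08:15:27|alice|oauth_consent|app=MailSync Helper;scope=Mail.ReadWrite offline_access
2025-11-03T08:30:00|bob|signin|ip=192.0.2.10;protocol=browser
2025-11-03T08:41:12|bob|inbox_rule_created|name=Newsletters;action=move;condition=from:news@example.com
2025-11-03T10:55:00|alice|signin|ip=203.0.113.7;protocol=browser
"""


def parse_line(line):
    """timestamp|user|event_type|key=value;key=value -> dict."""
    ts, user, etype, rest = line.split("|", 3)
    attrs = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "type": etype, **attrs}


def findings_for(signin, later_events):
    """Signals that, taken together with this sign-in, make it look like identity abuse."""
    findings = []
    if signin.get("protocol") == "deviceCode":
        findings.append("sign-in via device code flow")
    for x in later_events:
        if x["type"] == "inbox_rule_created" and x.get("action") in SUSPICIOUS_RULE_ACTIONS:
            findings.append(f"inbox rule '{x.get('name')}' with action={x['action']}")
        elif x["type"] == "oauth_consent":
            scopes = set(x.get("scope", "").split())
            if scopes & HIGH_RISK_SCOPES:
                findings.append(f"OAuth consent to '{x.get('app')}' for {x['scope']}")
        elif x["type"] == "token_refresh" and x.get("ip") != signin.get("ip"):
            findings.append(f"refresh token used from {x['ip']} (sign-in came from {signin['ip']})")
    return findings


def correlate(events):
    """Return one alert per sign-in that is followed, within WINDOW, by enough signals."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["type"] != "signin":
                continue
            later = [x for x in evs[i + 1:] if x["ts"] - e["ts"] <= WINDOW]
            findings = findings_for(e, later)
            if len(findings) >= MIN_FINDINGS:
                alerts.append({"user": user, "signin_ts": e["ts"], "findings": findings})
    return alerts


def analyze(log_text):
    return correlate([parse_line(l) for l in log_text.splitlines() if l.strip()])


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["user"], alert["signin_ts"].isoformat())
        for f in alert["findings"]:
            print("   -", f)
```

Each individual event here passes a per-signal check: the sign-in succeeded, a mailbox rule is an ordinary user action, and OAuth consent is a feature. It is only the sequence, anchored on the sign-in, that tells the story, which is the correlation the passage is describing.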
That’s what a strong managed detection and response capability can help companies do. It helps bring visibility across the identity layer and the surrounding environment so suspicious activity can be detected earlier, investigated faster, and contained before it turns into something far more damaging.
And that may be the biggest shift of all.
Cybersecurity isn’t just about keeping attackers outside the walls anymore.
It’s about knowing, with confidence, whether the person already inside was ever supposed to be there at all.
