
Identity Is Now the Perimeter

  • Writer: Joseph Rapley
  • 2 days ago
  • 7 min read

For a long time, the standard model for keeping a business secure was built around the network edge. You put a firewall up, you controlled what came in and out, and if something was inside the network you broadly trusted it. That model has slowly been eroded with the introduction of cloud services, remote work and SaaS tools scattered across dozens of vendors, making the network boundary difficult to define, let alone defend.


What has replaced it is something simpler and harder to protect - identity. If an attacker gets hold of valid credentials, they do not need to rely on complex attack chains, weak external security or 0-day exploits; they can just log straight in.


The Stryker attack earlier this year illustrated this as clearly as anything in recent memory. Thousands of devices were wiped across 79 countries with no malware deployed and no software vulnerabilities exploited. The attackers obtained administrator credentials, logged into Microsoft Intune, issued a remote wipe command, and the platform did exactly what it was designed to do.



How Credential Theft Works

There are a few ways attackers get hold of credentials, and they are worth understanding because each one has different defences.


Infostealers are malware that run quietly on an infected device, harvesting saved passwords, session cookies and browser data without the victim having any idea. The stolen data gets packaged and sold on criminal markets, where it can be purchased for a few hundred dollars and used weeks or months later. We wrote about infostealers in detail earlier this year, including the NCSC's response to a large Lumma Stealer campaign that affected tens of thousands of New Zealanders.


Phishing is still the most common entry point for credential theft. Attackers impersonate a known service and direct the victim to a fake login page where they enter their username and password, which are sent straight to the attacker. Modern phishing platforms also proxy the full authentication flow, including the MFA step, and hand the resulting session token to the attacker once it completes.


Password spraying and brute force are less targeted. Attackers take a list of known usernames and try a small number of common passwords against each one, often slowly enough to avoid triggering account lockout policies. Check Point Research observed hundreds of logon and brute-force attempts against Stryker's VPN infrastructure in the period before the attack.


Credential stuffing uses username and password combinations from previous data breaches. If someone reused a password across services and one of those services was previously breached, their credentials may already be sitting in a public database, with freely available tools to automate using them at scale.


Insider recruitment is less talked about but increasingly common. Rather than stealing credentials through technical means, attackers simply pay someone who already has them. This happens through dark web forums and encrypted channels like Telegram, where criminal groups post advertisements offering anywhere from a few hundred dollars to thousands or more for access credentials or privileged system access at specific companies.

Accenture reported a 69% increase in 2025 in insiders offering their access to hackers compared to the year prior. The most documented recent case is Coinbase in May 2025, where attackers bribed overseas customer support agents to hand over their login credentials to internal tools, eventually exposing data on nearly 70,000 customers and costing the company an estimated $180 million to $400 million to remediate. The agents were using entirely legitimate credentials and authorised tools, so nothing triggered an alert for months. A less successful example is the 2020 attempt to recruit a Tesla employee to install ransomware from the inside, which failed because the employee reported it.


Why MFA Is Not Enough on Its Own

Multi-factor authentication has become the standard advice for protecting accounts, and it is genuinely useful against basic credential attacks, but there are techniques that get around it and attackers are using them routinely.


Adversary-in-the-middle (AiTM) phishing is the most common bypass. The attacker sets up a proxy between the victim and the real login page, so the victim completes a legitimate MFA challenge: they receive the push notification or enter the code, and everything looks normal. What the attacker captures is the session token issued after authentication completes, which is what the browser uses to stay logged in. With it, the attacker can access the account without needing the password or the MFA code at all, and standard push-based MFA and SMS codes are both vulnerable to this.


MFA fatigue works differently. The attacker already has the victim's password and repeatedly sends MFA push approval requests to their phone, often in the middle of the night, until the victim approves one just to make it stop. Scattered Spider, the group behind several high-profile attacks on MGM and Caesars Entertainment, used this technique to gain initial access.
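The password spraying described under How Credential Theft Works and the MFA fatigue pattern above both leave a footprint in sign-in logs. As an added example (not from the original post or any vendor product), here is Python that runs both detections over constructed sign-in events in a simplified CSV shape; the field names, result values, thresholds and sample entries are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real tenant data); fields: timestamp,user,source_ip,result
SAMPLE_LOG = """\
2025-06-01T02:00:01Z,alice,203.0.113.7,password_fail
2025-06-01T02:00:09Z,bob,203.0.113.7,password_fail
2025-06-01T02:00:17Z,carol,203.0.113.7,password_fail
2025-06-01T02:00:25Z,dave,203.0.113.7,password_fail
2025-06-01T02:00:33Z,erin,203.0.113.7,password_fail
2025-06-01T02:01:00Z,alice,198.51.100.4,password_fail
2025-06-01T02:01:05Z,alice,198.51.100.4,success
2025-06-01T03:10:00Z,grace,192.0.2.9,mfa_denied
2025-06-01T03:10:40Z,grace,192.0.2.9,mfa_timeout
2025-06-01T03:11:20Z,grace,192.0.2.9,mfa_denied
2025-06-01T03:12:45Z,grace,192.0.2.9,mfa_approved
"""

def parse(log):  # CSV lines -> (timestamp, user, ip, result) tuples
    return [(datetime.fromisoformat(t.replace("Z", "+00:00")), u, i, r)
            for t, u, i, r in (line.split(",") for line in log.strip().splitlines())]

def spray_sources(events, min_users=5, max_per_user=2, window=timedelta(minutes=30)):
    """IPs whose password failures hit >= min_users accounts, <= max_per_user each, in one window."""
    per_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "password_fail":
            per_ip[ip].append((ts, user))
    flagged = set()
    for ip, fails in per_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide a window starting at each failure
            hits = Counter(u for ts, u in fails[i:] if ts - start <= window)
            if len(hits) >= min_users and max(hits.values()) <= max_per_user:
                flagged.add(ip)
    return sorted(flagged)

def fatigue_targets(events, min_pushes=3, window=timedelta(minutes=10)):
    """Users who receive >= min_pushes denied or timed-out MFA pushes inside one window."""
    per_user = defaultdict(list)
    for ts, user, _ip, result in events:
        if result in ("mfa_denied", "mfa_timeout"):
            per_user[user].append(ts)
    flagged = []
    for user, times in per_user.items():
        times.sort()
        if any(times[i + min_pushes - 1] - times[i] <= window
               for i in range(len(times) - min_pushes + 1)):
            flagged.append(user)
    return sorted(flagged)
```

The slow, low-per-account pattern is what keeps a spray under lockout thresholds, which is why the detection counts distinct accounts per source rather than failures per account.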


Session token theft is what infostealers are built for. Rather than intercepting tokens in transit, they pull them directly from the browser on the infected device, giving the attacker a valid authenticated session without ever touching the password or the MFA code.


The only type of MFA that is resistant to all three of these is phishing-resistant authentication. FIDO2 hardware security keys (like a YubiKey) and Windows Hello for Business are the main options, and they work by tying the authentication to the specific website domain and the specific device, so a fake login page cannot capture anything useful and a stolen token cannot be replayed from a different machine. Microsoft's own hardening guidance, published in direct response to the Stryker attack, explicitly requires phishing-resistant MFA for all privileged accounts.
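To show why a FIDO2 credential survives the AiTM proxy described above, here is an added Python sketch of the relying-party checks (not from the original post and not a WebAuthn library): the browser, not the page, writes the visited origin into clientDataJSON and the rpId hash into the authenticator data, and the authenticator signs over both. It assumes the constructed domains login.example.com and login.example-secure.net and uses HMAC as a stand-in for the authenticator's asymmetric signature.

```python
import hashlib, hmac, json

RP_ID = "example.com"                            # relying party's registrable domain
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins the RP accepts
# Constructed stand-in for the credential's key pair: real WebAuthn uses an
# asymmetric signature; HMAC keeps this example dependency-free.
CREDENTIAL_KEY = b"constructed-demo-key"
CHALLENGE = "c0ffee"  # constructed; real challenges are random per request

def sign(data):
    return hmac.new(CREDENTIAL_KEY, data, hashlib.sha256).digest()

def browser_assertion(visited_origin, rp_id, challenge):
    """What the browser returns: it, not the page, fills in origin and rpIdHash."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": visited_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00" * 4  # rpIdHash|flags|counter
    return client_data, auth_data, sign(auth_data + hashlib.sha256(client_data).digest())

def verify(client_data, auth_data, sig, expected_challenge):
    """Relying-party checks in WebAuthn order; returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not hmac.compare_digest(sig, sign(auth_data + hashlib.sha256(client_data).digest())):
        return False, "bad signature"
    return True, "ok"

def legitimate_login():
    return verify(*browser_assertion("https://login.example.com", RP_ID, CHALLENGE), CHALLENGE)

def proxied_login():
    """AiTM proxy relays the real challenge, but the browser is on the phishing domain."""
    assertion = browser_assertion("https://login.example-secure.net", "example-secure.net", CHALLENGE)
    return verify(*assertion, CHALLENGE)

def tampered_login():
    """Proxy rewrites the origin to the real one: the signature covers clientDataJSON's hash."""
    client_data, auth_data, sig = browser_assertion("https://login.example-secure.net", RP_ID, CHALLENGE)
    fixed = client_data.replace(b"login.example-secure.net", b"login.example.com")
    return verify(fixed, auth_data, sig, CHALLENGE)
```

The same origin and signature binding is why a token or assertion captured on one machine is of no use from another once the credential is device-bound.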


What Attackers Do Once They Are In

Once an attacker has a valid login, the next question is what they can reach from there and how they can expand their access.


Privilege escalation means moving from a lower-privilege account to a higher one. An attacker who compromises a standard user account will look for ways to gain administrator access through misconfigured permissions, legacy service accounts with excessive rights, or tools like Mimikatz that can extract credential hashes from memory on a compromised Windows machine.


Lateral movement means using access on one system to reach others. If an attacker can log into one workstation, they will look for shared credentials, accessible file shares, internal applications and cloud management consoles, and in environments where credential reuse is common or where admin accounts are used for day-to-day work, that movement can happen quickly.


Living off the land is the phrase used for attacks that rely entirely on tools already present in the environment. Because the activity looks like normal administration, it is much harder for security teams to spot, which is exactly what happened at Stryker, where the attackers used Intune's own remote wipe feature and did not bring anything new into the environment at all.


This is partly why identity-based attacks are harder to catch than malware. Antivirus software looks for known bad files and has nothing to flag when an attacker is operating entirely through legitimate credentials and legitimate tools.


Controls That Actually Help

Phishing-resistant MFA on administrator accounts. This is the most important single control for privileged access, and FIDO2 keys or Windows Hello for Business should be required for any account with administrative rights over critical systems such as email platforms, device management consoles, cloud environments and identity providers like Azure Active Directory / Entra ID.


Separate admin accounts. Administrator accounts should be distinct from everyday user accounts and should not be used for email, web browsing or anything outside of administrative tasks. If an administrator's daily-use account is compromised, it should not come with domain admin rights attached to it.


Conditional Access policies. In Microsoft environments, Conditional Access lets you define rules about when and how accounts can authenticate. You can require compliant devices, restrict logins from outside known locations, block legacy authentication protocols and require step-up authentication for sensitive actions, all of which significantly reduce what a stolen credential can actually do.
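As an added example (not from the original post or from Microsoft), here is a Python audit that reads Conditional Access policies in the Microsoft Graph conditionalAccessPolicy JSON shape and checks two of the settings mentioned above: that legacy authentication is blocked, and that a privileged role is held to the phishing-resistant authentication strength rather than plain MFA. The weak and hardened policy sets are constructed, and the role template id and built-in authentication strength id are assumed values to confirm against your own tenant.

```python
# Assumed identifiers (confirm in your tenant): Global Administrator role template id
# and the built-in "Phishing-resistant MFA" authentication strength policy id.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # the legacy-auth client app types
ALL_APPS = {"applications": {"includeApplications": ["All"]}}

# Constructed policy sets in the Graph conditionalAccessPolicy shape. The weak tenant
# only asks admins for any MFA and leaves legacy authentication open.
WEAK_POLICIES = [
    {"displayName": "Admins: require MFA", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]}, **ALL_APPS},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
HARDENED_POLICIES = WEAK_POLICIES + [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, **ALL_APPS,
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Admins: phishing-resistant MFA", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]}, **ALL_APPS},
     "grantControls": {"operator": "AND", "builtInControls": [],
                       "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}}},
]

def _enforced(policies):
    # report-only state ("enabledForReportingButNotEnforced") blocks nothing
    return [p for p in policies if p.get("state") == "enabled"]

def legacy_auth_blocked(policies):
    """True if an enforced policy blocks the legacy client app types for all users."""
    for p in _enforced(policies):
        c, g = p["conditions"], p.get("grantControls") or {}
        if (LEGACY_CLIENT_TYPES <= set(c.get("clientAppTypes", []))
                and "All" in c["users"].get("includeUsers", [])
                and "block" in g.get("builtInControls", [])):
            return True
    return False

def admins_need_phishing_resistant(policies, role=GLOBAL_ADMIN_ROLE):
    """True if an enforced policy applies the phishing-resistant strength to the role on all apps."""
    for p in _enforced(policies):
        c, g = p["conditions"], p.get("grantControls") or {}
        strength = (g.get("authenticationStrength") or {}).get("id")
        if (role in c["users"].get("includeRoles", [])
                and "All" in c["applications"].get("includeApplications", [])
                and strength == PHISHING_RESISTANT_STRENGTH):
            return True
    return False
```

A policy left in report-only mode shows up as a gap here on purpose, since it is the state tenants most often forget to flip to enforced.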


Privileged Identity Management (PIM). PIM lets you assign admin roles on a just-in-time basis, so instead of an account permanently holding elevated permissions, a user requests them when needed, they are approved for a defined time window and then they expire. If that account is compromised outside that window, the elevated rights simply are not there to abuse.


Multi-person approval for destructive actions. Microsoft Intune, and several other management platforms, include controls that require a second administrator to approve irreversible actions like remote wipes. This control was not enabled in Stryker's environment, and enabling it limits what a single compromised account can do unilaterally, no matter how privileged that account is.


Credential exposure monitoring. Services that scan infostealer log dumps and dark web markets for your organisation's domains can alert you when an employee's credentials appear in stolen data. If you know about it before the attacker uses it, you can rotate the credentials and investigate the source, and the window between credentials being stolen and being used is often weeks, giving you time to act. Our New Zealand-based partner nWebbed offers this service at a very manageable price (nWebbed - Dark Web Intelligence).


Least privilege access. Every account should have access to what it needs to do its job and nothing more. A compromised marketing account should not have a path to financial systems or cloud administration, and auditing permissions regularly to remove excess access reduces the blast radius of any single compromised account.


Regular penetration testing. A penetration test checks how far a compromised account can actually travel through your environment, whether session tokens are properly invalidated, whether lateral movement is possible from a standard workstation, whether admin consoles have the right controls enabled and whether your detection tools would notice an attacker moving around using legitimate credentials. The gap between what organisations think is locked down and what actually is tends to be larger than expected.


New Zealand's NCSC has flagged credential-based attacks and business email compromise as the primary drivers of financial losses in their recent reporting, with direct losses hitting $26.9 million in 2024/25 and infostealers being the most common way those initial credentials get stolen.


For most NZ businesses, the identity layer sits inside Microsoft 365 or Google Workspace, and both platforms have the controls described above available. Most of them are not on by default, because the defaults are set to be accessible rather than locked down.


AI tools and agents inside organisations are increasingly connecting to email, calendars, file storage and code repositories with some form of account access, and in most cases that access is granted quickly without much thought about what the tool actually needs. Security teams are starting to treat AI integrations as identity risks: an agent with overly broad permissions is just another account that can be compromised or misused, and it is worth auditing what your AI tools have access to before that becomes a problem.


The practical shift for those responsible for defending their organisation is moving from asking "can someone get into our network?" to asking "what can someone do with a set of stolen credentials?". In most environments, the answer to that second question is more than it should be.

Tightening the identity layer with strong authentication, scoped permissions, monitoring for stolen credentials and regular testing to confirm it all holds up addresses the way most attacks actually start.


Sources include Microsoft Security Blog, NCSC New Zealand Cyber Threat Report 2025, Check Point Research, SecurityWeek, Cybersecurity Dive, Forrester, and Stryker's public disclosures.