
Your Next Breach Will Look Like Business as Usual

Source: Dark Reading (archived Apr 10, 2026)

These are the fundamental detection model shifts cybersecurity teams need to make to keep up with the rising number of credential-based attacks.



Jeanette Miller-Osborn, Field Cyber Intelligence Officer, Dataminr
April 10, 2026 | 5 Min Read | Opinion

Your perimeter is hardened, your SOC is on high alert for zero-days, and your firewalls are pristine. But while you're watching the fences, the adversary is walking through the front door with a smile and a valid employee ID.

In the modern threat landscape, attackers aren't always "breaking in"; they're simply logging in. Nearly one in three cyber intrusions now involve valid employee credentials, making this a leading attack vector. Armed with stolen credentials and supercharged by AI, threat actors now operate as a trusted colleague, turning the very identity of your workforce into your greatest vulnerability.

Credential theft isn't new. What's changed is the scale, and the degree to which AI has made these attacks faster, cheaper, and easier to execute. Phishing campaigns that once required real technical skill can now be generated at volume in minutes. Stolen credentials can be tested and deployed across platforms automatically. The result is a threat that's hard to detect because it doesn't look malicious, and thanks to AI, it's accelerating.

Security teams often underestimate how professional the credential-theft ecosystem has become. Threat actors have built business models around finding and validating stolen credentials, then selling that access to others. Buyers aren't just financially motivated cybercriminals anymore.
They include nation-state actors who buy credentials on Dark Web forums and use them to launch intrusion campaigns that look like ordinary cybercrime, which frustrates attribution.

This professionalization is what makes the supply chain such a dangerous target. In a landscape of interrelated dependencies, a single set of credentials can act as a master key. Attackers understand this "network effect" perfectly. They collaborate, share scripts, and sell access to one another to maximize profit at the lowest possible risk.

Meanwhile, defenders are falling short because we aren't sharing information with that same level of transparency. While attackers operate like a professional enterprise, security teams are often siloed by proprietary vendor frameworks and a lingering culture of victim-blaming. This lack of communication makes it easier for attackers to carry out supply chain attacks: they are collaborating to get in, while we are too isolated to notice the patterns.

AI has changed the economics of credential theft by stripping away the barriers to entry that used to keep less-sophisticated actors at bay. In the past, launching a credential-based attack at scale required real technical skill: you had to write custom scripts to validate logins, move through a network without being caught, and blend your activity into normal traffic patterns to avoid detection.

Now that technical hurdle is gone, not just for getting in but for staying in. AI tools allow an attacker to take a file of stolen credentials and automate their deployment across platforms instantly. Once inside, AI-assisted tooling can generate convincing behavioral patterns, mimic normal user activity, and help attackers navigate a network in ways that look indistinguishable from legitimate operations, tasks that once demanded advanced tradecraft and custom tools.
Whether they are performing a mass password-spraying attack or a targeted intrusion, they can now do it at a velocity that traditional defenses weren't built to stop. According to research, the volume of information-stealing malware, the primary way these credentials are stolen in the first place, surged 84% over the last year. With more credentials being stolen and AI making them easier to weaponize, the blind spot for security teams is only getting wider.

Shifting the Detection Model

Closing that gap requires a fundamental shift in the detection model itself. If an attacker is authenticated with real credentials and operating during business hours, traditional alarms often stay silent. To regain the advantage, practitioners should prioritize these measures:

Move identity monitoring upstream: Dark Web and underground-forum monitoring needs to be integrated into active response workflows, not monthly reports. The moment a match for one of your identities surfaces externally, it should trigger automated credential rotation and mandatory multifactor authentication (MFA), long before that credential is used against your production environment.

Implement phishing-resistant MFA: Traditional SMS, one-time-code, or push-based MFA can no longer stop modern adversary-in-the-middle (AiTM) attacks: the proxy sits between the user and the real site, relays the code or the push approval, and then captures the authenticated session. Move toward FIDO2/WebAuthn hardware keys or certificate-based authentication, where the credential is cryptographically bound to the legitimate origin. If the "something you have" can be relayed through a proxy, it's not a secure second factor anymore.

Treat authentication as a continuous process: Move away from the "binary" login where a user is trusted indefinitely after one successful MFA prompt. Adopt continuous adaptive trust models that re-evaluate risk in real time based on behavioral signals, such as sudden changes in typing cadence, unusual file access, or "impossible travel" logins from locations too far apart for the elapsed time.
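To make the proxy argument in the MFA item concrete, here is an added example (an editor's illustration in Python, not code from the article or from Dataminr) using only the standard library. It computes a real RFC 6238 TOTP and shows that a code typed into a phishing proxy verifies fine at the real site, then models a FIDO2/WebAuthn login in which the browser binds the request to the page origin and the relying party checks origin, rpIdHash and challenge. The domains bank.example and bank.example.evil.example, the toy authenticator, and the HMAC signature standing in for the authenticator's ECDSA private key are constructed assumptions; the checks themselves are the ones a WebAuthn relying party performs.

```python
import hashlib, hmac, json, os, struct

# ---- Shared-secret OTP (RFC 4226 HOTP / RFC 6238 TOTP) ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    return hotp(secret, unix_time // step)

def otp_relay_succeeds(secret: bytes, unix_time: int) -> bool:
    """AiTM: the victim types the code from their app into the phishing page and the
    proxy forwards it to the real site within the same 30 s window. Nothing in the
    code ties it to the site it was typed into, so the real site accepts it."""
    code_typed_into_proxy = totp(secret, unix_time)              # victim's authenticator app
    return hmac.compare_digest(code_typed_into_proxy, totp(secret, unix_time))  # real site's check

# ---- Origin-bound FIDO2/WebAuthn assertion (toy model of the real checks) ----
RP_ID, RP_ORIGIN = "bank.example", "https://bank.example"      # constructed relying party

class Authenticator:
    """Toy authenticator: an HMAC key stands in for the per-credential private key
    (constructed simplification; real authenticators sign with ECDSA/EdDSA)."""
    def __init__(self):
        self.creds = {}                                          # rp_id -> (credential_id, key)

    def register(self, rp_id: str):
        cred_id, key = os.urandom(16), os.urandom(32)
        self.creds[rp_id] = (cred_id, key)
        return cred_id, key

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        cred_id, key = self.creds[rp_id]
        # authenticatorData = rpIdHash(32) | flags(1, user present) | signCount(4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        return cred_id, auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get(auth: Authenticator, page_origin: str, options: dict):
    """navigator.credentials.get(): the browser only allows an rpId that is the page's
    host or a registrable suffix of it, and writes the origin it actually sees into
    clientDataJSON, which the authenticator then signs over."""
    host = page_origin.split("://", 1)[1]
    rp_id = options.get("rpId", host)
    if not (host == rp_id or host.endswith("." + rp_id)) or rp_id not in auth.creds:
        return None                     # SecurityError / no credential scoped to this rpId
    client_data = json.dumps({"type": "webauthn.get", "challenge": options["challenge"],
                              "origin": page_origin}).encode()
    cred_id, auth_data, sig = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return {"credentialId": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, expected_challenge: str, registered: dict) -> bool:
    """Relying-party checks: type, fresh challenge (anti-replay), origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:   # signed over a phishing origin: reject
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    key = registered.get(assertion["credentialId"])
    if key is None:
        return False
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), assertion["signature"])

def _enrol():
    auth = Authenticator()
    cred_id, key = auth.register(RP_ID)
    return auth, {cred_id: key}                                  # RP-side credential store

def legitimate_login() -> bool:
    auth, registered = _enrol()
    challenge = os.urandom(32).hex()
    a = browser_get(auth, RP_ORIGIN, {"rpId": RP_ID, "challenge": challenge})
    return a is not None and rp_verify(a, challenge, registered)

def aitm_login() -> bool:
    """Proxy at bank.example.evil.example forwards the real rpId and challenge unchanged."""
    auth, registered = _enrol()
    challenge = os.urandom(32).hex()
    a = browser_get(auth, "https://bank.example.evil.example", {"rpId": RP_ID, "challenge": challenge})
    return a is not None and rp_verify(a, challenge, registered)

def replayed_login() -> bool:
    """An assertion captured from an earlier session is replayed against a fresh challenge."""
    auth, registered = _enrol()
    captured = browser_get(auth, RP_ORIGIN, {"rpId": RP_ID, "challenge": os.urandom(32).hex()})
    return rp_verify(captured, os.urandom(32).hex(), registered)

if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", otp_relay_succeeds(os.urandom(20), 1_775_000_000))
    print("FIDO2 legitimate:", legitimate_login(), "| via AiTM proxy:", aitm_login(),
          "| replayed:", replayed_login())
```

The OTP path succeeds because the code is a function of a shared secret and the clock only; it says nothing about where it was typed. The WebAuthn path fails at the browser before anything reaches the relying party, because the proxy's host is not covered by the credential's rpId, and even a leniently built client would fail rp_verify on the origin check, since the origin the user actually visited is inside the signed clientDataJSON.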
Harden the help desk against AI social engineering: AI-generated voice cloning is making the "forgot my password" call a massive vulnerability. Establish out-of-band verification for help desk tickets, such as a video call with a known supervisor or presentation of a physical token, to ensure the person requesting a credential reset isn't an AI-powered imposter. The verification channel must be one the requester did not choose; calling back a number the requester supplied proves nothing.

Audit for "identity sprawl": Inventory third-party integrations and service accounts, which often rely on static credentials (API keys, passwords, long-lived tokens) that bypass MFA and are rarely rotated. Enforce the principle of least privilege, and ensure every service account has a defined expiration date and a designated human owner.

Elevate credential compromise as a priority signal: When a compromised credential surfaces, the response should be immediate and holistic. That means not just changing one password but revoking that identity's existing sessions and tokens as well, and conducting a look-back: what did this identity access in the 48 hours prior to the alert? Security teams must treat a "valid login" alert with the same urgency as a malware detection.

The increasing shift to credential-based attacks is a calculated move toward the path of least resistance: low risk, highly automated, and devastatingly effective at bypassing even the most hardened perimeters. If we fail to evolve our verification models, we are essentially leaving the keys in the ignition. We must stop viewing identity as a static gate and start treating it as a continuous, high-priority signal, or we will continue to ignore the warning signs until the high cost of a breach makes them impossible to miss.

About the Author
Jeanette Miller-Osborn, Field Cyber Intelligence Officer, Dataminr
Jeanette Miller-Osborn co-created the MITRE ATT&CK framework, has testified before the U.S. Senate on cyber defense, and has spent two decades on the frontlines of threat intelligence, from the U.S. Air Force to MITRE to Unit 42 to Dataminr, where she now serves as Field Cyber Intelligence Officer.
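Added example for the "impossible travel" signal in the continuous-authentication item and for the 48-hour look-back in the credential-compromise item (an editor's illustration in Python, not the author's or Dataminr's code; both functions share one log parser). It reads a constructed JSON-lines login and file-access log that is assumed to be already GeoIP-enriched with latitude and longitude, flags consecutive logins by the same user whose implied speed exceeds what an airliner could manage, and returns everything an identity touched in the 48 hours before an alert so the response can be scoped. The user names, IP addresses, coordinates, resource names and the 900 km/h threshold are invented for the demonstration.

```python
import json
import math
from datetime import datetime, timedelta, timezone

# Constructed sample log (JSON lines). lat/lon are assumed to come from an upstream
# GeoIP enrichment step; users, IPs and resources are invented for this example.
SAMPLE_LOG = """\
{"ts":"2026-04-09T08:02:11Z","user":"a.lee","event":"login","ip":"203.0.113.10","lat":47.61,"lon":-122.33}
{"ts":"2026-04-09T08:05:40Z","user":"a.lee","event":"file_access","resource":"finance/q1-forecast.xlsx"}
{"ts":"2026-04-09T09:30:02Z","user":"a.lee","event":"login","ip":"198.51.100.7","lat":52.52,"lon":13.40}
{"ts":"2026-04-09T09:31:15Z","user":"a.lee","event":"file_access","resource":"hr/payroll-export.csv"}
{"ts":"2026-04-09T10:00:00Z","user":"a.lee","event":"file_access","resource":"eng/prod-deploy-keys"}
{"ts":"2026-04-10T07:15:00Z","user":"b.ortiz","event":"login","ip":"192.0.2.44","lat":40.71,"lon":-74.01}
{"ts":"2026-04-10T15:20:00Z","user":"b.ortiz","event":"login","ip":"192.0.2.91","lat":41.88,"lon":-87.63}
{"ts":"2026-04-11T09:00:00Z","user":"a.lee","event":"login","ip":"203.0.113.10","lat":47.61,"lon":-122.33}
"""

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0    # about airliner cruise speed; tune to your environment
MIN_DISTANCE_KM = 100.0      # ignore GeoIP jitter between nearby points
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)

def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = parse_ts(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM) -> list:
    """Flag consecutive logins by the same user whose implied speed is not physically plausible."""
    findings, last_login = [], {}
    for e in events:
        if e["event"] != "login":
            continue
        prev = last_login.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Two distant logins at the same instant are flagged outright (no division by zero).
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                findings.append({"user": e["user"], "at": e["ts"].strftime(TS_FMT),
                                 "from_ip": prev["ip"], "to_ip": e["ip"],
                                 "km": round(km), "hours": round(hours, 2),
                                 "kmh": None if hours == 0 else round(km / hours)})
        last_login[e["user"]] = e
    return findings

def lookback(events, user: str, alert_ts: str, hours: int = 48) -> list:
    """Everything this identity did in the window ending at the alert, for scoping the response."""
    end = parse_ts(alert_ts)
    start = end - timedelta(hours=hours)
    return [e for e in events if e["user"] == user and start <= e["ts"] <= end]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in impossible_travel(evs):
        print("IMPOSSIBLE TRAVEL", f)
        for e in lookback(evs, f["user"], f["at"]):
            print("   ", e["ts"].strftime(TS_FMT), e["event"], e.get("resource", e.get("ip")))
```

On the sample data the Seattle-to-Berlin pair for a.lee is flagged (roughly 8,100 km in under an hour and a half), while b.ortiz's New York-to-Chicago hop and a.lee's return two days later are within plausible speed. In production the look-back window should also pull the events after the alert, since the payroll export and deploy-key access in the sample happen minutes after the flagged login; the 48 hours before tell you how far back to scope, not where to stop.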