
CrowdStrike 2025 Threat Hunting Report – part 5: Identity Hunting

  • Writer: Katarzyna Celińska
  • Aug 28
  • 2 min read

Adversaries increasingly exploit valid accounts, weak authentication, and misconfigured identity systems to bypass traditional defenses.

 

Identity as the Primary Attack Vector

The report reveals that:

  • 71% of all interactive intrusions involved valid account abuse
  • 68% of identity-based attacks bypassed MFA, often using session token theft
  • Identity compromise allows adversaries to move laterally and blend into normal user behavior

Adversaries like Scattered Spider specialize in help desk social engineering—tricking support teams into resetting MFA, then quickly enrolling rogue devices. Once in, they pivot across SaaS, endpoints, and cloud with legitimate credentials.


Detecting Identity Abuse

Identity misuse rarely shows up on endpoints alone. Instead, it requires correlating signals across domains:

  • Endpoint: Adversaries minimize their footprint by pivoting off endpoints quickly
  • Identity Systems: Compromised accounts used outside normal working hours or enrolled in new MFA devices
  • Cloud: Suspicious VM creation, MFA resets, or SSPR (self-service password reset) enumeration revealing phishing attempts
  • SaaS Applications: Unusual access to platforms like SharePoint, OneDrive, or privileged access management systems

Defenders must piece together these signals across logs, identity telemetry, and SaaS activity.
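As an added example (not code from the report or from this post), a small Python hunt that correlates the signals listed above over constructed identity, help-desk and cloud events: a help-desk MFA reset quickly followed by a new MFA device enrollment, that device's first cloud VM creation, and sign-ins outside working hours. The event kinds, CSV field layout, time windows and working-hours baseline are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class IdentityEvent:
    ts: datetime
    user: str
    kind: str    # mfa_reset | mfa_enroll | signin | vm_create (assumed vocabulary)
    source: str  # helpdesk | idp | cloud: the domain that logged the event
RESET_TO_ENROLL = timedelta(minutes=30)  # reset quickly followed by a new device
ENROLL_TO_CLOUD = timedelta(hours=24)    # new device followed by first cloud activity
WORK_HOURS = range(7, 20)                # 07:00-19:59, assumed working baseline

def parse_events(lines):
    """Parse constructed 'timestamp,user,kind,source' lines into time-sorted events."""
    events = []
    for line in lines:
        ts, user, kind, source = line.strip().split(",")
        events.append(IdentityEvent(datetime.fromisoformat(ts), user, kind, source))
    return sorted(events, key=lambda e: e.ts)

def followed_by(first, events, kind, window):
    """Events of `kind` logged within `window` after `first`."""
    return [e for e in events if e.kind == kind and first.ts <= e.ts <= first.ts + window]

def hunt(events):
    """Return (user, rule, timestamp) findings from per-user, cross-domain correlation."""
    findings, by_user = [], {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        # Help-desk MFA reset followed within minutes by a new MFA device enrollment
        for reset in (e for e in evs if e.kind == "mfa_reset"):
            for enroll in followed_by(reset, evs, "mfa_enroll", RESET_TO_ENROLL):
                findings.append((user, "mfa_reset_then_enroll", enroll.ts))
                # Cross-domain pivot: the fresh device is then used to create cloud VMs
                for vm in followed_by(enroll, evs, "vm_create", ENROLL_TO_CLOUD):
                    findings.append((user, "enroll_then_cloud_vm", vm.ts))
        # Valid account signing in outside its normal working hours
        for signin in (e for e in evs if e.kind == "signin"):
            if signin.ts.hour not in WORK_HOURS:
                findings.append((user, "off_hours_signin", signin.ts))
    return findings

# Constructed sample telemetry: alice matches the chain, bob's reset and enrollment are a day apart
SAMPLE_LOG = [
    "2025-08-20T09:05:00,alice,mfa_reset,helpdesk",
    "2025-08-20T09:09:00,alice,mfa_enroll,idp",
    "2025-08-20T23:40:00,alice,signin,idp",
    "2025-08-21T00:10:00,alice,vm_create,cloud",
    "2025-08-20T10:00:00,bob,mfa_reset,helpdesk",
    "2025-08-21T14:00:00,bob,mfa_enroll,idp",
]
```

Running `hunt(parse_events(SAMPLE_LOG))` yields three findings for alice and none for bob; in practice the same correlation would run over IdP, help-desk ticketing and cloud audit logs joined on the account identifier.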

 

The Rise of Vishing

Identity attacks increasingly start with vishing.

Vishing rose by 442% in late 2024, with record levels persisting into 2025.

Attackers use vishing to impersonate employees or IT staff, tricking help desks into granting access or resetting MFA.

 

Identity is a critical element of cybersecurity. Attackers know that once they own an account, they can bypass endpoint defenses, move through cloud environments, and access sensitive SaaS platforms without raising alarms.

The speed of groups like Scattered Spider—completing an intrusion chain in under 5 minutes—shows why identity defense must evolve. For defenders, identity hunting is about correlation, tying together endpoint, cloud, SaaS, and IAM activity. Without that correlation, organizations may overlook the subtle indicators of an adversary who is already inside.

BW ADVISORY sp. z o.o. 