
Identity Is the New Perimeter: Reducing Account Takeover Risk in 2025

March 12, 2025

Identity attacks are now at the centre of modern breaches. Learn how to reduce account takeover risk in 2025 with stronger identity security, MFA and zero trust.

Why Identity Attacks Dominate Today’s Threat Landscape

The traditional security model assumed that if users and devices were inside the network, they could be trusted. That boundary has dissolved. Cloud adoption, remote work and SaaS have shifted critical data and workflows beyond the corporate perimeter. Today, identity is the real perimeter.

Recent threat reports show that the majority of breaches now involve a human element, often via stolen or abused credentials, rather than purely technical exploits. Attackers focus on phishing, session hijacking and MFA fatigue to impersonate legitimate users and move laterally across cloud and on-prem environments (see: Microsoft).

Once inside, a compromised identity can be more powerful than a traditional malware infection. A single privileged account can grant access to email, collaboration platforms, production workloads and financial systems, often without triggering obvious alarms.

From stolen passwords to full session hijacking

Modern account takeover rarely stops at guessing or stealing a password. Attackers:

  • Buy credential dumps and session tokens from underground markets
  • Use adversary-in-the-middle proxies to capture MFA challenges
  • Exploit OAuth consent flows to grant rogue access to mailboxes and cloud apps
  • Replay session cookies to bypass login altogether

These techniques bypass many legacy controls that still assume a clear distinction between “inside” and “outside” the network.

How identity attacks bypass traditional network controls

When most business systems live in Microsoft 365, Google Workspace, Salesforce or industry SaaS, traffic may never traverse your data centre. A user connecting from home to a cloud app over HTTPS looks very similar to an attacker using stolen credentials from another country.

This is why identity security has become a core focus of modern zero trust architectures. Instead of implicitly trusting connections from certain networks, you continuously evaluate the identity, device posture and context of each access request.

Common Gaps in Enterprise Identity Security

Despite large investments in IAM platforms and single sign-on, many organisations still have significant identity security gaps.

Weak or misconfigured MFA

Multi-factor authentication is now a baseline requirement, yet implementations vary greatly in quality. Common issues include:

  • Allowing easily phishable methods such as SMS codes as the only second factor
  • Enabling “MFA remembered devices” for long periods, which attackers exploit
  • Failing to enforce MFA for high-risk actions such as changing forwarding rules or registering new devices

Where possible, organisations should move towards phishing-resistant methods such as FIDO2 security keys or platform authenticators for high-value accounts.

Privilege creep and shadow admins

Over time, users accumulate permissions as they change roles or work on urgent projects. Without regular reviews, this privilege creep leads to:

  • Multiple untracked global admin accounts
  • Shared service accounts with broad access and weak controls
  • Third-party integrations that still have production-level permissions years later

These accounts are prime targets for attackers, and often fall outside normal identity lifecycle processes.

Silos between IAM, PAM and security operations

Identity and access management (IAM), privileged access management (PAM) and security operations are frequently run as separate initiatives. That can leave blind spots when:

  • IAM teams manage accounts but do not see attack telemetry from SIEM or EDR
  • SOC analysts detect suspicious activity but lack identity context, such as ownership or privileges
  • Joiner-mover-leaver processes are not integrated with security tools

Aligning these disciplines is a prerequisite for effective identity threat detection and response.

Designing a Modern Identity Security Strategy

A modern identity security strategy goes beyond onboarding accounts and enforcing basic MFA. It combines strong authentication, continuous monitoring and zero trust principles.

Strong authentication and phishing-resistant MFA

Foundations include:

  • Enforcing MFA for all remote access and SaaS applications
  • Using phishing-resistant methods (FIDO2 keys, device-bound passkeys) for administrators and sensitive roles
  • Blocking legacy protocols that do not support modern authentication
  • Implementing conditional access policies based on device posture, location and risk signals

For Microsoft environments, this often starts with hardening Azure AD / Entra ID policies and aligning them with recommendations from vendors and standards bodies such as the Cloud Security Alliance.

Identity Threat Detection and Response (ITDR) in practice

Even strong MFA cannot fully prevent identity abuse. Identity Threat Detection and Response focuses on:

  • Monitoring risky sign-ins, impossible travel and suspicious consent grants
  • Detecting anomalous use of privileged roles and service accounts
  • Correlating identity events with endpoint and network telemetry

Organisations can extend existing SIEM and MDR investments to include identity-centric detections. DACTA’s Managed Detection & Response (MDR) services, for example, integrate identity signals alongside endpoint and network events to provide 24×7 monitoring of suspicious activity.

Applying zero trust principles to identity

Zero trust is often summarised as “never trust, always verify.” Applied to identity, that means:

  • Authenticating and authorising every access request, regardless of network location
  • Minimising standing privileges through just-in-time access where possible
  • Continuously evaluating risk based on behaviour and context
  • Applying least privilege to human and machine identities

Rather than a single project, zero trust identity becomes an ongoing design principle for new systems and integrations.

A 90-Day Plan to Reduce Account Takeover Risk

Security leaders do not need to wait for a multi-year transformation to make progress. A focused 90-day effort can reduce account takeover risk substantially.

Step 1: Assess identity posture across key systems

Start by mapping:

  • Identity providers (Entra ID, Okta, on-prem AD, others)
  • High-value applications (email, ERP, CRM, core SaaS)
  • Existing MFA coverage and methods
  • Admin accounts and privileged roles

Quick wins often emerge from simply consolidating redundant accounts and closing gaps where critical systems lack MFA.

Step 2: Harden Microsoft 365, VPN and core SaaS

For many organisations, Microsoft 365 and VPN access remain primary attack paths. Focus on:

  • Enabling conditional access policies for risky sign-ins and locations
  • Enforcing MFA for all remote access
  • Disabling legacy authentication protocols
  • Reviewing and revoking unused OAuth app consents

Where possible, extend similar controls to other critical SaaS platforms.

Step 3: Integrate identity signals into security monitoring

Work with your security operations team or MDR provider to:

  • Ingest identity provider logs into your SIEM
  • Create alerts for risky patterns such as impossible travel or repeated MFA prompts
  • Correlate identity anomalies with endpoint detections and data access patterns

DACTA’s Risk Assessment services can help you prioritise these efforts based on actual business impact, while Security for Microsoft offerings focus specifically on protecting Microsoft-centric environments.
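The two risky patterns named under ITDR and in Step 3 (impossible travel and repeated MFA prompts) can be expressed as detection logic run over identity provider sign-in events. The following is an added Python example, not DACTA's code or any identity provider's built-in detection; the event tuple format, the speed and prompt-count thresholds, and the coordinates are assumptions, and the sample events are constructed.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (hypothetical): (timestamp, user, result, lat, lon)
SAMPLE_EVENTS = [
    ("2025-03-12T08:00:00", "alice", "success", 52.52, 13.41),    # Berlin
    ("2025-03-12T08:45:00", "alice", "success", 40.71, -74.01),   # New York, 45 min later
    ("2025-03-12T09:00:00", "carol", "success", 48.86, 2.35),     # Paris
    ("2025-03-12T15:00:00", "carol", "success", 51.51, -0.13),    # London, 6 h later: plausible
    ("2025-03-12T09:00:00", "bob", "mfa_denied", 51.51, -0.13),
    ("2025-03-12T09:01:00", "bob", "mfa_denied", 51.51, -0.13),
    ("2025-03-12T09:02:00", "bob", "mfa_denied", 51.51, -0.13),
    ("2025-03-12T09:04:00", "bob", "mfa_approved", 51.51, -0.13),  # approval after repeated prompts
]

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2, dphi, dlam = (math.radians(v) for v in (lat1, lat2, lat2 - lat1, lon2 - lon1))
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))  # great-circle distance, Earth radius 6371 km

def _by_user(events, wanted):
    groups = defaultdict(list)  # per-user rows matching the result filter, sorted by time below
    for ts, user, result, lat, lon in events:
        if wanted(result):
            groups[user].append((datetime.fromisoformat(ts), result, lat, lon))
    return {u: sorted(rows) for u, rows in groups.items()}

def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins whose implied speed exceeds max_speed_kmh."""
    alerts = []
    for user, rows in _by_user(events, lambda r: r == "success").items():
        for (t1, _, la1, lo1), (t2, _, la2, lo2) in zip(rows, rows[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist > 50 and (hours == 0 or dist / hours > max_speed_kmh):
                alerts.append((user, round(dist), round(hours, 2)))
    return alerts

def detect_mfa_fatigue(events, window_min=10, min_denials=3):
    """Flag an MFA approval preceded by min_denials denied prompts within window_min minutes."""
    alerts = []
    for user, rows in _by_user(events, lambda r: r.startswith("mfa_")).items():
        for i, (t, result, _, _) in enumerate(rows):
            if result == "mfa_approved":
                denied = sum(1 for tt, r, _, _ in rows[:i] if r == "mfa_denied" and (t - tt).total_seconds() <= window_min * 60)
                if denied >= min_denials:
                    alerts.append((user, denied))
    return alerts
```

In a SIEM these two functions become correlation rules over the same fields; the useful follow-up is enriching each alert with identity context (account owner, privileged roles) so the SOC can triage it, as the article recommends.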

Conclusion: Treat Identity as Critical Infrastructure

As the perimeter dissolves, identity becomes the fabric that holds your security model together. Reducing account takeover risk in 2025 is not just a technical exercise. It touches governance, user experience and how your organisation designs access to data and systems.

By hardening authentication, monitoring identity signals and applying zero trust principles, security leaders can significantly reduce the blast radius of a compromised account. For organisations that want a structured path forward, partnering with specialists such as DACTA to align identity security with broader detection, response and governance efforts can accelerate progress while keeping business needs in focus.
