The call came at 6:42 PM on a Friday — the kind of timing that tells you it's not a drill. A mid-market healthcare company's security team had flagged something unusual: a service account for their cloud data warehouse was running queries it had never run before. Not just a few queries — thousands. Systematically pulling patient records, billing data, and insurance information across every table in the environment.
The service account credentials had been valid. MFA wasn't enforced on it — it was a machine identity, after all. The queries came from a legitimate IP range, one that matched the company's corporate VPN. Every authentication event looked clean. There was no malware, no exploit, no lateral movement through the network. Just a compromised credential, used exactly the way it was designed to be used.
By the time the team confirmed it was unauthorized access, 3.2 million records had been staged for exfiltration. The attacker had been inside for eleven days.
"There was nothing to detect. No signature, no anomaly in the traditional sense. The credential was valid. The access was authorized. The queries were well-formed. It looked exactly like normal operations — because from the system's perspective, it was." — Incident responder, post-breach debrief
The credential economy is booming
This story isn't unusual. It's becoming the default pattern for how breaches happen.
According to Verizon's 2025 Data Breach Investigations Report, over 80% of web application breaches now involve stolen credentials. IBM's Cost of a Data Breach Report pegs credential-based attacks as the most common initial access vector for the third consecutive year, with an average cost of $4.81 million per incident.
The reason is economics. Why spend weeks crafting a zero-day exploit when you can buy valid credentials for $10 on a dark web marketplace? Initial access brokers — specialized threat actors who compromise credentials at scale and sell access to other criminal groups — have turned credential theft into an industrial operation. CrowdStrike's 2025 Global Threat Report documented a 20% year-over-year increase in access broker advertisements on underground forums.
The supply chain is ruthlessly efficient: infostealers harvest credentials from endpoint malware, phishing kits capture them in real time, and data breach dumps recycle them across services where passwords are reused. By the time a credential reaches the buyer, it's been validated, categorized by target organization, and priced based on the level of access it provides.
A VPN credential for a mid-market company? $200. An admin credential for a SaaS platform? $1,500. A service account with access to a production database? Priceless — or at least, priced like it.
Why traditional defenses miss identity attacks
The fundamental challenge with credential-based attacks is that they look legitimate. This isn't a failure of your security tools — it's a category problem.
Traditional security architectures were built around the concept of a network perimeter. Firewalls, IDS/IPS, network segmentation — these tools assume that the threat is "out there" and needs to breach a boundary to get "in here." They're extraordinarily good at detecting boundary crossings: port scans, exploit attempts, malware delivery.
But identity attacks don't cross boundaries. They walk through the front door with a valid key.
Consider what a credential-based attack looks like from the perspective of each tool in your stack:
- Firewall: Sees an authenticated connection from an expected IP range. Nothing to flag.
- EDR: No malicious process, no suspicious binary, no behavioral anomaly on the endpoint. Clean.
- SIEM: Ingests a successful authentication event. One of ten thousand that day. Logged and forgotten.
- IAM: The credential is valid. The permissions are authorized. Access granted.
Each tool does exactly what it's designed to do. The problem is that none of them are designed to answer the question that actually matters: is the person using this credential the person it was issued to?
The pattern we keep seeing
After investigating dozens of credential-based breaches, we've seen a clear pattern emerge. It's not a single dramatic moment — it's a slow, methodical campaign that unfolds over days or weeks:
Step 1: Credential acquisition. The attacker obtains valid credentials through infostealer malware, phishing, or purchase from an initial access broker. This happens before the attack even begins — often weeks or months before the credential is used.
Step 2: Low-and-slow access. The attacker authenticates using the stolen credential, typically during business hours and from a geographically plausible location (using residential proxy networks or compromised infrastructure in the target's region). They don't rush. They browse. They learn the environment.
Step 3: Privilege discovery. Using the compromised account's legitimate permissions, the attacker maps what they can access. They query Active Directory, enumerate file shares, explore cloud storage buckets. Every action is authorized by the account's existing role.
Step 4: Lateral movement via identity. Rather than exploiting vulnerabilities to move laterally, the attacker harvests additional credentials from the compromised account's stored sessions, password managers, or SSO tokens. They move from identity to identity, not from machine to machine.
Step 5: Data access and exfiltration. The attacker accesses the target data using legitimate queries and download tools. There's no custom malware involved — they use the same applications your employees use every day.
This is why mean time to detect for credential-based breaches remains stubbornly high. MITRE ATT&CK maps these techniques — Valid Accounts (T1078), Access Token Manipulation (T1134), Unsecured Credentials (T1552) — but detection requires behavioral context that most tools simply don't have.
MFA is necessary but not sufficient
The reflexive response to credential-based attacks is "just enforce MFA everywhere." And yes — multi-factor authentication should be a baseline for every organization. The data is unambiguous: MFA blocks over 99% of automated credential stuffing attacks.
But the adversaries have adapted. The breaches that defined the past eighteen months all involved MFA bypass:
- MFA fatigue attacks: Bombarding users with push notifications until they approve one out of frustration.
- Adversary-in-the-middle (AiTM) phishing: Using reverse-proxy toolkits like Evilginx to capture both passwords and session tokens in real time, completely bypassing MFA.
- SIM swapping: Social engineering telecom providers to redirect SMS-based MFA codes.
- Session token theft: Stealing post-authentication cookies from endpoints using infostealers like Raccoon, RedLine, or Lumma — rendering MFA irrelevant because the attacker never needs to authenticate.
MFA raises the bar. But sophisticated attackers are pole-vaulting over it. The organizations that got breached in the past year weren't the ones without MFA — they were the ones who treated MFA as the finish line rather than the starting line.
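Two of the bypasses listed above, AiTM proxying and infostealer cookie theft, share one property a defender can check for: the session token ends up in a client that is not the one it was issued to. The attacker never authenticates, so MFA never fires, but the token's context changes. The following is an added example, not code from the article or from n0limit, of binding a session to its issuing context on the server side. The ASNs (taken from the documentation range), the user-agent strings and the `client_hint` attribute are constructed placeholders for whatever stable client signal an environment actually has.

```python
"""Server-side session-context binding.

Added example, not from the article or from n0limit. A session token is recorded
together with the context it was issued in; every later request is checked against
that context. The ASNs (documentation range), user-agent strings and the
`client_hint` attribute are constructed placeholders.
"""
import hashlib
import hmac
import secrets

# token -> issued context. In-memory stand-in for a real session store.
SESSION_STORE = {}


def fingerprint(user_agent, client_hint):
    """Hash the client attributes so the store never holds them in the clear."""
    return hashlib.sha256(f"{user_agent}|{client_hint}".encode()).hexdigest()


def issue_session(identity, source_asn, user_agent, client_hint):
    """Called after a successful (MFA-backed) login; binds the new token to its origin."""
    token = secrets.token_urlsafe(32)
    SESSION_STORE[token] = {
        "identity": identity,
        "asn": source_asn,
        "fp": fingerprint(user_agent, client_hint),
        "requests": 0,
    }
    return token


def check_request(token, source_asn, user_agent, client_hint):
    """Return (decision, reason) for a request presenting `token`.

    allow    - same network and client as at issuance
    step-up  - same client, different network: plausible roaming, require fresh MFA
    revoke   - different client: the token left the device it was issued to (the
               infostealer / AiTM case), so the session is terminated server-side
    reject   - token unknown or already revoked
    """
    ctx = SESSION_STORE.get(token)
    if ctx is None:
        return "reject", "unknown or revoked token"
    same_client = hmac.compare_digest(ctx["fp"], fingerprint(user_agent, client_hint))
    same_network = source_asn == ctx["asn"]
    if not same_client:
        del SESSION_STORE[token]
        return "revoke", f"token for {ctx['identity']} presented from a different client"
    if not same_network:
        return "step-up", f"network changed {ctx['asn']} -> {source_asn}; require re-authentication"
    ctx["requests"] += 1
    return "allow", ""


if __name__ == "__main__":
    # Constructed walk-through: login, normal use, roaming, then replay from another machine.
    tok = issue_session("alice@example.com", "AS64496", "Mozilla/5.0 (X11; Linux)", "device-a")
    print(check_request(tok, "AS64496", "Mozilla/5.0 (X11; Linux)", "device-a"))
    print(check_request(tok, "AS64497", "Mozilla/5.0 (X11; Linux)", "device-a"))
    print(check_request(tok, "AS64497", "Mozilla/5.0 (Windows NT 10.0)", "device-b"))
    print(check_request(tok, "AS64496", "Mozilla/5.0 (X11; Linux)", "device-a"))
```

The binding is only as strong as the client signal behind `client_hint`: a user-agent string alone is trivially copied along with the cookie, so in practice the hint should be something the attacker cannot carry off the endpoint with the token, such as a device certificate or a TLS-bound session. A production version would also persist the store and record that a step-up is pending rather than just returning the decision.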
The structural insight: identity needs investigation, not just authentication
Here's what we've learned from sitting in dozens of post-breach war rooms: the problem isn't that organizations can't authenticate users. The problem is that no one is investigating authenticated sessions.
Authentication answers "is this credential valid?" Investigation answers "does this behavior make sense for this identity?"
The healthcare breach we opened with illustrates this perfectly. The service account was correctly authenticated. Its credentials were valid. Its permissions were authorized. But the behavior — querying every table in a data warehouse systematically, during a period when the legitimate application hadn't been updated — was deeply anomalous. That signal existed in the data. No one was watching for it.
This is a systemic problem. SOC teams are built to investigate alerts — things that are flagged as suspicious by a rule or a model. But credential-based attacks don't generate alerts because there's nothing technically wrong with the actions being taken. The investigation has to happen proactively, continuously, across every authenticated session in the environment.
No human team can do this. You'd need to monitor every login, compare it against historical baselines, cross-reference it with threat intelligence, and contextualize it against business operations — for every identity, every session, every minute of every day.
How n0limit approaches identity investigation
This is the problem we built n0limit to solve — and identity-based attacks are where machine-speed investigation shows its clearest value.
When n0limit ingests authentication events from your identity providers — Okta, Azure AD, Google Workspace, your VPN concentrators — it doesn't just log them. It investigates every single one. In real time. At machine speed.
For each authenticated session, n0limit builds a behavioral profile: what does this identity normally do? When do they typically authenticate? From where? What resources do they access? How much data do they typically query? Then it compares the current session against that baseline — not with a static rule, but with a contextual understanding of what "normal" looks like for that specific identity.
In the healthcare scenario, n0limit would have flagged the anomaly within seconds: a service account executing query patterns that diverge from its established baseline, during a maintenance window that wasn't on the change calendar, accessing tables it had never touched before. Not as a single alert in a queue of thousands — as an investigated finding with full context, timeline, and a confidence-scored verdict.
The investigation that took the healthcare team eleven days happens in microseconds. Every identity. Every session. Every time.
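To make the baseline comparison described in this section concrete, here is an added example that builds a per-identity baseline from past sessions and scores a new session on the axes the section names: hour of authentication, source network, tables touched and query volume. It is my own illustration, not n0limit's code and not a description of how n0limit works internally. The service account name, table names and session counts are constructed to mirror the healthcare scenario, where the hour and the VPN source look normal and only the table coverage and the volume give the session away.

```python
"""Per-identity behavioral baseline for authenticated sessions.

Added example, not n0limit's code. It folds past sessions into a baseline per
identity and scores a new session on four axes: authentication hour, source
network, tables touched, and query volume. All names and numbers are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    identity: str
    started: datetime
    source_net: str        # coarse source label such as "corp-vpn" (constructed)
    tables: frozenset      # tables queried during the session
    queries: int           # number of queries executed


@dataclass
class Baseline:
    hours: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    tables: set = field(default_factory=set)
    max_queries: int = 0
    sessions: int = 0


def build_baselines(history):
    """Fold historical sessions into one Baseline per identity."""
    baselines = defaultdict(Baseline)
    for s in history:
        b = baselines[s.identity]
        b.hours.add(s.started.hour)
        b.sources.add(s.source_net)
        b.tables.update(s.tables)
        b.max_queries = max(b.max_queries, s.queries)
        b.sessions += 1
    return dict(baselines)


def score_session(session, baselines, volume_factor=5):
    """Return (score, findings): one finding per axis on which the session is novel."""
    b = baselines.get(session.identity)
    if b is None:
        return 1, ["no baseline: identity has never authenticated before"]
    findings = []
    if session.started.hour not in b.hours:
        findings.append(f"unusual hour {session.started.hour:02d}:00, baseline {sorted(b.hours)}")
    if session.source_net not in b.sources:
        findings.append(f"new source network {session.source_net!r}")
    new_tables = session.tables - b.tables
    if new_tables:
        findings.append(f"{len(new_tables)} tables never touched before, e.g. {sorted(new_tables)[:3]}")
    if session.queries > volume_factor * b.max_queries:
        findings.append(f"query volume {session.queries} exceeds {volume_factor}x baseline max {b.max_queries}")
    return len(findings), findings


def verdict(score):
    """Valid Accounts (T1078) use looks legitimate axis by axis; the signal is several
    novel axes in one session, so one odd axis stays 'baseline' and two or more escalate."""
    return "investigate" if score >= 2 else "baseline"


def constructed_history():
    """Ten nightly ETL runs by a warehouse service account (constructed data)."""
    first = datetime(2025, 3, 1, 2, 0)
    return [
        Session("svc-warehouse-etl", first + timedelta(days=i), "corp-vpn",
                frozenset({"claims", "billing_summary"}), 40 + i)
        for i in range(10)
    ]


def constructed_benign_session():
    """Another nightly run that stays inside the baseline (constructed)."""
    return Session("svc-warehouse-etl", datetime(2025, 3, 12, 2, 5), "corp-vpn",
                   frozenset({"claims"}), 42)


def constructed_suspicious_session():
    """Same account, hour and network as always, but every table and thousands of queries."""
    tables = {"claims", "billing_summary"} | {f"patient_tbl_{n:02d}" for n in range(23)}
    return Session("svc-warehouse-etl", datetime(2025, 3, 12, 2, 15), "corp-vpn",
                   frozenset(tables), 3000)


if __name__ == "__main__":
    baselines = build_baselines(constructed_history())
    for s in (constructed_benign_session(), constructed_suspicious_session()):
        score, findings = score_session(s, baselines)
        print(f"{s.identity} at {s.started:%Y-%m-%d %H:%M}: {verdict(score)} (score {score})")
        for f in findings:
            print("  -", f)
```

The point of scoring per axis rather than firing on any single deviation is the one the article makes about credential misuse: each individual action is authorized, so a rule on any one attribute drowns in legitimate variation, while a session that is novel on several attributes at once is what deserves an investigator's time. A real implementation would use a sliding window instead of all history, weight the axes, and join the result to a change calendar so that an approved migration does not score as an intrusion.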
The identity perimeter is here to stay
The network perimeter isn't coming back. With hybrid work, cloud-native architectures, and SaaS-first IT strategies, identity is the perimeter now. Every login is a potential breach. Every session is an attack surface.
The organizations that will weather the next wave of credential-based attacks aren't the ones with the most firewalls or the best endpoint agents. They're the ones that treat every authenticated session as something worth investigating — and that have the technology to actually do it.
The attacker who compromised that healthcare company didn't need an exploit. They didn't need malware. They didn't need to be sophisticated at all. They just needed a password — and the knowledge that nobody was watching what happened after the login succeeded.
That's the gap. And until it's closed, the breaches will keep coming.
REFERENCES
Verizon 2025 Data Breach Investigations Report — Credential-based attack analysis
IBM Cost of a Data Breach Report 2025 — Initial access vector breakdown
CrowdStrike 2025 Global Threat Report — Access broker economy
MITRE ATT&CK — Valid Accounts (T1078)
Google Threat Horizons Report — Identity-based threat landscape