Why Identity Is Now the Primary Attack Vector

Written by Aldo van Tonder

For years, the conversation around cybersecurity centred on perimeter defence. Firewalls, antivirus software, endpoint detection - the assumption was that if you could secure the boundary between your network and the outside world, your data would be safe.

That model served organisations well for a long time. But the way we work has fundamentally changed, and security has naturally evolved alongside it.

Workloads now live in the cloud. Staff work from home, from client sites, from wherever the day takes them. Applications are accessed from personal devices, shared machines, and managed laptops simultaneously. Microsoft 365 made all of this possible - giving organisations unprecedented flexibility, collaboration capability, and productivity. That progress is real, and it's worth protecting.

Progress also opens new ground. As work moved beyond the traditional network, the single perimeter gave way to something more distributed - and the one constant across every environment, every device, and every access point became identity. Every user, every application, every service account has an identity that grants access to data, systems, and connected services. As this became the centre of gravity for modern work, it also became the area attackers turned their attention to next.

That is why identity has emerged as the #1 attack path in the modern enterprise - not because Microsoft 365 is insecure, but because identity is now the key to everything, and sophisticated attackers are probing the newer, less-charted corners of how organisations configure and manage it.

The shift attackers made - and when

This evolution didn't happen overnight. As organisations moved workloads to Microsoft 365, Azure, and connected SaaS platforms throughout the early 2020s, attackers adapted in parallel. When data moved to the cloud and access became identity-dependent, their focus shifted from network intrusion to identity - a frontier that was still maturing for many organisations.

The result is a threat landscape where the most notable attacks don't involve malware, exploited software vulnerabilities, or brute-force network penetration. They involve logging in - with legitimate credentials, through legitimate channels, in ways that look entirely normal to standard monitoring tools.

This is simply the nature of how sophisticated threats evolve: they go where the value is, and they look for the areas that are newest and least hardened. Three active attack patterns illustrate this clearly - and all three target areas that many organisations are still in the process of fully configuring.

Threat 1: Storm-2949 style attacks - social engineering at scale

Storm-2949 refers to a threat actor pattern that targets human trust rather than technical vulnerabilities. The mechanics are straightforward but remarkably effective.

The attacker identifies a target - typically someone with elevated access - and initiates a self-service password reset request. They then contact the target through a trusted channel, often impersonating IT support, and social-engineer them into approving a multi-factor authentication prompt. The victim believes they are completing a routine security verification. In reality, they have granted the attacker authenticated access to their Entra ID account.

From there, the attacker moves laterally through accounts that hadn't yet been brought under least-privilege principles - service accounts, shared mailboxes, admin roles that accumulated permissions over time. SharePoint libraries, mailboxes, and connected SaaS applications become accessible without a single piece of malware ever touching the environment.

Encouragingly, Microsoft 365 already provides everything needed to shut this down.

Threat 2: Token-theft phishing kits - a commodity threat reaching every tenant

If Storm-2949 represents the social-engineering end of identity attacks, token-theft kits represent the technical end - and in 2026, that capability has become widely available.

Phishing-as-a-Service kits such as Kali365 - first identified in April 2026 - operate by sitting between the victim and a legitimate Microsoft sign-in page. The victim visits what appears to be a genuine login, enters their credentials, and completes MFA. The kit captures the authenticated session token in real time and passes it to the attacker.

The result is a valid, authenticated session - obtained without ever knowing the user's password and without needing to bypass MFA directly. The attacker replays the stolen token to access the account as if they were the legitimate user.

Importantly, this isn't a weakness in Microsoft's authentication system itself. It targets a newer area of focus - the session that exists after authentication. And Microsoft 365 already provides the controls to close it.
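The replay pattern described above leaves a trace in sign-in telemetry: the MFA-satisfied interactive sign-in comes from the victim's address, and the same session is then used from an unrelated address minutes later. The following detection is an added example, not code from the article or from 4Sight; the records are constructed and their field names are a simplified assumption rather than the exact Entra ID sign-in log schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified sign-in records for the demo; the field names are
# assumptions and not the exact Entra ID sign-in log schema.
SIGN_INS = [
    {"user": "alice@example.com", "time": "2026-04-14T09:00:00", "ip": "203.0.113.10",
     "session": "s-1", "interactive": True, "mfa": True},
    # same session id reused three minutes later from an unrelated address
    {"user": "alice@example.com", "time": "2026-04-14T09:03:00", "ip": "198.51.100.77",
     "session": "s-1", "interactive": False, "mfa": False},
    {"user": "bob@example.com", "time": "2026-04-14T09:10:00", "ip": "203.0.113.20",
     "session": "s-2", "interactive": True, "mfa": True},
    # legitimate silent token refresh from the same address
    {"user": "bob@example.com", "time": "2026-04-14T10:30:00", "ip": "203.0.113.20",
     "session": "s-2", "interactive": False, "mfa": False},
]

REPLAY_WINDOW = timedelta(minutes=30)


def find_session_replay(records, window=REPLAY_WINDOW):
    """Flag sessions whose token is reused from a different IP shortly after
    the MFA-satisfied interactive sign-in that created it. In an AiTM phish
    the MFA completes from the victim's address, then the captured token is
    replayed from the attacker's infrastructure within minutes."""
    by_session = {}
    for r in sorted(records, key=lambda r: r["time"]):
        by_session.setdefault((r["user"], r["session"]), []).append(r)

    findings = []
    for (user, session), events in by_session.items():
        origin = next((e for e in events if e["interactive"] and e["mfa"]), None)
        if origin is None:
            continue  # no MFA-backed origin to compare against
        t0 = datetime.fromisoformat(origin["time"])
        for e in events:
            t = datetime.fromisoformat(e["time"])
            if e is origin or t < t0 or t - t0 > window:
                continue
            if e["ip"] != origin["ip"]:
                findings.append({"user": user, "session": session,
                                 "origin_ip": origin["ip"], "replay_ip": e["ip"],
                                 "minutes_after_mfa": (t - t0).total_seconds() / 60})
    return findings


if __name__ == "__main__":
    for f in find_session_replay(SIGN_INS):
        print(f"possible token replay: {f}")
```

A real deployment would compare ASN or geolocation rather than raw IP and exclude known corporate egress ranges to keep false positives down.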

Threat 3: Teams external access - a collaboration feature that benefits from review

The third area is less technical in nature but equally worth addressing. Microsoft Teams was designed to enable seamless collaboration - including with external partners. As part of that, a setting allowing chat with external, unmanaged Microsoft accounts is enabled by default in many tenant configurations.

In a managed, well-governed environment, this is a genuinely useful capability. In an organisation that simply hasn't revisited its external access policies yet, it can become an opening. Anyone with a personal Microsoft account can initiate a Teams chat with your staff - and Teams, as a trusted internal channel, carries a different level of implicit trust than an unknown email.

Attackers have noticed this and are beginning to use external Teams chat as a first-stage vector for impersonation and phishing-link delivery. The good news is that the fix is straightforward, and Microsoft provides all the controls needed to do it.

Why these gaps are still open in many organisations

Each of these three areas shares a common thread: the protective controls already exist within Microsoft 365. The reason they're still being exploited is that enabling and correctly configuring them takes deliberate effort, platform knowledge, and a structured review of how identity and access are currently managed.

Most organisations that moved to Microsoft 365 did so to gain productivity and collaboration capability - and they succeeded. Identity hardening is the natural next layer, and it often follows once the platform is embedded and the day-to-day is running smoothly. That space between what the platform enables and what has been configured so far is exactly where these threats operate - and it's a space that closes quickly once it's given attention.

Closing it doesn't require replacing Microsoft 365 or moving to a different platform. It requires a clear assessment of the current identity posture, a prioritised plan, and the right Conditional Access, MFA, and access governance policies put in place correctly.

What effective identity security looks like in 2026

Organisations that are well-positioned against identity-based attacks have taken a structured approach to the tools already available to them in Microsoft 365.

They have enforced MFA across all users - not just administrators - and for high-privilege accounts they have moved to phishing-resistant methods such as FIDO2 keys or certificate-based authentication. They have implemented Conditional Access policies that restrict access based on risk, location, device compliance, and sign-in context. Global Admin counts have been reviewed and reduced. Administrative accounts are separated from day-to-day user accounts.

They have also covered the fundamentals: legacy authentication is blocked, device-code flow is disabled, and stale accounts and dormant admin roles have been cleaned up. Teams external access has been reviewed and restricted to trusted domains.
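The controls in the two paragraphs above, together with the Teams external-access setting from Threat 3, can be checked mechanically against an export of the tenant's configuration. The posture check below is an added example, not 4Sight's assessment tooling; the tenant snapshot is constructed and its shape is a simplified stand-in for a Graph API export, while the policy state values and the Teams consumer-access setting correspond to real Microsoft 365 settings. The Global Admin threshold is an assumption.

```python
# Constructed tenant snapshot for the demo. The shape is a simplified stand-in
# for what a Graph API export would contain, not the real schema; the policy
# "state" values (enabled / enabledForReportingButNotEnforced / disabled) and
# the Teams allowTeamsConsumer setting mirror real Microsoft 365 settings.
TENANT = {
    "conditional_access_policies": [
        {"name": "Block legacy authentication", "state": "enabled",
         "users": "all", "clientAppTypes": ["exchangeActiveSync", "other"],
         "authenticationFlows": [], "grant": "block"},
        {"name": "Block device code flow", "state": "enabledForReportingButNotEnforced",
         "users": "all", "clientAppTypes": [], "authenticationFlows": ["deviceCodeFlow"],
         "grant": "block"},
        {"name": "Require MFA", "state": "enabled", "users": "admins",
         "clientAppTypes": [], "authenticationFlows": [], "grant": "mfa"},
    ],
    "teams_federation": {"allowTeamsConsumer": True, "allowedDomains": ["partner.example"]},
    "global_admin_count": 7,
}

MAX_GLOBAL_ADMINS = 5  # assumption: threshold used for the "reviewed and reduced" check


def check_posture(tenant, max_admins=MAX_GLOBAL_ADMINS):
    """Return findings for controls from the article that are not enforced.
    Report-only policies are deliberately not counted as enforcement."""
    enforced = [p for p in tenant["conditional_access_policies"] if p["state"] == "enabled"]

    def any_policy(pred):
        return any(pred(p) for p in enforced)

    findings = []
    if not any_policy(lambda p: p["grant"] == "block" and p["users"] == "all"
                      and {"exchangeActiveSync", "other"} <= set(p["clientAppTypes"])):
        findings.append("legacy authentication is not blocked for all users")
    if not any_policy(lambda p: p["grant"] == "block" and p["users"] == "all"
                      and "deviceCodeFlow" in p["authenticationFlows"]):
        findings.append("device-code flow is not blocked by an enforced policy")
    if not any_policy(lambda p: p["grant"] == "mfa" and p["users"] == "all"):
        findings.append("MFA is not required for all users")
    if tenant["teams_federation"]["allowTeamsConsumer"]:
        findings.append("Teams chat with unmanaged personal Microsoft accounts is allowed")
    if tenant["global_admin_count"] > max_admins:
        findings.append(f"{tenant['global_admin_count']} Global Admins exceeds the "
                        f"threshold of {max_admins}")
    return findings


if __name__ == "__main__":
    for f in check_posture(TENANT):
        print("FINDING:", f)
```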

None of these controls are beyond the reach of a typical Microsoft 365 organisation. All of them are available within the platform. And most can be implemented without significant disruption to day-to-day operations, provided the rollout is phased and users are brought along with clear communication.

The starting point is always the same: a clear, honest assessment of the current identity posture - what is configured, what is not, and where the risk sits.

Join us on 24 June, 10am–11am SAST

On 24 June 2026, 4Sight's Chief Digital Officer and Modern Workplace Lead are hosting a free, practical session on exactly these threats - what they look like in practice, how to assess your current exposure, and what the remediation path looks like across three tiers of protection.

This is a practical session, not a sales presentation. Bring your questions - our team will answer them live.

Register here →

4Sight Identity Protect is a Microsoft 365 identity and access security service covering assessment, hardening, Conditional Access policy implementation, and ongoing monitoring. To learn more, contact sales@4sight.cloud