Digital identity attacks were the fastest growing cybersecurity threat between July 2023 and July 2024, according to the Microsoft Digital Defence Report 2024. Every day, Microsoft customers experience more than 600 million attempted attacks from cybercriminals or nation-states.
The report says that 99 per cent of identity attacks still rely on passwords. Attacks are not only targeting classic security vulnerabilities and poor password hygiene on the part of users. Targeted social engineering and advanced techniques such as AI-based attack methods are also increasingly being used. [1]
Password-based attacks: an old threat in a new guise
Although multi-factor authentication (MFA) and zero-trust approaches are becoming more widespread, the classic password attack remains the main vector for identity theft. According to Microsoft, attackers are using breach replays (reusing credentials leaked in earlier security incidents), password sprays (trying a few common passwords across many accounts) and targeted phishing to gain access to user accounts and sensitive data.
This makes password reuse particularly risky: if the same credentials have been used on multiple platforms, a single leak is likely to compromise the other accounts as well. Using automated tools, a leaked password can be tried against many other services within seconds.
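The spray and replay patterns described above leave a recognisable trace in sign-in logs: one source touching many accounts with one or two attempts each (a spray), as opposed to one source hammering a single account (brute force). The following script is an added example for this article, not code from Microsoft or the report; the log format, the ten-minute window, the thresholds and the sample events are all constructed assumptions. An account that succeeds from a source that is spraying is reported separately, because that success is the moment the reused or weak password paid off.

```python
"""Spot password-spray and brute-force patterns in sign-in logs.

Added example for this article; it is not code from Microsoft or the report.
The log format, the time window and the thresholds are assumptions chosen
for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

WINDOW_MINUTES = 10        # assumed: events from one source are grouped per 10-minute bucket
SPRAY_MIN_USERS = 5        # assumed: distinct accounts hit from one source before calling it a spray
SPRAY_MAX_PER_USER = 2     # assumed: a spray tries only a few passwords per account
BRUTE_MIN_FAILS = 5        # assumed: failures against one account from one source

# Constructed sample log: "timestamp,source_ip,username,result"
SAMPLE_LOG = """\
2024-06-01T10:00:01,203.0.113.7,alice,FAIL
2024-06-01T10:00:02,203.0.113.7,bob,FAIL
2024-06-01T10:00:03,203.0.113.7,carol,FAIL
2024-06-01T10:00:04,203.0.113.7,dave,FAIL
2024-06-01T10:00:05,203.0.113.7,erin,FAIL
2024-06-01T10:00:06,203.0.113.7,frank,SUCCESS
2024-06-01T10:05:00,198.51.100.9,alice,FAIL
2024-06-01T10:05:01,198.51.100.9,alice,FAIL
2024-06-01T10:05:02,198.51.100.9,alice,FAIL
2024-06-01T10:05:03,198.51.100.9,alice,FAIL
2024-06-01T10:05:04,198.51.100.9,alice,FAIL
2024-06-01T10:05:05,198.51.100.9,alice,FAIL
2024-06-01T10:30:00,192.0.2.44,alice,SUCCESS
"""


@dataclass
class Finding:
    kind: str                  # "password_spray" or "brute_force"
    source_ip: str
    users: list = field(default_factory=list)        # accounts that saw failures
    compromised: list = field(default_factory=list)  # accounts that succeeded from the same source


def parse_log(text):
    """Parse the CSV-style sample into (timestamp, ip, user, result) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        rows.append((datetime.fromisoformat(ts), ip, user, result))
    return rows


def bucket_of(ts):
    """Floor a timestamp to the start of its WINDOW_MINUTES bucket."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)


def analyse(rows):
    """Group events per (source IP, time bucket) and classify the pattern."""
    buckets = defaultdict(lambda: {"fails": defaultdict(int), "successes": set()})
    for ts, ip, user, result in rows:
        key = (ip, bucket_of(ts))
        if result == "SUCCESS":
            buckets[key]["successes"].add(user)
        else:
            buckets[key]["fails"][user] += 1

    findings = []
    for (ip, _), data in buckets.items():
        fails = data["fails"]
        if not fails:
            continue
        # Spray: many accounts, only a couple of attempts each. A success from the
        # spraying source strongly suggests a weak or reused password on that account.
        if len(fails) >= SPRAY_MIN_USERS and max(fails.values()) <= SPRAY_MAX_PER_USER:
            findings.append(Finding("password_spray", ip, sorted(fails),
                                    sorted(data["successes"])))
        # Brute force: a single account hit repeatedly from one source.
        hammered = sorted(u for u, n in fails.items() if n >= BRUTE_MIN_FAILS)
        if hammered:
            findings.append(Finding("brute_force", ip, hammered,
                                    sorted(data["successes"] & set(hammered))))
    return findings


if __name__ == "__main__":
    for f in analyse(parse_log(SAMPLE_LOG)):
        print(f.kind, f.source_ip, "targets:", f.users, "compromised:", f.compromised)
```

On the constructed sample the script reports a spray from 203.0.113.7 with `frank` as the compromised account and a brute-force attempt against `alice` from 198.51.100.9; the later successful sign-in by `alice` from a third address is left alone, which is exactly the kind of event a per-account failure counter would miss but a per-source view catches.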
Microsoft recommends adopting passwordless authentication methods such as biometrics or hardware-based tokens. These methods significantly reduce the risk and are intended to make traditional passwords obsolete.
Post-authentication attacks: The new wave of threats
Post-authentication attacks are a lesser-known but increasingly threatening form of attack. They involve compromising sessions that have already been authenticated, for example through token theft or consent phishing. Users unknowingly hand over access rights to attackers, who then do not need to authenticate themselves again. A typical scenario might look like this: an employee clicks on a seemingly legitimate link that asks them to grant access to an application. Authentication tokens are read in the background, giving the attacker long-term access.
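The consent-phishing scenario above leaves an artefact that defenders can audit: the consent grant itself, recorded in the identity provider's audit log with the app, the publisher and the permissions the user agreed to. The script below is an added example for this article, not code from Microsoft or the report; the grant records, scope names, risk weights and thresholds are constructed assumptions. It flags grants that combine an unverified publisher, persistent (refresh-token) access and mailbox or file permissions, which is the combination that turns one click into the long-term access the article describes.

```python
"""Flag OAuth consent grants that look like consent phishing.

Added example for this article, not code from Microsoft or the report.
The grant records, scope names and risk weights are constructed for
illustration; a real review would read the export of the identity
provider's consent audit log.
"""
from dataclasses import dataclass

# Assumed risk weight per delegated scope (compared case-insensitively).
# Unknown scopes count 1 so an unfamiliar permission is never silently ignored.
SCOPE_RISK = {
    "openid": 0, "profile": 0, "user.read": 0,
    "files.read": 1, "contacts.read": 1,
    "offline_access": 2,   # refresh tokens: access persists after the browser session ends
    "mail.read": 3, "mail.send": 3, "files.readwrite.all": 3,
}
PERSISTENT_SCOPE = "offline_access"
DATA_SCOPES = {"mail.read", "mail.send", "files.read", "files.readwrite.all"}
SENSITIVE_THRESHOLD = 3    # assumed: score at which a grant needs admin review


@dataclass
class ConsentGrant:
    user: str
    app_name: str
    publisher_verified: bool
    granted_by_admin: bool
    scopes: list


def assess(grant):
    """Return (risk score, list of reasons) for one consent grant."""
    scopes = {s.lower() for s in grant.scopes}
    score = sum(SCOPE_RISK.get(s, 1) for s in scopes)
    reasons = []
    if score >= SENSITIVE_THRESHOLD and not grant.publisher_verified:
        reasons.append("unverified_publisher_with_sensitive_scopes")
    if PERSISTENT_SCOPE in scopes and scopes & DATA_SCOPES:
        reasons.append("persistent_access_to_mailbox_or_files")
    if score >= SENSITIVE_THRESHOLD and not grant.granted_by_admin:
        reasons.append("user_consent_bypassed_admin_review")
    return score, reasons


def review(grants):
    """Return (app, user, score, reasons) for every grant with at least one reason."""
    out = []
    for g in grants:
        score, reasons = assess(g)
        if reasons:
            out.append((g.app_name, g.user, score, reasons))
    return out


# Constructed sample export of consent grants
SAMPLE_GRANTS = [
    ConsentGrant("alice", "Expense Helper", publisher_verified=False, granted_by_admin=False,
                 scopes=["openid", "profile", "offline_access", "Mail.Read", "Files.ReadWrite.All"]),
    ConsentGrant("bob", "Corporate Calendar", publisher_verified=True, granted_by_admin=True,
                 scopes=["openid", "profile", "User.Read"]),
    ConsentGrant("carol", "Doc Viewer", publisher_verified=True, granted_by_admin=False,
                 scopes=["User.Read", "Files.Read"]),
]

if __name__ == "__main__":
    for app, user, score, reasons in review(SAMPLE_GRANTS):
        print(f"{app} (consented by {user}, score {score}): {', '.join(reasons)}")
```

Only "Expense Helper" is reported on the sample data. The reasons are deliberately separate: the unverified publisher says who to distrust, the persistent-plus-data combination says what the attacker would keep, and the user-consent reason says which policy gap let it through, so each maps to a different fix (revoke the grant, restrict the scopes users may grant themselves, route sensitive scopes through admin consent).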
One possible defence against post-authentication attacks is a Zero Trust architecture. In this approach, identity and authorisation are checked every time a user accesses the system. Even users who have already been authenticated are re-checked continuously, which makes it more difficult to log in using stolen credentials.
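What "a continuous check on every access" means in code is shown by the session store below: an added example for this article, not code from Microsoft or the report, covering both the token-theft scenario in the previous section and the re-check described here. The token handling, the client binding (a network prefix plus user agent) and the policy thresholds are assumptions chosen for illustration; a production system would bind to stronger signals such as a device certificate or a hardware-backed key. Each request re-evaluates the session rather than trusting the login once: a token presented from a client it was not issued to is treated as stolen and revoked, a token older than its lifetime expires, and a sensitive resource demands an MFA-backed session even if the token is otherwise valid.

```python
"""Continuous session verification: every request re-checks the session.

Added example for this article, not code from Microsoft or the report. The
token handling, the client binding and the thresholds are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_AGE = 15 * 60             # assumed: a session token lives 15 minutes, then re-authentication is needed
STEP_UP_RESOURCES = {"high"}  # assumed: resource sensitivities that require an MFA-backed session


def client_fingerprint(network_prefix, user_agent):
    """Coarse description of the client a token is bound to (constructed binding)."""
    return hashlib.sha256(f"{network_prefix}|{user_agent}".encode()).hexdigest()


def token_id(token):
    """Store only a hash of the bearer token so a leaked store yields nothing usable."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user: str
    issued_at: float
    client_fp: str      # client the token was issued to
    auth_strength: str  # "password" or "mfa"


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable clock so expiry can be tested without waiting

    def issue(self, user, client_fp, auth_strength):
        token = secrets.token_urlsafe(32)
        self._sessions[token_id(token)] = Session(user, self._clock(), client_fp, auth_strength)
        return token

    def revoke(self, token):
        self._sessions.pop(token_id(token), None)

    def check(self, token, client_fp, sensitivity):
        """Re-evaluate the session for one request. Returns (allowed, reason)."""
        s = self._sessions.get(token_id(token))
        if s is None:
            return False, "unknown_token"
        if self._clock() - s.issued_at > MAX_AGE:
            self.revoke(token)
            return False, "expired"
        if not hmac.compare_digest(s.client_fp, client_fp):
            # Presented from a client it was not issued to: treat the token as
            # stolen and end the session for everyone holding it.
            self.revoke(token)
            return False, "binding_mismatch"
        if sensitivity in STEP_UP_RESOURCES and s.auth_strength != "mfa":
            return False, "step_up_required"
        return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    fp = client_fingerprint("203.0.113.0/24", "Mozilla/5.0")
    tok = store.issue("alice", fp, "mfa")
    print(store.check(tok, fp, "low"))                                              # (True, 'ok')
    print(store.check(tok, client_fingerprint("198.51.100.0/24", "curl/8.0"), "low"))  # (False, 'binding_mismatch')
    print(store.check(tok, fp, "low"))                                              # (False, 'unknown_token')
```

Revoking on a binding mismatch is the deliberate choice here: it costs the legitimate user one re-login, but it also ends the attacker's access at the first request made with the stolen token, which a pure "still within lifetime?" check would never do.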
Social engineering and AI: human factor remains biggest risk
The use of AI by cybercriminals has led to new phishing tactics. According to the Microsoft Digital Defence Report 2024, attackers often copy the user interfaces of legitimate platforms, supplemented by realistic CAPTCHA pages to inspire trust. They are increasingly using AI to create personalised, context-aware phishing messages that are hard to recognise as phishing.
Security teams can also use AI to counter this threat and detect anomalies in real time. Machine learning-based systems can quickly analyse unusual behaviour and automatically take countermeasures. [2]
Further technical and organisational measures for identity protection
The security experts’ report recommends a combination of technical and organisational measures to improve the security of an organisation’s IT services:
- Technological measures: implementing MFA, adopting passwordless solutions and continuous monitoring through AI-powered systems.
- Raising awareness: regular training and information for employees on the latest social engineering and phishing threats increases visibility and reduces the success rate of such attacks.
- Implementing zero trust: all access, regardless of user status or location, is constantly audited and validated.
The report also highlights the need for global collaboration between businesses, governments and security vendors. Threats are evolving faster than individual organisations can respond, so comprehensive sharing of threat intelligence may become just as important as each organisation's own defences.
Conclusion: Vigilance and innovation are key to protecting digital identities. The Microsoft Digital Defence Report 2024 clearly shows that the fundamental security of digital identities must be at the heart of future cyber defence efforts. Organisations that focus early on innovative security solutions, an adaptive security architecture and comprehensive training will have the best chance of thriving in this new era of cybercrime.
Sources:
[2] Unveiling the Key Findings of the SANS Institute 2024 Cyber Threat Intelligence Survey