Identity Is the New Attack Surface: How Cybercriminals Are Bypassing MFA and What Organisations Must Do Next
April 8, 2026

The perimeter is gone, but most security strategies haven’t caught up
For years, cybersecurity strategies were built around a simple assumption. Protect the network, and you protect the organisation.
That assumption no longer holds.
Cloud adoption, SaaS proliferation, remote working, and third-party integrations have fundamentally changed how organisations operate. The traditional network perimeter has dissolved, replaced by a far more dynamic and distributed environment.
Yet many security programmes still behave as if that perimeter exists.
Firewalls have been strengthened. Endpoints have been hardened. Monitoring has increased. But the core control plane, the layer that now governs access to everything, is often misunderstood.
That control plane is identity.
And it has become the primary target for modern attackers.
Identity is no longer a control, it is the attack surface
Historically, identity was treated as a gatekeeper. A mechanism to verify users and grant access.
Today, it is something very different.
It is the single most valuable asset an attacker can obtain.
If an attacker gains valid credentials, or more critically, valid session access, they do not need to “break in” in the traditional sense. They can log in.
This changes everything.
Once inside, activity appears legitimate. Detection becomes significantly harder. Traditional controls (network monitoring, endpoint protection, even some forms of behavioural analytics) can be bypassed because the attacker is operating within trusted parameters.
This is why identity has become the new attack surface.
Not because it is weak by design, but because it is now central to how organisations function.
MFA was supposed to solve this, it didn’t
Multi-Factor Authentication (MFA) has long been positioned as a critical control for securing identity. And for a time, it was.
But attackers adapt.
In 2026, we are seeing widespread, effective techniques that bypass MFA entirely.
This is not theoretical. It is happening at scale.
The issue is not that MFA is broken. It is that organisations have misunderstood what it protects against.
MFA is highly effective against basic credential theft. It is far less effective against session-based attacks, social engineering, and real-time interception techniques.
Attackers are no longer trying to log in without MFA. They are finding ways to operate within authenticated sessions.
The rise of session hijacking and token theft
One of the most significant developments in recent years has been the shift towards session-based attacks.
When a user authenticates successfully, a session is established. This session is often maintained through tokens stored in browsers or applications. These tokens allow users to remain logged in without repeatedly entering credentials.
Attackers have realised that stealing these tokens is often more valuable than stealing passwords.
Infostealer malware has become one of the primary tools for achieving this. Once deployed on a device, it can extract session tokens, cookies, and stored credentials, providing attackers with immediate access to active sessions.
This bypasses MFA entirely.
The attacker does not need to authenticate. They inherit the authenticated state.
This is why infostealers have become such a critical component of the modern cybercrime ecosystem. Millions of infected machines are generating vast quantities of usable access data, which is then traded in underground markets.
The barrier to entry for sophisticated attacks has never been lower.
Adversary-in-the-middle attacks: defeating MFA in real time
Another technique gaining prominence is adversary-in-the-middle (AiTM) attacks.
In this scenario, attackers position themselves between the user and the legitimate service. This is often achieved through phishing campaigns that direct users to a proxy site designed to mimic a trusted platform.
When the user attempts to log in, including completing MFA, the attacker captures both the credentials and the session token in real time.
The user is authenticated successfully. The attacker now has everything they need.
Again, MFA is not bypassed in the traditional sense. It is leveraged.
This highlights a critical point.
Controls that rely solely on authentication are no longer sufficient.
The role of AI in accelerating identity attacks
AI has significantly amplified the effectiveness of these techniques.
Phishing campaigns are now highly personalised, leveraging publicly available data and organisational context to increase credibility. Deepfake voice and video technologies are being used to support social engineering attacks, particularly in high-value scenarios.
Attackers can automate reconnaissance, identifying key individuals, mapping organisational structures, and prioritising targets.
This reduces the randomness of attacks.
They are no longer broad and opportunistic. They are targeted and precise.
Identity-based attacks benefit significantly from this shift, because they rely heavily on deception and timing.
AI enhances both.
Why traditional detection struggles with identity compromise
One of the most challenging aspects of identity-based attacks is detection.
When an attacker uses valid credentials or session tokens, their activity often appears legitimate.
They are logging in from expected locations, accessing systems they are authorised to use, and performing actions that may not immediately trigger alerts.
Even advanced detection systems can struggle in this scenario, particularly if they rely heavily on signature-based or rule-based approaches.
Behavioural analytics can help, but only if baselines are well understood and anomalies are significant enough to be flagged.
In many cases, attackers operate carefully, avoiding obvious deviations.
This allows them to maintain persistence for extended periods, increasing the potential impact of the breach.
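One signal that remains available when the credentials and token are both valid is a change in the client context a session is presented from. The sketch below is an added example, not code from the original article or from Cybergen; the event fields, the function names, the /24 and /48 address coarsening and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int          # epoch seconds
    user: str
    session_id: str  # hashed session/token identifier, as logged (assumed field)
    ip: str
    user_agent: str

def network(ip: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Coarsen an address so DHCP churn inside one network is not flagged."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def find_session_reuse(events):
    """Flag sessions later presented from a client context that differs
    from the one in which the session was first seen."""
    first_seen = {}   # session_id -> (network, user_agent)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        ctx = (network(ev.ip), ev.user_agent)
        origin = first_seen.setdefault(ev.session_id, ctx)
        if ctx == origin:
            continue
        changed = [name for name, a, b in
                   (("network", origin[0], ctx[0]), ("user_agent", origin[1], ctx[1]))
                   if a != b]
        # Network and user agent changing together is what a replayed token
        # looks like; a network change alone is common for roaming users.
        severity = "high" if len(changed) == 2 else "low"
        findings.append((ev.session_id, ev.user, ev.ts, severity, tuple(changed)))
    return findings

# Constructed sample events (not real log data); documentation IP ranges only.
SAMPLE = [
    Event(1000, "alice", "s-01", "192.0.2.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    Event(1060, "alice", "s-01", "192.0.2.77", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    Event(1300, "alice", "s-01", "203.0.113.5", "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"),
    Event(1100, "bob", "s-02", "198.51.100.4", "Mozilla/5.0 (Macintosh) Safari/17"),
    Event(1500, "bob", "s-02", "192.0.2.200", "Mozilla/5.0 (Macintosh) Safari/17"),
]

if __name__ == "__main__":
    for finding in find_session_reuse(SAMPLE):
        print(finding)
```

The low-severity result for a network-only change reflects the baseline problem described above: a rule strict enough to catch every reuse will also fire on ordinary roaming, so the two cases are scored differently rather than treated alike.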
The shift from network security to identity security
As identity becomes the primary attack surface, security strategies need to evolve accordingly.
This means moving beyond traditional network-centric approaches and focusing on identity as the core layer of defence.
However, this is not simply a matter of deploying identity tools or enforcing MFA.
It requires a deeper understanding of how identity can be compromised, how access can be abused, and how attackers move within environments once authenticated.
This is where many organisations fall short.
They implement controls, but they do not test them in a way that reflects real-world attack scenarios.
Intelligence-led security: understanding identity risk in context
At Cybergen®, we approach identity security through an intelligence-led lens.
This means starting with the threat landscape.
Which threat actors are targeting organisations like yours? What techniques are they using? How are they gaining access? What tools and infrastructure are involved?
This external intelligence is then mapped to internal exposure.
Where are the weaknesses? How could credentials be compromised? How could sessions be hijacked? What pathways exist from initial access to critical systems?
This creates a clear, contextual understanding of risk.
It moves the conversation from abstract controls to concrete attack scenarios.
Simulating real-world identity attacks
Understanding risk is only the first step. The next is validation.
This is where offensive security plays a critical role.
Rather than relying solely on theoretical assessments, Cybergen® simulates real-world identity attacks, including phishing, session hijacking, and lateral movement scenarios.
The goal is not to generate a list of vulnerabilities. It is to demonstrate how an attacker would actually compromise the organisation.
This provides a far more accurate representation of risk.
It also enables organisations to prioritise remediation based on impact, rather than severity scores.
Breaking the attack path: from access to impact
Identity attacks rarely stop at initial access.
Once inside, attackers seek to expand their control, accessing additional systems, escalating privileges, and moving towards high-value targets.
This is where the concept of attack paths becomes critical.
An isolated identity weakness may not seem significant. But when combined with other issues, it can form part of a pathway that leads to a major breach.
Cybergen® focuses on identifying and disrupting these pathways.
By understanding how attacks progress, organisations can implement controls that break the chain, preventing escalation and limiting impact.
Continuous exposure management for identity
As with other areas of cybersecurity, identity risk is not static.
New applications are deployed. Access permissions change. Users come and go. Threat techniques evolve.
This makes continuous assessment essential.
Through Continuous Threat Exposure Management (CTEM), Cybergen® provides ongoing visibility into identity risk, informed by threat intelligence and validated through testing.
This ensures that organisations are not just reacting to incidents, but actively reducing their exposure over time.
What organisations must do now
The shift towards identity-based attacks is not a future concern. It is a present reality.
To address this, organisations need to take several key steps.
They need to recognise identity as a primary attack surface, not just a control layer.
They need to move beyond reliance on MFA, understanding its limitations and implementing additional protections.
They need to adopt an intelligence-led approach, ensuring that security decisions are informed by real-world threats.
They need to test their environments in a way that reflects how attackers actually operate.
And they need to focus on outcomes, measuring success in terms of reduced exposure and improved resilience.
The future of identity security
As organisations continue to evolve, identity will remain central to how they operate.
This makes it an attractive target for attackers.
The techniques will continue to evolve. The tools will become more sophisticated. The barriers to entry will continue to decrease.
Defending against this requires more than incremental improvements.
It requires a fundamental shift in how security is approached.
At Cybergen®, we believe that shift is towards intelligence-led security.
Because understanding how you will be attacked is the first step in preventing it.
Summary: Access is everything
In modern cybersecurity, access is everything.
If an attacker can authenticate, they can operate.
This is why identity has become the new battleground.
And this is why organisations need to rethink how they defend it.
Not through more controls alone, but through better understanding.
Because in a world where attackers no longer need to break in, knowing how they log in is what matters most.