Hackers Exploit Compromised Enterprise Identities at Industrial Scale

By Team-CWD, March 25, 2026

Cyber attackers have become so prolific at abusing legitimate enterprise accounts and identity systems to compromise networks that it has become a “mass-marketed impersonation crisis,” security analysts at SentinelOne have warned.

This creates a problem, because an adversary using valid credentials does not look like an intruder; they look like a regular employee – and because of this, many traditional cybersecurity protections do not identify that something is wrong, leaving organizations vulnerable to cyber threats.

In many cases, the malicious threat is only identified after an event has occurred, such as sensitive corporate data being stolen, systems being encrypted with ransomware, or another form of harmful cyber-criminal activity.

Published on March 24, the SentinelOne Annual Threat Report for 2026 warned that the last year has seen threat actors execute a shift towards these identity-based attacks at “industrial scale”.

Commonly, accounts are compromised by social engineering campaigns that exploit attack techniques like ClickFix, which are designed to ensure that the victim is completely unaware their account has been compromised.

Even when accounts are protected with multi-factor authentication (MFA), attackers have ways to bypass or subvert this additional barrier to takeover.

MFA bypass kits are readily available to cybercriminals, while some attacks just use brute force, overwhelming targets with authentication requests until they get fed up and say yes.

The report warned there have been cases where attackers have been able to compromise high-level accounts, then use the admin privileges of that account to provide access to other accounts of interest.

“We have documented cases where threat actors, having compromised a high-level security administrator account, accessed management portals to disable MFA requirements for entire organizational groups,” said SentinelOne.

“These represent extreme risk because the adversary transitions from a transient squatter in a single session to a policymaker who can dictate the rules of access for the entire network.”

Fake Employees and the New Insider Threat

Campaigns based entirely on fake personas, which attackers use to apply for remote jobs, are a growing threat to organizations. If successfully employed – often having conducted interviews with the aid of AI deepfake technology – the attacker has their own legitimate access to company systems to conduct malicious activity from the inside.

State-backed North Korean hackers are known to leverage this kind of attack.

SentinelOne said that it has tracked over 1000 job applications and roughly 360 fake personas linked to North Korean operations which had attempted to secure remote employment at Western tech companies. The end goal of these campaigns is commonly theft, be that of money, intellectual property or data.

“Because the adversary inherits or creates a trusted state, the intrusion remains effectively invisible until the account begins performing actions that sit outside the user’s normal role, such as bulk data exports or unauthorized permission changes,” warned the report.

To help counter the growth in identity-based attacks, SentinelOne recommended that organizations have the ability to identify and prevent malicious behavior conducted by seemingly legitimate accounts.

“Defending against this requires shifting focus from simple login validation to continuous post-authentication behavioral monitoring,” the company said.
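
As an added illustration of that kind of post-authentication monitoring (not code from SentinelOne or from this article), the following Python example flags an MFA approval that follows a burst of rejected prompts, then escalates sensitive actions by that account, such as disabling MFA policy or a bulk export. The event fields, action names, thresholds and log entries are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, action, result); not real data.
EVENTS = [
    ("2026-03-24T09:00:05", "alice", "mfa_push", "denied"),
    ("2026-03-24T09:00:40", "alice", "mfa_push", "denied"),
    ("2026-03-24T09:01:15", "alice", "mfa_push", "timeout"),
    ("2026-03-24T09:02:00", "alice", "mfa_push", "denied"),
    ("2026-03-24T09:03:00", "alice", "mfa_push", "denied"),
    ("2026-03-24T09:03:40", "alice", "mfa_push", "approved"),
    ("2026-03-24T09:10:00", "alice", "mfa_policy_disabled", "ok"),
    ("2026-03-24T09:20:00", "alice", "bulk_export", "ok"),
    ("2026-03-24T10:00:00", "bob", "mfa_push", "denied"),
    ("2026-03-24T10:00:30", "bob", "mfa_push", "approved"),
    ("2026-03-24T11:00:00", "carol", "mfa_policy_disabled", "ok"),
]

# Assumed thresholds and action names; tune to your identity provider's logs.
WINDOW = timedelta(minutes=10)
MIN_REJECTED = 4
SENSITIVE = {"mfa_policy_disabled", "bulk_export", "permission_change"}

def detect(events, window=WINDOW, min_rejected=MIN_REJECTED):
    """Return (timestamp, user, rule, severity) alerts in time order."""
    alerts, rejected, tainted = [], {}, set()
    for ts, user, action, result in sorted(events):
        now = datetime.fromisoformat(ts)
        if action == "mfa_push":
            # Keep only this user's rejected prompts inside the sliding window.
            recent = [t for t in rejected.get(user, []) if now - t <= window]
            if result == "approved":
                # An approval right after a burst of rejections suggests fatigue.
                if len(recent) >= min_rejected:
                    alerts.append((ts, user, "mfa_fatigue_approval", "high"))
                    tainted.add(user)
                recent = []
            else:
                recent.append(now)
            rejected[user] = recent
        elif action in SENSITIVE:
            # Sensitive actions are always surfaced; escalate if the account
            # previously showed a suspicious approval.
            sev = "high" if user in tainted else "review"
            alerts.append((ts, user, action, sev))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A single mistyped or declined prompt followed by an approval, as in the constructed "bob" events, stays below the threshold and raises nothing.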