In this Q&A, David Guest explains how attackers build a profile of their target, exploit service desk processes and move into non-human identities that are harder to detect and govern.
Long before an attacker touches a system, they can build a picture of the organisation they want to breach. Public sources help them map the people, the structure and the weak points. From there, the route in may be as simple as a call to the service desk, followed by a move into non-human identities that are harder to spot and govern.
David Guest, Solution Architect at Kocho, explains the importance of broad and continuous identity security as he walks us through the attack path from the attacker’s perspective: profile the target, get past the service desk, escalate access, then shift into an identity layer many organisations struggle to govern.
Let’s start at the beginning. If you’re an attacker looking at a target organisation, where do you actually start?
With what’s already public. Companies House, the company website and LinkedIn tell me who the leaders are, who works there, what they do and who they’re connected to. Before I’ve touched a system, I already have a map of the organisation.
And you’re going after the leadership team?
Not necessarily. Senior leaders may be high-value targets, but they are not always the easiest way in. I’m looking for someone easier to impersonate and more likely to get help from the service desk. That could be a manager, someone in a non-technical role, or a new starter who’s just announced their job on LinkedIn.
I’m also mapping the supply chain. Sometimes the route in is through someone the organisation already trusts. Attackers work in graphs. You’re plotting a route from where you are to where you need to be.
Once you’ve picked a target, what comes next?
I build a profile. LinkedIn gives me job history. Facebook, Reddit, TikTok and Have I Been Pwned add the personal detail a service desk agent might use to verify someone over the phone.
So how does that get you into a system?
I phone the service desk. “Hi, I’m Joe. I’ve broken my mobile phone and I can’t reset my password. Can you help me out?”
People want to help. If the service desk is relying on personal details to verify me, I already have the answers. That can be enough to get a password reset, an MFA reset, or whatever I need to get back into the account.
The first thing I do once I’m in is set up my own MFA. Now I can prove I’m “Joe” whenever I’m challenged. The real Joe can’t.
It was these kinds of tactics that were at the forefront of the Scattered Spider-linked attacks on UK retailers in 2025, using service desk impersonation and MFA reset abuse to costly effect. More recently, Microsoft’s Storm-2949 reporting described attackers using social engineering around self-service password reset and MFA registration to take over cloud identities.
What does an attacker actually do once they’re inside?
It’s methodical. I’m scanning for privileged accounts, virtual devices, tokens and logs that might help me find a route to broader access.
What I’m really after is a power user. In a large organisation, I could be looking through 70,000 accounts, or I can run a script that shows me users with specific roles far more quickly.
Microsoft’s Storm-2949 investigation described attackers using a compromised cloud identity to enumerate users, roles, applications and service principals, then search OneDrive and SharePoint for files and access details that would help them move further.
And once you find that power user?
I stop relying on Joe’s account. I create an OAuth application inside the tenant with the same access as the compromised user. That becomes my entry point, and it’s much harder to spot in the usual sign-in and logging views.
OAuth apps are often over-permissioned. If one has broad SharePoint access, a breach can expose far more than the original user could reach directly.
And because non-human identities can vastly outnumber human identities, that activity can disappear into machine-to-machine traffic that few organisations are monitoring closely enough.
Why does this keep working? Most organisations have MFA, conditional access, risk-based policies.
Most of that is designed around human identities. Service principals, OAuth apps, managed identities and AI agents do not always sit under the same controls. There is no joiner-mover-leaver process for a service account, and many organisations cannot say who owns a service principal or how well its credentials are governed.
Agentic AI increases the challenge. Every new agent creates another identity, and many organisations still do not have a central inventory or approval process for them.
So what stops each stage of this attack from working?
The service desk call is the obvious one.
That becomes much harder with Entra Verified ID and Face Check.
The agent sends a QR code to the caller’s mobile device, the caller shares verified information and completes a face check, and the system returns a confidence score. It adds a stronger identity assurance step to service desk interactions.
And the persistence problem, where the attacker hides in the AI and non-human identity space?
That needs governance tooling most organisations have not yet put in place. Agent ID gives AI agents a unique identity that can be tracked and, as the roadmap develops, brought under conditional access.
Microsoft Agent 365 adds sponsorship and attestation. For service principals and managed identities in Azure, Key Vault helps automate secret and certificate rotation.
What about detection? You said you were operating in traffic nobody was watching.
Defender for Cloud Apps. It helps organisations see how users are accessing cloud services, spot over-permissioned OAuth apps, monitor service principal sign-ins, and flag unusual IP addresses or authentication times.
It also discovers shadow IT and shadow AI. Feed that into Microsoft Sentinel for correlation and response, and security teams get a much clearer view of what is happening.
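The OAuth persistence step described earlier (an MFA reset on a human account followed by app registrations and role assignments) leaves a recognisable sequence in tenant audit logs. The script below is an added illustration, not Kocho's or Microsoft's code: it correlates reset events with later non-human identity operations by the same account, over constructed sample events whose operation names only resemble Entra ID audit log values.

```python
from datetime import datetime, timedelta

# Operation names resemble Entra ID audit log OperationName values; the events
# themselves are constructed for this example and are not real tenant data.
RESET_OPS = {"Reset user password", "User registered security info"}
NHI_OPS = {"Add application", "Add service principal",
           "Add app role assignment", "Consent to application"}

# (timestamp, operation, initiated by, target) -- constructed sample log
SAMPLE_EVENTS = [
    ("2025-03-01T09:00:00", "Reset user password", "helpdesk@example.com", "joe@example.com"),
    ("2025-03-01T09:05:00", "User registered security info", "joe@example.com", "joe@example.com"),
    ("2025-03-01T10:30:00", "Add application", "joe@example.com", "app:Sync Helper"),
    ("2025-03-01T10:31:00", "Add service principal", "joe@example.com", "app:Sync Helper"),
    ("2025-03-01T10:32:00", "Add app role assignment", "joe@example.com", "app:Sync Helper"),
    ("2025-03-02T11:00:00", "Add application", "alice@example.com", "app:HR Tool"),
    ("2025-03-05T14:00:00", "Reset user password", "helpdesk@example.com", "bob@example.com"),
]


def parse(events):
    """Convert raw tuples to (datetime, op, actor, target), oldest first."""
    return sorted(((datetime.fromisoformat(t), op, actor, target)
                   for t, op, actor, target in events), key=lambda e: e[0])


def reset_then_nhi(events, window=timedelta(hours=24)):
    """Flag non-human identity operations performed by an account within
    `window` after that account's password or MFA was reset.
    Returns a list of findings; an empty list means nothing correlated."""
    last_reset = {}   # account -> time of the most recent reset targeting it
    findings = []
    for ts, op, actor, target in parse(events):
        if op in RESET_OPS:
            last_reset[target] = ts
        elif op in NHI_OPS and actor in last_reset and ts - last_reset[actor] <= window:
            minutes = int((ts - last_reset[actor]).total_seconds() // 60)
            findings.append({"account": actor, "operation": op,
                             "target": target, "minutes_after_reset": minutes})
    return findings


if __name__ == "__main__":
    for finding in reset_then_nhi(SAMPLE_EVENTS):
        print(finding)
```

Alice's app registration has no preceding reset and Bob's reset has no follow-on activity, so only Joe's sequence is flagged; in practice the same correlation would be expressed as a Sentinel query over the real audit tables.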
Where should an organisation start?
With visibility. You need to know what identities exist in your environment, human and non-human, before you can govern them. The gap now is governance and optimisation: making sure access is revoked when it should be, non-human identities are inventoried and owned, and credentials are rotated.
Kocho runs a half-day Identity and Access Management Workshop that helps organisations review these risks, the controls available, and the options for implementation.
If you’d like to learn more or discuss your identity security strategies, please get in touch with the team.
Plus, if you want to go deeper inside a typical identity attack, and discover the tactics to stay protected, then check out my recent webinar in the link below.
Identity Under Attack
The attack path to your tenant already exists. This is what it looks like.
Join Dave Guest as he maps a real-world attack from initial credential theft to full tenant compromise, showing exactly where identity gaps are exploited and how Microsoft’s security stack shuts each one down.
Discover:
- The OAuth consent trick that gives attackers persistent access
- Why service desks hand out credentials to the wrong people
- Misconfigurations that turn one compromised account into many
- The non-human identities and AI agents nobody is monitoring
- How lateral movement stays invisible until the damage is done