When it comes to protecting your business from security threats, there’s no “one and done” solution; attackers are constantly evolving and innovating.
The threats we face today have only grown in scale and sophistication, and attackers have only become more successful in gaining access to sensitive data.
Each new security control is met with new (or revived) attacker techniques for getting around it. That's why it's crucial to understand the current threat landscape and how attackers are adapting.
Read on for insights about the evolution of attacks over the last few years and how you can make a difference in protecting your organization.
“Identity is the New Perimeter”
For decades, it seemed that securing the perimeter of an organization’s IT infrastructure was the best strategy to keep attackers from obtaining access to emails, business applications, and sensitive data.
A common belief was that a robust firewall or similar network security appliance at the edge of a network would keep attackers out.
While these devices are often necessary for certain basic security functions (like limiting outsiders from gaining access to internal applications), there’s often an overreliance on them.
Consider this: since COVID-19, there’s been a massive shift in how the world and businesses operate. Nowadays, many employees partially operate from a remote location.
It makes sense—employees want to be able to work from anywhere without interruption. Business owners can reap the benefits, too, by hiring talented staff from anywhere, no matter their geographic location.
In response to that demand, adoption of cloud services like Microsoft Office 365 has exploded over the last decade. As a result, most businesses rely less and less on internal network infrastructure.
Cloud hosting often has major security advantages over locally hosted infrastructure:
- Automatic patches
- High availability
- Rapid scalability
However, since cloud applications are accessible from anywhere, attackers are free to authenticate against these services if they manage to steal an employee’s digital identity.
In the past, locally hosted infrastructure offered attackers a variety of ways in from the outside.
An application that isn't patched regularly carries a high likelihood that a known vulnerability can be exploited for direct access to the server and the infrastructure around it. As that option dwindles, attackers have shifted considerable effort toward phishing company users with a variety of techniques, and those efforts are often successful.
Once a bad actor gains access to an account in your organization for a major cloud-hosted application or productivity suite, they can obtain emails and sensitive data.
So, what does all of this mean?
With all of these changes, a massive shift towards protecting our digital identities is necessary to stay a step ahead of the attackers.
Centralize Authentication
The more accounts you have, the more "attack surface" your organization incurs.
Attack surface refers to the set of assets your organization maintains (accounts, software, services, even employees), each of which is a potential entry point for an attacker. The more you need to protect, the more entry points a threat actor can choose from when launching an attack.
There are numerous challenges associated with protecting each of these accounts:
- Password strength for each system
- Enforcement of multi-factor authentication
- Permissions and roles
- Account removal when employees leave
When you consider the sheer volume of accounts that need management, it becomes easy to see how security uniformity becomes a massive challenge for even the most mature organizations.
The solution: centralize your organization’s login options whenever possible.
Single sign-on (SSO) configures your applications to delegate login to one central identity provider, typically the one behind your employees' email and productivity suite. Users then sign in to every application in your organization with a single account, and password policy, MFA enforcement, roles, and offboarding are managed in one place instead of once per application.
It’s often as simple as clicking a button to access each application after signing in once to something like Microsoft Office 365.
Not only is this considerably more secure for your organization because of the reduced attack surface, but it's considerably more efficient and convenient for your employees, who no longer spend time logging in to numerous applications throughout the day. The trade-off is that the central account becomes the one that matters most, so it is the first place to apply the stronger authentication discussed next.

Multi-Factor Authentication Alone is No Longer Enough
For years, security professionals have instructed users and organizations to enable some form of multi-factor authentication (MFA) on their accounts to protect from phishing and account takeover attacks.
Today, MFA is still a critical component in protecting sensitive information. In fact, it’s often the first step we recommend for anyone looking to improve their security posture.
MFA is a second form of authentication that acts as a last line of defense if an attacker compromises your password: an extra layer of protection on top of the account's credentials.
However, the efficacy of multi-factor authentication as a preventative control against phishing attacks has started to decline.
In recent years, attackers have learned to phish users who are protected by multi-factor authentication by proxying the victim's connection to the legitimate service. These are called "Adversary in the Middle" (AiTM) phishing attacks.
Adversary in the Middle phishing attacks have exploded in prevalence, as their effectiveness has yielded significant payoff for threat actors in the cat-and-mouse evolution of security.
In an AiTM attack, the phishing site is a reverse proxy: the victim's browser talks to the attacker's domain, which relays every page and every form submission to the real service in real time. A rolling code or text-message code is just another form field, so the attacker relays that too, the real service accepts the login, and the proxy captures the resulting session token. With that token, the attacker has the account without ever needing the password or the code again.
However, all is not lost; while many forms of authentication are susceptible to modern phishing tactics, there are alternative forms of authentication that are resilient to phishing, also called phishing-resistant authentication or strong authentication.
Phishing-resistant authentication defeats AiTM by binding the login to the domain the user is actually on. A FIDO2/WebAuthn credential (the technology behind hardware security keys and passkeys) is scoped to the site it was registered for, the browser will not use it on a look-alike domain, and the signed response names the origin the user was on, so a response produced on an attacker's domain is rejected by the real service.
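As an added example (not code from the original post), the Go program below models both sides of the comparison above. A TOTP code carries nothing about where it was typed, so whatever the victim enters on the phishing page is exactly what the real service computes, and the proxy's relay succeeds. A simplified WebAuthn (passkey) assertion, by contrast, has the page's origin written into the signed client data by the browser, and the relying party checks it, so the same relay fails. The hostnames, challenge string and ECDSA key are constructed for the walkthrough, the authenticator data layout is reduced to the rpIdHash, flags and counter fields, and the key stands in for a passkey; the TOTP seed is the RFC 6238 test secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const ( // constructed hostnames for the walkthrough, not real services
	realOrigin  = "https://login.example.com"  // the genuine sign-in page
	realRPID    = "login.example.com"          // WebAuthn relying-party ID the passkey is scoped to
	proxyOrigin = "https://login-example.test" // the AiTM proxy imitating it
)

// totp is the legacy second factor: RFC 6238, HMAC-SHA1, 30 s step, 6 digits.
// The result depends only on the shared secret and the time, never on the page.
func totp(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// clientData mirrors the WebAuthn CollectedClientData fields that matter here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	AuthData       []byte // SHA-256(rpId) || flags || counter (simplified layout)
	ClientDataJSON []byte
	Signature      []byte // ECDSA over SHA-256(authData || SHA-256(clientDataJSON))
}

func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// browserGet models navigator.credentials.get(): the browser, not the page, writes the
// page's origin into clientDataJSON before the authenticator signs.
func browserGet(key *ecdsa.PrivateKey, pageOrigin, rpID, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// rpVerify is the relying party's side: challenge, origin, rpIdHash, then the signature.
func rpVerify(pub *ecdsa.PublicKey, rpID, wantOrigin, wantChallenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != wantChallenge {
		return errors.New("wrong ceremony type or stale challenge")
	}
	if cd.Origin != wantOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, wantOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 32 || string(a.AuthData[:32]) != string(rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// relayWebAuthn runs the AiTM proxy against a passkey: the proxy forwards the genuine
// challenge, but the victim's browser is on the proxy's domain, so the signed client
// data names that origin and the real service rejects it.
func relayWebAuthn(key *ecdsa.PrivateKey, challenge string) error {
	a, err := browserGet(key, proxyOrigin, realRPID, challenge)
	if err != nil {
		return err
	}
	return rpVerify(&key.PublicKey, realRPID, realOrigin, challenge, a)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println("TOTP typed into the phishing page, accepted as-is by the service:", totp([]byte("12345678901234567890"), 1700000000))
	fmt.Println("passkey assertion relayed through the proxy:", relayWebAuthn(key, "c4a11enge"))
}
```

Run it with `go run`: the relayed TOTP prints as a plain six-digit code that the service would accept, while the relayed assertion comes back with an origin-mismatch error. In a real deployment the failure happens even earlier, because the browser refuses to use the passkey at all on a domain that does not match the credential's rpId; the server-side origin and rpIdHash checks shown here are the second line of defence and are the checks any WebAuthn relying-party implementation must perform.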
The technology underpinning phishing-resistant authentication has existed for years, but previously required purchasing additional hardware tokens for all employees. These tokens brought additional challenges for widespread adoption.
Many newer options, such as passkeys, use the same underlying technology as existing hardware tokens; they simply rely on the authenticator already built into an individual's smartphone or laptop to deliver the same level of phishing resistance.
While passkeys possess major upsides in thwarting attacks for most organizations, they are still relatively new and adoption is in the early stages for most providers.
Device Compliance
The path to achieving phishing resistance for each organization may look different depending on a variety of factors.
Considering that many of the phishing-resistant authentication options are very new, many organizations may face implementation challenges as users learn to adapt to new login methods. For many, a strategy focused on device compliance may strike a balance between familiarity and security.
Device-compliant authentication restricts access to a service such as Microsoft 365 to devices that are registered with your organization and meet its compliance requirements. If an attacker relays one of your users through a phishing platform, the connection that actually reaches the service comes from the attacker's proxy, not from a registered device, so the authentication fails and the attacker cannot log in.
While a device compliance strategy is most secure and works best with organizations that want to require company-owned devices, it is not limited exclusively to those businesses. A device compliance policy can be adapted to account for bring your own device (BYOD) models, where employees may leverage a personal smartphone for some basic work tasks, all while preserving their privacy.
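An added configuration example, not from the original post: a Conditional Access policy body for Microsoft Entra ID (the identity service behind Microsoft 365) that implements the device requirement described above, in the form accepted by the Microsoft Graph endpoint `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`. The display name, the report-only state, and the GUID in `excludeGroups` (a placeholder for your emergency-access group) are assumptions for the example.

```json
{
  "displayName": "Require compliant or hybrid-joined device for all cloud apps",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["00000000-0000-0000-0000-000000000000"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["compliantDevice", "domainJoinedDevice"]
  }
}
```

The `compliantDevice` control is the one that stops the relay: the AiTM proxy's connection to the service carries no registered device identity, so the grant control cannot be satisfied. Keep the policy in report-only state until the sign-in logs show that every legitimate user and device would pass, then change `state` to `enabled`; always exclude an emergency-access account or group so a misconfiguration cannot lock out administrators. For the BYOD case on mobile, `compliantApplication` (require an app protection policy) can be used in place of full device compliance, which keeps the personal phone out of device management while still tying access to an approved, managed app.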
Conclusion
Threat actors will continue to focus heavily on gaining access to user accounts through a constant barrage of phishing attacks. In order to adapt, consider embracing this strategy:
- Centralize your authentication by shifting to Single Sign On wherever possible for your organization. This minimizes the risk each organization incurs while juggling multiple critical systems or services with redundant user identities.
- Ensure that your centralized authentication moves toward a complete phishing-resistant authentication strategy. Legacy forms of multi-factor authentication are simply not enough in 2025. Attackers can phish legacy MFA methods with relative ease.
By leveraging phishing-resistant authentication (such as passkeys) or adopting a Device Compliance policy for your organization, you will considerably reduce the account takeover risks your organization faces.
Take steps today to secure your business and data from unauthorized access—and stay adaptable as new threats emerge.
If you need help with cybersecurity for your organization, set up a call with one of our experts.