Attackers Aren't Hacking In. They're Logging In. Here's the Data.
Let's kill a myth first.
The attacker in your head is probably wrong. Not a hoodie-wearing genius wrestling with your firewall. Not a nation-state operative burning a zero-day exploit on your accounts payable inbox. In this week's hot take, Mauven and I worked through the Unit 42 Global Incident Response Report 2026, built on over 750 serious real-world investigations, and the picture that emerges is far more mundane and far more fixable than the threat industry wants you to believe.
Attackers aren't primarily hacking in anymore. They're logging in. With valid accounts. Stolen session tokens. And overly permissive identities that organisations never cleaned up.
What the Numbers Actually Say
Unit 42 are essentially a cyber fire brigade for larger organisations. They get called in when a serious attack is already underway. Their numbers are built on real-world disasters, not lab tests. That makes the following statistics worth sitting with.
Identity weaknesses showed up as a material factor in nearly 90% of investigations. Not malware. Not firewall failures. Identity.
About 65% of initial access was identity-driven. Credentials bought on the dark web, session tokens harvested through browser-based attacks, OAuth grants that nobody revoked.
Browser activity appeared in nearly half of all intrusions. Your staff live in their browsers all day: Outlook, Xero, your HR portal, Teams, the CRM, and whatever random SaaS the marketing team signed up for last year. That is the battleground.
And this one is the one that should land hardest: 99% of cloud identities Unit 42 examined had excessive permissions. Not some. Not most. 99%. The accounting assistant's account can see more than it should. The service account that talks to your CRM can do far more than it needs to. A single compromised identity becomes a vehicle for lateral movement because the access was already there, waiting.
The Speed Problem
While you are picturing some slow, lumbering attack that gives you time to react, the fastest quarter of real-world intrusions in the Unit 42 dataset reached data theft in about 72 minutes. Unit 42 even simulated an AI-assisted attack that got to exfiltration in 25 minutes.
From someone clicking a link to your customer data being zipped up for extortion, in less time than it takes to watch Match of the Day.
You are not patching your way out of that if the front door is wide open on identity.
What the Failures Actually Look Like
Mauven put it plainly in the episode and it is worth repeating here, because this is not a sophisticated problem.
It is the finance mailbox guarded by a recycled password. It is push MFA that pings your mobile so often that you approve anything just to get on with your day. It is shared admin accounts that three people use because it is easier. And it is old logins that nobody ever removed: contractors who left two years ago but still have access to your Microsoft 365 tenant, former IT suppliers with temporary global admin that became permanent by neglect.
From a threat actor's point of view, that is gold. They do not need to burn an expensive exploit when they can buy previously compromised credentials, combine them with a bit of social engineering, and walk straight in through your VPN or email portal.
Corrine's quote from the episode deserves repeating verbatim: "Most breaches in this dataset were enabled by exposure, not by genius."
Over 90% of incidents had preventable gaps, limited visibility, inconsistent controls, or excessive identity trust as material enablers. This is not a technology problem that requires more technology. It is an operational discipline problem.
The Zombie Integration Problem
One specific failure mode the report highlights that does not get enough attention: SaaS inherited permissions.
Every connector you have approved over the years (sign in with Microsoft, that sales plugin, that reporting tool) comes with an access footprint. Consent was given once, and nobody is asked again each time the app uses it. Zombie integrations tied to departed users, or apps nobody remembers installing, are low-visibility pathways. A small sales team with a trial tool that still has read-write access to the CRM two years later. A marketing platform that can send email as anyone in the company. If that upstream service gets compromised, you have just handed an attacker your voice and your data.
Go into your main SaaS platforms right now and list every connected app (in Microsoft 365 that is Enterprise applications in the Entra admin centre). Anything you do not recognise, do not use, or that is owned by someone who has left: remove it or lock it. Not when you have time. Today.
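Here is one way to build that list for a Microsoft 365 tenant. This is an added example written for this article, not a script from the Unit 42 report or from the episode. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read directory and application objects; the `$sensitiveScopes` list is a starting point chosen for the example, not a Microsoft-defined set.

```powershell
# Added example: inventory every delegated OAuth consent grant in the tenant and flag
# the zombies: grants whose consenting user is gone or disabled, and grants that let
# a third party act as your users (send mail, rewrite files, change the directory).
Connect-MgGraph -Scopes 'Directory.Read.All', 'Application.Read.All'

# Assumption: these are the scopes we treat as high impact. Tune to your own tenant.
$sensitiveScopes = @('Mail.Send', 'Mail.ReadWrite', 'Files.ReadWrite.All',
                     'Sites.ReadWrite.All', 'Directory.ReadWrite.All')

$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $sp      = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId -ErrorAction SilentlyContinue
    $appName = if ($sp) { $sp.DisplayName } else { "unknown app ($($grant.ClientId))" }
    $owner   = 'all users (admin consent)'
    $reason  = @()

    if ($grant.ConsentType -eq 'Principal') {
        # A single user clicked Accept; find out whether that person is still around.
        $user = Get-MgUser -UserId $grant.PrincipalId -Property Id, UserPrincipalName, AccountEnabled `
                           -ErrorAction SilentlyContinue
        if (-not $user) {
            $owner = 'deleted user'; $reason += 'consenting user no longer exists'
        } elseif (-not $user.AccountEnabled) {
            $owner = $user.UserPrincipalName; $reason += 'consenting user is disabled'
        } else {
            $owner = $user.UserPrincipalName
        }
    }

    # Scope is a space-separated string such as "User.Read Mail.Send offline_access".
    $granted = @($grant.Scope -split ' ' | Where-Object { $_ })
    $hot     = @($granted | Where-Object { $sensitiveScopes -contains $_ })
    if ($hot.Count -gt 0) { $reason += "high-impact scopes: $($hot -join ', ')" }

    [pscustomobject]@{
        App     = $appName
        Consent = $grant.ConsentType
        Owner   = $owner
        Scopes  = $granted -join ' '
        Flag    = $reason -join '; '
        GrantId = $grant.Id
    }
}

# Flagged grants first; everything below them is the inventory you should be able to vouch for.
$findings | Sort-Object Flag -Descending | Format-Table App, Consent, Owner, Scopes, Flag -AutoSize

# Once an owner confirms a grant is dead, revoke it:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

This covers delegated permissions, the kind a user or admin consents to on behalf of people. Application permissions, which let an app act with no user signed in at all, are assigned to the app's service principal and are listed separately with `Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <id>`; review those with the same question in mind: who set this up, and do they still work here?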
Three Actions. This Week.
Corrine laid these out at the close of the episode. They are not this year's priorities. They are this week's.
One: phishing-resistant MFA for admin accounts and anyone who can move money. Standard push-based MFA is better than nothing, but Unit 42 is clear that attackers are increasingly focused on MFA bypass and session hijacking. Clickable links and one-time codes are too easy to socially engineer. The answer is FIDO2 hardware keys or passkeys. They resist phishing because the credential is bound to the site's origin: a lookalike login page or an adversary-in-the-middle proxy cannot get a usable response out of the key. For hardware keys, AuthenTrend produce FIDO2-certified options designed with exactly this use case in mind: protecting the accounts that, if compromised, hand an attacker your entire tenant. If you are not sure where to start, that is a reasonable place to look.
Two: remove or disable every ex-employee and contractor account. Microsoft 365, VPN, remote support tools. If you are not willing to delete it, you should be able to explain exactly why it still exists. If you cannot explain it, remove it.
Three: cut God mode. Reduce global admins to the bare minimum. Shift to just-in-time elevation (Privileged Identity Management in Entra ID): normal user by default, time-bound admin when needed, with an approval step and logging. Shorten session lifetimes on your most sensitive applications (in Microsoft 365, the sign-in frequency control in Conditional Access) so an attacker cannot live off one long-lived cookie. If they do compromise an identity, they hit a speed bump instead of the fast lane.
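Before you start on the three actions, it helps to know where you stand. The script below is an added example written for this article, not something from the Unit 42 report or the episode. It assumes the Microsoft.Graph PowerShell SDK is installed, that the tenant has an Entra ID P1 licence (the sign-in activity property needs it), and that 90 days is an acceptable definition of stale; change the threshold to suit.

```powershell
# Added example: audit the accounts that matter most in a Microsoft 365 / Entra ID tenant.
# Reports (1) every permanent Global Administrator and whether a phishing-resistant
# method is registered on the account, and (2) enabled accounts with no sign-in for 90 days.
Connect-MgGraph -Scopes 'Directory.Read.All', 'User.Read.All', 'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All'

# Method types that cannot be relayed through a phishing page because they are origin-bound.
$phishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',                   # security keys and passkeys
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# Actions one and three: who holds Global Administrator, and how is each account protected?
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$admins = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) {
    $upn = $member.AdditionalProperties['userPrincipalName']
    if (-not $upn) { continue }   # groups and service principals have no UPN; review those separately
    $types  = @(Get-MgUserAuthenticationMethod -UserId $member.Id |
                ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    $strong = @($types | Where-Object { $phishingResistant -contains $_ })
    [pscustomobject]@{
        Admin             = $upn
        PhishingResistant = $strong.Count -gt 0
        Methods           = ($types -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', '') -join ', '
    }
}
"Permanent Global Administrators: $(@($admins).Count)"
$admins | Sort-Object PhishingResistant | Format-Table -AutoSize

# Action two: enabled accounts nobody has signed into for 90 days. This is where the
# contractor who left two years ago and the old supplier login show up.
$cutoff = (Get-Date).AddDays(-90)   # assumption: 90 days counts as stale
$stale = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, CreatedDateTime, SignInActivity |
    Where-Object {
        $_.AccountEnabled -and
        $_.CreatedDateTime -lt $cutoff -and                  # skip accounts created recently
        (-not $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff)
    } |
    Select-Object UserPrincipalName, @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } }
"Enabled accounts with no sign-in since $($cutoff.ToString('yyyy-MM-dd')): $(@($stale).Count)"
$stale | Format-Table -AutoSize

# Disable first, delete later, once an owner has confirmed the account is dead:
#   Update-MgUser -UserId <UPN> -AccountEnabled:$false
```

Two things to read into the output. The admin list only shows permanent (active) role members, so once you move people to just-in-time elevation it should shrink towards zero; anyone left on it without a phishing-resistant method is the first place a stolen session or MFA-fatigue attack will land. The stale list is a starting point for a conversation with account owners, not a deletion script: disable, wait, then delete.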
The Blunt Challenge
Picture a criminal landing one working login for your business today. Maybe from a phishing email. Maybe from a reused password on a breached website.
How far could they get in 72 minutes? Could they get into email, reset passwords, hit your bank, pull your customer list?
If the honest answer is quite far, then identity is not a theoretical problem for future you. It is a live fire drill you just have not seen yet.
The data from over 750 real incidents says attackers are logging in wherever it is easiest. All the evidence points in the same direction: sort your identity mess before you spend another pound on perimeter toys.
Some doors stay closed for a reason. Let's at least make sure they are locked.
| Source | Article |
|---|---|
| Palo Alto Networks Unit 42 | Global Incident Response Report 2026 |
| Palo Alto Networks Unit 42 | Global Incident Response Report 2026: Executive Edition |
| Palo Alto Networks | Unit 42 Global IR Report 2026: Key Findings Blog |
| NCSC | Recommended Types of MFA |
| NCSC | Multi-Factor Authentication for Corporate Online Services |
| NCSC | Authentication Methods: Choosing the Right Type |
| FIDO Alliance | FIDO2: Web Authentication Standard |
| AuthenTrend | FIDO2 Hardware Security Keys |