Red Helix warns: Identity is the new perimeter as attackers just log in
Token hijacking and AiTM attacks compromise 100K+ orgs in identity-driven shift.
Tom Exelby, Head of Cyber at Red Helix, argues the hardened perimeter model is obsolete. In cloud-first, SaaS-driven environments, identity has become the new control plane and primary attack vector. Rather than exploiting software vulnerabilities, attackers now simply log in by impersonating legitimate users, services, or machines, bypassing security controls and blending into normal activity. Modern enterprises manage thousands (sometimes tens of thousands) of identities across employees, contractors, APIs, and automated workloads, each a potential entry point. This shift is driven by the success of EDR, which has made malware-based intrusion noisy, and by the growing complexity of identity ecosystems.
Key techniques: token/session hijacking (bypasses MFA by capturing active authentication tokens) and adversary-in-the-middle (AiTM) attacks that proxy phishing pages to intercept credentials and session data in real time. Phishing-as-a-service platforms like Tycoon 2FA have industrialised this, reportedly compromising 100,000+ organizations, many SMBs with limited resources. Equally concerning are non-human identities (service accounts, APIs, machine identities in DevOps/cloud-native environments) with persistent credentials, broad privileges, and limited oversight. Threat actors range from financially motivated cyber criminals using initial access brokers to ransomware groups exploiting valid credentials for stealth, and nation-state groups like Midnight Blizzard targeting service providers for long-term espionage. Most exposed sectors: financial services, healthcare, government, technology, and MSPs with privileged access to multiple clients.
- Token hijacking and AiTM attacks let attackers bypass MFA by capturing session data; platforms like Tycoon 2FA compromised 100,000+ organizations.
- Non-human identities (service accounts, APIs, machine identities) are prime targets due to persistent credentials, broad privileges, and limited oversight in DevOps/cloud-native environments.
- Attackers include cyber criminals using initial access brokers, ransomware groups using valid credentials for stealth, and nation-state actors like Midnight Blizzard for long-term espionage.
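As an added example (not code from Red Helix or the article), one detection heuristic for the token-replay half of the AiTM chain described above: flag a session id that, shortly after the sign-in that satisfied MFA, is used from a different IP and client. The event fields and sample values are constructed, not any vendor's log schema.

```python
"""Detect replayed session tokens: the same session id later used from a
different client than the one that completed MFA. Added example with
constructed events; field names are assumptions, not a vendor schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    user_agent: str
    mfa_satisfied: bool  # True on the event that completed MFA

_T0 = datetime(2024, 1, 15, 9, 0)
# Constructed sample. In an AiTM flow the MFA-satisfying sign-in itself may
# come from the phishing proxy; the cookie is then replayed from attacker
# infrastructure with a different IP and client, which is what we flag.
SAMPLE_EVENTS = [
    SignInEvent(_T0, "alice", "sess-A1", "203.0.113.10", "Chrome/120 Win", True),
    SignInEvent(_T0 + timedelta(minutes=2), "alice", "sess-A1", "203.0.113.10", "Chrome/120 Win", False),
    SignInEvent(_T0 + timedelta(minutes=5), "alice", "sess-A1", "198.51.100.7", "curl/8.4", False),
    SignInEvent(_T0 + timedelta(minutes=1), "bob", "sess-B2", "192.0.2.44", "Safari/17 Mac", True),
    # bob's IP changes but the client does not: ordinary IP churn, no alert.
    SignInEvent(_T0 + timedelta(minutes=30), "bob", "sess-B2", "192.0.2.99", "Safari/17 Mac", False),
]

def find_session_replays(events, window=timedelta(hours=8)):
    """Return (user, session_id, issuing_ip, replay_ip) for every event that
    reuses a session id from a different IP *and* user agent within `window`
    of the sign-in that satisfied MFA. Requiring both to change keeps mobile
    IP churn from alerting; tune the rule to your own baseline."""
    origin = {}  # session_id -> event that satisfied MFA
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.session_id not in origin:
            if ev.mfa_satisfied:
                origin[ev.session_id] = ev
            continue
        first = origin[ev.session_id]
        if (ev.src_ip != first.src_ip and ev.user_agent != first.user_agent
                and ev.ts - first.ts <= window):
            alerts.append((ev.user, ev.session_id, first.src_ip, ev.src_ip))
    return alerts

if __name__ == "__main__":
    for user, sid, issued, replayed in find_session_replays(SAMPLE_EVENTS):
        print(f"possible token replay: {user} {sid} issued to {issued}, used from {replayed}")
```

In production the same rule is usually paired with a check that the MFA-completing sign-in came from an expected network, since with an AiTM proxy the issuing IP is already the attacker's.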
Why It Matters
Organizations must shift from perimeter defense to identity-centric security to counter sophisticated login-based attacks targeting all identity types.