Cloud identity compromise now drives most cyber attacks
Field Effect reports that cloud identity compromise drove most of the cyber incidents it investigated last year, with more than 80% of incident-related alerts tied to compromised cloud identities.
Its 2026 Cyber Threat Outlook draws on managed detection and response telemetry and incident investigations conducted in 2025. The report describes a shift away from exploiting software vulnerabilities and towards abusing trusted accounts, collaboration platforms and familiar business workflows.
"In many of the incidents we investigated in 2025, attackers didn't exploit a vulnerability. They logged in using valid credentials," said Earl Fischl, Field Effect's director of security services.
"Identity has effectively become the dominant attack surface. Once attackers gain access to trusted accounts, they can blend into normal activity and move through an organization much more easily," Fischl said.
Identity-based intrusions often start with phishing and account takeover. Alerts analysed by Field Effect frequently pointed to compromised cloud identities that threat actors used for access and persistence.
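The pattern described above, a sign-in from outside an account's usual footprint followed shortly by a persistence action, can be turned into a simple correlation rule. The following Python is an added example, not code from Field Effect or from the report; the sign-in records, audit events, baseline and field names are all constructed here, and the persistence action names (`New-InboxRule`, `RegisterMfaMethod`, `ConsentToApplication`) are assumed labels for the kinds of change a detection team would watch for after an unusual login.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample telemetry (not real tenant logs): successful and failed
# cloud sign-ins for a small set of users. Field names are assumptions.
SIGN_INS: List[dict] = [
    {"ts": "2025-09-03T08:02:00", "user": "alice", "country": "CA", "result": "success"},
    {"ts": "2025-09-03T08:40:00", "user": "bob",   "country": "CA", "result": "success"},
    {"ts": "2025-09-03T09:15:00", "user": "bob",   "country": "NL", "result": "success"},
    {"ts": "2025-09-03T11:00:00", "user": "carol", "country": "US", "result": "failure"},
    {"ts": "2025-09-03T11:05:00", "user": "carol", "country": "US", "result": "success"},
]

# Constructed mailbox/directory audit events. Action names are assumed labels
# for the persistence changes an attacker typically makes after taking over an account.
AUDIT_EVENTS: List[dict] = [
    {"ts": "2025-09-03T09:27:00", "user": "bob",   "action": "New-InboxRule"},
    {"ts": "2025-09-03T09:31:00", "user": "bob",   "action": "RegisterMfaMethod"},
    {"ts": "2025-09-03T14:00:00", "user": "alice", "action": "New-InboxRule"},
]

# Countries each user signed in from during a trusted baseline period (constructed).
BASELINE: Dict[str, Set[str]] = {"alice": {"CA"}, "bob": {"CA"}, "carol": {"CA"}}

PERSISTENCE_ACTIONS = {"New-InboxRule", "RegisterMfaMethod", "ConsentToApplication"}
WINDOW = timedelta(minutes=60)  # how long after the sign-in a persistence change still counts


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def anomalous_sign_ins(sign_ins: List[dict], baseline: Dict[str, Set[str]]) -> List[dict]:
    """Successful sign-ins from a country the user has never been seen in before."""
    return [
        s for s in sign_ins
        if s["result"] == "success" and s["country"] not in baseline.get(s["user"], set())
    ]


def correlate(sign_ins: List[dict], audit_events: List[dict],
              baseline: Dict[str, Set[str]], window: timedelta = WINDOW) -> List[dict]:
    """Pair each anomalous sign-in with persistence actions by the same user inside the window.

    A new location alone (carol) or an inbox rule alone (alice) does not fire;
    the combination (bob) does, which keeps the rule quiet for ordinary travel.
    """
    findings = []
    for s in anomalous_sign_ins(sign_ins, baseline):
        t0 = parse_ts(s["ts"])
        followups = [
            e for e in audit_events
            if e["user"] == s["user"]
            and e["action"] in PERSISTENCE_ACTIONS
            and t0 <= parse_ts(e["ts"]) <= t0 + window
        ]
        if followups:
            findings.append({
                "user": s["user"],
                "sign_in": s["ts"],
                "country": s["country"],
                "persistence": [e["action"] for e in followups],
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SIGN_INS, AUDIT_EVENTS, BASELINE):
        print(f"ALERT {f['user']}: sign-in from {f['country']} at {f['sign_in']} "
              f"followed by {', '.join(f['persistence'])}")
```

The baseline here is a static dictionary; in practice it would be computed from a trailing window of sign-in history, and the same join works for other "first seen" attributes such as device identifier or autonomous system.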
Trusted Tools
Collaboration and remote support tools featured prominently in the activity Field Effect investigated. The report cites Microsoft Teams, Zoom and Quick Assist as examples of legitimate services attackers abused as part of intrusion chains. Using these tools reduces the need for custom malware early in an attack and can make activity appear routine to employees.
Investigators described multiple campaigns in which threat actors used enterprise tools for initial access. One campaign, tracked since September 2025, involved attackers impersonating internal IT help desks. They created new Microsoft 365 tenants and contacted employees through Microsoft Teams voice phishing calls.
According to the report, the callers tried to persuade employees to grant remote access through Quick Assist. Once access was established, the attackers ran PowerShell-based tools to enumerate privileges and deploy additional malware.
Field Effect linked these intrusions to follow-on activity including credential harvesting and lateral movement across networks. Ransomware deployment also appeared in incidents that began with identity compromise and abuse of trusted platforms.
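The help-desk impersonation chain above (Quick Assist session, then PowerShell-based privilege enumeration on the same machine) gives a detection team a concrete sequence to look for in endpoint process-creation telemetry. The Python below is an added example, not code from Field Effect or from the report. The events, host names and field names are constructed; the Quick Assist executable name, the 15-minute window, the enumeration keywords and the idea of suppressing hosts with an open support ticket are all assumptions made for the example.

```python
from datetime import datetime, timedelta
from typing import FrozenSet, List

# Constructed endpoint process-creation events (not real telemetry). Field names
# are assumptions; "QuickAssist.exe" is the assumed image name of the Quick Assist client.
EVENTS: List[dict] = [
    {"ts": "2025-10-14T13:02:10", "host": "WS-17", "user": "jdoe",
     "image": "QuickAssist.exe", "cmdline": "QuickAssist.exe"},
    {"ts": "2025-10-14T13:06:45", "host": "WS-17", "user": "jdoe",
     "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile whoami /all"},
    {"ts": "2025-10-14T13:07:30", "host": "WS-17", "user": "jdoe",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-LocalGroupMember Administrators"},
    # Quick Assist then PowerShell much later: outside the window, no alert.
    {"ts": "2025-10-14T15:20:00", "host": "WS-22", "user": "mlee",
     "image": "QuickAssist.exe", "cmdline": "QuickAssist.exe"},
    {"ts": "2025-10-14T16:45:00", "host": "WS-22", "user": "mlee",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
    # Same sequence on a host with an approved support session: suppressed.
    {"ts": "2025-10-14T09:00:00", "host": "WS-03", "user": "pkaur",
     "image": "QuickAssist.exe", "cmdline": "QuickAssist.exe"},
    {"ts": "2025-10-14T09:03:00", "host": "WS-03", "user": "pkaur",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-LocalGroupMember Administrators"},
]

# Hosts with an open, verified help-desk ticket (constructed; would come from the ticketing system).
APPROVED_REMOTE_SUPPORT_HOSTS: FrozenSet[str] = frozenset({"WS-03"})

# Heuristic command-line fragments associated with privilege/group enumeration (assumed list).
ENUM_TOKENS = ("whoami", "get-localgroupmember", "net localgroup")


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def quick_assist_followed_by_powershell(events: List[dict],
                                        window: timedelta = timedelta(minutes=15),
                                        approved_hosts: FrozenSet[str] = frozenset()) -> List[dict]:
    """Flag hosts where PowerShell starts within `window` of a Quick Assist session start.

    Severity is raised to "high" when any PowerShell command line contains an
    enumeration token; otherwise the finding is "medium" and worth a triage glance.
    """
    evs = sorted(events, key=lambda e: e["ts"])
    findings = []
    for qa in (e for e in evs if e["image"].lower() == "quickassist.exe"):
        if qa["host"] in approved_hosts:
            continue  # a verified support session explains the remote-control tool
        t0 = parse_ts(qa["ts"])
        ps = [
            e for e in evs
            if e["host"] == qa["host"]
            and e["image"].lower() == "powershell.exe"
            and t0 <= parse_ts(e["ts"]) <= t0 + window
        ]
        if not ps:
            continue
        enum_hit = any(tok in e["cmdline"].lower() for e in ps for tok in ENUM_TOKENS)
        findings.append({
            "host": qa["host"],
            "user": qa["user"],
            "quick_assist_start": qa["ts"],
            "powershell": [e["cmdline"] for e in ps],
            "severity": "high" if enum_hit else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in quick_assist_followed_by_powershell(EVENTS, approved_hosts=APPROVED_REMOTE_SUPPORT_HOSTS):
        print(f"[{f['severity']}] {f['host']} ({f['user']}): Quick Assist at {f['quick_assist_start']}, "
              f"then {len(f['powershell'])} PowerShell process(es)")
```

The ticket-based suppression matters because the lure is precisely that the caller claims to be internal IT: a remote-support session that no ticket can vouch for is the thing to escalate, not Quick Assist usage in general.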
AI In The Loop
Field Effect said generative AI played a growing operational role in cybercrime during 2025. The report points to AI use in producing phishing content, automating reconnaissance and testing exploit code more efficiently. It frames AI as changing the pace and scale of existing activity rather than introducing entirely new methods.
"AI did not necessarily introduce entirely new attack techniques," said Fischl. "What it did was dramatically accelerate the ones attackers were already using, making them faster and easier to scale."
The report's focus on identity and social engineering reflects broader industry concerns about security controls when attackers use legitimate accounts. It also highlights the risks created when widely used workplace tools become part of an attack path.
Edge Exposure
While identity compromise led the findings, the report also describes continued attacks on edge infrastructure such as VPN appliances, firewalls and routers. These systems remain internet-exposed in many organisations and often sit on the path into internal networks.
One campaign cited involved SonicWall SSL VPN appliances. Field Effect said attackers reused previously exposed credentials to authenticate into high-privilege systems. In several cases, those credentials were later leveraged by Akira ransomware operators.
The report says this pattern shows how credential reuse, delayed patching and exposed edge systems can combine to give attackers access that bypasses controls focused on vulnerability exploitation alone.
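The three factors named above (credentials reused after an exposure, an appliance behind on updates, and that appliance being reachable from the internet) can be joined into one exposure check that a defender runs before an attacker does. The Python below is an added example, not code from Field Effect or from the report; the appliance inventory, account list, exposure dates and the required firmware date are all constructed values, and the priority ladder is an assumption for the example.

```python
from datetime import date
from typing import Dict, List

# Constructed edge-device inventory (not from the report). Field names are assumptions.
VPN_APPLIANCES: List[dict] = [
    {"name": "vpn-edge-1", "internet_exposed": True,  "firmware_date": date(2024, 11, 2)},
    {"name": "vpn-lab",    "internet_exposed": False, "firmware_date": date(2024, 6, 1)},
]
# Assumed: build date of the oldest vendor release the organisation still accepts.
MIN_FIRMWARE_DATE = date(2025, 3, 1)

# Accounts allowed to authenticate to the VPN, with password-change date and MFA status (constructed).
VPN_ACCOUNTS: List[dict] = [
    {"user": "admin-ops", "password_last_set": date(2024, 1, 15), "mfa": False, "privileged": True},
    {"user": "jsmith",    "password_last_set": date(2025, 8, 20), "mfa": True,  "privileged": False},
    {"user": "rwong",     "password_last_set": date(2024, 3, 9),  "mfa": True,  "privileged": False},
]
# Accounts that appeared in a credential exposure, keyed to the date it became known (constructed).
EXPOSED_CREDENTIALS: Dict[str, date] = {
    "admin-ops": date(2024, 5, 1),
    "jsmith": date(2024, 5, 1),
    "rwong": date(2024, 5, 1),
}


def credential_findings(accounts: List[dict], exposed: Dict[str, date]) -> List[dict]:
    """Accounts whose password has not been changed since their credentials were exposed."""
    out = []
    for a in accounts:
        known = exposed.get(a["user"])
        if known is not None and a["password_last_set"] < known:
            out.append({"user": a["user"], "mfa": a["mfa"], "privileged": a["privileged"]})
    return out


def appliance_findings(appliances: List[dict], min_date: date = MIN_FIRMWARE_DATE) -> List[dict]:
    """Internet-exposed appliances running firmware older than the accepted baseline."""
    return [ap for ap in appliances if ap["internet_exposed"] and ap["firmware_date"] < min_date]


def combined_risk(accounts: List[dict], exposed: Dict[str, date],
                  appliances: List[dict]) -> Dict[str, str]:
    """Rank each still-valid exposed credential by how much the edge estate amplifies it.

    critical: privileged, no MFA, and an exposed unpatched appliance to use it against
    high:     no MFA (a reused password alone is enough to log in)
    medium:   MFA enrolled, but the password should still be rotated
    """
    edge_weak = bool(appliance_findings(appliances))
    ranking: Dict[str, str] = {}
    for c in credential_findings(accounts, exposed):
        if c["privileged"] and not c["mfa"] and edge_weak:
            ranking[c["user"]] = "critical"
        elif not c["mfa"]:
            ranking[c["user"]] = "high"
        else:
            ranking[c["user"]] = "medium"
    return ranking


if __name__ == "__main__":
    for ap in appliance_findings(VPN_APPLIANCES):
        print(f"appliance {ap['name']}: exposed and firmware dated {ap['firmware_date']}")
    for user, prio in combined_risk(VPN_ACCOUNTS, EXPOSED_CREDENTIALS, VPN_APPLIANCES).items():
        print(f"{prio}: rotate credentials for {user}")
```

The check deliberately needs no plaintext passwords: the exposure date versus the password-change date is enough to decide whether a leaked credential can still be reused, which is the condition the report describes.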
Motives Converge
Field Effect also describes a threat landscape shaped by geopolitical tensions. The report says state-aligned actors intensified espionage and access operations during 2025, while ransomware groups and hacktivists increasingly targeted critical infrastructure and public sector organisations.
It argues that overlaps in tactics and infrastructure are becoming more common across different types of threat actor, driven by a mix of financial, political and strategic objectives.
"Organisations cannot control an attacker's intent or capabilities," said Fischl. "But they can reduce the opportunities attackers rely on by strengthening identity security, improving visibility across their environments and addressing exposed infrastructure."