Threat Intel: Attackers Exploit Identity Systems and MFA to Gain Trusted Access Across Enterprises
What Happened — Attackers are increasingly targeting identity platforms and MFA workflows to obtain high‑trust credentials, then leveraging internal phishing, over‑permissioned AI agents, and credential reuse to move laterally and remain hidden. The Talos Threat Perspective video outlines the 2025 TTPs that enable this “trusted‑user” abuse.
Why It Matters for TPRM —
- Compromised identity assets turn a third‑party vendor into a direct conduit for enterprise breach.
- MFA bypass and privilege escalation through over‑permissioned AI agents broaden the attack surface that supply‑chain partners expose.
- Detecting trusted‑user abuse requires continuous verification of vendor access controls and least‑privilege enforcement.
Who Is Affected — Enterprises in any industry that rely on IAM solutions, MFA providers, and AI‑enabled automation platforms.
Recommended Actions — Review IAM vendor security posture; enforce least privilege and harden MFA (phishing‑resistant factors where possible, and limits on repeated push prompts so that prompt fatigue cannot be used to wear a user down); audit AI agent and service‑principal permissions for scopes beyond their documented task; and implement continuous monitoring for anomalous privileged activity, especially privileged changes made shortly after an unusual MFA approval.
Technical Notes — Attack vectors include internal phishing, credential theft, exploitation of misconfigured MFA APIs, and abuse of AI agents with excessive scopes. No specific CVE is cited; the focus is on tactics, techniques, and procedures (TTPs). Source: https://blog.talosintelligence.com/video-the-ttp-ep-21-when-attackers-become-trusted-users/