JH← Back to blog

Attackers Stopped Breaking In. Now They Just Log In.

Identity has replaced the network perimeter as the primary attack surface in 2026. Here's how session and credential theft actually work, and what a real defense looks like.


91% of successful breaches still start with phishing. That number hasn't moved much in years, and it's a little misleading, because what happens after the phishing email is what's actually changed. Attackers used to phish for a password. Now they phish for a session token — and a session token that's already survived MFA is worth far more to them than a password ever was.

Why stealing a session beats stealing a password

Multi-factor authentication made password theft alone less useful, so attackers moved a step later in the process. Instead of stealing credentials, they steal the session token or cookie that gets created after authentication already succeeded — usually through malware, a malicious browser extension, or an adversary-in-the-middle phishing page that captures a live session. Once they have that token, MFA is irrelevant. It already did its job for that session, and the attacker just inherits it.

This is why identity-based attacks are so hard to catch with the security tooling most teams already run. That tooling was built to spot malware signatures and network intrusions. An attacker holding a valid session token doesn't look like an intrusion — they look like an employee doing their job, because as far as the system is concerned, they are.

Federated identity turns one compromise into many

Single sign-on across dozens of connected apps is a genuine productivity win, and it's also a blast-radius multiplier. One compromised identity-provider credential or token can potentially unlock every SaaS application connected to it. The convenience that made federated identity worth adopting is the same property that makes a single compromise so expensive.

The same logic extends past your own employees. Third-party and supply chain breaches have roughly quadrupled over the past five years, and a large share trace back to compromised vendor credentials or access that was broader than the engagement actually required. Every integration with standing access to your systems is part of your identity attack surface whether you think of it that way or not.

What actually reduces this risk

Don't treat login as a one-time gate. The more durable model checks signals — device posture, location, behavior — throughout a session, and forces re-authentication when something changes mid-session rather than trusting the original login indefinitely.

Shorten how long a session token stays valid, and bind it to a specific device where you can. A stolen token that expires in twenty minutes is worth a lot less to an attacker than one that's good for two weeks.

Audit third-party access on a real schedule, not just at contract signing, and default to less access than feels comfortable rather than more "just in case." Most vendor access grants outlive the reason they were given in the first place.

Watch for anomalous behavior from sessions that are already authenticated, not just failed login attempts. A login failure is the easy case — the sessions that matter are the ones that got in cleanly and are now doing something a normal user wouldn't.

The question worth asking your security team this week

How long can a stolen session token stay valid before your systems catch it on their own? If nobody can answer that quickly, that's the actual gap — not your MFA coverage, which is probably fine already. Start the access review with your highest-risk third-party integrations, since that's where the standing-access problem is usually worst and least monitored.