By Randy Ferguson
Cybersecurity in 2026 is defined by a quiet but profound shift: the collapse of trust in identity as a security boundary. For decades, enterprise defense strategies were built on a simple premise: keep attackers out, and trust what gets in. That model is no longer holding.
The compromise of Telus in early 2023 didn’t announce itself with cinematic flair. There was no scrolling green text, no dramatic shutdown, no ransom note splashed across employee screens. Instead, it was something quieter and far more instructive. It was a case of credential abuse.
When the threat actor group ShinyHunters surfaced on a data leak forum claiming access to employee data and private source code, it forced a difficult realization across the industry: the attackers didn’t break in. They logged in. They didn’t bypass the locks; they used valid keys.
Subsequent coverage by BleepingComputer points to a pattern that has become increasingly common: attackers leveraging legitimate access pathways rather than exploiting traditional perimeter weaknesses.
Telus is not a soft target. As a global telecommunications provider, it operates critical infrastructure for millions of users and enterprise clients. This was not a failure of budget or tooling; it was a failure of assumption. Specifically, the assumption that identity is a reliable proxy for trust.
The Telus incident reflects a broader structural shift in cyber risk. We are moving from the era of exploits to the era of accounts.
The Identity Gap: When Your Perimeter Becomes a Ghost
Across industries, recent incidents are converging on the same uncomfortable conclusion. Whether through credential theft, session hijacking, or social engineering, attackers are no longer forcing their way past defenses; they are inheriting trust. High-profile breaches involving cloud platforms, service providers, and enterprise identity systems show a consistent pattern: access is rarely “hacked” in the traditional sense. It is obtained, replayed, or manipulated.
This shift undermines decades of security investment focused on external threats. The perimeter is still there, but it is no longer where the battle is decided.
This creates what can be described as the “Identity Gap.” Most enterprise security models still assume that identity validated through passwords and multi-factor authentication represents trust. In practice, that assumption is increasingly unreliable.
According to CrowdStrike’s 2024 Global Threat Report, a significant majority of successful breaches now involve the abuse of valid credentials. The ecosystem supporting this trend, particularly infostealer malware and underground markets for session tokens, has matured to the point where access can be purchased rather than engineered.
By leveraging valid credentials, attackers demonstrated a harsh reality: even the most advanced perimeter defenses are ineffective when malicious activity is indistinguishable from legitimate use. This form of “credentialed stealth” allows intruders to persist quietly, often for extended periods, while traditional detection systems wait for signals that never appear.
As Fritz Jean-Louis of Info-Tech Research Group has observed, “Attackers no longer need to break in if they can blend in.” When adversaries operate using legitimate session tokens, they often bypass anomaly detection entirely. To monitoring systems, they are not intruders but rather the users.
This is not a failure of any single control, but a systemic issue. Security investments have overwhelmingly focused on strengthening the perimeter, while the mechanisms that define “who is trusted” inside that perimeter have remained comparatively static. The result is an environment where authenticated access is often treated as proof of legitimacy even when it shouldn’t be.
The Extortion Evolution: Why Backups No Longer Save You
For years, ransomware defense centered on backup and recovery. That strategy remains necessary, but it is no longer sufficient.
Modern threat actors have shifted toward “pure extortion” models, prioritizing data exfiltration over encryption. Groups such as CL0P have demonstrated that operational disruption is optional when data exposure alone provides leverage.
The MOVEit Transfer incident exemplifies this approach. Attackers exploited a vulnerability to extract data from numerous organizations simultaneously, without deploying ransomware. The impact stemmed not from downtime, but from the threat of disclosure.
This distinction matters. Systems can be restored; leaked data cannot be retrieved. Once sensitive information leaves the environment, the risk becomes persistent and largely irreversible.
The Infrastructure Fallacy and Concentration Risk
Cloud adoption has improved infrastructure security, but it has also introduced new forms of systemic risk.
One of the most significant is concentration risk: the aggregation of sensitive data and access within a small number of platforms and providers. A single point of failure can now have cascading, multi-organization consequences.
The Snowflake-related credential abuse campaigns, which affected organizations including Ticketmaster and AT&T, highlight this dynamic. In many cases, the issue was not a platform vulnerability but gaps in identity controls, such as the absence of enforced multi-factor authentication.
This reflects a broader “shared responsibility” disconnect. Organizations often assume the platform secures access, while providers assume customers will secure identity. Attackers exploit that gap.
The Human Layer: Vishing and Shadow AI
The most effective attacks today often target people, not systems.
The Scattered Spider campaigns against MGM Resorts and Caesars Entertainment illustrate this evolution clearly. The initial access vector was not a software vulnerability, but a social engineering call to a help desk. By manipulating identity recovery processes, attackers gained legitimate access and then used internal tools to disrupt operations at scale.
In these environments, internal tools can become attack accelerators. Utilities designed to locate secrets or automate workflows can be repurposed by adversaries to map and extract sensitive data at scale.
Vishing—voice-based social engineering—has evolved significantly. Attackers now use real-time impersonation and, in some cases, synthetic media to establish credibility. A widely reported 2024 case involved a finance employee transferring millions after participating in a video call they believed included senior executives.
At the same time, organizations face a quieter risk: “Shadow AI.” Employees, seeking efficiency, may input proprietary data into public AI tools without understanding the exposure. This creates an unmonitored channel for sensitive information to leave the organization.
Unlike traditional breaches, this does not require exploitation. It relies on convenience and the absence of clear governance.
The Supply Chain as a Force Multiplier
Modern enterprises operate within complex ecosystems of vendors, APIs, and service providers. This interconnectedness amplifies both capability and risk.
Attackers increasingly target third-party providers to achieve “one-to-many” impact. A compromise at a managed service provider or business partner can provide indirect access to multiple downstream organizations.
Frameworks such as NIST’s Supply Chain Risk Management (S-CRM) emphasize that security boundaries no longer align with organizational boundaries. Trust must be continuously validated, not assumed based on partnerships.
The Defensive Pivot: Moving Beyond the Lock
If stronger perimeters are no longer sufficient, the defensive model must evolve.
Continuous Threat Exposure Management (CTEM) offers a more adaptive approach, focusing on validation, visibility, and response rather than static prevention.
- Phishing-Resistant Identity (FIDO2): Hardware-backed authentication reduces the effectiveness of credential theft and session hijacking.
- Behavioral Guardrails: Monitoring access patterns and enforcing thresholds can help detect misuse even when credentials are valid.
- Micro-Segmentation: Limiting lateral movement ensures that a single compromised account does not translate into full environment access.
- AI Governance: Clear policies and technical controls are needed to manage how organizational data interacts with external AI systems.
The Architecture of Disbelief
The defining security principle going forward is uncomfortable but necessary: authenticated does not mean legitimate.
Telus had enterprise-grade infrastructure. MGM had monitoring. In both cases, the challenge was not visibility of external threats, but recognition of internal misuse.
Effective security now depends on institutional skepticism and the ability to question whether normal-looking behavior is, in fact, normal.
Success will not be measured by how many attackers are kept out, but by how quickly organizations can identify the one who is already inside and operating with valid credentials, trusted access, and no obvious signal of intrusion.
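The Behavioral Guardrails item in the Defensive Pivot list describes detecting misuse when the credentials themselves are valid. As an added example (not code from the article or from any vendor), the Python below runs two such checks over a constructed access log: a session token reappearing from a client fingerprint it was never issued to, and a per-user threshold on distinct resources touched within a short window. The log format, field names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample access log (not from the article); every request carries a VALID
# session token, so password and MFA checks already passed. Fields are assumptions.
LOG = [
    "2026-02-10T09:00:00 user=jdoe sid=S1 ip=203.0.113.10 ua=Chrome res=/mail/inbox",
    "2026-02-10T09:04:00 user=jdoe sid=S1 ip=203.0.113.10 ua=Chrome res=/mail/inbox",
    # Same session id, now from a different network and a scripted client:
    "2026-02-10T09:06:00 user=jdoe sid=S1 ip=198.51.100.7 ua=python-requests res=/repo/list",
    "2026-02-10T09:06:10 user=jdoe sid=S1 ip=198.51.100.7 ua=python-requests res=/repo/a",
    "2026-02-10T09:06:30 user=jdoe sid=S1 ip=198.51.100.7 ua=python-requests res=/repo/c",
    "2026-02-10T09:06:50 user=jdoe sid=S1 ip=198.51.100.7 ua=python-requests res=/secrets/scan",
    "2026-02-10T09:07:00 user=asmith sid=S2 ip=203.0.113.22 ua=Chrome res=/mail/inbox",
]

def parse(line):
    """Turn one 'key=value' log line into a dict with a datetime timestamp."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def session_replay_alerts(events):
    """One alert per session token seen from an (ip, user-agent) pair it never used before."""
    seen, alerts = defaultdict(set), []
    for ev in events:
        fp = (ev["ip"], ev["ua"])
        if seen[ev["sid"]] and fp not in seen[ev["sid"]]:
            alerts.append(("session_replay", ev["user"], ev["sid"], ev["ip"], ev["ua"]))
        seen[ev["sid"]].add(fp)
    return alerts

def volume_alerts(events, window=timedelta(minutes=5), max_distinct=4):
    """Threshold guardrail: flag a user once when they touch more than max_distinct distinct resources inside a sliding window."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for ev in events:
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["res"]))
        while ev["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) > max_distinct and ev["user"] not in fired:
            fired.add(ev["user"])
            alerts.append(("volume", ev["user"], len(distinct)))
    return alerts

def analyze(lines):
    """Run both detectors over raw log lines, oldest first, and return all alerts."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    return session_replay_alerts(events) + volume_alerts(events)
```

Neither check consults the password or MFA result; both key off what the authenticated session does after login, which is the only signal left when the credentials are genuine.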




