Newsletter Article

THREAT SPOTLIGHT: THEY DIDN’T BREAK IN. THEY LOGGED IN.

If there is one theme that has defined the biggest breaches of 2026 so far, it isn’t a novel exploit. It’s identity.

Snare Insider Newsletter Series Article

Make sure you Subscribe

If there is one theme that has defined the biggest breaches of 2026 so far, it isn’t a novel exploit. It’s identity.

A sustained wave of SaaS and CRM extortion activity through May and June 2026, widely attributed to actors operating in the ShinyHunters ecosystem, hit platforms including Salesforce and Microsoft 365 tenancies, not through a technical intrusion, but through a phished single sign-on token, a talked-out help-desk reset, or access quietly inherited through a third-party vendor.

Separately, KDDI and five other Japanese ISPs (STNet, JCOM, Chubu Telecommunications, and BIGLOBE among them) disclosed on 17 June 2026 that a vulnerability in third-party software had exposed a database affecting up to 14.22 million current and former customer accounts.

Several high-profile ransomware and extortion incidents through Q2 2026 have traced back to a single compromised account or integration rather than a software flaw.

The common denominator: for a period of time, the attacker looked like a legitimate user.

In MITRE ATT&CK terms, this is Valid Accounts (T1078) at scale, credential theft and abuse rather than exploitation, and it is precisely the technique class that signature- and vulnerability-focused tooling is weakest against. Catching it requires the right logs, retained for long enough, correlated well enough to notice.

What this means for log management

Detecting identity-based compromise depends on evidence that many organisations either don’t collect or don’t retain long enough:

  • Authentication, SSO and MFA challenge/response events across every identity provider
  • Conditional access decisions and step-up authentication outcomes
  • SaaS and CRM administrative activity, permission changes, bulk exports, DLP events, not only infrastructure logs
  • Service account and API token usage, especially first-use and anomalous-location patterns
  • Privileged access and just-in-time elevation events
  • Vendor and third-party integration activity

Identity logging checklist

☐ Centrally collect authentication, SSO and MFA events across all identity providers
☐ Log SaaS/CRM administrative and bulk-export activity, not only infrastructure logs
☐ Monitor service accounts and API tokens for anomalous first-use or geographic patterns
☐ Correlate privileged account activity with new account, service or permission creation
☐ Extend logging obligations into vendor and third-party access, not only internal systems
☐ Retain identity evidence long enough to reconstruct a slow-building compromise

The Snare perspective

Identity-based compromise is a correlation problem, not a collection problem for most organisations, the logs often exist, scattered across identity providers, SaaS platforms and endpoints, but nobody is asking the right cross-source question in time. This is precisely the gap AskSnare is built to close.

Snare Solutions
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.