The Login Was the Breach
Security Boulevard, Tuesday, June 9th, 2026
Identity-driven attacks increasingly begin with a legitimate login using stolen valid credentials rather than an exploit chain.
For years, Active Directory breaches were associated with exploit chains, malware, lateral movement, and ransomware, assuming attackers first had to break through controls.
That is no longer how many identity-driven attacks begin. Increasingly the first sign of compromise is a successful login using valid credentials stolen earlier via infostealer malware and later sold, traded, or exposed on underground marketplaces.
From the identity layer's perspective everything appears legitimate, which the article calls the 'no-breach' breach problem. The piece is syndicated on Security Boulevard from Enzoic's blog.