2026 MSP Threat Report Summary

The era of the “break-in” is over. Attackers are now leveraging valid credentials and session tokens to bypass traditional perimeters. The latest telemetry from Guardz highlights a shift toward quiet, identity-driven campaigns.

  • 89%: SMBs with confirmed credential compromise
  • 2,000%: Spike in Google Workspace OAuth abuse
  • 25:1: Non-human to human identity ratio

The Evolution of Stealth: BEC 3.0

Attackers are moving away from loud malware and toward “living-off-the-land” techniques. By monitoring legitimate email threads for weeks, adversaries use AI-generated voice and context-aware messaging to authorize fraudulent transactions without ever triggering a security flag.

 

RMM: The New Command & Control

RMM tool abuse now accounts for 26.2% of all endpoint threats. By exploiting legitimate tools like ScreenConnect and NinjaRMM, attackers create encrypted channels that are indistinguishable from authorized MSP traffic.

 

Immediate Operational Priorities

  • Phishing-Resistant MFA: Standardize on FIDO2/Passkeys to prevent session hijacking.
  • OAuth Governance: Audit application grants and enforce admin-level approval requirements.
  • Behavioral Monitoring: Monitor inbox rules and non-human identity patterns in real time.
  • Kill Legacy Auth: Disable outdated protocols via Conditional Access to prevent MFA bypass.

Download the full 2026 State of MSP Threat Report