Identity Attack Trends in May 2026: Where Defenders Are Actually Losing


Identity-based attacks have been the dominant initial access vector for enterprise compromises for several years. The 2025 breach reports continued the pattern, and the first quarter of 2026 has done the same. Defensive investment in identity controls has been substantial, yet in specific areas the attackers have continued to evolve faster than the defenders.

This is a working analysis of where the defensive picture sits in May 2026, drawn from incident response activity, public reporting on significant breaches, and conversations with security leaders across financial services, government, healthcare, and the broader enterprise market.

The high-level picture

Identity attacks span a broad set of techniques: credential phishing, credential stuffing, session token theft, multi-factor authentication bypass, help desk social engineering, and OAuth and SSO abuse. Each of these has its own evolution and its own defensive picture.

The aggregate trend across 2025-26 has been continued growth in identity attacks against enterprise targets, with the composition shifting toward more sophisticated techniques. Simple credential phishing has not disappeared, but it accounts for a smaller share of significant incidents; session token theft, MFA bypass by various means, and deep social engineering are more prominent.

The cumulative effect is that the average identity attack against an enterprise target in 2026 is harder to detect and harder to defend against than the average attack of three years ago.

MFA bypass is the live front

The defensive layer most under attack is multi-factor authentication. The investment in MFA over the past several years has been substantial. The attackers have responded by developing reliable MFA bypass techniques for the most common implementations.

The bypass categories that are working in 2026 include MFA fatigue (repeated push prompts until the user approves one; this only works where approval is a single tap with no number matching), phishing kits that proxy the real login page, relay the credential and MFA response in real time, and keep the session cookie the IdP issues, social engineering of help desks into resetting MFA, and SIM swap attacks against SMS-based MFA. Each of these has been seen in significant breaches in the past twelve months.

The defensive response has been to upgrade from weaker MFA factors to phishing-resistant MFA: FIDO2 hardware security keys, platform authenticators (passkeys) with attestation, and similar. These bind the credential to the origin it was registered for, so a proxied phishing page receives no usable response. Deployment of phishing-resistant MFA has been growing, but unevenly. Many organisations still rely on push-based or SMS-based MFA for some user populations.

The pattern that is emerging is that organisations with comprehensive deployment of phishing-resistant MFA across all users, including admin and privileged users, have substantially better outcomes than organisations with mixed deployments. A mixed deployment leaves the weaker factors exposed to exactly the bypasses above, while consuming the budget that might have funded a comprehensive upgrade.
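The MFA fatigue pattern above is one of the few bypasses that is cheap to detect from IdP telemetry alone: a burst of denied or timed-out push prompts for one user, with or without an approval at the end. The following detector is an added example written for this page, not code from the original article or from any IdP vendor. The event records and their field names (ts, user, event, src_ip) are constructed sample data, and the window and threshold values are assumptions to tune against your own prompt volumes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of push-MFA events, not real telemetry. The field names
# are assumptions; map your IdP's sign-in export onto them.
SAMPLE_EVENTS = [
    {"ts": "2026-05-04T08:01:10Z", "user": "alice", "event": "push_denied",   "src_ip": "203.0.113.7"},
    {"ts": "2026-05-04T08:01:45Z", "user": "alice", "event": "push_timeout",  "src_ip": "203.0.113.7"},
    {"ts": "2026-05-04T08:02:30Z", "user": "alice", "event": "push_denied",   "src_ip": "203.0.113.7"},
    {"ts": "2026-05-04T08:03:05Z", "user": "alice", "event": "push_denied",   "src_ip": "203.0.113.7"},
    {"ts": "2026-05-04T08:04:00Z", "user": "alice", "event": "push_approved", "src_ip": "203.0.113.7"},
    {"ts": "2026-05-04T08:10:00Z", "user": "bob",   "event": "push_denied",   "src_ip": "198.51.100.9"},
    {"ts": "2026-05-04T09:30:00Z", "user": "bob",   "event": "push_approved", "src_ip": "198.51.100.9"},
    {"ts": "2026-05-04T11:00:00Z", "user": "carol", "event": "push_timeout",  "src_ip": "192.0.2.44"},
    {"ts": "2026-05-04T11:00:40Z", "user": "carol", "event": "push_denied",   "src_ip": "192.0.2.44"},
    {"ts": "2026-05-04T11:01:20Z", "user": "carol", "event": "push_denied",   "src_ip": "192.0.2.44"},
    {"ts": "2026-05-04T11:02:00Z", "user": "carol", "event": "push_denied",   "src_ip": "192.0.2.44"},
]

NOT_APPROVED = {"push_denied", "push_timeout"}


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_fatigue(events, window_s=600, threshold=3):
    """Return one finding per user whose unapproved push prompts reach
    `threshold` inside a sliding window of `window_s` seconds.

    severity 'medium': the burst is still open (alert while the user is
                       still declining, so the SOC can reach them first)
    severity 'high':   an approval followed the burst; treat the resulting
                       session as attacker-controlled and revoke it
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts in window
    alerted = set()               # users already carrying an open 'medium' finding
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = _parse_ts(ev["ts"]), ev["user"]
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts that fell out of the window
            q.popleft()
        if ev["event"] in NOT_APPROVED:
            q.append(ts)
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                findings.append({"user": user, "severity": "medium",
                                 "unapproved_in_window": len(q),
                                 "at": ev["ts"], "src_ip": ev["src_ip"]})
        elif ev["event"] == "push_approved":
            if len(q) >= threshold:
                findings.append({"user": user, "severity": "high",
                                 "unapproved_in_window": len(q),
                                 "at": ev["ts"], "src_ip": ev["src_ip"]})
            # An approval closes the burst either way; a lone earlier denial
            # outside the window (bob) is ordinary user behaviour, not fatigue.
            q.clear()
            alerted.discard(user)
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f)
```

On the sample data this produces three findings: alice gets a medium alert at the third denial and a high alert when she finally approves, carol gets a medium alert for an open burst, and bob's single denial an hour before a normal approval produces nothing. The source IP is carried on each finding because a prompt storm from an address that is not the user's usual network is the quickest way to confirm it is not a stuck client.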

Session token theft is the growing concern

Session token theft has emerged as a significant attack technique through 2024-26. The attack bypasses MFA entirely by stealing the post-authentication session token from the victim's browser or endpoint, typically via infostealer malware on the device or an adversary-in-the-middle phishing kit that captures the cookie as the IdP issues it. The attacker then presents the stolen token to the application as the victim without needing to repeat authentication.

The defensive picture for session theft is messier than for credential theft. The token is, by design, evidence of successful authentication. Detecting that a token is being used by someone other than the original user requires defensive capability that many organisations don’t have well-developed.

Some specific defensive techniques are gaining traction. Binding tokens to the device that authenticated, so that a copied token fails when presented from anywhere else. Continuous authentication signals (source network, client fingerprint, device posture) that detect anomalous token use. Short session lifetimes and re-authentication for sensitive applications. None of these is a complete defence; in combination they raise the bar.

The organisations that have invested in detection of anomalous session use are catching token theft incidents that would otherwise go undetected. The organisations that haven’t are typically learning about token theft through downstream consequences — data exfiltration, fraudulent transactions, or notification from external sources.
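To make the "anomalous session use" detection concrete, here is an added example written for this page (not code from the original article or from any product) that replays constructed access-log records through the three signals the section names: a device-binding check, a client-context check, and a network-hop check. The record fields (sid, user, src_ip, ua, device_id), the IP-to-network-owner table standing in for an ASN or geo lookup, and the hop window are all assumptions; in a real deployment the device_id would be a device-bound session claim verified by the gateway rather than a logged string.

```python
from datetime import datetime, timezone

# Constructed sample access log, not real telemetry. Field names are assumptions.
SAMPLE_ACCESS_LOG = [
    # s-1001: genuine session that is suddenly replayed from a hosting provider
    {"ts": "2026-05-04T09:00:00Z", "sid": "s-1001", "user": "alice", "src_ip": "198.51.100.23", "ua": "Chrome/124 Windows", "device_id": "dev-a1"},
    {"ts": "2026-05-04T09:02:00Z", "sid": "s-1001", "user": "alice", "src_ip": "198.51.100.23", "ua": "Chrome/124 Windows", "device_id": "dev-a1"},
    {"ts": "2026-05-04T09:03:30Z", "sid": "s-1001", "user": "alice", "src_ip": "203.0.113.88",  "ua": "Chrome/124 Windows", "device_id": "dev-a1"},
    # s-2002: cookie lifted by an infostealer and used from a script with no device binding
    {"ts": "2026-05-04T10:00:00Z", "sid": "s-2002", "user": "bob",   "src_ip": "192.0.2.10",    "ua": "Firefox/126 macOS",   "device_id": "dev-b7"},
    {"ts": "2026-05-04T10:20:00Z", "sid": "s-2002", "user": "bob",   "src_ip": "192.0.2.10",    "ua": "python-requests/2.32", "device_id": None},
    # s-3003: benign roaming between addresses of the same corporate network
    {"ts": "2026-05-04T13:00:00Z", "sid": "s-3003", "user": "carol", "src_ip": "198.51.100.40", "ua": "Safari/17 macOS",     "device_id": "dev-c3"},
    {"ts": "2026-05-04T16:00:00Z", "sid": "s-3003", "user": "carol", "src_ip": "198.51.100.41", "ua": "Safari/17 macOS",     "device_id": "dev-c3"},
]

# Constructed stand-in for an ASN / geo enrichment source.
IP_OWNER = {
    "198.51.100.23": "corp-office", "198.51.100.40": "corp-office", "198.51.100.41": "corp-office",
    "203.0.113.88": "hosting-provider-x", "192.0.2.10": "home-isp-y",
}


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyse_sessions(records, hop_window_s=900):
    """Compare every use of a session token against the context captured when
    the token was first seen. Reasons a use can be flagged:
      device_mismatch - device_id differs from the bound device (hard fail)
      ua_change       - client user agent differs (token copied into another client)
      network_hop     - source network owner changed within hop_window_s seconds
    A device mismatch recommends immediate revocation; the softer signals
    recommend a step-up challenge so that ordinary roaming is not punished.
    """
    baseline, last_seen, findings = {}, {}, []
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts, sid = _parse_ts(rec["ts"]), rec["sid"]
        owner = IP_OWNER.get(rec["src_ip"], "unknown")
        if sid not in baseline:                      # first sight: record issuing context
            baseline[sid] = {"device_id": rec["device_id"], "ua": rec["ua"]}
            last_seen[sid] = (ts, owner)
            continue
        base, (prev_ts, prev_owner) = baseline[sid], last_seen[sid]
        reasons = []
        if rec["device_id"] != base["device_id"]:
            reasons.append("device_mismatch")
        if rec["ua"] != base["ua"]:
            reasons.append("ua_change")
        if owner != prev_owner and (ts - prev_ts).total_seconds() <= hop_window_s:
            reasons.append("network_hop")
        if reasons:
            findings.append({"sid": sid, "user": rec["user"], "at": rec["ts"],
                             "src_ip": rec["src_ip"], "reasons": reasons,
                             "action": "revoke" if "device_mismatch" in reasons else "step_up"})
        last_seen[sid] = (ts, owner)
    return findings


if __name__ == "__main__":
    for f in analyse_sessions(SAMPLE_ACCESS_LOG):
        print(f)
```

Two of the three sessions are flagged: alice's token jumping from the office network to a hosting provider within ninety seconds gets a step-up, and bob's token presented by a scripting client with no device binding is revoked outright. carol's move between two office addresses three hours apart is left alone, which is the point of keying the hop check on time and network owner rather than on raw IP change.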

Help desk attacks are the human gap

Social engineering of help desks has become a major attack technique. The attacker calls the help desk impersonating a real employee, claims to be unable to access their account, and convinces the help desk to reset credentials or MFA. The attack succeeds because help desk verification procedures are uneven and the attackers have invested in research that lets them sound convincing.

The defensive responses that work are operational rather than purely technical. Verification procedures that do not rely on information the attacker could have researched (employee number, manager name, address). A requirement for video or in-person verification for sensitive operations. Automated friction in the help desk workflow, such as a mandatory callback to a number already on file or a second approver, that prevents single-call resolution of critical changes.

The organisations that have implemented these procedures have seen meaningful reductions in help desk-mediated compromises. The organisations that haven’t continue to see them. The investment in process is unglamorous compared to security tooling but produces real results.

OAuth and SSO abuse

The shift toward SSO and OAuth-based application access has produced new attack categories. Users granting consent to malicious OAuth applications. SSO session hijacking. Identity provider abuse, where the IdP becomes the single point of failure for an entire estate.

The defensive picture for these attacks is still developing. Conditional access policies that restrict OAuth consent to admin-approved applications help significantly. Identity provider security posture needs to match the criticality of the IdP function: the same attention given to domain admin accounts should apply to identity provider admin accounts.

The recent breach reports include several incidents where the attacker compromised the identity provider and used that compromise to access the entire downstream estate. These incidents are particularly damaging because the trust model that SSO depends on means a compromised IdP affects everything that trusts it.

Where defenders are actually winning

Despite the difficulties, several defensive techniques have been consistently effective.

Aggressive disabling of legacy authentication protocols. The basic authentication paths in older protocols cannot enforce MFA, so password spraying and credential stuffing against them sidestep the MFA investment entirely. Organisations that have disabled them across their estate have closed off significant attack surface.

Comprehensive privileged access management for the highest-risk accounts. The discipline of just-in-time elevation, ephemeral credentials for admin functions, and tight monitoring of privileged sessions makes the high-value targets harder to compromise.

Strong endpoint detection paired with identity event correlation. The combination of endpoint visibility and identity visibility allows detection of compromise patterns that neither layer would catch alone.

Mature security operations capability that can investigate identity anomalies in time. Many of the breaches that have escalated have done so because the initial identity anomaly was not investigated in time. The organisations with mature SOC operations are catching these earlier.

What organisations should be doing

The practical priority list for organisations in 2026 is fairly clear.

Deploy phishing-resistant MFA across all users, especially privileged users. The cost is real. The protection is substantial.

Tighten help desk verification procedures. The process work is unglamorous but effective.

Invest in detection of anomalous session use. The baseline that distinguishes normal from anomalous session activity is enterprise-specific and takes time to develop. The investment is worthwhile.

Restrict OAuth consent and tighten identity provider security. The IdP is critical infrastructure and needs to be treated as such.

Build the security operations capability to investigate identity anomalies in time. Detection without response is not enough.

The organisations that have done these things have substantially better outcomes than the organisations that haven’t. The variance in defensive maturity across the enterprise market remains wide. The attackers know this and target accordingly.