Why Account Takeovers Are Rising and How to Stop Them


Organizations now manage thousands of human and non-human identities across cloud services, software-as-a-service applications, endpoints and remote environments. As hybrid working, Bring-Your-Own-Device (BYOD) and third-party access continue to expand, security teams are losing visibility over who has access to what and whether that access can be trusted.

Attackers are taking advantage of that complexity, as compromising an account is often faster and quieter than exploiting infrastructure vulnerabilities directly. For defenders, detecting malicious activity tied to a legitimate identity remains one of the biggest security challenges today.

So, what’s driving the rise in account takeover attacks, and how can organizations protect their identities?

Phishing the session, not the password

Credential abuse remains one of the most reliable ways for attackers to gain access to an organization, accounting for 22% of breaches in 2025. Attackers obtain usernames and passwords through infostealer malware, phishing campaigns or credential dumps from previous breaches.

While multi-factor authentication (MFA) is still one of the most important defenses against account compromise, attackers have adapted their tactics to target the authentication process itself.

One common technique is MFA fatigue, also known as prompt bombing. This involves repeatedly triggering MFA approval requests until the user eventually accepts one, usually out of frustration at the barrage of notifications they’re receiving.

A well-known example came in 2022, when attackers targeted an Uber employee with repeated MFA prompts until one was approved.

That initial access allowed the attackers to escalate privileges and move deeper into Uber’s environment, ultimately compromising large parts of its cloud infrastructure and exposing employee data.
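A defender-side illustration of the prompt-bombing pattern described above, added here and not part of the original article: a small detector that runs over constructed MFA push logs (not from any real identity provider) and flags a burst of denied or timed-out pushes, and separately an approval that follows such a burst. The log format, the ten-minute window and the threshold of three are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from the article or any real IdP).
# Fields: timestamp, user, result of the push prompt.
SAMPLE_LOG = """\
2025-01-14T02:10:05Z alice DENIED
2025-01-14T02:10:41Z alice TIMEOUT
2025-01-14T02:11:12Z alice DENIED
2025-01-14T02:11:50Z alice TIMEOUT
2025-01-14T02:12:33Z alice DENIED
2025-01-14T02:13:07Z alice APPROVED
2025-01-14T09:00:02Z bob APPROVED
2025-01-14T09:30:15Z bob DENIED
2025-01-14T09:31:00Z bob APPROVED
"""

def parse_line(line):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Two alert kinds per user:
    - 'burst': at least `threshold` denied/timed-out pushes inside `window`
      (the user is being bombarded, even if nothing has been approved yet);
    - 'approved_after_burst': an APPROVED push that follows such a burst,
      the point at which the account should be treated as compromised.
    Returns a list of (kind, user, timestamp, count) tuples."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            by_user[user].append((ts, result))

    alerts = []
    for user, events in by_user.items():
        pending = []          # rejected pushes since the last approval
        burst_raised = False  # raise 'burst' once per run of rejections
        for ts, result in sorted(events):
            if result == "APPROVED":
                recent = [t for t in pending if ts - t <= window]
                if len(recent) >= threshold:
                    alerts.append(("approved_after_burst", user, ts, len(recent)))
                pending, burst_raised = [], False
                continue
            pending.append(ts)
            recent = [t for t in pending if ts - t <= window]
            if len(recent) >= threshold and not burst_raised:
                alerts.append(("burst", user, ts, len(recent)))
                burst_raised = True
    return alerts
```

Bob's single denial followed by an approval is normal user behaviour and produces no alert; Alice's five rejections followed by an approval produce both alert kinds.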

Attackers are also using adversary-in-the-middle frameworks and session hijacking tools to bypass MFA entirely by stealing authenticated session tokens after login.

Credential phishing attacks are bypassing traditional protections

Phishing with the aim of credential theft is still popular, with the latest attacks reaching new levels of sophistication. Attackers now use legitimate hosting services, trusted domains, reverse proxies and AI-generated content to create phishing pages that closely mimic genuine login portals.

Threat researchers at Outpost24, Specops’ parent company, recently uncovered a phishing campaign that employed a legitimate Cisco domain through a multi-chain redirect attack designed to evade detection and increase credibility.

Campaigns like this show how difficult phishing attacks can be to identify, even for security-aware users.

Devices are expanding the attack surface

Employees now regularly access corporate applications from personal laptops, unmanaged mobile devices and systems operating outside traditional security controls.

Because of this, the IT department has limited visibility into whether employees are connecting to internal networks using devices with missing security updates or malware infections.

Compromised endpoints also provide a valuable route into trusted environments. Infostealer malware, in particular, has become a major contributor to account takeover activity by harvesting credentials, browser-stored passwords and authenticated session cookies directly from user devices.

This is where specialized solutions like Specops Device Trust help. By continuously scanning throughout sessions, Specops Device Trust checks for active threats like disabled security controls and outdated software.

Integration with existing identity providers, VPNs, and SSO tools means security teams can extend their current setup rather than replace it, strengthening access decisions without adding friction for users.

Why identity-based attacks are so difficult to stop

One of the main reasons account takeover attacks continue to succeed is that many security controls still treat successful authentication as the sole proof of trust. Traditional identity and access management tools are designed to verify credentials and authentication flows, not necessarily whether the person behind them can actually be trusted.

This challenge is becoming more pronounced as organizations adopt hybrid work models, cloud-first infrastructure and BYOD policies. Security teams are left trying to balance strong access controls with usability and productivity requirements.

That creates a difficult compromise: either they block access from devices that don’t meet security standards and risk disrupting users, or they allow access and accept that some devices may already be compromised. Most organizations end up somewhere in the middle, without fully addressing the underlying trust problem.

High-profile incidents at organizations including Clorox and Marks & Spencer have reinforced the same lesson: identity alone is no longer a sufficient indicator of trust.

Stopping modern account takeover attacks requires more than validating usernames and passwords. Organizations also need visibility into device posture, session risk and behavioral signals throughout the entire access lifecycle.

That shift is driving greater interest in continuous verification models, where trust is assessed not just at login, but throughout the session.

Tackle account takeover risk with Specops

Specops Device Trust delivers the evolution that Zero Trust identity security requires. By bringing device trust into the equation, security teams get a clearer picture of who is accessing resources, and from what device, through:

  • Device authentication: Ensure only approved devices can access sensitive resources by binding users to trusted devices.
  • Continuous device verification: Check device posture both at login and throughout a session across factors like OS updates, browser versions, and security tooling.
  • Flexible device coverage: Apply policies across both corporate and personal devices, with the ability to tailor access based on risk and context.
  • On-access remediation: Address issues as they arise without interrupting users unnecessarily. Instead of forcing password resets or blocking access outright, you can guide users to resolve problems and continue working securely. Robust identity security combines strong authentication with a smooth user experience.
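To make the continuous verification model from the previous section and the on-access remediation idea above concrete, here is an added illustration (generic policy logic written for this page, not Specops' own implementation): posture snapshots are re-evaluated throughout a session, hard failures revoke access at once, and soft failures allow the user to keep working while remediating, but escalate if they persist past a grace period. The posture fields, thresholds and one-hour grace period are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Posture:
    """Constructed device posture snapshot at one point in a session."""
    t: int                  # seconds since session start
    os_patch_age_days: int
    av_enabled: bool
    disk_encrypted: bool
    browser_outdated: bool

def evaluate_posture(p):
    """Return ('allow', []), ('remediate', issues) or ('revoke', issues).
    Hard failures (protection disabled, no encryption) revoke immediately;
    soft failures (stale patches, old browser) keep the session alive while
    the user is asked to fix them, i.e. on-access remediation."""
    hard, soft = [], []
    if not p.av_enabled:
        hard.append("endpoint protection disabled")
    if not p.disk_encrypted:
        hard.append("disk not encrypted")
    if p.os_patch_age_days > 30:
        soft.append(f"OS patches {p.os_patch_age_days} days old")
    if p.browser_outdated:
        soft.append("browser outdated")
    if hard:
        return "revoke", hard + soft
    if soft:
        return "remediate", soft
    return "allow", []

def evaluate_session(snapshots, grace_seconds=3600):
    """Re-check posture at every snapshot, so a clean login does not grant
    trust for the whole session. A 'remediate' state that persists longer
    than grace_seconds escalates to 'revoke'."""
    timeline, remediate_since = [], None
    for p in sorted(snapshots, key=lambda s: s.t):
        decision, issues = evaluate_posture(p)
        if decision == "remediate":
            remediate_since = p.t if remediate_since is None else remediate_since
            if p.t - remediate_since > grace_seconds:
                decision = "revoke"
        else:
            remediate_since = None
        timeline.append((p.t, decision, issues))
    return timeline

# Constructed session: clean at login, endpoint protection switched off later.
SESSION = [Posture(0, 5, True, True, False), Posture(900, 5, True, True, False),
           Posture(1800, 5, False, True, False)]
```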

By factoring in device trust with Specops, you reduce the chances of account takeover without slowing your teams down.

If you want to see how this approach fits into your environment, contact us today.

Sponsored and written by Specops Software.