The State of Identity-Based Attacks in 2026
Credential theft, session hijacking, and MFA bypass techniques now account for over 80% of initial access vectors in enterprise breaches. In this report, the Strinnex Research Team breaks down the tactics adversaries are using — and what security teams can do to close the gaps.
Why Identity Has Become the Primary Attack Surface
The perimeter is gone. As organisations across the GCC and beyond have accelerated cloud adoption, remote work, and third-party integrations, the traditional network boundary has dissolved. What remains — and what adversaries now target relentlessly — is identity.
In 2026, identity-based attacks are no longer a niche threat vector. They are the dominant method of initial access. According to threat intelligence aggregated by the Strinnex Research Team across our managed security client base, over 80% of confirmed breach incidents in the past 12 months began with a compromised credential, a hijacked session token, or a successfully bypassed multi-factor authentication (MFA) control.
The shift is structural. Adversaries have adapted to the modern enterprise: they do not break in — they log in. And once inside, they move laterally with the same privileges as the legitimate user whose identity they have assumed.
"Over 80% of confirmed breach incidents in the past 12 months began with a compromised credential, a hijacked session token, or a bypassed MFA control."
— Strinnex Research Team, 2026
The Three Dominant Attack Techniques
Credential Theft at Scale
Phishing remains the most prolific credential harvesting method, but the sophistication has increased markedly. Adversary-in-the-middle (AiTM) phishing kits — which proxy authentication flows in real time — now allow attackers to capture both credentials and session cookies simultaneously, bypassing SMS-based and TOTP-based MFA in a single interaction.
Infostealer malware has also surged. Families such as Lumma, Vidar, and Redline are being distributed through malvertising, trojanised software packages, and compromised supply chain repositories. Once executed, these tools exfiltrate browser-stored credentials, saved passwords, and authentication tokens within seconds — often before endpoint detection tools have time to respond.
For organisations operating in the GCC, the risk is compounded by the prevalence of shared credentials across corporate and personal devices, and the widespread use of legacy identity systems that do not support modern authentication standards.
Session Hijacking and Token Theft
As MFA adoption has grown, attackers have shifted focus from stealing passwords to stealing the session tokens that are issued after a successful authentication. These tokens — stored in browser memory, cookies, or local storage — represent a fully authenticated session and can be replayed from any location without triggering additional authentication challenges.
Token theft attacks are particularly effective against cloud-based productivity platforms. Once an attacker possesses a valid access token for Microsoft 365, Google Workspace, or a cloud-hosted ERP system, they can access email, files, and business applications with no further authentication required — and often without generating alerts in standard SIEM configurations that are not tuned to detect anomalous token usage.
The Strinnex Research Team has observed a significant increase in token theft incidents targeting financial services and government-adjacent organisations in Saudi Arabia and the UAE, consistent with the elevated threat activity reported by the National Cybersecurity Authority (NCA) and CISA.
MFA Bypass and Fatigue Attacks
MFA is no longer a reliable last line of defence when implemented poorly. Push notification fatigue attacks — in which adversaries repeatedly trigger MFA prompts until a user approves one out of frustration or confusion — have become a standard technique in the threat actor playbook. High-profile breaches attributed to this method have been documented across multiple sectors globally.
Beyond fatigue, SIM-swapping attacks targeting mobile numbers used for SMS-based MFA continue to be effective, particularly where telecoms providers lack robust identity verification controls. Voice phishing (vishing) campaigns that impersonate IT helpdesks and social-engineer users into approving MFA requests or providing one-time codes have also increased in frequency.
Organisations that have deployed MFA but have not moved to phishing-resistant standards — such as FIDO2/WebAuthn passkeys or hardware security keys — remain materially exposed to these bypass techniques.
The Regulatory Dimension: NCA ECC and SAMA CSF
For organisations operating under Saudi Arabia's regulatory frameworks, identity security is not merely a best practice — it is a compliance obligation. The NCA Essential Cybersecurity Controls (ECC) and the SAMA Cybersecurity Framework both mandate robust identity and access management controls, including MFA for privileged access, regular access reviews, and the principle of least privilege.
The Saudi Personal Data Protection Law (PDPL), enforced by SDAIA, adds a further dimension: organisations that suffer a data breach resulting from inadequate access controls face mandatory breach notification obligations and potential penalties. Given that identity-based attacks are the leading cause of data breaches, the link between IAM maturity and PDPL compliance is direct.
Organisations that have not yet conducted a formal Identity and Access Management assessment should treat this as a priority. The gap between regulatory expectation and operational reality remains wide for many entities across the Kingdom.
What Security Teams Should Do Now
The Strinnex Research Team recommends the following prioritised actions for security leaders seeking to reduce exposure to identity-based attacks:
Migrate to phishing-resistant MFA
Replace SMS and push-notification MFA with FIDO2/WebAuthn passkeys or hardware security keys for all privileged and high-risk accounts as a minimum first step.
Deploy identity threat detection
Implement Identity Threat Detection and Response (ITDR) tooling to monitor for anomalous authentication patterns, impossible travel, token replay, and lateral movement indicators.
Conduct a privileged access review
Audit all privileged accounts, service accounts, and third-party access. Remove stale entitlements and enforce just-in-time (JIT) access for administrative functions.
Tune SIEM rules for token abuse
Ensure your SIEM and SOAR configurations include detection rules for token theft indicators — including logins from new locations immediately following authentication, and access from unexpected user agents.
Run targeted phishing simulations
Test your workforce against AiTM phishing kits specifically. Standard phishing simulations do not replicate the real-time proxy techniques now used by threat actors.
Assess your IAM architecture
Engage a specialist to conduct a formal IAM assessment against NCA ECC and SAMA CSF requirements. Identify gaps in your identity governance, authentication controls, and access lifecycle management.
Conclusion
Identity is the new perimeter — and it is under sustained, sophisticated attack. The organisations that will weather the current threat landscape are those that treat identity security not as a checkbox, but as a foundational capability requiring continuous investment, monitoring, and improvement.
The Strinnex Research Team will continue to publish threat intelligence and practical guidance for security leaders across the GCC and beyond. If your organisation would like to discuss the findings in this report or explore how Strinnex can support your identity security programme, our team is available for a confidential consultation.
Strinnex Research Team
The Strinnex Research Team comprises cybersecurity analysts, threat intelligence specialists, and identity security practitioners with deep experience across the GCC, UK, and European enterprise security landscape. Our research draws on incident response engagements, managed security telemetry, and open-source intelligence to deliver actionable insights for security leaders.
Get in Touch
Strengthen your identity security posture.
Speak with the Strinnex team about an IAM assessment, identity threat detection deployment, or a tailored briefing on the findings in this report.
