Because attackers are no longer targeting only login pages. They use relay kits, consent abuse, alternative delivery channels, and direct SaaS targeting to bypass the trust assumptions built into central identity controls. If IAM is evaluated only at sign-in, it misses the stages where the attack actually wins.
Why This Matters for Security Teams
Modern phishing succeeds because the attacker’s objective is no longer limited to stealing a password. Relay kits, OAuth consent abuse, token theft, and direct SaaS targeting let an adversary bypass the part of IAM that most teams monitor most closely: the sign-in event. Once a session is established, central identity controls can still look healthy while the attacker uses the legitimate account, the legitimate app, or the legitimate token.
This is why NHI Management Group treats phishing as an identity lifecycle problem, not just an authentication problem. The most dangerous cases are often the ones that never trigger a classic “failed login” signal. Guidance from the NIST Cybersecurity Framework 2.0 and NHIMG research such as The State of Secrets in AppSec both point to the same operational reality: attackers exploit the gap between issuance, use, and revocation. In practice, many security teams encounter compromise only after mailboxes, SaaS tenants, or API-linked workflows have already been abused, rather than through intentional detection at the point of trust creation.
How It Works in Practice
Strong IAM reduces risk, but it does not stop an attacker from using a valid identity artifact once it exists. A phishing campaign may capture credentials, but the more effective path is often to steal a session cookie, trick a user into granting app consent, or capture a token that can be replayed elsewhere. That is why MFA alone is not a complete answer when the post-authentication path remains open.
Security teams need to look at the full chain: delivery, interaction, token issuance, and downstream abuse. In mature environments, this means correlating identity logs with email, endpoint, and SaaS telemetry, then enforcing conditional access, token lifetime limits, and consent restrictions. The LLMjacking research is a good reminder that exposed credentials are consumed quickly once discovered, and that attackers move fast after they obtain something usable. For identity-heavy SaaS estates, the relevant control point is often the service principal, delegated permission, or refresh token rather than the password itself.
Useful defensive moves include:
- Shorten token lifetimes where business operations allow it.
- Restrict or review OAuth consent, especially for third-party apps.
- Detect impossible travel, atypical device posture, and anomalous app grants.
- Separate privileged admin sessions from normal user access.
- Monitor mailbox rules, forwarding changes, and SaaS API abuse after login.
These controls tend to break down in highly integrated Microsoft 365 and SaaS environments because legitimate automation, delegated access, and user consent create too much noise for simple alerting.
Common Variations and Edge Cases
Tighter identity controls often increase user friction and operational overhead, requiring organisations to balance phishing resistance against support burden and workflow disruption. That tradeoff becomes sharper when legacy protocols, service accounts, or business-critical integrations cannot easily support modern conditional access.
There is no universal standard for how much consent or token exposure is acceptable, so current guidance suggests treating high-risk applications differently from routine user access. For example, an employee mailbox, a finance app, and an admin console should not share the same trust assumptions. NHIMG research on Azure Key Vault privilege escalation exposure illustrates how attackers move from one valid foothold to broader access once they find a path through over-permissioned identities or exposed secrets. The Ultimate Guide to NHIs — Standards is also relevant because phishing often becomes an NHI problem after the first user compromise, when the attacker pivots into API keys, service principals, and automation tokens.
In regulated or high-assurance environments, the right answer is usually layered: phishing-resistant MFA, token protection, continuous risk scoring, and rapid revocation. But on systems that depend heavily on shared inboxes, long-lived refresh tokens, or broad tenant-wide app consent, even good IAM can be outrun by the attacker’s speed and persistence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A02 | Phishing often abuses tokens and app permissions after initial auth. |
| OWASP Non-Human Identity Top 10 | NHI-04 | Phishing frequently pivots into stolen secrets and non-human identities. |
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and access control must extend beyond initial login. |
Apply continuous access validation, not just one-time authentication checks.
