By NHI Mgmt Group Editorial Team
Published 2026-04-25
Domain: Governance & Risk
Source: EnforceAuth

TL;DR: A phishing campaign targeting RBC Direct Investing clients used a fake W-8BEN renewal flow to harvest credentials and tax data, then relied on the fact that authentication still leaves post-login authority largely unchecked, according to EnforceAuth. The hard problem is not entry, but continuous authorisation after the login event has already succeeded.


At a glance

What this is: This analysis shows how a targeted phishing campaign for RBC Direct Investing clients exposed a deeper authorization gap after credential theft.

Why it matters: It matters because IAM, PAM, NHI, and AI workload governance all fail if identity is trusted at login but not continuously re-evaluated for each action.



Context

A credential-harvesting campaign is a phishing attack that steals valid login details and then uses them as if the attacker were the real user. In this case, the primary issue is not email spoofing alone, but the gap between authenticating a person once and authorising that identity across the rest of the environment, including NHI-connected systems and AI-adjacent workflows.

Financial services are especially exposed because one compromised human account can open paths into applications, data stores, service accounts, and automated processes that trust the session by default. That makes the authorisation layer, not the inbox, the real control boundary. For a broader governance frame on lifecycle and access decisions, see the NHI Lifecycle Management Guide.


Key questions

Q: What breaks when authentication is treated as the main security control after a phishing event?

A: Authentication breaks as a security boundary because it only proves that a credential was accepted, not that the resulting actions are legitimate. After a phishing event, the attacker can inherit the user’s session and operate within allowed systems unless runtime authorisation evaluates each action. The failure is not entry alone, but unchecked post-login trust.

Q: Why do stolen credentials create such a large risk in financial services?

A: Stolen credentials are dangerous in financial services because one login often reaches multiple applications, data sets, and delegated workflows. The account may also be linked to service accounts or automated processes, which turns a single phished identity into a wider access path. That is why post-authentication governance matters more than login success alone.

Q: How do security teams know whether continuous authorisation is actually working?

A: Teams know it is working when sensitive actions are blocked or stepped up based on context, not just login state. Good signals include denials for unusual device or location combinations, policy decisions recorded for every high-risk action, and reduced trust in long-lived sessions. If every action still passes once the login succeeds, the control is not active enough.

Q: Who is accountable when a phished identity is used to access downstream systems?

A: Accountability sits with the teams that own the identity, the application boundary, and the downstream trust chain. In practice, IAM, application, and security owners must all share responsibility for what a compromised session can reach. For regulated environments, the issue also maps to audit evidence, because access controls must be demonstrable after authentication, not just at login.


Technical breakdown

Credential harvesting as an authentication bypass

The attack uses social engineering to capture real credentials through a believable tax-form renewal flow. Once the victim enters data into the fake portal, the attacker no longer needs to defeat perimeter controls. They can authenticate with valid identity material, which is why credential theft remains so effective against organisations that still treat login success as a security endpoint rather than a starting point.

Practical implication: treat stolen valid credentials as an operational state, not just a detection event, and validate every post-login action against context.

Why point-in-time authentication fails after login

Point-in-time authentication answers who logged in, not whether that identity should keep acting. In this campaign, the attacker inherits the victim’s session assumptions and can move into account actions, data access, and downstream services that trust the authenticated identity. That is the structural weakness in session-centric IAM: the system checks entry, then too often stops checking behaviour.

Practical implication: add continuous authorisation checks at application, data, and workflow boundaries instead of relying on a one-time login decision.

Authorization gaps across applications, data, and the NHI graph

The article’s core architectural point is that a stolen human credential can cascade into non-human identity access because service accounts, APIs, and automation frequently trust the same session chain. In practical terms, the blast radius is not limited to the person whose mailbox was phished. It expands through any workflow, token, or delegated access path that is reachable from that identity.

Practical implication: map downstream trust links from human identities into service accounts and automated workflows so session compromise does not become environment-wide compromise.


Threat narrative

Attacker objective: The attacker’s objective is to turn a phish into reusable authenticated access that can be exploited across financial accounts and downstream systems.

  1. Entry began with a spoofed RBC Direct Investing email that used a W-8BEN renewal pretext to drive victims to a fake portal.
  2. Credential access occurred when victims entered their login details, personal information, and tax data into the fraudulent site.
  3. Escalation followed when the attacker used valid credentials to log in as the victim and inherit trusted access paths across applications and data.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Authentication is no longer the security boundary in financial services. This campaign shows that a valid login can be the start of compromise, not the end of it. The programme weakness is not simply phishing susceptibility, but the assumption that identity can be trusted after entry without re-evaluating what it is doing. Practitioners should treat continuous authorisation as the real control boundary.

The authorization gap is the named failure mode this incident exposes. Authentication was designed for the condition where the identity at login is the same identity acting in the system. That assumption fails when credentials are harvested and replayed, because possession of a secret no longer proves legitimate intent at runtime. The implication is that access governance must be built around action-level decisions, not just credential issuance.

Financial institutions are still over-investing in entry controls and under-investing in runtime control planes. Email filtering, MFA, and login protection all help, but they do not answer what happens after a compromised identity begins to move through applications, data, and automation. That is especially true where human accounts are connected to service accounts and scripted workflows. Practitioners should re-centre governance on post-authentication enforcement.

Credential theft becomes an NHI problem as soon as downstream automation trusts the stolen session. In modern financial environments, a single human compromise can reach API-driven workflows, delegated tokens, and service credentials that were never intended to be exposed through a person’s mailbox. That makes NHI governance part of phishing defense, not a separate discipline. The practical conclusion is that human IAM and NHI governance now share the same blast radius.

Static-vs-dynamic access assumptions: The control model was designed for access that remains stable long enough to be reviewed, certified, or revoked. That assumption fails when an attacker can authenticate, act, and pivot before normal governance cycles notice. The implication is that organisations must stop treating review cadence as proof of safety.

From our research:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
  • That matters because identity governance is increasingly a runtime problem across human accounts, service identities, and AI-linked access, which is why readers should also review the NHI Lifecycle Management Guide for lifecycle controls that reduce exposure.

What this signals

Authorization gaps are becoming the defining control failure in mixed human and machine environments. Once a phished human identity can reach service accounts, APIs, and automated workflows, the traditional split between IAM and NHI governance stops making operational sense. Teams should expect more pressure to prove decision-level enforcement, not just login hygiene, especially where sessions bridge into automation.

Continuous policy enforcement will become a baseline expectation in regulated environments. The practical shift is from asking whether authentication is strong enough to asking whether every sensitive action is independently authorised. For teams aligning to NIST Cybersecurity Framework 2.0, that means stronger mapping between identify, protect, detect, and respond functions and the runtime controls that sit after login.


For practitioners

  • Map post-login trust chains: Identify every application, data store, service account, and automation path that inherits trust from a human session. Prioritise the paths that let one compromised login reach multiple systems without an independent policy check.
  • Enforce runtime authorisation at decision points: Place policy checks at API gateways, data access layers, and workflow boundaries so the same credential is re-evaluated for each sensitive action. A valid session should not automatically mean valid access.
  • Separate human compromise from downstream NHI access: Review where human identities can trigger service account actions, token use, or automated jobs. Remove implicit trust where a phished user can become a proxy for broader non-human access.
  • Instrument high-risk behaviour for step-up or deny decisions: Use device, location, time, and action sequence signals to flag impossible or unusual post-authentication behaviour. Apply stronger control when the action departs from the normal pattern for that identity.
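As an added example (not code from this page or from EnforceAuth), the following Python sketch of a per-action authorisation check ties together the signals named in the Key questions section (device and location combinations, a recorded decision for every high-risk action, reduced trust in long-lived sessions) and the practitioner steps just listed, including a deny when a human session tries to act as a service account without a fresh step-up. The action names, freshness threshold, session fields, and the request sequence are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Actions re-authorised on every call, and how long a login or step-up stays fresh (constructed).
SENSITIVE_ACTIONS = {"withdraw_funds", "change_beneficiary", "update_tax_form"}
MAX_FRESH_AGE = timedelta(minutes=30)

@dataclass
class Session:
    user: str
    device_id: str                         # device fingerprint seen at login
    country: str                           # geolocation seen at login
    authenticated_at: datetime
    step_up_at: Optional[datetime] = None  # last strong re-verification, if any

@dataclass
class Request:
    action: str
    device_id: str
    country: str
    at: datetime
    act_as: Optional[str] = None  # service account the action would run under

def authorize(session: Session, req: Request, audit: list) -> str:
    """Decide 'allow', 'step_up' or 'deny' for one action and record why."""
    device_changed = req.device_id != session.device_id
    country_changed = req.country != session.country
    last_strong = session.step_up_at or session.authenticated_at
    stale = req.at - last_strong > MAX_FRESH_AGE      # long-lived session loses trust
    decision, reason = "allow", "no risk signal"
    if device_changed and country_changed:
        decision, reason = "deny", "device and country both differ from login"
    elif req.act_as and (session.step_up_at is None or stale):
        decision, reason = "deny", "delegated NHI access needs a fresh step-up"
    elif req.action in SENSITIVE_ACTIONS and (stale or device_changed or country_changed):
        decision, reason = "step_up", "sensitive action on stale session or changed context"
    audit.append({"user": session.user, "action": req.action, "act_as": req.act_as,
                  "at": req.at.isoformat(), "decision": decision, "reason": reason})
    return decision
def demo():
    """Constructed sequence: a real login whose session is later replayed from elsewhere."""
    t0 = datetime(2026, 4, 25, 9, 0, tzinfo=timezone.utc)
    sess, audit = Session("client-1", "dev-A", "CA", t0), []
    reqs = [
        Request("view_balance", "dev-A", "CA", t0 + timedelta(minutes=1)),
        Request("withdraw_funds", "dev-A", "CA", t0 + timedelta(minutes=45)),
        Request("run_report", "dev-A", "CA", t0 + timedelta(minutes=50), act_as="svc-reports"),
        Request("withdraw_funds", "dev-B", "XX", t0 + timedelta(minutes=55)),
    ]
    return [authorize(sess, r, audit) for r in reqs], audit
```

The audit list is the evidence trail the Q&A asks for: one recorded decision per sensitive action, whether it was allowed, stepped up, or denied.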

Key takeaways

  • The incident shows that a phishing email becomes a broader security problem only after the stolen identity is trusted beyond login.
  • The evidence points to a durable breach pattern: stolen credentials remain one of the most reliable initial access paths, and detection is often slow.
  • The control that changes the outcome is continuous authorization, because it limits what a compromised identity can do after authentication succeeds.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Credential harvest followed by replay exposes weak rotation and session trust.
NIST CSF 2.0 | PR.AC-4 | The article centres on authorization after login, not just authentication at entry.
NIST Zero Trust (SP 800-207) | | Continuous verification is the core fix for trust after perimeter authentication.

Apply zero-trust principles so every action is evaluated in context, not assumed safe after login.


Key terms

  • Authorization Gap: The authorization gap is the disconnect between proving an identity at login and controlling what that identity can do afterwards. It matters because many environments still treat authentication as the main security event, while the real risk sits in continuous access decisions across applications, data, and automation.
  • Credential Harvesting: Credential harvesting is the theft of valid login details through phishing, fake portals, or similar deception. The attacker does not need to bypass the target system if the victim supplies usable credentials directly, which makes this a persistent problem in environments that trust authenticated sessions too broadly.
  • Continuous Authorization: Continuous authorization is the practice of re-evaluating access at runtime for each sensitive action rather than trusting a session once it is established. For identity security, it is the control that limits how far a compromised human, service account, or automated workflow can move after login.
  • Standing Trust: Standing trust is the assumption that a logged-in identity remains trusted for the life of the session. In practice, it allows compromised credentials to keep working until a separate detection or review process intervenes, which is too slow for many phishing-driven attacks.

Deepen your knowledge

Authorization gaps in financial services are a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance around human sessions that can reach automated systems, it is worth exploring.

This post draws on content published by EnforceAuth: the RBC Direct Investing phishing campaign and the authorization gap in financial services. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org