TL;DR: Compromised credentials are increasingly the first step into Active Directory-connected environments, with infostealer logs turning stolen logins, cookies, and session artifacts into a scalable access market, according to Enzoic. The operational shift is clear: password policy alone cannot contain identity exposure once credentials are already circulating outside the enterprise.
At a glance
What this is: This analysis argues that many Active Directory intrusions now begin with valid credentials stolen earlier, not with exploit chains or malware inside the domain.
Why it matters: It matters because IAM, PAM, and NHI teams have to treat exposed credentials as active attack surface, especially in hybrid environments where stolen logins can still authenticate cleanly.
By the numbers:
- 46% of infostealer-infected systems containing corporate login data were tied to unmanaged devices, likely representing personal or BYOD systems.
- 30% of compromised systems could be identified as enterprise-licensed devices.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
👉 Read Enzoic's analysis of why valid logins are now the breach
Context
Credential theft has become an identity-layer problem, not just a malware problem. In Active Directory-connected environments, a valid username and password can be enough to create access that looks legitimate even when the credential was stolen earlier through infostealer malware.
That shift is especially acute in hybrid identity environments where VPNs, cloud applications, browser-stored credentials, and synchronized identities blur the line between managed and unmanaged access. The article's core point is that the breach begins before any visible intrusion signal appears.
Key questions
Q: What breaks when valid credentials are stolen before an attack begins?
A: The main failure is that identity controls still trust successful authentication as proof of legitimacy. Once a stolen password or session artifact works, the attacker can enter through approved channels, bypass many perimeter signals, and blend into normal access patterns. Security teams must assume that exposure can exist long before any visible intrusion event.
Q: Why do infostealer logs make credential abuse so scalable?
A: Infostealer logs package usernames, passwords, cookies, login URLs, and device context into ready-to-use access kits. That removes much of the reconnaissance work attackers used to perform manually, so they can test multiple enterprise services quickly and cheaply. In effect, the underground market has turned identity exposure into a reusable commodity.
Q: How do security teams know whether password controls are actually working?
A: They should measure how many active credentials are known to be exposed externally, how quickly those credentials are blocked, and whether privileged accounts are screened before reuse. If a password can still authenticate after appearing in breach data, the control is not working as intended.
Q: Which frameworks are most relevant to exposed credential governance?
A: NIST SP 800-63B is relevant for screening compromised passwords, while MITRE ATT&CK helps map valid-account abuse as an adversary technique. For identity programmes, that combination is useful because it connects the governance problem to the actual intrusion path rather than treating password policy in isolation.
Technical breakdown
Why valid accounts are now the primary entry path
MITRE ATT&CK T1078, Valid Accounts, captures the core mechanic here: attackers use credentials that already work instead of forcing a perimeter failure. In practice, this means the identity stack authenticates a user who appears normal while the source of the credential is already compromised. In hybrid environments, that legitimacy is amplified by remote access, browser sessions, and synchronized identities that widen the usable surface for stolen logins.
Practical implication: Map your highest-risk entry points to valid-account abuse, not just malware or exploit detection.
How infostealer logs package identity context for reuse
An infostealer log is more than a password dump. It often includes browser autofill data, cookies, login URLs, device data, and session artifacts that tell attackers where credentials are likely to work and how to reuse them. That operational context lowers attacker effort and makes enterprise identity systems easier to probe at scale, especially when session tokens can extend access beyond a single password capture.
Practical implication: Treat browser-stored identity data and session artifacts as credential material, not convenience data.
Why MFA does not close the exposure gap
MFA helps, but it does not answer whether a credential has already been stolen, sold, or repackaged into underground logs. If coverage is inconsistent, or if session persistence and remembered state are in play, attackers may still gain access without triggering a clean MFA failure. The real control gap is exposure visibility, not just authentication strength.
Practical implication: Add compromised-credential screening and exposure monitoring alongside MFA, especially for remote access paths.
Threat narrative
Attacker objective: The attacker wants low-friction access into enterprise identity infrastructure without needing to exploit the network perimeter first.
- Entry occurs when attackers buy or retrieve stolen credentials from infostealer logs and use them to authenticate through VPN, Microsoft 365, SSO, or remote administration portals.
- Escalation follows when those valid accounts reach Active Directory-connected resources, delegated permissions, or administrative paths that were never meant to be exposed externally.
- Impact comes from lateral movement, privilege escalation, and persistent access that looks legitimate to identity controls because the login itself succeeds.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Valid-account abuse is replacing exploit-led intrusion as the default identity breach pattern. The article shows a mature access economy where stolen credentials become the entry mechanism and identity systems unknowingly validate the attacker. That changes the security model from perimeter defense to exposure management, because the first malicious action may look like an ordinary login. Practitioners should treat successful authentication as an insufficient signal of trust.
Browser credential storage has become an extension of the enterprise identity plane. When browsers hold VPN access, SSO sessions, cloud console logins, and password-manager artifacts, a single endpoint compromise can convert personal workflow data into enterprise access. This is a governance problem for IAM and NHI teams alike, because the organisation has effectively distributed identity material outside the controls it believes it owns. Practitioners need to map where identity data is actually stored, not where policy assumes it lives.
Compromised-password screening is now a control for identity exposure, not a hygiene add-on. NIST SP 800-63B already points toward screening against known-compromised passwords, and this article reinforces why that matters operationally. Complexity rules and rotation intervals do not matter if the credential has already been sold in an infostealer log. Practitioners should reframe password management as continuous exposure detection with revocation and blocking paths.
Identity blast radius expands fastest where stale access and delegated rights remain unchecked. Active Directory makes valid credentials especially dangerous when privileged accounts, delegated administration, and unused accounts still retain broad reach. The problem is not only that attackers log in, but that the environment still grants them meaningful paths once they do. Practitioners should assume the cost of one exposed credential is determined by standing privilege, not password strength alone.
Exposure management must become part of hybrid identity governance. Hybrid environments create a false sense of segmentation between managed endpoints, cloud apps, and legacy AD trust. In practice, stolen credentials can move across those boundaries faster than teams can observe them. The implication is clear: identity programmes need continuous external exposure monitoring as a core governance control, not a forensic afterthought.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- A separate finding shows only 5.7% of organisations have full visibility into their service accounts, which explains why exposed credentials so often remain undetected.
- That visibility gap is why 52 NHI Breaches Analysis is the right next step for teams studying how identity exposure becomes compromise.
What this signals
Credential exposure now behaves like a standing governance debt across human, machine, and workload identities. In hybrid estates, attackers do not need to defeat every control if one valid credential continues to work. That makes external exposure monitoring a programme-level requirement, not a narrow password feature, and it should sit alongside identity lifecycle and privileged access controls.
The next maturity step is to connect exposed credential detection with offboarding, recertification, and privileged account review. When access can be bought or reused outside the organisation, the question is no longer whether authentication succeeds, but whether the identity should still exist in a form that can authenticate at all.
For practitioners
- Identify externally exposed credentials already active in AD Prioritise privileged users, service accounts, stale accounts, and delegated admin identities that still authenticate successfully even after appearing in breach or infostealer data.
- Block compromised passwords at creation and reset Do not wait for periodic rotation cycles. Screen passwords against breach and infostealer datasets during change workflows so known-bad credentials never re-enter the environment.
- Inventory browser-stored identity paths Map which browsers, extensions, and password managers store access to VPN, SSO, cloud consoles, and admin portals, then decide which of those paths must be reduced or monitored.
- Monitor session artefacts as credential material Treat cookies, remembered sessions, and authentication tokens as part of the identity attack surface, especially where infostealers can reuse them to bypass normal login friction.
Key takeaways
- Active Directory breaches increasingly begin with valid credentials stolen outside the perimeter, which makes exposed identity material the real entry problem.
- Infostealer logs package passwords, cookies, and login context into scalable access kits, so attackers can reuse enterprise identities with minimal friction.
- The control shift is from password policy alone to continuous compromised-credential screening, exposure monitoring, and blast-radius reduction.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST SP 800-53 Rev 5, NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Valid-account abuse is the core identity risk described in the article. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0001 , Initial Access | The article centers on stolen credentials used for initial access. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management governs compromised password screening and credential hygiene. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access permissions must be tied to trustworthy authentication evidence. |
| NIST SP 800-63 | SP 800-63B | The article explicitly aligns with compromised-password screening guidance. |
Map exposed credential scenarios to valid-account abuse and prioritize detection around reuse.
Key terms
- Valid Accounts: An attack technique where an adversary uses credentials that already authenticate successfully instead of exploiting a vulnerability first. In identity governance terms, the system sees a normal login while the real risk is that the credential was obtained outside the organisation's control.
- Infostealer Log: A packaged collection of stolen identity material harvested by malware, often including usernames, passwords, cookies, login URLs, and device context. It matters because it turns raw theft into ready-to-use access intelligence that attackers can replay against enterprise systems.
- Compromised-password Screening: A control that checks whether a password appears in breach data or other external exposure sources before allowing it into active use. For identity teams, it is a practical way to stop known-bad credentials from becoming a persistent authentication path.
- Identity Exposure Management: The practice of continuously finding and reducing externally visible identity material that can be reused by attackers. It extends beyond password policy to include leaked credentials, session artefacts, stale access, and any identity data that can be replayed against live services.
What's in the full article
Enzoic's full blog covers the operational detail this post intentionally leaves for the source:
- How the article ties infostealer infection to Active Directory-connected access paths across VPN, SSO, and remote administration.
- The specific role of browser-stored credentials, cookies, and session artefacts in attacker reuse workflows.
- Practical guidance for spotting exposed credentials already active in hybrid identity environments.
- Vendor context on how compromised passwords can be detected and blocked in active directory workflows.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org