TL;DR: The Qantas breach exposed personal data for about 5.7 million customers after attackers reached a third-party customer service platform, reinforcing how social engineering, valid credentials, and lateral movement can bypass fragmented identity controls, according to Silverfort. Hybrid identity environments now need identity-layer segmentation, phishing-resistant MFA, and faster containment.
At a glance
What this is: An independent analysis of the Qantas breach and the identity attack pattern behind it, with a focus on how Scattered Spider-style techniques exploit fragmented controls.
Why it matters: The same control gaps that expose human access paths also weaken NHI governance and response across hybrid environments, especially where third parties, legacy protocols, and privileged identities overlap.
👉 Read Silverfort's analysis of the Qantas breach and Scattered Spider tactics
Context
Identity-based attack paths are most dangerous when organisations treat human access, third-party access, and privileged access as separate problems. In a hybrid environment, attackers do not need to break every layer if they can move through trust relationships that were never designed to be enforced end to end.
The Qantas incident shows how a third-party customer service platform can become the entry point for broader identity compromise. The article argues that fragmented identity control, legacy protocol gaps, and weak containment assumptions create the conditions for social engineering-led attacks to spread beyond the initial access point.
Key questions
Q: How should security teams limit identity-driven lateral movement in hybrid environments?
A: Security teams should segment identity paths by privilege, business criticality, and trust boundary, then enforce different controls for privileged users, suppliers, and standard users. The goal is to stop a valid session in one domain from becoming a free pass into others. Identity-layer segmentation works best when combined with strong verification at every reset, escalation, and remote access step.
Q: Why do legacy protocols create more risk for identity attacks?
A: Legacy protocols create risk because they often cannot enforce modern MFA consistently, which gives attackers alternate authentication paths to abuse. If NTLM, LDAP, or SMB remain broadly usable, an adversary can bypass the stronger controls on the primary identity stack and still look legitimate. Organisations should inventory these exceptions and either constrain or remove them.
Q: What do security teams get wrong about help desk social engineering?
A: Many teams treat the help desk as a service function rather than a security boundary. That mistake lets attackers convert routine recovery actions into account takeover paths through credential resets, MFA changes, or bypassed checks. Help desk workflows need the same verification discipline as privileged access processes, especially when outsourced support is involved.
Q: Who is accountable when supplier access is abused in a breach?
A: Accountability sits with the organisation that granted the access and with the supplier governance process that failed to constrain it. If a third-party platform can be abused to expose customer data, then access scope, offboarding, and monitoring were not aligned to the relationship. IAM and third-party risk teams should review supplier access as a lifecycle control, not a one-time approval.
Technical breakdown
How social engineering becomes identity entry
Scattered Spider-style attacks often begin with human manipulation rather than malware. Attackers impersonate help desk staff, pressure users into MFA resets, or trick them into sharing credentials and verification codes. The technical issue is not just deception, but trust delegation: once an employee or support function accepts a request as legitimate, the attacker inherits an authenticated path into the environment. In hybrid estates, this is especially effective because identity proof is distributed across SSO, directory services, and vendor workflows. Practical implication: tighten help desk verification and step-up checks before any credential reset or MFA change.
Why legacy protocols create MFA blind spots
Protocols such as NTLM, LDAP, and SMB were not built with modern MFA enforcement in mind. That makes them an attractive bypass route when organisations authenticate through older directory paths while assuming their primary identity stack is covered. The problem is architectural, not just procedural: if enforcement is inconsistent across protocols, attackers can pivot to the weakest path and still appear legitimate. In hybrid identity environments, these gaps are often hidden behind normal business operations, which makes them easy to miss until an incident occurs. Practical implication: map every authentication path and close or isolate protocols that cannot enforce modern verification.
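To make "map every authentication path" concrete, here is an added example (not code from Silverfort or the original post) that inventories non-Kerberos logons from Windows Security event 4624 records and ranks them so the riskiest legacy paths surface first; the event records, the `admin-` account prefix and the `VENDOR-` host-name convention are constructed assumptions.

```python
"""Inventory legacy (non-Kerberos) logon paths from Windows Security event 4624.

Added example, not code from Silverfort or the original post. Assumes 4624 events
were exported as dicts using the event's own field names; records are constructed.
"""
from collections import defaultdict

# Constructed sample of successful logons across an on-prem / vendor-operated estate.
SAMPLE_EVENTS = [
    {"TargetUserName": "svc-crm", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "LogonType": 3, "WorkstationName": "VENDOR-DESK01", "IpAddress": "203.0.113.7"},
    {"TargetUserName": "alice", "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "LogonType": 10, "WorkstationName": "WS-ALICE", "IpAddress": "10.10.4.21"},
    {"TargetUserName": "svc-crm", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "LogonType": 3, "WorkstationName": "VENDOR-DESK01", "IpAddress": "203.0.113.7"},
    {"TargetUserName": "admin-dba", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "LogonType": 10, "WorkstationName": "JUMP02", "IpAddress": "10.10.9.5"},
    {"TargetUserName": "bob", "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "LogonType": 2, "WorkstationName": "WS-BOB", "IpAddress": "10.10.4.30"},
]

# Logon types 2 (Interactive), 10 (RemoteInteractive / RDP) and 11 (CachedInteractive).
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


def legacy_auth_paths(events):
    """Group every non-Kerberos logon by (account, source host, LM package)."""
    # Result shape: {(user, host, package): {"count": n, "interactive": bool}}
    paths = defaultdict(lambda: {"count": 0, "interactive": False})
    for ev in events:
        if ev["AuthenticationPackageName"].upper() == "KERBEROS":
            continue  # modern path; not part of the legacy inventory
        key = (ev["TargetUserName"], ev["WorkstationName"], ev["LmPackageName"])
        paths[key]["count"] += 1
        if ev["LogonType"] in INTERACTIVE_LOGON_TYPES:
            paths[key]["interactive"] = True
    return dict(paths)


def prioritise(paths, privileged_prefixes=("admin-",), external_prefixes=("VENDOR-",)):
    """Rank legacy paths so NTLMv1, privileged accounts and vendor hosts come first."""
    # The prefix conventions are assumptions; substitute the estate's own naming scheme.
    def score(item):
        (user, host, package), info = item
        return (4 * (package.upper() == "NTLM V1")
                + 2 * user.startswith(privileged_prefixes)
                + 2 * host.startswith(external_prefixes)
                + 1 * info["interactive"])
    return sorted(paths.items(), key=score, reverse=True)
```

Each ranked entry is one exception to constrain or retire; the count tells you how much business traffic depends on it before you cut it.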
How real-time containment limits lateral movement
Once attackers have valid access, they often rely on living-off-the-land tools such as RDP, PowerShell, and legitimate remote access utilities. That makes detection harder because the activity resembles normal administration. The critical control is not only detection, but inline response: the environment must be able to force reauthentication, deny risky sessions, or isolate affected machines before privilege escalation completes. This is where hybrid visibility matters most, because on-prem and cloud logs must be interpreted together. Practical implication: pre-stage containment rules that can interrupt lateral movement without waiting for manual triage.
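As an added example covering both the help desk step-up rule described under "How social engineering becomes identity entry" and the pre-staged containment described in this section (not Silverfort's or the post's own code), the following policy function turns those rules into pre-authorised deny, step-up and isolate decisions evaluated in a fixed priority order; the tier names, event fields and sample events are assumptions constructed for illustration.

```python
"""Pre-authorised identity-first containment decisions (added example, not
Silverfort's or the post's own code). Assumes identity events from on-prem and
cloud logs are normalised to the dict shape below; tier names, field names and
the sample events are constructed for illustration."""
LEGACY_PROTOCOLS = {"NTLM", "LDAP", "SMB"}
RECOVERY_ACTIONS = {"password_reset", "mfa_change", "account_recovery"}
# Identity-layer segmentation: which source tier may reach which target tier.
ALLOWED_CROSSINGS = {
    "privileged": {"privileged", "standard", "supplier"},
    "standard": {"standard"},
    "supplier": {"supplier"},
}


def decide(event):
    """Apply the pre-approved rules in priority order; the first match wins.
    Returns (action, reason) with action in allow | step_up | deny | isolate."""
    src, dst = event["source_tier"], event["target_tier"]
    # 1. Help desk recovery actions run only after identity was verified (step-up done).
    if event.get("action") in RECOVERY_ACTIONS and not event.get("verified_identity"):
        return ("deny", "recovery action without verified identity")
    # 2. A valid session in one tier is not a free pass into another.
    if dst not in ALLOWED_CROSSINGS.get(src, set()):
        return ("deny", f"{src} session may not reach {dst} tier")
    # 3. Legacy protocols carry no IdP MFA, so enforce it inline instead.
    if (event.get("protocol") or "").upper() in LEGACY_PROTOCOLS and not event.get("mfa"):
        if dst == "privileged":
            return ("deny", "legacy protocol to privileged tier without MFA")
        return ("step_up", "legacy protocol without MFA")
    # 4. Living-off-the-land signals (new device/location plus RDP or PowerShell remoting).
    signals = sum(bool(event.get(k)) for k in ("new_device", "new_location", "remote_tool"))
    if signals >= 2 and dst == "privileged":
        return ("isolate", "lateral-movement pattern toward privileged tier")
    return ("allow", "within tier policy")


# Constructed events: a supplier desk reaching inward, an unverified MFA change,
# and an admin session showing movement signals.
SAMPLE_EVENTS = [
    {"user": "vendor-desk", "source_tier": "supplier", "target_tier": "standard", "mfa": True},
    {"user": "alice", "source_tier": "standard", "target_tier": "standard",
     "action": "mfa_change", "verified_identity": False},
    {"user": "admin-dba", "source_tier": "privileged", "target_tier": "privileged",
     "mfa": True, "new_device": True, "remote_tool": "RDP"},
]


def triage(events):
    """Return [(user, action)] so responders see what was interrupted before triage."""
    return [(ev["user"], decide(ev)[0]) for ev in events]
```

Because the rule order is fixed in advance, the decision is the same whether it is reached at 3 a.m. by an automated control or reviewed later by a responder.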
Threat narrative
Attacker objective: The attacker objective was to reach customer data and move through trusted identity paths without triggering traditional perimeter controls.
- Entry occurred through social engineering against a third-party customer service platform and related human trust processes, giving attackers a legitimate-looking foothold.
- Credential access and abuse followed through phishing, MFA manipulation, and reuse of valid identities, allowing the attacker to operate as an authorised user.
- Impact came from lateral movement and data exposure across hybrid systems, culminating in the theft of personal data for millions of customers.
Breaches seen in the wild
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity-layer segmentation is the control that breaks the attacker’s assumed freedom of movement. The article shows that once a third-party platform or help desk path is trusted, attackers can traverse environments that should have been isolated from one another. That is not just a visibility problem, it is a governance failure in how trust is scoped across privileged, non-privileged, and supplier identities. Practitioners should treat segmentation as an identity control plane issue, not a network afterthought.
Legacy protocol trust is a standing exception that attackers turn into an operating model. NTLM, LDAP, and SMB persist because business systems still depend on them, but every exception creates an alternate authentication universe. Scattered Spider-type operators do not need to defeat modern controls if legacy paths remain usable and under-monitored. The implication is that identity governance must account for protocol-level asymmetry, not just account-level policy.
Help desk identity assurance is now part of attack surface management. The article makes clear that social engineering succeeds when recovery and reset processes are easier to trigger than they are to validate. That means the control problem sits inside support workflows, not only in IAM tooling. Organisations should treat support staff verification rules, escalation paths, and third-party service desk procedures as security-critical identity boundaries.
Identity blast radius is the right concept for hybrid breach analysis. The Qantas case shows how a breach in one access domain can produce consequences far beyond the initial platform. This concept captures the gap between initial compromise and downstream harm when privileged, supplier, and customer identity paths are loosely coupled. Practitioners should evaluate every high-value identity path by how far it lets an attacker spread, not only by whether it authenticates successfully.
Hybrid identity programmes fail when containment is treated as a recovery task rather than a design constraint. The article’s response guidance points to an important field-level truth: if organisations wait to decide on deny, MFA, or isolation policies after compromise is confirmed, the attacker has already used the valid session. That makes containment part of the access model itself. Security teams should build for interruption at the identity layer before they build for investigation.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to the 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the 2024 ESG Report: Managing Non-Human Identities.
- For the lifecycle controls behind these attack paths, see Ultimate Guide to NHIs for the governance model that reduces sprawl and limits exposure.
What this signals
Identity blast radius is becoming the practical measure of programme maturity. If a supplier platform, support workflow, or privileged account can be used to move laterally across hybrid estates, then the programme has not actually bounded trust. Teams should assess where identity decisions still depend on assumptions that do not hold across on-prem, cloud, and outsourced operations.
With 72% of organisations reporting or suspecting a breach of non-human identities in our research, the lesson is not limited to machine accounts. Any environment that allows cross-boundary trust without lifecycle discipline will eventually expose the same structural weakness, so third-party and privileged access reviews need to converge.
The next step for many programmes is to align identity controls with response speed. Inline denial, forced reauthentication, and isolation need to be pre-approved before the event, because by the time a breach is confirmed, the attacker is already using legitimate access paths.
For practitioners
- Map and tier every identity path across hybrid estates: Inventory human, privileged, third-party, and service access together, then separate them by business criticality so a compromise in one tier cannot freely traverse the others. Use identity-layer segmentation to reduce blast radius across on-prem, cloud, and vendor-operated systems.
- Close MFA gaps across legacy authentication protocols: Find where NTLM, LDAP, and SMB still permit authentication without modern verification, then restrict those paths to the smallest possible set of systems. Where possible, force stronger controls around those protocols and retire any dependency that can be removed.
- Harden help desk verification and reset workflows: Require stronger identity checks before password resets, MFA changes, or account recovery actions, especially where third-party staff or outsourced service desks are involved. Treat these workflows as privileged access points rather than administrative conveniences.
- Pre-authorise identity-first containment actions: Define the exact deny, reauthentication, and isolation actions that should trigger when suspicious identity activity appears, so containment can begin before the investigation is complete. Make sure those controls work across cloud and on-prem logs, not only in one environment.
- Extend least privilege to third-party suppliers: Limit supplier and contractor access to the minimum systems needed for the service they provide, then review whether that access still matches the current business relationship. Remove standing access paths that outlive the operational need for them.
Key takeaways
- The Qantas breach shows that identity compromise can originate in a third-party service workflow and still produce broad customer exposure.
- The scale matters because millions of customer records can be exposed without ransomware, proving that valid credentials and trust abuse are enough to create serious harm.
- The control that changes the outcome is identity-layer segmentation combined with stronger verification and pre-planned containment.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity sprawl and unknown access paths are central to this breach pattern. |
| NIST CSF 2.0 | PR.AC-4 | The article focuses on access control boundaries and lateral movement prevention. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Continuous verification and reduced trust zones match the article's containment model. |
Treat every identity event as a verification point and deny movement by default across trust boundaries.
Key terms
- Identity-layer segmentation: A control model that separates access by identity type, privilege level, and business criticality instead of treating the environment as one trust zone. It limits how far a compromised account can move by enforcing boundaries between privileged, standard, and third-party access paths.
- Help desk impersonation: A social engineering technique where an attacker pretends to be support staff or a trusted internal operator to trigger resets, approvals, or credential disclosure. In identity programmes, it is a high-value attack path because it turns routine recovery workflows into access grant mechanisms.
- Identity-first containment: A response approach that uses identity controls, such as deny rules, reauthentication, and session isolation, to stop movement before investigation is complete. It prioritises fast access interruption at the identity layer so an attacker cannot keep using legitimate sessions while responders triage the event.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Silverfort covering the Qantas breach and identity attack patterns: Identity-first defense is the lesson from the Qantas breach. Read the original.
Published by the NHIMG editorial team on 2025-08-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org