TL;DR: A joint advisory from 10+ nations says Russian GRU unit 26165 is using password spraying, phishing, malware, and legacy authentication abuse to break identity trust and reach logistics and tech targets supporting Ukraine, according to Axiad. The lesson is broader than one campaign: identity infrastructure that still depends on NTLM, weak mailbox permissions, and password-based trust is already out of step with modern threat pressure.
At a glance
What this is: This is an analysis of a state-sponsored identity-focused espionage campaign and the key finding that weak authentication, legacy protocols, and misconfigured permissions remain the easiest path into enterprise environments.
Why it matters: It matters because IAM teams must treat authentication hardening, certificate-backed identity, and legacy protocol retirement as core security controls across human, NHI, and hybrid identity estates.
By the numbers:
- A newly released joint cybersecurity advisory from agencies across 10+ nations describes a persistent cyber espionage campaign.
Context
Identity trust fails when attackers can authenticate as if they were legitimate users or services. In this article, the problem is not network perimeter collapse but identity-layer abuse: password spraying, phishing, vulnerable VPNs, misconfigured mailbox permissions, and outdated protocols such as NTLM are being used to enter environments that still assume credentials are enough.
For IAM teams, the lesson is straightforward. If legacy authentication and weak identity governance remain in place, state-backed operators do not need novel exploits to move in. Certificate-based authentication, tighter mailbox permissions, and protocol retirement are the controls that change the cost of access.
The article frames PKI as a practical answer to a familiar problem: identity systems that still trust guessable or replayable credentials. That starting position is common in hybrid enterprises, not exceptional, which is why the campaign matters well beyond the specific geopolitical target set.
Key questions
Q: How should security teams reduce identity compromise from password spraying and phishing?
A: Start by removing easy authentication targets. Block the legacy authentication endpoints that cannot enforce MFA, since those are what sprays are aimed at; enforce phishing-resistant methods for privileged access; limit password-based fallback; and monitor authentication logs for the spray signature, which is one source failing against many distinct accounts with one or two guesses each, often slowly enough to stay under per-account lockout thresholds. The goal is to make stolen credentials less reusable and to force attackers into noisier paths that are easier to detect and block.
Q: Why do legacy protocols like NTLM still increase breach risk?
A: Legacy protocols preserve compatibility but also preserve weaker trust assumptions. NTLM has no mutual authentication, so a challenge-response can be relayed to another service where signing or channel binding is not enforced; the NT hash is a password equivalent, so a stolen hash authenticates without being cracked (pass-the-hash); captured NTLMv1 responses are cheap to crack offline; and a client still allowed to use NTLMv1 or LM can be downgraded to it. Attackers therefore look for organisations that have not completed migration. If NTLM is still required, it should be tightly scoped, monitored, and isolated from sensitive access paths.
Q: How can organisations decide when certificate-based authentication is worth the effort?
A: Prioritise it where credential theft would have the highest impact, such as admin access, remote access, and hybrid on-prem systems. Certificate-based authentication is most valuable when the organisation needs stronger proof than passwords can provide and when lifecycle management can be handled consistently across users and devices.
Q: Who is accountable when identity trust failures enable espionage campaigns?
A: Accountability sits with the teams that own authentication policy, legacy protocol retirement, mailbox governance, and privileged access design. In practice, that means IAM, security architecture, and platform owners must share responsibility for removing weak trust paths before attackers use them.
Technical breakdown
Why password spraying and phishing still work against identity trust
Password spraying succeeds because it targets the weakest shared assumption in identity systems: that users will defend credentials through strength alone. Phishing adds social engineering to that weakness by stealing valid login material or tokens that pass normal authentication checks. When MFA is vulnerable to fatigue attacks or when federation trusts old assumptions, the attacker does not need to bypass identity controls. They simply use them as designed. That is why identity trust, not just endpoint hardening, becomes the real attack surface in these campaigns.
Practical implication: retire weak credential paths and tighten authentication so stolen credentials cannot be reused easily.
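The spray signature the Q&A and this section describe, one source working through many accounts with a guess or two each, as an added example that is not from the Axiad article or the advisory: a Go program that parses constructed sign-in records (the field names are an assumption; real IdP exports use their own schema), slides a time window over each source's failures and reports sources that touched at least a threshold of distinct accounts, which is what separates a spray from a single-account brute force, together with any account the same source later logged into.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// signIn is one authentication event. The field names are an assumption for
// this example; real IdP sign-in exports use their own schema.
type signIn struct {
	Time   time.Time `json:"time"`
	User   string    `json:"user"`
	Source string    `json:"source_ip"`
	Result string    `json:"result"` // "failure" or "success"
}

// SprayHit is one source that failed against many distinct accounts in a window.
type SprayHit struct {
	Source   string
	Users    int      // most distinct accounts failed against inside one window
	Failures int      // total failures from this source
	LandedOn []string // accounts that later succeeded from the same source
}

// sampleLog is constructed sample data, not real telemetry: 203.0.113.7 tries
// six accounts once each (a spray) and later lands on f.fox; 198.51.100.5 hits
// one account repeatedly, which is not a spray and never reaches the threshold.
var sampleLog = []string{
	`{"time":"2025-09-01T02:00:00Z","user":"a.adams","source_ip":"203.0.113.7","result":"failure"}`,
	`{"time":"2025-09-01T02:03:00Z","user":"b.brown","source_ip":"203.0.113.7","result":"failure"}`,
	`{"time":"2025-09-01T02:06:00Z","user":"c.clark","source_ip":"203.0.113.7","result":"failure"}`,
	`{"time":"2025-09-01T02:09:00Z","user":"d.diaz","source_ip":"203.0.113.7","result":"failure"}`,
	`{"time":"2025-09-01T02:12:00Z","user":"e.evans","source_ip":"203.0.113.7","result":"failure"}`,
	`{"time":"2025-09-01T02:15:00Z","user":"f.fox","source_ip":"203.0.113.7","result":"failure"}`,
	`{"time":"2025-09-01T02:40:00Z","user":"f.fox","source_ip":"203.0.113.7","result":"success"}`,
	`{"time":"2025-09-01T03:00:00Z","user":"g.gray","source_ip":"198.51.100.5","result":"failure"}`,
	`{"time":"2025-09-01T03:00:10Z","user":"g.gray","source_ip":"198.51.100.5","result":"failure"}`,
	`{"time":"2025-09-01T03:00:20Z","user":"g.gray","source_ip":"198.51.100.5","result":"failure"}`,
	`{"time":"2025-09-01T03:00:30Z","user":"g.gray","source_ip":"198.51.100.5","result":"success"}`,
}

// DetectSpray groups failures by source and slides a window over each source's
// failures counting distinct accounts. A source touching at least minUsers
// accounts inside one window is a spray; a single-account brute force never
// reaches the distinct-account threshold however many guesses it makes.
func DetectSpray(lines []string, window time.Duration, minUsers int) ([]SprayHit, error) {
	bySource := map[string][]signIn{}
	for _, l := range lines {
		var e signIn
		if err := json.Unmarshal([]byte(l), &e); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", l, err)
		}
		bySource[e.Source] = append(bySource[e.Source], e)
	}
	var hits []SprayHit
	for src, events := range bySource {
		sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
		var fails []signIn
		for _, e := range events {
			if e.Result == "failure" {
				fails = append(fails, e)
			}
		}
		maxUsers := 0
		for i, j := 0, 0; i < len(fails); i++ {
			for j < len(fails) && fails[j].Time.Sub(fails[i].Time) <= window {
				j++ // j is the first failure outside the window starting at fails[i]
			}
			seen := map[string]bool{}
			for _, f := range fails[i:j] {
				seen[f.User] = true
			}
			if len(seen) > maxUsers {
				maxUsers = len(seen)
			}
		}
		if maxUsers < minUsers {
			continue
		}
		hit := SprayHit{Source: src, Users: maxUsers, Failures: len(fails)}
		for _, e := range events {
			if e.Result == "success" && e.Time.After(fails[0].Time) {
				hit.LandedOn = append(hit.LandedOn, e.User) // the spray found a working password
			}
		}
		hits = append(hits, hit)
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Users > hits[j].Users })
	return hits, nil
}

func main() {
	hits, err := DetectSpray(sampleLog, time.Hour, 5)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("spray from %s: %d accounts, %d failures, landed on %v\n", h.Source, h.Users, h.Failures, h.LandedOn)
	}
}
```

The window and threshold are the tuning knobs: a slow spray that spaces guesses hours apart needs a longer window and a lower threshold, at the cost of more review work, and a source that later succeeds after a run of failures is the case to escalate first.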
How NTLM and mailbox permissions expand the attack surface
NTLM remains valuable to attackers because it is a legacy protocol that preserves compatibility at the cost of modern assurance. When organisations leave NTLM enabled, they keep a usable trust path alive: stolen hashes can be passed instead of passwords, challenge-responses can be relayed to services that do not enforce signing or channel binding, and clients that still accept NTLMv1 can be downgraded to it. Misconfigured mailbox permissions add a second problem: once an attacker reaches email infrastructure, delegated access and overbroad permissions can expose messages, contacts, and reset workflows. Identity compromise then becomes a platform for persistence and internal reconnaissance, not a single login event.
Practical implication: inventory and remove NTLM where possible, then audit mailbox permissions for excessive delegation.
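An added example of the NTLM inventory step (not code from the source article): Go that classifies constructed Windows Security event 4624 records by the package that actually authenticated the logon, counts NTLM logons per target host to size the migration, lists clients still negotiating NTLMv1, and flags privileged accounts using NTLM at all, since those are the sensitive access paths to isolate first. The field names are the real 4624 EventData names; the one-object-per-line JSON layout and the privileged-account list are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// logonEvent holds the fields of a Windows Security event 4624 (successful
// logon) that an NTLM inventory needs. The field names are the 4624 EventData
// names; the one-JSON-object-per-line layout is an assumption for this example.
type logonEvent struct {
	Computer                  string `json:"Computer"`
	TargetUserName            string `json:"TargetUserName"`
	LogonType                 int    `json:"LogonType"`
	AuthenticationPackageName string `json:"AuthenticationPackageName"` // Kerberos, NTLM or Negotiate
	LmPackageName             string `json:"LmPackageName"`             // "NTLM V1", "NTLM V2" or "-"
	WorkstationName           string `json:"WorkstationName"`
	IpAddress                 string `json:"IpAddress"`
}

// NTLMReport is what a migration plan needs: how much NTLM remains, which hosts
// it terminates on, which clients still negotiate NTLMv1, and which privileged
// accounts use NTLM at all (the paths to isolate first).
type NTLMReport struct {
	ByPackage      map[string]int // logons per package: Kerberos, NTLM V2, NTLM V1
	Dependencies   map[string]int // NTLM logons per target host
	V1Sources      []string       // "user from workstation (ip)" still sending NTLMv1
	PrivilegedNTLM []string       // privileged accounts seen over NTLM, with target host
}

// sampleEvents is constructed sample data, not a real export. The last record
// shows NTLM hiding under Negotiate, which AuthenticationPackageName alone misses.
var sampleEvents = []string{
	`{"Computer":"DC01","TargetUserName":"j.smith","LogonType":3,"AuthenticationPackageName":"Kerberos","LmPackageName":"-","WorkstationName":"WS-42","IpAddress":"10.0.1.42"}`,
	`{"Computer":"FILE01","TargetUserName":"svc-backup","LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","WorkstationName":"BACKUP01","IpAddress":"10.0.2.10"}`,
	`{"Computer":"FILE01","TargetUserName":"svc-scan","LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V1","WorkstationName":"MFP-LOBBY","IpAddress":"10.0.3.55"}`,
	`{"Computer":"DC01","TargetUserName":"da-admin","LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","WorkstationName":"JUMP01","IpAddress":"10.0.9.9"}`,
	`{"Computer":"WEB01","TargetUserName":"j.smith","LogonType":3,"AuthenticationPackageName":"Negotiate","LmPackageName":"NTLM V2","WorkstationName":"WS-42","IpAddress":"10.0.1.42"}`,
}

// InventoryNTLM classifies each logon by the package that actually did the
// authentication. LmPackageName is populated whenever NTLM was used, even when
// the outer package is Negotiate, so it is the field to key on.
func InventoryNTLM(lines []string, privileged map[string]bool) (NTLMReport, error) {
	r := NTLMReport{ByPackage: map[string]int{}, Dependencies: map[string]int{}}
	for _, l := range lines {
		var e logonEvent
		if err := json.Unmarshal([]byte(l), &e); err != nil {
			return r, fmt.Errorf("bad event %q: %w", l, err)
		}
		pkg := e.AuthenticationPackageName
		if e.LmPackageName != "" && e.LmPackageName != "-" {
			pkg = e.LmPackageName // NTLM V1 / NTLM V2, also when wrapped in Negotiate
		}
		r.ByPackage[pkg]++
		if !strings.HasPrefix(pkg, "NTLM") {
			continue // Kerberos: nothing to migrate
		}
		r.Dependencies[e.Computer]++
		who := fmt.Sprintf("%s from %s (%s)", e.TargetUserName, e.WorkstationName, e.IpAddress)
		if pkg == "NTLM V1" {
			r.V1Sources = append(r.V1Sources, who)
		}
		if privileged[e.TargetUserName] {
			r.PrivilegedNTLM = append(r.PrivilegedNTLM, who+" -> "+e.Computer)
		}
	}
	sort.Strings(r.V1Sources)
	sort.Strings(r.PrivilegedNTLM)
	return r, nil
}

func main() {
	// The privileged set is an assumption; in practice it comes from the tiering model.
	r, err := InventoryNTLM(sampleEvents, map[string]bool{"da-admin": true})
	if err != nil {
		panic(err)
	}
	fmt.Println("by package:", r.ByPackage)
	fmt.Println("NTLM per target host:", r.Dependencies)
	fmt.Println("NTLMv1 sources:", r.V1Sources)
	fmt.Println("privileged over NTLM:", r.PrivilegedNTLM)
}
```

The per-host counts are the migration backlog (here FILE01 is the heaviest NTLM consumer), the NTLMv1 list is what to fix before anything else, and a privileged account authenticating over NTLM to a domain controller is the single finding that warrants immediate scoping. The same classification applies to the NTLM audit events Windows writes to the Microsoft-Windows-NTLM/Operational channel once the "Restrict NTLM: Audit" policies are enabled, which is the less noisy source for a full inventory.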
Why certificate-based authentication changes the trust model
Certificate-based authentication shifts identity proof from something guessable to something cryptographically bound to the device or token. Instead of trusting a password that can be sprayed or a token that can be replayed, the relying party checks possession of a private key (the client signs a fresh server challenge, so a captured response is useless for the next login) and the integrity of the issuing chain, including the validity period and revocation status. That makes the identity event harder to counterfeit, especially in hybrid environments where on-premises systems, Exchange, and RDP still matter. PKI does not solve every governance issue, but it changes the economics of identity abuse in a way passwords cannot.
Practical implication: use certificate-backed identity for high-risk access paths and treat lifecycle management as part of the control.
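The exchange behind that trust model, as an added example in Go using only the standard library (not code from Axiad or from the page): a toy CA issues a client certificate, the server sends a random nonce, the client signs it with its private key, and the server refuses the login unless the serial is not revoked, the chain verifies to its trusted root at the time of the request (which also enforces the validity window and the client-auth usage), and the signature over the nonce checks out. The CA, the names and the in-memory revocation list are assumptions for the example; a production deployment gets the same checks from an HSM-backed issuer and CRL/OCSP. The expiry and revocation paths are the lifecycle controls the article says must travel with the certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy issuing authority (Ed25519 key, self-signed root); serials are supplied by the caller.
type CA struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}

// newKeyCert makes a fresh key pair and certifies it under tmpl; nil signer means self-signed.
func newKeyCert(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewCA(now time.Time) (*CA, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, key, err := newKeyCert(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// Issue certifies a client-auth identity for cn; the private key goes to the client only.
func (ca *CA) Issue(serial int64, cn string, notBefore, notAfter time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return newKeyCert(tmpl, ca.Cert, ca.Key)
}

// Server is the relying party: one trusted root plus a revocation list keyed by serial.
type Server struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
}

func NewServer(root *x509.Certificate) *Server {
	s := &Server{Roots: x509.NewCertPool(), Revoked: map[string]bool{}}
	s.Roots.AddCert(root)
	return s
}

// Challenge returns a fresh nonce; every login signs a new one, so a captured
// response cannot be replayed the way a captured password can.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// ClientRespond is the client side: prove possession of the private key by signing the nonce.
func ClientRespond(key ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(key, nonce)
}

// Authenticate is the server side: reject revoked serials, verify the chain to the
// trusted root as of now (validity window and client-auth usage included), then
// check the signature over the nonce. Only then is the subject a trusted identity.
func (s *Server) Authenticate(cert *x509.Certificate, nonce, sig []byte, now time.Time) (string, error) {
	if s.Revoked[cert.SerialNumber.String()] {
		return "", fmt.Errorf("certificate revoked")
	}
	opts := x509.VerifyOptions{Roots: s.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return "", fmt.Errorf("no proof of private key possession")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := NewCA(time.Now())
	srv := NewServer(ca.Cert)
	cert, key, _ := ca.Issue(2, "alice@example.com", time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour))
	nonce, _ := srv.Challenge()
	fmt.Println(srv.Authenticate(cert, nonce, ClientRespond(key, nonce), time.Now())) // alice@example.com <nil>
}
```

The order of checks matters: revocation and chain validity are decided before the signature is even looked at, so a stale or revoked certificate with a perfectly good private key still fails. That is the property the lifecycle controls depend on, and it is why offboarding must reach the CA's revocation list and not only the directory.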
Threat narrative
Attacker objective: The objective is to gain durable identity-backed access for espionage, internal reconnaissance, and collection against organisations supporting Ukraine.
- Entry begins with password spraying, phishing lures, and abuse of vulnerable VPNs and legacy authentication paths to obtain valid identity access.
- Escalation follows through misconfigured mailbox permissions, outdated protocols such as NTLM, and unpatched systems that widen access after the first foothold.
- Impact is persistent cyber espionage, with attackers using identity trust to reach targeted systems and support intelligence collection operations.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity trust is the real perimeter, and this campaign proves legacy authentication still collapses first. Password spraying, phishing, and malware do not need to defeat a mature network boundary if the identity layer remains permissive. NTLM, weak mailbox permissions, and replayable credentials turn authentication into a pathway rather than a gate. The practical conclusion is that identity hardening is now front-line defence, not a supporting control.
Certificate-based identity is not a convenience upgrade, it is a change in the trust contract. Passwords can be guessed, replayed, or socially engineered. Certificates bind access to cryptographic proof and lifecycle control, which makes identity abuse harder at scale. For hybrid estates that still rely on on-prem systems, the question is no longer whether PKI is elegant, but whether the current trust model is still defensible.
Legacy protocol dependence is a governance failure, not just a technical debt item. NTLM persists because organisations tolerate compatibility risk longer than they tolerate migration pain. That tolerance creates a standing identity weakness that state actors can repeatedly exploit. Practitioners should treat legacy authentication retirement as an identity-risk decision with direct espionage implications.
Mailbox permissions are part of identity infrastructure, not an email-only concern. When mailbox delegation is broad or poorly reviewed, attackers who reach messaging systems can map users, reset flows, and trust relationships. That makes email access a control plane for further identity compromise. Security teams should stop separating collaboration permissions from IAM governance.
Top 10 NHI Issues: identity abuse is converging across human, machine, and hybrid trust paths. The same patterns that weaken human authentication also affect service accounts, tokens, and certificate-backed access if lifecycle control is weak. The field is moving toward unified trust governance across identity types, and organisations that keep them separate will keep reintroducing the same exposure in different forms.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity trust failures often persist unseen until an incident forces discovery.
- A broader view of identity exposure is available in 52 NHI Breaches Analysis, which helps teams connect trust failure to real breach patterns.
What this signals
Identity programmes that still separate human login controls from broader trust governance will keep missing the same failure mode. The article shows that attackers do not need to invent new tricks when organisations leave legacy authentication and permissive delegation in place. For security leaders, the practical signal is to treat authentication, mailbox governance, and protocol retirement as one operating model rather than isolated projects.
Identity blast radius is now the useful planning concept. When password spraying or phishing lands, the question is not only whether access was gained, but how far identity trust can be extended before detection. Organisations should map which systems still accept weak protocols, which mail permissions allow lateral movement, and which access paths depend on reusable credentials.
The article’s lesson is that a strong identity estate is measured by what attackers cannot reuse. As long as legacy authentication remains available, state actors can keep turning identity into an access broker. Teams should expect certificate-backed identity, tighter privilege scoping, and faster revocation to become the differentiators that reduce blast radius.
For practitioners
- Retire legacy authentication paths: Inventory NTLM usage, identify remaining dependencies, and set a migration plan that removes downgrade paths from high-value systems first. Where NTLM cannot disappear immediately, isolate it tightly and monitor for unusual authentication patterns.
- Strengthen phishing-resistant authentication: Prioritise certificate-based authentication or other phishing-resistant methods for privileged, remote, and high-risk access paths. Pair deployment with device trust, revocation discipline, and clear fallback rules so weaker methods do not remain the default.
- Audit mailbox delegation and recovery paths: Review mailbox permissions, delegated access, and account recovery workflows for excessive privilege. Attackers often use email control to map relationships and initiate resets, so these paths should be governed alongside core IAM entitlements.
- Link identity lifecycle to trust controls: Treat issuance, renewal, revocation, and offboarding as part of identity assurance, not back-office administration. That is especially important for certificate-backed access, where stale credentials can undermine the assurance the control is meant to provide.
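An added example for the mailbox delegation audit (not code from the source article): Go that reads a constructed export in the column layout of Exchange's Get-MailboxPermission output, keeps only live, explicit FullAccess grants to someone other than the mailbox owner, and then surfaces "hub" users who hold FullAccess on several mailboxes, because one phished hub account gives an attacker the reconnaissance and reset-workflow reach the technical breakdown above describes. The sample rows and the hub threshold are assumptions.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// samplePermissions is constructed sample data in the column layout of an
// Exchange Get-MailboxPermission export (Identity, User, AccessRights,
// IsInherited, Deny). It is not a real tenant export.
const samplePermissions = `Identity,User,AccessRights,IsInherited,Deny
ceo@example.com,NT AUTHORITY\SELF,FullAccess,False,False
ceo@example.com,ea.jones@example.com,FullAccess,False,False
cfo@example.com,NT AUTHORITY\SELF,FullAccess,False,False
cfo@example.com,ea.jones@example.com,FullAccess,False,False
legal@example.com,ea.jones@example.com,FullAccess,False,False
shared-ops@example.com,svc-ticketing@example.com,FullAccess,False,False
shared-ops@example.com,EXAMPLE\Domain Admins,FullAccess,True,False
hr@example.com,contractor.x@example.com,ReadPermission,False,False
hr@example.com,former.employee@example.com,FullAccess,False,True
j.doe@example.com,NT AUTHORITY\SELF,FullAccess,False,False
`

// MailboxAudit is what an IAM access review should see, not an email-admin view.
type MailboxAudit struct {
	ExplicitFullAccess []string       // "mailbox <- user": direct FullAccess to someone other than the owner
	Hubs               map[string]int // users holding FullAccess on hubThreshold or more mailboxes
}

// AuditMailboxPermissions keeps only live, explicit FullAccess grants to
// non-owners. Inherited entries (organisation-level ACLs) and Deny entries are
// not delegations and are skipped. A hub user with FullAccess on many mailboxes
// is the account an attacker wants: one phished credential reads all of them.
func AuditMailboxPermissions(export string, hubThreshold int) (MailboxAudit, error) {
	rows, err := csv.NewReader(strings.NewReader(export)).ReadAll()
	if err != nil {
		return MailboxAudit{}, err
	}
	if len(rows) == 0 {
		return MailboxAudit{}, fmt.Errorf("empty export")
	}
	col := map[string]int{}
	for i, name := range rows[0] {
		col[strings.TrimSpace(name)] = i
	}
	for _, need := range []string{"Identity", "User", "AccessRights", "IsInherited", "Deny"} {
		if _, ok := col[need]; !ok {
			return MailboxAudit{}, fmt.Errorf("missing column %q", need)
		}
	}
	audit := MailboxAudit{Hubs: map[string]int{}}
	perUser := map[string]int{}
	for _, r := range rows[1:] {
		mailbox, user := r[col["Identity"]], r[col["User"]]
		inherited := strings.EqualFold(r[col["IsInherited"]], "True")
		deny := strings.EqualFold(r[col["Deny"]], "True")
		full := strings.Contains(r[col["AccessRights"]], "FullAccess")
		if inherited || deny || !full || strings.EqualFold(user, `NT AUTHORITY\SELF`) {
			continue
		}
		audit.ExplicitFullAccess = append(audit.ExplicitFullAccess, mailbox+" <- "+user)
		perUser[user]++
	}
	for user, n := range perUser {
		if n >= hubThreshold {
			audit.Hubs[user] = n
		}
	}
	sort.Strings(audit.ExplicitFullAccess)
	return audit, nil
}

func main() {
	audit, err := AuditMailboxPermissions(samplePermissions, 3) // threshold is an assumption
	if err != nil {
		panic(err)
	}
	for _, g := range audit.ExplicitFullAccess {
		fmt.Println("explicit FullAccess:", g)
	}
	fmt.Println("hub delegates:", audit.Hubs)
}
```

Each explicit grant is a line item for an access review with a named owner and an expiry; a hub delegate (here one assistant with FullAccess on the CEO, CFO and legal mailboxes) should be protected with the same phishing-resistant authentication as the mailboxes it can read, which is the point at which collaboration permissions and IAM governance stop being separate questions.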
Key takeaways
- This campaign shows that identity trust failures, not perimeter collapse, still provide the cleanest entry for state-sponsored attackers.
- Legacy protocols, mailbox delegation, and weak credentials create the conditions for persistent espionage and internal reconnaissance.
- Certificate-backed authentication and aggressive protocol retirement are the controls that most directly change the attacker’s cost of access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01, PR.AA-03 | Identities and credentials are managed, and users, services and hardware are authenticated; legacy authentication and weak trust paths map directly to this category. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Zero Trust requires access to be granted per session with continuous verification, not implicit trust in legacy protocols. |
| OWASP Non-Human Identity Top 10 | NHI4:2025 Insecure Authentication; NHI1:2025 Improper Offboarding | Weak or legacy authentication methods, and credentials that outlive their owner, are the NHI risks at play here. |
Apply continuous verification to high-value identity paths and eliminate blind trust in NTLM-like methods.
Key terms
- Certificate-based authentication: A method of proving identity using a cryptographic certificate and the associated private key rather than a reusable password. In identity programmes, it raises the bar for theft and replay because the secret is bound to lifecycle, issuance, and revocation control.
- Legacy authentication: Older login or protocol methods that remain in place for compatibility even after stronger controls exist. They often preserve weaker trust assumptions, which makes them attractive to attackers and difficult to defend if they are not tightly scoped and eventually retired.
- Identity trust: The set of assumptions an environment makes about how a user, device, or service proves who it is. When those assumptions are weak, attackers can enter through valid authentication instead of breaking infrastructure, which turns identity into the primary attack surface.
- Mailbox delegation: Permissions that allow one account or service to access another mailbox or its functions. In practice, excessive delegation can become a hidden control plane for reconnaissance, message access, and account recovery abuse if it is not reviewed as part of IAM governance.
Deepen your knowledge
PKI authentication, certificate lifecycle, and identity trust hardening are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are replacing weak login paths in a hybrid estate, it is worth exploring.
This post draws on content published by Axiad: Authentication State-Sponsored Cyber Threats - Is Your Identity Infrastructure Ready? Read the original.
Published by the NHIMG editorial team on 2025-09-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org