TL;DR: Credential abuse drove nearly half of 2024 breaches, with attackers using forged tokens, proxy reuse, and low-and-slow timing to evade standard detections, according to Abnormal AI. The real control gap is not alert volume but correlation across accounts, IPs, and timeframes, because isolated sign-ins no longer reveal campaign-level compromise.
NHIMG editorial — based on content published by Abnormal AI: stealthy account takeover detection and credential abuse
By the numbers:
- Credential abuse drove nearly half of 2024 breaches.
- Abnormal detected 100+ customers logging in from the same VPN infrastructure.
Questions worth separating out
Q: How should security teams detect account takeover campaigns that use proxies and stolen credentials?
A: They should correlate login telemetry across users, time windows, and infrastructure so the same IP blocks, browser traits, or VPNs can be linked to a wider campaign.
Q: Why do proxy-based account takeover attacks evade standard IAM alerts?
A: Because standard alerts are often tuned to one account at a time and to obvious spikes in activity.
Q: What do teams get wrong about safe login risk scores?
A: They treat a safe login as proof that the session is trustworthy.
Practitioner guidance
- Correlate identity events across accounts and time. Join login telemetry, IP reputation, browser traits, and session timing into one investigative view so recurring patterns surface as campaigns rather than isolated events.
- Flag repeated VPN and proxy infrastructure reuse. Create detections for IP blocks that reappear across unrelated accounts within short windows, especially when the same infrastructure is paired with rare device or geolocation signals.
- Promote low-signal cases only after cross-tenant validation. Require corroboration from multiple accounts, message events, or session attributes before escalating confidence so analysts are not overwhelmed by one-off anomalies.
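The three guidance points above describe one detection pipeline: group sign-ins by source infrastructure, look for the same block reappearing across unrelated accounts inside a short window, and only raise confidence when several of those accounts also show a device or geolocation signal that is new for them. The following is an added worked example of that pipeline, not Abnormal AI's code or the editorial's. It assumes a simple constructed login schema (timestamp, account, source IP, user agent, country), a constructed per-account baseline of previously seen user agents and countries, and a /24 bucketing of IPv4 addresses to group neighbouring VPN exit IPs; the thresholds (one-hour window, three accounts, two corroborating accounts) are illustrative choices.

```python
"""Correlate sign-in telemetry across accounts to surface infrastructure reuse.

Added example (not Abnormal AI's code). Schema, baseline and thresholds are
assumptions chosen to illustrate the guidance, not values from the source.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_interface

# Constructed sample telemetry: (timestamp, account, source IP, user agent, country).
# 203.0.113.0/24 is reused by three accounts within minutes; 10.0.0.0/24 is a
# benign shared egress (everyone looks like their own baseline); the rest are one-offs.
SAMPLE_LOGINS = [
    ("2024-05-01T08:00:00", "alice@corp.example", "203.0.113.10",  "Chrome/124",  "US"),
    ("2024-05-01T08:05:00", "bob@corp.example",   "203.0.113.44",  "Chrome/124",  "US"),
    ("2024-05-01T08:09:00", "carol@corp.example", "203.0.113.77",  "Chrome/124",  "US"),
    ("2024-05-01T09:00:00", "alice@corp.example", "198.51.100.5",  "Firefox/125", "US"),
    ("2024-05-01T10:00:00", "bob@corp.example",   "10.0.0.5",      "Chrome/124",  "US"),
    ("2024-05-01T10:10:00", "carol@corp.example", "10.0.0.6",      "Edge/124",    "US"),
    ("2024-05-01T10:15:00", "erin@corp.example",  "10.0.0.7",      "Safari/17",   "DE"),
    ("2024-05-02T14:00:00", "dave@corp.example",  "203.0.113.200", "Chrome/124",  "US"),
]

# Constructed baseline: user agents and countries previously seen per account.
BASELINE = {
    "alice@corp.example": {"ua": {"Firefox/125"}, "country": {"US"}},
    "bob@corp.example":   {"ua": {"Chrome/124"},  "country": {"US"}},
    "carol@corp.example": {"ua": {"Edge/124"},    "country": {"US"}},
    "dave@corp.example":  {"ua": {"Chrome/124"},  "country": {"US"}},
    "erin@corp.example":  {"ua": {"Safari/17"},   "country": {"DE"}},
}


def block_of(ip: str, prefix: int = 24) -> str:
    """Collapse an IPv4 address to its /24 so neighbouring exit IPs group together."""
    return str(ip_interface(f"{ip}/{prefix}").network)


def find_infrastructure_reuse(logins, window=timedelta(hours=1), min_accounts=3):
    """Return one finding per IP block reused by >= min_accounts distinct accounts within `window`."""
    by_block = defaultdict(list)
    for ts, account, ip, ua, country in logins:
        by_block[block_of(ip)].append((datetime.fromisoformat(ts), account, ua, country))

    findings = []
    for block, events in by_block.items():
        events.sort()  # time-ordered so a sliding window is valid
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # shrink the window until it fits
            slice_ = events[start:end + 1]
            accounts = {e[1] for e in slice_}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > len(best["accounts"])):
                best = {"block": block, "accounts": accounts, "events": slice_,
                        "first_seen": slice_[0][0], "last_seen": slice_[-1][0]}
        if best:
            findings.append(best)
    return findings


def corroborating_accounts(finding, baseline):
    """Accounts in the finding whose user agent or country is new relative to their baseline."""
    flagged = set()
    for _, account, ua, country in finding["events"]:
        known = baseline.get(account, {"ua": set(), "country": set()})
        if ua not in known["ua"] or country not in known["country"]:
            flagged.add(account)
    return flagged


def assess(finding, baseline, min_corroboration=2):
    """Promote to high confidence only when several accounts independently look unusual."""
    flagged = corroborating_accounts(finding, baseline)
    confidence = "high" if len(flagged) >= min_corroboration else "medium"
    return {**finding, "corroborated_accounts": flagged, "confidence": confidence}


def run(logins=SAMPLE_LOGINS, baseline=BASELINE):
    """Full pipeline: infrastructure reuse -> corroboration -> confidence label."""
    return [assess(f, baseline) for f in find_infrastructure_reuse(logins)]


if __name__ == "__main__":
    for r in run():
        print(r["block"], r["confidence"], sorted(r["accounts"]), sorted(r["corroborated_accounts"]))
```

On the constructed data the 203.0.113.0/24 reuse is promoted to high because two of the three accounts (alice and carol) arrive with a user agent their baseline has never shown, while the 10.0.0.0/24 reuse stays at medium since every account matches its own baseline: the same correlation query fires for both, and it is the corroboration step that separates a campaign from a shared corporate egress. In a real deployment the baseline would be computed from historical telemetry rather than hard-coded, and the window and thresholds tuned to the tenant's sign-in volume.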
What's in the full article
Abnormal AI's full blog post covers the operational detail this post intentionally leaves for the source:
- The full campaign reconstruction showing how the phishing lure, credential theft, and VPN reuse connected across multiple tenants.
- The telemetry patterns used to promote suspicious sign-ins from medium to high confidence.
- The exact behavioural AI signals that distinguished attacker infrastructure reuse from isolated anomalies.
- The remediation workflow details, including how active-mode response could have revoked access earlier.
👉 Read Abnormal AI's analysis of stealthy account takeover detection and credential abuse →
Account takeover is getting quieter, not louder: what teams need to change
Explore further
Credential abuse is now a correlation problem, not a login problem. Standard IAM controls still see events one authentication at a time, but these campaigns win by hiding in repetition across accounts and infrastructure. Once the same VPN blocks or proxy patterns recur, the security question becomes campaign detection, not individual sign-in assessment. Practitioners should treat identity correlation as a core detection capability, not an optional analytics layer.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when account takeover is detected too late?
A: Accountability usually sits with the team that owns identity telemetry, detection engineering, and response thresholds, because the failure is often a programme design issue rather than a single analyst mistake. Frameworks such as the NIST Cybersecurity Framework 2.0 help teams assign ownership across detect and respond functions.
👉 Read our full editorial: Credential abuse is hiding in plain sight across account takeover