When attackers sign in: the new reality of identity-based threats

A practical summary of why identity is now the primary attack surface and what resilient recovery requires in response


Identity-based attacks are no longer a secondary concern at the edges of enterprise security; they are increasingly the primary and defining challenge. The central argument of the new Veeam report, Identity Under Attack, is that many organizations are still defending against an older model of compromise, one built around malware, endpoint intrusion, and perimeter failure.

Today’s attackers often choose a far simpler and more effective route: they sign in with valid credentials, inherit trusted access, and move through legitimate administrative pathways. In such an environment, identity becomes the battleground.

A compromised account, token, or service principal can create pathways across Microsoft 365, Entra ID, Salesforce, Azure, and other cloud platforms. The result turns trust itself into the mechanism for compromise. That shift changes the meaning of resilience. It is no longer enough to focus solely on keeping attackers out; organizations must also be able to detect, contain, and recover when the access appears legitimate.

Why identity has become the primary attack surface

The report makes this shift concrete through a detailed attack narrative that unfolds over the course of a single workday. What begins as an unusual service account login from an unfamiliar geography quickly expands into SharePoint permission changes, bulk mailbox exports in Microsoft 365, policy manipulation in Entra ID, OAuth-based activity in Salesforce, and privileged role assignments in Azure.

Looked at individually, each event has a plausible explanation. Taken together, however, they reveal a coordinated campaign moving laterally through the cloud control plane. That is one of the paper’s most important insights: identity-driven attacks rarely present as a single obvious breach. Instead, they are distributed across platforms, carried out through valid sessions, and concealed by the fact that enterprise systems are behaving exactly as designed.

This is also why siloed monitoring and fragmented response models struggle to keep pace. By the time separate teams connect what happened in identity systems, SaaS platforms, and cloud infrastructure, an attacker may already have escalated privileges, established persistence, or begun exfiltrating data.

The report argues that the problem is made even more acute by the explosive growth of non-human identities. Service accounts, API keys, OAuth tokens, service principals, automation credentials, and AI-driven agents now outnumber human identities by a wide margin, and many carry privileged or sensitive access. These identities often have no clear owner, no reliable behavioral baseline, and no consistent governance model. They are created for integrations or short-term projects, then left in place with broad permissions long after their original purpose has ended. That makes them highly attractive targets, especially in cloud environments where normal automated activity can easily mask malicious use.

What has changed about modern attacks

From there, the report explains that the mechanics of attacks have changed in three fundamental ways: how attackers gain access, how quickly they move, and how they profit.

Initial access now depends less on traditional malware delivery and more on social engineering, help desk manipulation, adversary-in-the-middle techniques, stolen session artifacts, and access brokers selling authenticated entry. In other words, human trust and inherited trust relationships have become central to compromise.

Once access is obtained, speed becomes the attacker’s advantage. The report highlights how quickly modern adversaries can move from access to lateral expansion, often far faster than security teams can investigate a single alert. That mismatch means defenders are still piecing together fragmented telemetry while attackers are already operating inside the cloud administration layer.

Just as importantly, the report argues that monetization has evolved. Attackers are no longer focused only on encrypting systems; they are increasingly stealing data for extortion, competitive leverage, resale, or downstream abuse. That evolution exposes a serious mismatch between confidence and capability inside many organizations.

A large share believes they are well prepared for cyber incidents, yet far fewer can actually recover cleanly when identity is involved. The gap matters because identity compromise affects much more than files or endpoints: it can corrupt the trust relationships that govern access across the environment. And if teams restore data while attackers still hold valid tokens, manipulated policies, or compromised service principals, recovery may simply recreate the path of compromise.

What identity resilience looks like in practice

That is where the report shifts from diagnosis to response. It defines identity resilience through four connected capabilities that must work together.

The first is unified visibility across identity and cloud environments. That enables teams to see how human and non-human identities interact with applications, workloads, and data across the estate in real time.

The second is reducing blast radius by enforcing least privilege, tightening trust boundaries, and extending strong authentication and conditional access to the accounts and pathways attackers are most likely to exploit.

The third is cross-platform detection, because identity-driven attacks often look ordinary in one console and dangerous only when signals are correlated across multiple providers and platforms.

The fourth is orchestrated multi-system recovery, where SaaS, IaaS, and PaaS services are restored from trusted recovery points only after the identity layer has been validated as clean.

Together, these measures expand resilience from a narrow backup discussion into a practical operating model for modern cloud defense.
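The attack narrative above and the third capability, cross-platform detection, both turn on the same idea: each event is ordinary in its own console, and only the sequence for one identity across several platforms reveals the campaign. The following is an added example, not code from the report or from Veeam; the events, platform names, identity `svc-backup`, window size and stage labels are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the report): one workday, several platforms.
# Fields: timestamp, platform, identity, action, detail. Each line is plausible on
# its own; only the cross-platform sequence for one identity looks like a campaign.
EVENTS = [
    ("2024-05-06T08:02:00", "EntraID",    "svc-backup", "SignIn",           "new_geo=True"),
    ("2024-05-06T08:40:00", "SharePoint", "svc-backup", "PermissionChange", "site=finance"),
    ("2024-05-06T09:15:00", "M365",       "svc-backup", "MailboxExport",    "count=340"),
    ("2024-05-06T10:05:00", "EntraID",    "svc-backup", "PolicyUpdate",     "conditional_access"),
    ("2024-05-06T11:30:00", "Salesforce", "svc-backup", "OAuthAppConsent",  "scope=full"),
    ("2024-05-06T13:10:00", "Azure",      "svc-backup", "RoleAssignment",   "role=Owner"),
    ("2024-05-06T09:00:00", "M365",       "alice",      "SignIn",           "new_geo=False"),
    ("2024-05-06T09:30:00", "SharePoint", "alice",      "PermissionChange", "site=team"),
    ("2024-05-07T09:00:00", "Azure",      "alice",      "RoleAssignment",   "role=Reader"),
]

# Map individually ordinary actions onto the stages the narrative describes.
STAGE = {"SignIn": "access", "PermissionChange": "privilege", "MailboxExport": "collection",
         "PolicyUpdate": "persistence", "OAuthAppConsent": "persistence",
         "RoleAssignment": "privilege"}

def correlate(events, window_hours=8, min_platforms=3, min_stages=3):
    """Group events per identity and flag any window that spans several platforms
    and several attack stages. Returns {identity: finding}."""
    by_identity = defaultdict(list)
    for ts, platform, identity, action, detail in events:
        by_identity[identity].append((datetime.fromisoformat(ts), platform, action, detail))
    findings = {}
    for identity, evs in by_identity.items():
        evs.sort()  # chronological order per identity
        for i, (start, *_) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - start <= timedelta(hours=window_hours)]
            platforms = {e[1] for e in window}
            stages = {STAGE.get(e[2]) for e in window} - {None}
            if len(platforms) >= min_platforms and len(stages) >= min_stages:
                findings[identity] = {"platforms": sorted(platforms), "stages": sorted(stages),
                                      "first": start.isoformat(), "events": len(window)}
                break  # one finding per identity is enough to raise an alert
    return findings

if __name__ == "__main__":
    for identity, finding in correlate(EVENTS).items():
        print(identity, finding)
```

Run against these constructed events, `svc-backup` is flagged across five platforms and four stages within a single morning, while `alice`, whose similar-looking actions are spread over two days and two platforms, is not.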

Key takeaways

Seen as a whole, the message of Veeam's report is both straightforward and urgent.

Identity is now the connective tissue of enterprise operations — and therefore poses enterprise-wide risk. Attackers no longer need to defeat controls one by one when a single trusted credential can bridge systems for them.

Indeed, with breakout times now measured in seconds rather than hours (the fastest recorded lateral movement after initial access is 51 seconds), conventional response windows have effectively collapsed.

That shift matters because the attack surface has expanded well beyond human accounts. Non-human identities, including service accounts, OAuth tokens, and automated pipelines, now outnumber human identities by as much as 144 to 1.

Worse, most organizations govern them poorly if at all. The consequences show up in recovery statistics that should give every security leader pause: despite 69% of organizations believing they were well-prepared, only 10% recover more than 90% of their data after an attack (Source: Identity Under Attack).

Clearly, prevention alone is no longer sufficient. Recovery plans built for older, malware-centric models are increasingly inadequate against adversaries who never touch an endpoint.

The report argues forcefully that meaningful resilience requires four things working together: unified visibility across platforms, deliberate blast-radius reduction, cross-platform behavioral detection, and clean multi-system recovery that verifies the identity layer before restoring anything else.

For security leaders, IT administrators, cloud architects, and SaaS operations teams reassessing whether their current plans are truly built for identity-driven compromise, Identity Under Attack makes a compelling case for examining that question; the full white paper covers the details in depth.

Learn and do more with Veeam

Veeam is the Data and AI Trust Company, specializing in helping organizations ensure their data and AI are fully understood, secured, and resilient to enable the acceleration of safe AI at scale. As the market leader in both data resilience and data security posture management, Veeam is built for the convergence of identity, data, security, and AI risk.

Headquartered in Seattle, with offices in more than 30 countries, Veeam protects over 550,000 customers worldwide, including 82% of the Fortune 500.

Download the Identity Under Attack report or learn more at www.veeam.com, and follow Veeam on LinkedIn @veeamsoftware and X @veeam.

ITPro

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.
