Identity and integrations are the weak edge

Multiple incidents in the last 48 hours show that identity, home routers and third-party integrators are the easiest routes into enterprise systems. Microsoft attributed a 'payroll pirate' campaign to a group it tracks as Storm-2755, a device-code phishing wave is compromising organisations daily, and UK and Microsoft warnings, along with press reports, attribute DNS hijacks to attacks on TP-Link routers. Security write-ups also linked data theft at Snowflake customers to a breached SaaS integrator, underlining that connectors and authentication flows are high-risk vectors (microsoft.com) (the420.in) (techradar.com) (securityboulevard.com).

A payroll system, a television sign-in screen, a home router, and a cloud data connector look like four different problems until you see the same trick in each one: the attackers are not breaking the vault door, they are stealing the badge that opens it. (microsoft.com) (ncsc.gov.uk) (rhisac.org)

Microsoft said on April 9 that a group it calls Storm-2755 targeted Canadian employees, took over their accounts, opened their employee profiles, and changed salary payment details so money went to attacker-controlled bank accounts. (microsoft.com) The group did not need custom malware for that job. Microsoft says it used malicious ads and search engine poisoning to catch people searching for generic work terms, then sent them to an adversary-in-the-middle page: a proxy that looks like the login page, forwards the victim's password and MFA response to the real one, and keeps a copy of the session cookie the real service hands back. (microsoft.com) That proxy is the whole point. Microsoft says Storm-2755 hijacked authenticated sessions and bypassed multi-factor authentication, which means the victim did pass MFA, once, and the attacker then replayed the resulting session so the service treated them as the already-verified user. (microsoft.com)

The same idea shows up in device-code phishing, which abuses the sign-in method used when a device such as a smart television cannot type a password and instead asks you to enter a short code on a second screen. Microsoft said on April 6 that an artificial-intelligence-enabled campaign was compromising organizational accounts at scale with live code generation and automation. (microsoft.com) In plain English, the victim is still logging in on a real Microsoft page, but the attacker is the one who requested the code and is polling for the result, so the token issued at the end of the flow goes to the attacker's device, not the victim's. Reports this week said hundreds of organizations were being hit daily, and a Cloud Security Alliance note said one campaign compromised more than 340 Microsoft 365 organizations across five countries. (theregister.com) (labs.cloudsecurityalliance.org)

Then there is the router, the small box that tells every laptop and phone in a home or branch office where to send internet traffic. The United Kingdom National Cyber Security Centre said the Russian group APT28 has been exploiting routers to overwrite their Domain Name System settings, which is like swapping the address book every device in the building uses. (ncsc.gov.uk) Once that address book is poisoned, the NCSC says, traffic can be redirected through attacker-controlled servers for adversary-in-the-middle attacks that steal passwords and OAuth tokens, the bearer credentials that web and email clients present instead of a password and that keep working, without a fresh MFA prompt, for as long as they are valid. (ncsc.gov.uk)

The Snowflake case lands on the same weak edge from a different direction. RH-ISAC said on April 7 that attackers breached a software-as-a-service integrator, stole authentication tokens, and used that trusted connection to reach customer environments, with most of the observed data theft aimed at Snowflake customers. (rhisac.org) Snowflake told investigators the activity was tied to a specific third-party integration and not to a vulnerability in Snowflake's own systems, the cloud version of finding out that the side-door key was copied rather than the front-door lock picked. (rhisac.org) (bleepingcomputer.com)

Put the four incidents together and the pattern is blunt: attackers are getting better returns from login flows, session tokens, router settings, and third-party connectors than from noisy break-ins against hardened core systems. In 2026, the easiest path into an enterprise often starts at the edge, where identity is delegated, traffic is redirected, or trust is borrowed. (microsoft.com 1) (microsoft.com 2) (ncsc.gov.uk) (rhisac.org)
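The device-code passage above describes the flow in words; the following is an added example, not code from Microsoft or from any of the cited reports, that replays it against a toy authorization server so the mechanics are visible. The server stands in for the RFC 8628 device authorization grant (the flow a TV or command-line tool uses when it cannot type a password). Endpoint names follow the RFC; the IP addresses, user names, hostname and sign-in record layout are constructed for illustration, and the detector at the end runs over those constructed records.

```python
"""Device-code phishing against a toy OAuth authorization server.

Added example, not code from Microsoft or from any report cited on this page.
DeviceAuthServer stands in for the RFC 8628 device authorization grant.
Endpoint names follow the RFC; IPs, users, hostname and the sign-in record
format are constructed for illustration.
"""
import secrets
import time
from dataclasses import dataclass, field

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 suggests a confusion-free set


@dataclass
class DeviceAuthServer:
    """Minimal authorization server that remembers which client asked for each code."""
    pending: dict = field(default_factory=dict)   # user_code -> pending request
    sign_ins: list = field(default_factory=list)  # constructed sign-in log records

    def device_authorization(self, client_ip: str) -> dict:
        """POST /devicecode. Only the client is known here; no user is involved yet."""
        device_code = secrets.token_urlsafe(24)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.pending[user_code] = {
            "device_code": device_code,
            "client_ip": client_ip,          # whoever polls /token later
            "expires_at": time.time() + 900,
            "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device",  # constructed
                "expires_in": 900, "interval": 5}

    def user_approves(self, user_code: str, user: str, user_ip: str, mfa_ok: bool) -> bool:
        """The user types user_code on the genuine verification page and passes MFA.
        The page cannot show who holds the matching device_code; that is the trick."""
        req = self.pending.get(user_code)
        if req is None or time.time() > req["expires_at"] or not mfa_ok:
            return False
        req["approved_by"] = (user, user_ip)
        return True

    def token(self, device_code: str) -> dict:
        """POST /token. The token goes to whoever presents device_code, not to the
        browser that just completed MFA."""
        for user_code, req in list(self.pending.items()):
            if req["device_code"] != device_code:
                continue
            if req["approved_by"] is None:
                return {"error": "authorization_pending"}
            user, user_ip = req["approved_by"]
            del self.pending[user_code]
            record = {"user": user, "authenticationProtocol": "deviceCode",
                      "mfa_ip": user_ip, "token_ip": req["client_ip"]}
            self.sign_ins.append(record)
            return {"access_token": "tok-" + secrets.token_hex(8), "sign_in": record}
        return {"error": "invalid_grant"}


def flag_device_code_sign_ins(records: list) -> list:
    """Detection over the constructed records: every device-code sign-in deserves a
    look, and one where the token was collected from a different IP than the MFA
    prompt was answered from is the phishing shape. Returns (user, mfa_ip, token_ip)."""
    return [(r["user"], r["mfa_ip"], r["token_ip"])
            for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r["mfa_ip"] != r["token_ip"]]


def run_phish():
    """Replay the attack end to end. Returns the attacker's token response and the
    server's sign-in records so the detector can be run over them."""
    srv = DeviceAuthServer()
    # 1. Attacker requests the codes from their own host (TEST-NET-3 address, constructed).
    codes = srv.device_authorization(client_ip="203.0.113.7")
    # 2. A lure (mail, chat, poisoned search result) gets the victim to enter user_code
    #    on the genuine verification page. The victim passes MFA from their own network.
    approved = srv.user_approves(codes["user_code"], "victim@example.test",
                                 user_ip="198.51.100.20", mfa_ok=True)
    # 3. Attacker polls /token with device_code and receives the victim's token.
    response = srv.token(codes["device_code"]) if approved else {"error": "not_approved"}
    return response, srv.sign_ins


if __name__ == "__main__":
    resp, logs = run_phish()
    print("attacker received token:", "access_token" in resp)
    print("flagged:", flag_device_code_sign_ins(logs))
```

Two things carry over from the toy to a real tenant. Entra ID sign-in logs record the grant type in the authenticationProtocol field, with the value deviceCode for this flow, so the first filter in the detector is a direct translation; the IP comparison is constructed here because the toy server records both addresses on one line, which real logs do not. On the prevention side, Conditional Access has an "Authentication flows" condition that can block the device code flow for the users and apps that never legitimately use it, which removes the attack path rather than trying to spot it after the token has been issued.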

Shared from Scout.