Cloud Identity Compromise Surges in Attacks

Cloud identity compromise now drives over 80% of cyberattacks, marking a shift where adversaries target privileged accounts and workspace tools. This means internal teams need dynamic identity governance, moving beyond static access reviews to tools like Microsoft Entra and Azure Policy for continuous entitlement monitoring and automated alerting.

Field Effect's 2026 Cyber Threat Outlook reports that over 80% of cyber incidents investigated in 2025 were linked to cloud identity compromise, signaling a major shift in attack strategies. Attackers are moving away from traditional software exploits and are instead targeting trusted accounts, collaboration platforms, and familiar business workflows. This often starts with phishing and account takeovers, after which the compromised cloud identities are used for access and persistence within the network.

Microsoft Teams, Zoom, and Quick Assist are examples of legitimate tools being abused in these intrusion chains. Attackers impersonate internal IT help desks, create new Microsoft 365 tenants, and use Teams for voice phishing, tricking employees into granting remote access via Quick Assist. Once inside, they use PowerShell-based tools to escalate privileges, harvest credentials, move laterally, and even deploy ransomware.

Microsoft Entra, formerly known as Azure Active Directory, is a suite of identity and access management solutions that can help businesses secure and manage digital identities in cloud environments. It allows organizations to implement a Zero Trust security strategy by verifying identities, validating access conditions, and monitoring for compromises. Microsoft Entra passkeys on Windows will soon offer a phishing-resistant, passwordless sign-in option for Entra-protected cloud resources.

Azure Policy enables businesses to create, assign, and manage policies that enforce rules and effects on resources, ensuring compliance and security. It governs both existing and future resources by tracking compliance status and identifying changes that lead to non-compliance. These policies can restrict resource creation in certain regions, enforce VM sizes, ensure storage account encryption, and require specific tags for cost tracking.
