Stolen credentials are fueling modern cyberattacks, ETCISO
Attackers don’t need to find a technical route into your business if they can successfully gain access using stolen credentials. Once they are inside, they often rely on commercially available tools to hide their presence and quietly add new users to groups with higher IT rights. Such identity fraud and the abuse of administrative and privileged access rights are among the top cyber risks for organizations, according to Barracuda’s Managed XDR Global Threat Report. For example, unusual Microsoft 365 logins and the unexpected addition or removal of users from access groups can be important warning signs.
Identity is the new perimeter
Barracuda’s security operations center (SOC), part of Barracuda Managed XDR, flagged 600,000 security alerts in the last 12 months.
Leading the list of the most detected threats against organizations were attacks targeting identities and identity security. This included unusual or unexpected logins to a user account. These are connections that do not correspond to the user’s typical behavior pattern in terms of device, location or time. Such detections are a strong indicator of credential theft and account compromise. Anomalous Microsoft 365 logins topped the list for the most detected threat.
Other red flags are attempts to connect from a blocked geolocation and triggers of the ‘impossible travel’ rule (accounting for 17% of the top detections), which fires when a user logs in from a second location they could never have reached in the time between the two logins.
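The ‘impossible travel’ rule described above, implemented as an added example that is not from the report or from Barracuda’s own detection code: for each user it takes consecutive sign-ins, computes the great-circle distance between them and flags any pair whose implied speed could not be achieved. The speed threshold, the geo-IP slack distance and the sample sign-in events are assumptions constructed for the example.

```python
import math
from datetime import datetime

# Assumed threshold: a speed above this between two logins is treated as impossible.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
# Assumed slack for geo-IP inaccuracy: logins closer than this are never flagged.
MIN_DISTANCE_KM = 50.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive logins by one user whose implied speed exceeds max_speed_kmh.
    Events are dicts with user, ts (ISO 8601 with UTC offset), lat, lon, city.
    A zero time gap with a real distance is reported as infinite speed."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            gap_h = (datetime.fromisoformat(ev["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            dist_km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if dist_km >= MIN_DISTANCE_KM:
                speed = dist_km / gap_h if gap_h > 0 else math.inf
                if speed > max_speed_kmh:
                    alerts.append({"user": ev["user"], "from": prev["city"], "to": ev["city"],
                                   "distance_km": round(dist_km), "speed_kmh": speed})
        last_seen[ev["user"]] = ev
    return alerts


# Constructed sample sign-in events (not real log data).
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00+00:00", "lat": 19.0760, "lon": 72.8777, "city": "Mumbai"},
    {"user": "alice", "ts": "2024-05-01T10:30:00+00:00", "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"user": "bob", "ts": "2024-05-01T09:00:00+00:00", "lat": 19.0760, "lon": 72.8777, "city": "Mumbai"},
    {"user": "bob", "ts": "2024-05-01T11:00:00+00:00", "lat": 18.5204, "lon": 73.8567, "city": "Pune"},
    {"user": "dave", "ts": "2024-05-01T12:00:00+00:00", "lat": 19.0760, "lon": 72.8777, "city": "Mumbai"},
    {"user": "dave", "ts": "2024-05-01T12:00:00+00:00", "lat": 51.5074, "lon": -0.1278, "city": "London"},
]
```

Running `impossible_travel(SAMPLE_LOGINS)` flags alice (Mumbai to London in 90 minutes) and dave (two cities at the same instant) but not bob, whose Mumbai-to-Pune hop is an ordinary drive.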
Privilege escalation – the path to full control
Once cybercriminals have access to a system, their first goal is often to obtain administrator-level rights. This is called ‘privilege escalation’ and gives them deeper control over the network, for example to disable security software and then roll out ransomware. In Windows environments, this often involves adding a user to a high‑privilege group such as Domain Administrators, which occurred in 42% of observed cases. Within Microsoft 365, attackers sought full control of the cloud environment by adding a new user to the Global Administrator group in 16% of incidents.
PowerShell and password spraying
Certain combinations of attack techniques can provide warning signs of malicious activity. For example, the SOC found that 66% of incidents involving fileless malware also featured the use of PowerShell, allowing attackers to operate in memory and evade traditional security scanners.
Similarly, password spraying was involved in 44% of firewall-related incidents. In password spraying, attackers attempt to gain access by trying a large number of commonly used passwords against known usernames.
A third (34%) of social engineering incidents involved users being tricked into downloading malicious files.
Disabled security measures
Organisations sometimes inadvertently weaken their own security posture by disabling or failing to properly configure security tools. 94% of the misconfigured security features detected over the last 12 months involved endpoint protection agents that had been disabled.
When security controls on a device are turned off, it effectively creates a blind spot for IT and security teams. This lack of visibility means suspicious activity can go undetected, allowing attackers to operate freely without triggering alerts. Over time, these gaps can increase the risk of compromise, making it harder to identify threats early, contain incidents, or understand how an attack unfolded. In environments where resources are already stretched, such misconfigurations can turn minor oversights into serious security exposures.
Recommendations for organisations
A combination of preventative and monitoring measures can significantly reduce the risk of a breach. Strong foundations include enforcing multi‑factor authentication, carefully managing how permissions are assigned and changed, and closely monitoring for anomalous behaviour and suspicious login activity. Using an integrated security platform that delivers full visibility across networks, devices, servers, cloud storage and email further helps organisations identify threats earlier and limit potential exposure. These steps are particularly important for organisations with limited security resources, as they provide clearer insight into how attacks unfold in real‑world environments and where common security gaps are most often exploited.
The author is Merium Khalid, Director of SOC Offensive Security, Barracuda.
Disclaimer: The views expressed are solely of the author and ETCISO does not necessarily subscribe to it. ETCISO shall not be responsible for any damage caused to any person/organization directly or indirectly.