
Over the past week, multiple research teams have documented a renewed wave of voice-led social engineering targeting identity providers and federated access. The entry point is not malware or a zero-day exploit. The goal is simple: persuade a user to help complete authentication in real time, then use that trusted session to move through SaaS applications and exfiltrate data.
Security leaders already know the fundamentals. Multi-factor authentication (MFA) can be socially engineered. Single sign-on (SSO) concentrates trust. Uncontrolled privilege can turn one compromised identity into a broader incident.
Executive takeaway
- SSO is a force multiplier for both defenders and attackers. If a session is compromised, the blast radius is defined by what that identity, and any AI agents acting on its behalf, can reach.
- “Assume compromise” is synonymous with “post-login.” Standing access, uncontrolled privilege, and persistent machine credentials allow initial access to escalate into business impact.
- You can’t SIEM your way out of it alone. Audit logs across dozens of SaaS applications vary widely in detail and retention, making it difficult even for strong SOC teams to stitch together an accurate picture quickly.
What is new is how directly and consistently this campaign abuses those known gaps. The operator playbooks are polished, and the tooling behind them is becoming repeatable and commercialized. That makes this less of an edge case and more of a planning assumption for any organization that relies on SSO for everyday work.
The mindset shift is not “deploy phishing-resistant MFA” and stop there. It is to augment MFA and SSO with intelligent privilege controls that contain compromise after authentication.

What this campaign on identity providers is really exploiting
These attacks don’t break authentication—they reuse it. After a successful SSO login, attackers replay a valid session token to move through SaaS applications exactly as the user would, operating largely beyond the identity provider’s line of sight. The real blast radius is shaped by what happens next: fragmented visibility across SaaS, movement beyond the IdP boundary, and privilege that extends further than most teams intend.
The SSO-to-SaaS visibility gap
SSO is where you authenticate. Business impact happens after authentication, inside federated applications. In many environments:
- The identity provider sees “login succeeded,” but it does not inherently see what happens inside each SaaS application.
- The security team must rely on each application’s audit stream, with different schemas, granularities, and retention defaults for threat detection.
- The highest-value signals are often post-login actions: entitlement changes, admin actions, bulk exports, and high-risk workflows that live inside the application.
The burden falls on defenders to correlate identity + entitlement + activity, build nuanced detections that do not drown in false positives, and reconstruct exfiltration after the fact.
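The correlation burden described above can be made concrete. The following is an added illustration written for this post, not vendor code: two constructed SaaS audit streams with different schemas ("docs" and "crm", with invented field names), plus a constructed IdP login feed, are normalized to one event shape and then joined on identity so that high-risk post-login actions (entitlement changes, admin actions, bulk exports) that follow a new-device login within a time window surface as a single alert. The apps, field names, the 1000-record export threshold and every log line are assumptions.

```python
"""Correlate identity-provider logins with post-login SaaS audit events.

Added illustration for this post, not vendor code. The two SaaS apps ("docs",
"crm"), their field names, the IdP event shape and every log line below are
constructed; real audit streams differ in schema, granularity and retention,
which is why a per-source normalizer runs before correlation.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    identity: str   # normalized: lowercase e-mail
    app: str        # source system
    action: str     # normalized action class
    ts: datetime
    detail: dict    # original record, kept for the analyst


# Post-login action classes that matter more than the login itself.
HIGH_RISK = {"entitlement_change", "admin_action", "bulk_export"}


def norm_idp(line: str) -> Event:
    r = json.loads(line)
    action = "login_success" if r["event"] == "user.session.start" else r["event"]
    return Event(r["user"].lower(), "idp", action, datetime.fromisoformat(r["time"]), r)


def norm_docs(line: str) -> Event:
    r = json.loads(line)
    action = {"share.role.changed": "entitlement_change",
              "export.all": "bulk_export"}.get(r["action"], r["action"])
    return Event(r["actor"].lower(), "docs", action, datetime.fromisoformat(r["ts"]), r)


def norm_crm(line: str) -> Event:
    r = json.loads(line)
    # A report download only counts as a bulk export above a size threshold (assumed: 1000 records).
    if r["event_type"] == "report_download":
        action = "bulk_export" if r.get("record_count", 0) >= 1000 else "report_download"
    else:
        action = {"role_granted": "entitlement_change",
                  "settings_update": "admin_action"}.get(r["event_type"], r["event_type"])
    return Event(r["user_email"].lower(), "crm", action, datetime.fromisoformat(r["timestamp"]), r)


def correlate(events, window=timedelta(minutes=30)):
    """Flag high-risk SaaS actions that follow a new-device IdP login within `window`."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for login in events:
        if login.app != "idp" or login.action != "login_success" or not login.detail.get("new_device"):
            continue
        post = [e for e in events
                if e.app != "idp" and e.identity == login.identity
                and login.ts <= e.ts <= login.ts + window and e.action in HIGH_RISK]
        if post:
            alerts.append({
                "identity": login.identity,
                "login_ts": login.ts.isoformat(),
                "actions": [{"app": e.app, "action": e.action, "ts": e.ts.isoformat()} for e in post],
            })
    return alerts


# Constructed sample lines (not real logs); mixed-case e-mails show why normalization matters.
IDP_LINES = [
    '{"user":"Alex.Rivera@example.com","event":"user.session.start","new_device":true,"time":"2025-11-03T09:00:00+00:00"}',
    '{"user":"Sam.Lee@example.com","event":"user.session.start","new_device":false,"time":"2025-11-03T09:05:00+00:00"}',
]
DOCS_LINES = [
    '{"actor":"alex.rivera@example.com","action":"share.role.changed","ts":"2025-11-03T09:12:00+00:00","target":"finance-q3"}',
    '{"actor":"sam.lee@example.com","action":"document.view","ts":"2025-11-03T09:10:00+00:00","target":"handbook"}',
]
CRM_LINES = [
    '{"user_email":"alex.rivera@example.com","event_type":"report_download","record_count":48000,"timestamp":"2025-11-03T09:20:00+00:00"}',
    '{"user_email":"alex.rivera@example.com","event_type":"report_download","record_count":12,"timestamp":"2025-11-03T10:30:00+00:00"}',
]


def run_example():
    events = ([norm_idp(l) for l in IDP_LINES]
              + [norm_docs(l) for l in DOCS_LINES]
              + [norm_crm(l) for l in CRM_LINES])
    return correlate(events)


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Only the new-device login produces an alert, and it carries both the entitlement change in "docs" and the 48,000-record export in "crm"; the later 12-record download falls outside the window and below the threshold, so it is left for lower-priority review rather than drowning the alert.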
Lateral movement beyond the identity provider
Once attackers have a valid session, they do not stay neatly within the identity provider’s field of view. Lateral movement can include:
- Applications and consoles not governed by the identity provider
- APIs, OAuth grants, and delegated access where persistence outlives the initial login
- Automation and AI agents acting on behalf of a user, often inheriting their entitlements
The new definition of “privileged”
Privileged used to mean a handful of administrators. Today, privilege is a property of access and entitlements, not a job title. A standard workforce identity can have access to sensitive data, customer records, code repositories, finance tools, and automation platforms.
Assume that any user can become high-impact, and design controls accordingly.
Three control priorities that change outcomes
If an identity provider session can become a skeleton key, reduce the blast radius by ensuring it cannot unlock everything. These three priorities can help contain compromise before, during, and after access:
1. Zero standing privileges (ZSP) with time-limited access
By making privileged access time-bound, policy-bound, and session-audited, organizations can directly reduce the risk of standing accounts and lateral movement, and accelerate investigations and incident response.
2. Secure the persistence layer: tokens, secrets, and machine identities
Many SaaS takeovers do not end with a stolen user session. They end with something that outlives the user interaction: OAuth grants, API tokens, service principals, credentials in pipelines, and secrets that persist.
If the only response is “reset the password,” you may leave the real foothold intact.
Treat machine credentials as first-class risk: discover them, reduce their lifespan, rotate or revoke them at scale, and govern who and what can create new ones.
3. Protect beyond the login
Many security stacks evaluate risk at login and then go quiet. Modern identity security can identify what happens after access is granted: privilege elevation, access to high-value resources, and suspicious API calls. While “continuous authorization” is a practical bridge between identity and security operations center (SOC) teams, ensure this covers the targets that matter to your business, across your hybrid enterprise.
These priorities reflect the shift toward treating identity as an active control surface rather than a static access point.
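Priorities 1 and 2 above are easier to reason about with a model in front of you. The following added example, written for this post and not CyberArk's or any vendor's API, uses a constructed in-memory store: elevation creates a grant with an expiry instead of a standing role membership, every token records the session that minted it, and containment of a compromised session revokes the grants and tokens derived from it rather than stopping at "reset the password". The four-hour TTL ceiling, the identities, session ids and token ids are assumptions.

```python
"""Zero standing privilege with time-bound grants, plus containment that
revokes what a compromised session left behind (OAuth grants, API tokens).

Added illustration for this post using a constructed in-memory store; it is
not CyberArk's or any vendor's API. The TTL policy ceiling is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=4)   # assumed policy ceiling for any elevation


@dataclass
class Grant:
    identity: str
    entitlement: str      # e.g. "crm:admin"
    session_id: str       # IdP session under which elevation was requested
    approved_by: str
    expires_at: datetime


@dataclass
class Token:
    token_id: str
    identity: str
    kind: str             # "oauth_grant" or "api_token"
    session_id: str       # session that minted it: persistence stays traceable to its origin
    revoked: bool = False


class AccessStore:
    def __init__(self):
        self.grants = []
        self.tokens = []
        self.audit = []   # (action, ...) tuples; every decision is session-audited

    def elevate(self, identity, entitlement, session_id, approved_by, now, ttl=timedelta(hours=1)):
        """Grant an entitlement for a bounded time; no standing membership is created."""
        if ttl > MAX_TTL:
            raise ValueError(f"requested TTL {ttl} exceeds policy ceiling {MAX_TTL}")
        g = Grant(identity, entitlement, session_id, approved_by, now + ttl)
        self.grants.append(g)
        self.audit.append(("elevate", identity, entitlement, session_id, now.isoformat()))
        return g

    def is_authorized(self, identity, entitlement, now):
        """Authorization is re-evaluated at use time, so an expired grant simply stops working."""
        return any(g.identity == identity and g.entitlement == entitlement and now < g.expires_at
                   for g in self.grants)

    def mint_token(self, token_id, identity, kind, session_id, now):
        t = Token(token_id, identity, kind, session_id)
        self.tokens.append(t)
        self.audit.append(("mint", identity, kind, session_id, now.isoformat()))
        return t

    def token_valid(self, token_id):
        return any(t.token_id == token_id and not t.revoked for t in self.tokens)

    def contain_session(self, session_id, now):
        """Revoke every grant and token derived from a session, not just the session itself."""
        revoked = []
        for g in self.grants:
            if g.session_id == session_id and now < g.expires_at:
                g.expires_at = now
                revoked.append(("grant", g.entitlement))
        for t in self.tokens:
            if t.session_id == session_id and not t.revoked:
                t.revoked = True
                revoked.append(("token", t.token_id))
        self.audit.append(("contain", session_id, len(revoked), now.isoformat()))
        return revoked


def demo():
    """Walk one identity through elevation, expiry and containment; returns checkpoints."""
    t0 = datetime(2025, 11, 3, 9, 0, tzinfo=timezone.utc)
    who = "alex.rivera@example.com"          # constructed identity
    store = AccessStore()
    store.elevate(who, "crm:admin", "sess-A", "manager@example.com", t0)
    store.mint_token("tok-1", who, "api_token", "sess-A", t0 + timedelta(minutes=10))
    store.mint_token("tok-2", who, "oauth_grant", "sess-B", t0)   # minted under a different session
    out = {
        "authorized_at_t0": store.is_authorized(who, "crm:admin", t0 + timedelta(minutes=30)),
        "authorized_after_ttl": store.is_authorized(who, "crm:admin", t0 + timedelta(hours=2)),
    }
    try:
        store.elevate(who, "crm:admin", "sess-A", "manager@example.com", t0, ttl=timedelta(hours=8))
        out["over_ttl_rejected"] = False
    except ValueError:
        out["over_ttl_rejected"] = True
    # Incident: sess-A is judged compromised 20 minutes in. A password reset alone would leave tok-1 alive.
    out["revoked"] = store.contain_session("sess-A", t0 + timedelta(minutes=20))
    out["authorized_after_containment"] = store.is_authorized(who, "crm:admin", t0 + timedelta(minutes=25))
    out["tok1_valid"] = store.token_valid("tok-1")
    out["tok2_valid"] = store.token_valid("tok-2")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the session id on every grant and token is the containment step: an incident responder can name the compromised session and revoke exactly what it produced, while tok-2, minted under an unrelated session, keeps working. Without that provenance, the choice is between leaving the foothold intact and revoking everything the user owns.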
The future of privileged access
The pattern here is durable. Attackers do not need to break identity systems to operate inside them. They need a person to help, and an environment where privilege outlives intent.
CyberArk’s 2025 Identity Security Landscape found that 87% of organizations experienced at least two successful identity-centric breaches in the past 12 months. The takeaway is not that everyone is failing at MFA. It is that identity compromise is recurring, and containment must occur after authentication, across human, machine, and AI identities.
If you’ve already invested in SSO and MFA, that’s the right starting point. The next step is to make sure a compromised session cannot become a business event.
Eric Sun is responsible for competitive programs at CyberArk.