Technology

Exclusive: Close Hidden Identity Gaps Before Attackers Strike UAE Businesses

By: Admin

Thursday, November 27, 2025

We all know that neighbor who is security-conscious enough to change the locks when they move in but leaves a key under a flowerpot on the porch. When it comes to identity security, we often see similar issues where our vulnerabilities hide in plain sight. So, as the United Arab Emirates (UAE) speeds its way through successive economic successes, have its businesses considered all possible Paths to Privilege™ in their IT systems? For we live in a world where our cyber adversaries no longer hack in; they log in.

The problem is identities. According to the Huntress 2025 Managed ITDR Report, 67% of organizations have seen identity-related incidents increase in just the past three years. These findings are supported by research from Check Point, which found that credential theft has surged by a staggering 160% in 2025 and now accounts for 20% of all data breaches.

Organizations work hard to implement robust security policies, but hidden misconfigurations in our identity infrastructure often leave the metaphorical key under the mat. These misconfigurations open up Paths to Privilege that mean a seemingly harmless identity belonging to a summer intern might suddenly have the ability to become a Global Administrator. As an attacker, why bother with all the trouble of finding a zero-day exploit and creating complex malware code to remain undetected when one compromised identity with a path to privilege can get you everything you want? Identity misconfigurations are the new malware.

While organizations think in lists of privileges assigned to individuals within siloed systems, their attackers think in graphs of connected identities across systems. Attackers can exploit complex nested group memberships and trust relationships. They can target infrastructure weaknesses. They go after misconfigurations. This holistic view makes it easier for them to move laterally and elevate privileges to achieve their objectives.

Let's take a look at three real-world misconfigurations that attackers are actively exploiting in the wild, and how defenders can stop them.

By John Hathaway, VP Sales – META & APAC at BeyondTrust

1. Target the infrastructure, not the accounts

Stealing domain admin account passwords is hard work, especially as many organizations have placed good controls around these high-risk accounts. Instead, attackers will target misconfigurations in Active Directory Certificate Services (ADCS) that allow any domain user to request a certificate that lets them authenticate as a domain admin. With this access-all-areas pass in hand, the attacker can bypass even a well-implemented Privileged Access Management (PAM) solution.

Organizations often overlook the necessity to monitor the granting of privileges as strictly as they monitor the privileged accounts themselves. They should regularly audit certificate templates and ensure only authorized users can request certificates for privileged accounts.

2. Gaming the helpdesk

If the threat actor can compromise a helpdesk identity in, say, Entra ID, they can reset passwords, including global admin passwords, and add themselves to highly privileged groups. After that, they will have unlimited access to the environment. To stop this, organizations must have full visibility of not just who has a privileged account, but a complete map of who can grant privileges or indirectly elevate privileges now and in the future. It is critical that indirect privilege escalation paths are remediated, and that just-in-time access is put in place for tier-0 actions like password resets.

3. Introducing a rogue identity provider

If a threat actor can introduce a rogue identity provider (IdP) into the environment, they may be able to gain persistent access to other identities in the estate, along with all of their privileges.

To counter this threat, security teams must watch for high-risk changes within the identity infrastructure (IdPs, MFA, and federated settings), paying particular attention to privileged accounts. Just as endpoint malware may be accompanied by a rootkit designed to enable persistence, any compromised identity could be part of a bigger issue, so look beyond the account to the entire identity and to any infrastructure changes that have the potential to grant persistent access.

Mind the gaps

To thwart the threat actor, we need to reduce our identity attack surface, and in order to do this we must uncover the Paths to Privilege within our environments. Organizations must go beyond siloed views of directly granted privileges and think about the ways privileges can be directly or indirectly accessed. A unified identity-centric approach is a reliable way to uncover indirect paths to privilege and the risk behind each identity.
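The contrast between a siloed list of directly assigned privileges and the graph view an attacker takes (see the graph paragraph above, and sections 1 and 2) is easiest to see in code. The following is an added example, not BeyondTrust code or any product's algorithm: a constructed identity graph whose nodes are identities, groups, a certificate template and roles, and whose edges are relationships such as group membership, certificate enrollment and password-reset rights. All names and relationships are invented. A breadth-first search finds the shortest path from each identity to a tier-0 role, which is exactly the "path to privilege" a defender wants to surface and remediate.

```python
"""Toy identity graph for surfacing indirect Paths to Privilege.

Added example with constructed data; not the article's or BeyondTrust's code.
"""
from collections import deque

# Roles considered tier-0 for this example.
TIER0_ROLES = {"Global Administrator", "Domain Admin"}

# Constructed sample relationships: (source, relationship, target).
# The relationship names are hypothetical labels for this example.
EDGES = [
    ("intern",             "MemberOf",         "contractors"),
    ("contractors",        "MemberOf",         "all-staff"),
    # ADCS misconfiguration (section 1): a template every staff member can
    # enroll in, and which lets the enrollee pick the identity it certifies.
    ("all-staff",          "CanEnroll",        "WebServer-Template"),
    ("WebServer-Template", "AuthenticateAs",   "domain-admins"),
    ("domain-admins",      "HasRole",          "Domain Admin"),
    # Helpdesk path (section 2): reset rights over a global admin account.
    ("helpdesk-user",      "MemberOf",         "helpdesk"),
    ("helpdesk",           "CanResetPassword", "global-admin"),
    ("global-admin",       "HasRole",          "Global Administrator"),
    # An identity with no path to tier-0, for contrast.
    ("finance-user",       "MemberOf",         "finance"),
    ("finance",            "CanRead",          "finance-share"),
]

# The identities we want a risk report for.
IDENTITIES = ["intern", "helpdesk-user", "finance-user", "global-admin"]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def direct_roles(graph, identity):
    """Siloed 'list' view: only roles assigned directly to the identity."""
    return sorted(dst for rel, dst in graph.get(identity, []) if rel == "HasRole")


def shortest_path_to_tier0(graph, start, tier0=TIER0_ROLES):
    """Graph view: BFS from the identity until a tier-0 role is reached.

    Returns the hops as a list of (node, relationship, node), or None.
    """
    queue = deque([start])
    parent = {start: None}          # node -> (previous node, relationship)
    while queue:
        node = queue.popleft()
        if node in tier0:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return list(reversed(hops))
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def describe(path):
    """Render a path as 'a -[rel]-> b -[rel]-> c' for a remediation report."""
    if not path:
        return "no path to tier-0"
    text = path[0][0]
    for _, rel, dst in path:
        text += f" -[{rel}]-> {dst}"
    return text


def risk_report(edges, identities):
    """Side-by-side comparison of the list view and the graph view."""
    graph = build_graph(edges)
    return {
        ident: {
            "direct_roles": direct_roles(graph, ident),
            "path_to_tier0": shortest_path_to_tier0(graph, ident),
        }
        for ident in identities
    }


if __name__ == "__main__":
    for ident, info in risk_report(EDGES, IDENTITIES).items():
        print(f"{ident}: direct roles = {info['direct_roles'] or 'none'}")
        print(f"  graph view: {describe(info['path_to_tier0'])}")
```

In the list view the intern and the helpdesk user hold no roles at all; in the graph view both reach a tier-0 role in a handful of hops. Each hop in a reported path is a concrete remediation item: tighten the template's enrollment permissions, remove the helpdesk group's reset rights over admin accounts, or put just-in-time approval in front of that action.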

As identity ecosystems expand, occasional privileged access audits will no longer be sufficient. Enterprises must continuously be on the lookout for high-risk changes across their entire identity attack surface, and they must understand what the potential impact of compromise is for each identity. Enforcing the principle of least privilege at the identity level is important because it breaks down silos, so that least privilege can be applied universally. Remember that the most privileged identities may not be who you think they are; they could be non-human identities, or even human identities missing vital MFA or conditional access policies.

We should never make life easy for our assailants. No UAE business wants to make headlines for being the next high-profile target of a cyber attack. Shaping our environment correctly and ensuring there are no metaphorical keys left under figurative flowerpots involves thinking about all our Paths to Privilege. With due diligence we can rid ourselves of the new malware: identity misconfiguration.