The Attack That Doesn’t Look Like an Attack.
Out of the Shadows — and Why Your Detection Is Looking the Wrong Way.

The uncomfortable shift: the intrusions that matter most no longer break in — they log in, on credentials that were left where an attacker could find them. Detection cannot see a genuine login. A passive assessment finds the exposed credential first.

Assess Your Exposure →

Australia’s signals intelligence agency spent most of its existence as a name you were not meant to know. Today the Australian Signals Directorate sits on public platforms and names the threats it is actively tracking — telling businesses, in the open, what it can see coming. For an institution built on secrecy, that is a remarkable change in posture, and it carries a lesson that reaches well past Canberra. The organisations closest to the threat have decided that visibility beats silence: naming what is out there, before it is exploited, is now frontline defence rather than an afterthought.

Every organisation should sit with what that implies, because the same instinct turned inward is far less comfortable. The agencies are looking outward and speaking plainly about what they find. Most organisations are doing the opposite — investing heavily in inward-facing detection while paying almost no attention to what they look like from the outside, or to whether the controls they trust can even see the attacks now landing on firms like theirs.

And increasingly, they cannot. The most consequential intrusions of recent years share an uncomfortable trait: they do not look like attacks. There is no malware to catch, no exploit signature to match, no alarm for a monitoring platform to raise. An attacker holding a valid credential simply logs in and behaves like a legitimate user — because, to every system watching, that is exactly what they are. The credential is the identity. The door was never forced; it was opened with a key that was left where it could be found.

22%
of breaches began with stolen credentials — a leading initial-access vector
Verizon 2025 DBIR
88%
of web-application attacks involved the use of stolen credentials
Verizon 2025 DBIR
64%
of four-year-old secrets in code repositories were still valid — never revoked
GitGuardian, via 2025 DBIR

The Attack That Looks Like Business as Usual

The numbers make a case that anecdotes cannot. In Verizon’s 2025 Data Breach Investigations Report — drawn from more than 22,000 security incidents — stolen credentials were among the most common ways attackers got in, present at the start of roughly a fifth of breaches and involved in the overwhelming majority of attacks against web applications. These are not exotic intrusions. They are logins.

What makes credential-based access so effective is precisely what makes it invisible. Verizon’s analysis of single sign-on logs found that credential-stuffing accounted for around a fifth of all authentication attempts on a typical day — and because each stolen credential is tried only once against a given account, the traffic blends into normal login activity and rarely trips a rate limit or a lockout. The attack does not hide from detection. It looks like business as usual.

This is the structural problem beneath a great deal of security spending, and it is worth naming as plainly as the ASD now names its threats: an attacker using a genuine credential generates nothing anomalous to detect. There is no abnormal behaviour to score when the behaviour is, by definition, authorised.

The Credentials Are Already Out There

The reason there is so much stolen credential material to work with is a governance failure hiding in plain sight. Information-stealing malware now harvests credentials at industrial scale: the 2025 DBIR found company credentials sitting in infostealer logs on roughly 30% of corporate devices and 46% of unmanaged ones. Among ransomware victims, more than half had prior credential exposure in those logs before the attack ever began.

And once a credential leaks, it tends to stay useful — because organisations are remarkably bad at revoking them. Analysis of secrets committed to code repositories found that 64% of four-year-old secrets were still valid. A key that should have died years ago still opens the door. Rotation was never meant to make theft difficult; secrets leak regardless. Its job is to shrink the window during which an inevitably-exposed credential still works — and that window is being left open for years.

Why the volume signal fails too The obvious defence is to watch for a credential doing something unusual — a sudden bulk download, an odd hour, a new location. That works for people, who have a legible daily rhythm to deviate from. It largely fails for the non-human identities that now dominate every estate — service accounts, tokens, automation. Their ‘normal’ is already bursty and high-volume, they vastly outnumber human users, and almost none of them carry a per-identity baseline. The one identity class with the broadest standing access is the one behavioural detection can least reliably watch.

Why “AI-Driven Monitoring” Is the Wrong Primary Control

This is the part no vendor stage will say out loud. Behavioural monitoring — increasingly sold under an “AI-driven” banner — is built to spot the abnormal. It is genuinely good at novelty: new malware, strange processes, anomalous patterns. It is structurally weak at exactly the thing that defines the attacks above: a valid credential used by a patient operator, generating traffic that is indistinguishable from legitimate work.

No amount of detection sophistication fixes that, because it is not a detection problem. A smarter model looking for anomalies cannot flag an action that is, by every measure available to it, normal. Selling more AI as the answer is selling a cleverer lock for a door the attacker opens with a real key.

Detection existing is not the same as detection working Even where the right telemetry exists, it frequently is not wired up. Source-control and cloud-identity logs — the records that would show a token cloning a repository from a new location, or a service principal signing in from an unfamiliar network — are among the most consistently un-ingested data sources in enterprise security. The capability is off-the-shelf. The wiring is a governance task that routinely does not get done.

This Is a Governance Problem Wearing a Technical Costume

If behavioural detection is the wrong primary control, the right ones sit earlier — in architecture and governance, not monitoring. The attacks succeed because of forgotten, reachable things, not broken-down doors: a leaked token that still works, a service account nobody deprovisioned when the project ended, an over-permissioned identity in a corner of the estate no one owns, a storage key that has not rotated in years. In a large, heterogeneous environment stitched together through acquisitions and years of delivery, that sprawl is manufactured as a by-product of scale.

The controls that actually blunt this are unglamorous and unsellable, which is exactly why they are neglected:

  • Kill the standing credential. Short-lived, federated, just-in-time access removes the durable secret an attacker relies on. A token that expires in an hour is a far poorer theft target than a key minted years ago and never touched.
  • Scope what survives. Least-privilege on both human and non-human identities means a compromised credential opens a small, well-watched room — not the whole building. Blast radius is a design decision, not a detection outcome.
  • Own the lifecycle. Every identity — especially the non-human ones that outnumber staff many times over — needs an owner, a maximum lifetime and a deprovisioning trigger. An orphaned credential with no matching project is an anomaly of state, catchable without watching a single login.
  • Gate the provisioning. The single biggest determinant of whether an attacker can quietly assign themselves standing access is who is allowed to grant it, and whether that grant is approval-gated and logged. This is process, not product.

Not one of these is a model you can buy. Every one is a governance decision that has to be made, assigned an owner, and enforced — across the vendor chain as well as your own walls.

The Defenders Are Saying It Too — in Public

This is not a distant, offshore problem. Australia’s own signals agency is now saying so in plain language — and the numbers it has put on the public record are stark. Its Annual Cyber Threat Report for 2024–25 does not describe a rising risk in the abstract; it counts it.

ASD’s ACSC — Annual Cyber Threat Report 2024–25, by the numbers

1,200+
cyber security incidents responded to — up 11% on the prior year
ASD’s ACSC — 2024–25
1,700+
times organisations were notified of malicious activity on their networks — up 83%
ASD’s ACSC — 2024–25
1 / 6 min
a cybercrime report lodged roughly every six minutes — 84,700+ in the year
ASD’s ACSC — 2024–25

The 83% jump in proactive notifications is the figure that should hold a board’s attention. That is not more organisations reporting after the fact — it is the national signals agency finding malicious activity on Australian networks and picking up the phone, far more often than a year earlier. The agency’s stated posture for Australian organisations is now blunt: assume compromise. It is no longer if, but when.

And it is not waiting for the annual report to say it. In recent weeks the ASD has used its public platforms to name live campaigns as they unfold. It warned that attackers were using exposed credentials to gain unauthorised access to Fortinet firewalls and VPN gateways — access that let them alter security controls and harvest further credentials, the exact lateral-movement pattern the statistics describe. Days later it flagged a large-scale campaign compromising content management systems across Australian businesses. This is an intelligence agency doing in the open what it once did only in the shadows: pointing at the threat, by name, in real time.

The convergence worth noticing The Fortinet alert is the whole thesis in one artefact. Attackers exploit an internet-facing edge device, harvest the credentials it holds, then use those valid credentials to move — where the intrusion stops looking like an attack and starts looking like a login. Vulnerability exploitation and credential abuse are not competing stories; they are two halves of the same one.

What This Means Under Australian Obligations

For an Australian board, none of this is abstract. The credential-and-identity exposure described above maps directly onto obligations the organisation already carries — and, increasingly, onto obligations its regulators are prepared to enforce.

ObligationWhat it requiresThe identity control it points to
APRA CPS 234Information security capability sized to the threat; controls over information assets, including those managed by third partiesAccess management, credential controls and least-privilege — extended across the vendor chain, not just internal systems
Essential EightRestrict administrative privileges; multi-factor authentication; patch applications and operating systemsNo standing admin rights; phishing-resistant MFA on remote access and admin; close the edge-device exposure attackers harvest from
SOCI ActRisk-management programs for critical-infrastructure entities, covering material service providers and supply-chain riskOwnership and assurance over provider access; scoped, expiring credentials for anyone touching regulated environments
Privacy Act / NDBReasonable security steps; notify eligible data breaches — obligations that run on your clock, independent of a vendor’s postureData minimisation and retention limits; credential hygiene, because most notifiable breaches begin with access, not exotic exploits

Scroll the table sideways on mobile. General commentary on regulatory themes, not legal advice.

The through-line is that these obligations are satisfied by governance and architecture — access management, privilege restriction, provider assurance, retention discipline — not by the detection layer most budgets favour. A regulator asking how your information assets are controlled is not asking which monitoring platform you bought.

Three questions your board should ask on Monday

  • Who can provision access to our information assets and to our vendors’ — is it approval-gated, logged, and reviewed? (CPS 234)
  • Do our credentials expire, and do we know when each was last rotated — including the non-human ones? (Essential Eight)
  • Has anyone assessed what our organisation — and our critical providers — expose to the outside, independently and recently? (SOCI, Privacy Act)

Where the Line Sits

Two disciplines close this gap, and neither is a product. GRC turns a known control into an enforced, owned one: it assigns third-party access an owner, writes least-privilege, rotation and retention into the contract, and makes the boring control a requirement rather than a recommendation. Most of what fails here is a governance failure wearing a technical costume.

Passive OSINT lets you see the exposure the way the attacker does — the leaked credentials already circulating, the internet-facing edge devices and forgotten assets, the vendor relationships that map your real attack surface — from the outside, without touching a system, while there is still time to close them.

That external, evidenced view — and its translation into board-ready obligation mapping — is where a practice like BlackFlag Advisory adds value. It is where our scope deliberately ends, too: the internal tuning of identity systems, the deprovisioning workflows and the credential-lifecycle engineering belong with the teams who own the estate. The assessor names the exposure and frames it against the obligation; the operator closes it. Those are different jobs by design, and the discipline of keeping them separate is what makes the assessment credible.

The defenders have decided that naming the threat out loud beats sitting in the shadows. The lesson for every organisation is the same posture turned inward: look at yourself the way an outsider can, and name your exposure — before someone else does.

Sources & Notes General commentary, not legal or security advice. Figures are accurate to the best of our knowledge at publication. Statistics are drawn from the Verizon 2025 Data Breach Investigations Report (including GitGuardian secrets-exposure data cited within it) and the Australian Signals Directorate’s ACSC Annual Cyber Threat Report 2024–25. Public threat alerts referenced are the ASD’s ACSC advisories on Fortinet credential-based exploitation and on large-scale CMS exploitation, as published via the agency’s public channels. Regulatory references (APRA CPS 234, the ASD Essential Eight, the Security of Critical Infrastructure Act, and the Privacy Act / Notifiable Data Breaches scheme) describe general obligations and are not a substitute for advice on your specific circumstances.

Source websites:
• Verizon 2025 DBIR — verizon.com/business/resources/reports/dbir
• ASD ACSC Annual Cyber Threat Report 2024–25 — cyber.gov.au
• Australian Signals Directorate — asd.gov.au
• APRA CPS 234 Information Security — apra.gov.au/information-security
• ASD Essential Eight — cyber.gov.au/essential-eight
• Security of Critical Infrastructure Act — cisc.gov.au
• OAIC Notifiable Data Breaches — oaic.gov.au

Do You Know What Your
Credentials Expose?

A BlackFlag Advisory passive assessment gives your Board an independent, evidenced view of the exposed credentials, edge devices and third-party access an attacker would find — mapped to CPS 234, the Essential Eight and your obligations — before an incident makes it urgent.

Request an Assessment →
Passive Only — No Systems Accessed

All BlackFlag Advisory assessments use exclusively passive OSINT techniques and publicly available data sources. No systems, networks, or accounts are accessed, probed, or tested at any time. Board-ready output delivered within three to seven business days.