Skip to main content

Jul 10, 2026

Clean Logs, Active Breach

Your identity stack records from the moment of authentication. The kill chain that completes before that moment—and the non-human identities that bypass authentication entirely—are outside its record by design.

In an attack following the VENOM pattern—documented by Abnormal in April 2026 and tracked across 4,600+ organizations—an attacker was inside for days before any identity tool registered a single signal.

Here is what the IdP saw:

  • Authentication flow from a consistent IP address

  • Credentials verified

  • MFA passed

  • No anomalous signals

Within minutes, the enterprise IdP and downstream SaaS applications had accepted OAuth tokens derived from that session without re-authentication. Every log entry was consistent with normal access, because the token exchange the IdP recorded was, technically, valid.

What the IdP could not see:

  • Days earlier, the same user had clicked a phishing link and completed MFA on an adversary-in-the-middle proxy that captured the authenticated session cookie in real time

  • The attacker used that session to register a new MFA device under their control—a persistent foothold that survives password reset entirely in environments without enforced session revocation

In most infrastructure, Continuous Access Evaluation is not enforced across all resource providers where the stack extends beyond Microsoft's native CAE coverage. In those environments, credential theft via AiTM results in no artifact that authentication systems can use to reliably distinguish from a legitimate session: the email-layer kill chain is complete before the identity record begins, and what the IdP logs is, technically, a valid session. Where CAE is enforced, session replay triggers a claims challenge; however, the phishing delivery and session capture are never in the authentication record. For intrusions using valid, in-scope accounts, posture scans and authentication events log clean (valid credentials, passed MFA, a legitimate session) until the deviation becomes unmistakable.

Clean Logs 1

Before the First Login

What makes that gap structural is a missing data type: the email communications graph.

Who corresponds with whom, which executives an identity reaches directly, what financial relationships the inbox encodes, and what external vendor patterns are normal for a given role—none of which are native to identity event data. A SIEM can ingest email metadata as a secondary feed; what it cannot do is reconstruct the per-identity behavioral graph from log correlation.

Per-identity models address this by incorporating what authentication logs structurally exclude: the email communications graph. With that baseline, an anomaly is a deviation from that specific identity's established behavior. When email and identity layers are both in scope, the phishing email delivered days earlier is already in that record, available immediately or retrospectively—the full causal chain is present without reconstructing it across separate log systems.

Account lockdown addresses the credential, not what was planted during dwell time:

  • Mailbox forwarding rules

  • Rogue MFA registrations

  • OAuth grants to third-party applications that survive password reset entirely

Coverage that spans the full email and post-authentication timeline can surface those persistence artifacts in the same workflow as the initial compromise, not as a separate investigation.

The Non-Human Identity Problem

The same structural gap applies when the compromised identity isn't human.

A single compromised credential can represent broader access than a typical user account. Unlike a human session, it also lacks a behavioral baseline connecting its runtime activity to the person who provisioned it. A service account operating via OAuth client credentials generates a service principal sign-in event: no MFA challenge, no session tied to a user context—a categorically different signal type from the human sign-in telemetry that ITDR tools are built to analyze.

When that service account begins bulk-exporting SaaS data, the volume anomaly may appear in application audit logs, but nothing in the identity layer connects it to the human who provisioned the credential.

Non-human identity tools profile call volume, endpoint distribution, and error rates per service account. What they don't see is the human-layer compromise event that preceded the grant: the phishing email sent to the developer. The anomalous request registers. The email that enabled it does not.

Clean Logs 2 Clean Logs 3 Clean Logs 4

AI agents compound this further. An agent instructed via email to initiate a wire transfer or approve an OAuth scope produces an API call that looks like normal automation. Connecting the instruction to the action requires email to be part of the detection record.

The Gap in Practice

For non-human identities, the API call registers without the human compromise event that enabled it. Most identity security programs address this from a posture-first model:

Identity Security Posture Management (ISPM) maps which identities exist, what permissions they hold, and where they're over-scoped;

Identity Threat Detection and Response (ITDR) is designed to catch the attacker who exploits those gaps.

ITDR tools that rely on IdP and Active Directory authentication logs as their primary signal source carry the same inherent constraint: initial access is complete before their record begins. The accounts that pass a posture scan (valid credentials, appropriate permissions, active status) are precisely the ones used in breaches: the attacker is using legitimate credentials, which is what makes them invisible to posture tools.

The key differentiator to detecting and preventing these types of complex attacks is the right architecture: a model built natively on the email layer, with sender-recipient relationships, authority signals, and vendor patterns as the primary training signal — versus email as a secondary feed added to a stack built on authentication telemetry. That architecture retains the graph from the start.

Abnormal is built on this architecture. Where Abnormal has visibility across email and identity layers, the full causal chain is present in a single investigation timeline—from phishing lure through session relay to post-authentication anomaly — not reconstructed from an alert that surfaced days later.

Full analysis of the VENOM campaign: phishing to AiTM to persistent MFA device registration, with the authentication record showing no anomalous entries at the point of initial access—is available in Abnormal's April 2026 threat research.

Read the Full Analysis

Request a demo to see a live investigation timeline: the same attack, from the first phishing lure to post-authentication persistence, in a single view.

Schedule a Demo

Protect Against Evolving Email Threats

See how behavioral AI detects attacks that legacy defenses miss.