Delinea Labs April 2026 Threat Outlook
In this monthly series, Delinea Labs reviews the identity-related activity that had the greatest operational impact over the previous month. We focus on how attacks unfolded, what failed in real environments, and what those failures signal for the month ahead.
March revealed that identity isn’t just the path to enterprise data. For a growing number of attackers, it’s the objective.
Across last month’s breaches, the pattern was consistent. Attackers didn’t exploit software vulnerabilities or bypass perimeter controls. They compromised the identity layer—administrative credentials, SSO accounts, cloud IAM roles, CI/CD service accounts—and then used legitimate access to do whatever they came to do. In the most striking case, an Iran-linked group logged into Stryker’s Microsoft Intune environment and wiped 80,000 devices across 79 countries.
No malware. No exploit. Just an authenticated administrator with destructive intent.
Here’s Delinea Labs’ outlook for April.
The Stryker incident deserves more attention than it will likely receive. Handala, an Iran-linked threat group, didn’t compromise Stryker’s network in any traditional sense. They compromised an administrative identity in Microsoft’s Intune environment and used it to issue a mass device wipe command. Eighty thousand endpoints across 79 countries. Hospitals delayed surgical procedures, and supply chains stalled.
The attacker didn’t need custom tooling or a zero-day. One set of administrative credentials and the willingness to use them. The tools built to manage the organization became the weapons used against it.
Three supply chain compromises defined the month, each following the same pattern: one trusted third-party identity compromised, trust cascading downstream.
Salesloft → Telus Digital → Crunchyroll: Google Cloud credentials stolen in an unrelated 2025 breach gave ShinyHunters access to Telus Digital, a major BPO provider, for approximately seven months—and access to data belonging to 28 client organizations. A compromised Okta account at Telus then unlocked Crunchyroll’s internal platforms.
Trivy → European Commission: Attackers poisoned the development pipeline of Trivy, a widely used open-source vulnerability scanner. When organizations ran the compromised version, it harvested AWS credentials from their environments. The European Commission was among the targets, and approximately 340 GB of data was stolen.
Jenkins → CGI Sverige → Sweden’s BankID: A misconfigured CI/CD server at CGI Sverige exposed source code for Sweden’s core e-government platforms and BankID login systems — the primary digital identity infrastructure for 8.6 million residents. Source code for identity systems doesn’t expire.
Several additional trends emerged across the month:
MFA bypass is now a subscription service. Tycoon 2FA, disrupted by Microsoft and Europol in early March, intercepted MFA codes in real time by proxying legitimate login pages and delivering fully authenticated sessions to attackers. It sold on Telegram for as little as $120 and accounted for 62% of all phishing attempts blocked by Microsoft by mid-2025. Activity returned to near pre-seizure levels within days of the disruption.
Non-human identities remain the preferred quiet entry point. API keys, service account tokens, and cloud credentials were the primary targets across the Trivy, Telus, and CGI Sverige incidents. These identities bypass MFA by design, authenticate without user interaction, and rarely surface in user-centric monitoring.
Active Directory remains the highest-value lateral movement target. CVE-2026-25177 allows a low-privileged domain user to escalate directly to domain administrator: full control over user creation and policy modification, with no additional tooling required.
Ransomware operators authenticate before they encrypt. Qilin, Akira, and DragonForce, the three most active groups in March, continued to rely on credential theft, privileged access abuse, and Active Directory targeting for initial access and lateral movement. The encryption or extortion phase remains a trailing indicator of identity failure that occurred much earlier.
In March, 5,236 CVEs were disclosed across the industry. Of those, 519 were identity-related, and 62 directly affected identity products.
The two most significant: an Active Directory privilege escalation flaw that converts a standard domain user into a domain administrator (CVE-2026-25177, CVSS 7.8), and an n8n secret access bypass that exposes vault-stored credentials to unauthenticated retrieval (CVE-2026-33722, CVSS 8.6). Both reflect the same problem. The systems organizations rely on to govern access are themselves becoming attack surfaces.
The patterns from March are not anomalies to patch around. The organizations with the most exposure are those still treating identity as an authentication problem rather than a governance one.
Govern administrative identities as critical infrastructure. The wipe of 80,000 Stryker devices required one compromised admin account and no second approval. Multi-administrator approval for high-impact operations is a control boundary, not a process inconvenience. CISA said so after the incident. Treat it as the floor.
Audit third-party identity access continuously. BPO providers, MSPs, and software vendors hold SSO credentials and cloud IAM roles that span client environments. Most organizations don’t know exactly what that access looks like, and almost none are monitoring it in real time. March showed what that gap costs.
Strengthen authentication, but don’t stop there. Tycoon 2FA’s rapid recovery after disruption confirms that TOTP and push-based MFA aren’t sufficient against motivated attackers. Moving toward phishing-resistant authentication (FIDO2, passkeys) removes the interception point. But hardening the login event doesn’t govern what happens after it. Continuous authorization at execution is what determines whether access that looks legitimate actually is legitimate.
Monitor privileged behavior after authentication. In most March incidents, initial access looked like normal user behavior. Detection came only after something destructive forced an investigation. Abnormal privilege use, lateral movement, and policy deviations post-login are where attacker activity surfaces—if organizations are equipped to see it.
Govern non-human identities actively. Service accounts, API keys, and automation tokens were central to almost every significant March incident. They bypass MFA by design, authenticate without human interaction, and accumulate access that outlasts the context that created them.
Patch identity infrastructure urgently. Both of the CVEs highlighted above have exploitation windows measured in days. Identity infrastructure needs the same patching urgency as internet-facing systems.
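To make the "monitor privileged behavior after authentication" and "no second approval for high-impact operations" points concrete, here is a small detector over identity audit events. This is an added example, not Delinea's code and not a real Intune or Entra ID log schema: the event fields (`actor`, `kind`, `action`, `country`), the sample events, the per-identity country baseline, and the thresholds are all constructed assumptions, and you would map them onto your own tenant's export. It implements two rules: a sliding-window burst rule that lets one lost-laptop wipe through but fires on a mass wipe from a single identity, and a correlation rule that flags a high-impact action issued shortly after a sign-in from a country the identity has never used, the shape an adversary-in-the-middle proxied session or replayed token tends to take.

```python
"""Post-authentication detection over identity audit events.

Added example (not Delinea's code). The events below are constructed and the
field names ("actor", "kind", "action", "country") are an assumption, not a
real Intune or Entra ID log schema; map them onto your own export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one admin issuing six wipes in a minute (mass action),
# one helpdesk user wiping a single lost device (benign), and a CI/CD
# service account changing policy right after a sign-in from a new country.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T08:00:00", "actor": "intune-admin-01", "kind": "signin", "country": "US"},
    *[{"ts": f"2026-03-10T08:05:{s:02d}", "actor": "intune-admin-01", "kind": "action",
       "action": "wipe", "target": f"dev-{s:04d}"} for s in range(6)],
    {"ts": "2026-03-11T09:00:00", "actor": "helpdesk-02", "kind": "signin", "country": "US"},
    {"ts": "2026-03-11T09:30:00", "actor": "helpdesk-02", "kind": "action",
     "action": "wipe", "target": "dev-0100"},
    {"ts": "2026-03-12T02:00:00", "actor": "cicd-deploy", "kind": "signin", "country": "SG"},
    {"ts": "2026-03-12T02:03:00", "actor": "cicd-deploy", "kind": "action",
     "action": "policy_change", "target": "compliance-baseline"},
]

# Countries each identity has historically signed in from (constructed baseline).
KNOWN_COUNTRIES = {"intune-admin-01": {"US"}, "helpdesk-02": {"US"}, "cicd-deploy": {"US", "DE"}}

# Operations whose abuse is destructive or privilege-altering; tune per tenant.
HIGH_IMPACT = {"wipe", "retire", "delete_user", "policy_change", "role_assignment"}


def load(events):
    """Parse timestamps and return events in chronological order."""
    parsed = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        parsed.append(e)
    parsed.sort(key=lambda e: e["ts"])
    return parsed


def detect_burst(events, threshold=5, window=timedelta(minutes=10)):
    """Flag an actor issuing >= threshold copies of one high-impact action
    inside a sliding time window. One alert per (actor, action); its count
    and 'last' timestamp keep growing while the burst continues."""
    recent = defaultdict(deque)   # (actor, action) -> timestamps in window
    active = {}                   # (actor, action) -> alert dict
    alerts = []
    for e in events:
        if e["kind"] != "action" or e["action"] not in HIGH_IMPACT:
            continue
        key = (e["actor"], e["action"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            continue
        if key not in active:
            active[key] = {"rule": "burst", "actor": e["actor"], "action": e["action"],
                           "count": len(q), "first": q[0], "last": e["ts"]}
            alerts.append(active[key])
        else:
            active[key]["count"] = max(active[key]["count"], len(q))
            active[key]["last"] = e["ts"]
    return alerts


def detect_new_origin_privilege(events, known_countries, grace=timedelta(hours=1)):
    """Flag a high-impact action within `grace` of a sign-in from a country
    the actor has no history of. A legitimate admin from a known country
    passes; a proxied or replayed session from somewhere new does not."""
    last_signin = {}
    alerts = []
    for e in events:
        if e["kind"] == "signin":
            last_signin[e["actor"]] = e
            continue
        if e["kind"] != "action" or e["action"] not in HIGH_IMPACT:
            continue
        s = last_signin.get(e["actor"])
        if s is None:
            continue
        unknown = s["country"] not in known_countries.get(e["actor"], set())
        if unknown and e["ts"] - s["ts"] <= grace:
            alerts.append({"rule": "new_origin", "actor": e["actor"], "action": e["action"],
                           "country": s["country"], "ts": e["ts"]})
    return alerts


def run(events=SAMPLE_EVENTS, known_countries=KNOWN_COUNTRIES):
    """Run both rules and return the combined alert list."""
    evs = load(events)
    return detect_burst(evs) + detect_new_origin_privilege(evs, known_countries)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed sample this yields exactly two alerts: a `burst` for `intune-admin-01` (six wipes, all inside the window) and a `new_origin` for `cicd-deploy`; the single helpdesk wipe and the admin's own sign-in from a known country produce nothing. The burst rule is deliberately keyed on the identity rather than the device, because the Stryker pattern is one principal doing many things, and a second-approval control sits at exactly the boundary this rule watches. The origin rule is a correlation, not a sign-in block: it keys on what the session does after login, which is where a token obtained through an MFA-proxying kit first looks different from the user it impersonates.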
March didn’t introduce new techniques. It showed how far existing ones can scale when identity infrastructure goes ungoverned. The difference between organizations that contained the damage and those that didn’t comes down to one thing: whether they were actively governing privileged access, third-party identity, and non-human credentials, or assuming they were safe.
Learn how the Delinea Platform powered by Iris AI helps organizations monitor identity activity, reduce standing privilege, and enforce access controls across human and non-human identities.