Trust Eroding: Delinea Labs November 2025 Threat Outlook

In our new ongoing series from Delinea Labs, our research team analyzes the most significant identity-focused threats shaping cybersecurity each month.

Our goal is to help security leaders understand how adversaries are evolving, where identity architectures are under pressure, and what defensive strategies are proving most effective.

Identity has become the defining battleground in modern cybersecurity. Credentials, tokens, and trust are now the currency of malicious actors, and business is booming. Each month, we’ll distill global breach data, vulnerability disclosures, and ransomware trends into actionable insights for enterprises navigating an increasingly identity-driven threat landscape.

Attackers aren’t just stealing passwords anymore . . . they’re weaponizing trust itself

October 2025’s activity underscored this shift. Attackers aren’t just stealing passwords anymore. They’re weaponizing trust itself. From OAuth token theft to machine identity abuse, adversaries are exploiting the connections and permissions that bind today’s digital ecosystems together.

Here’s our outlook for November.

The big theme: trust has become the target

Identity has always been central to cyber risk, but this month proved that trust itself is the new commodity. Attackers are moving beyond passwords, hijacking OAuth tokens, service accounts, and consent flows to quietly persist inside SaaS and cloud environments.

Token abuse defined the month. For example, Salesforce supply-chain breaches propagated through reused OAuth tokens, allowing threat actors to bypass MFA and pivot across tenants. Another example is the “CoPhish” campaign, which embedded malicious OAuth consent flows inside Microsoft Copilot Studio, granting adversaries legitimate data access through user-approved tokens.

Third parties also expanded the blast radius of attacks. Discord’s verification vendor leaked government ID data, showing that integrations and SaaS connectors remain weak links in the identity chain.

Credential reuse also persists at scale. A dataset of 183 million credentials surfaced on Have I Been Pwned, 16 million of which were new, emphasizing the persistence of infostealer-driven exposure.

The pattern is clear: attackers no longer need to break in when they can simply compromise trust.

What we’re seeing at Delinea Labs: token weaponization and machine identity exposure

October’s activity demonstrated that adversaries are now operationalizing token and machine identity abuse as scalable, supply-chain threats.

• OAuth token exploitation expands: Threat groups reused tokens across Salesforce, Atlassian, and Slack, sustaining long-term access without triggering login alerts.
• Machine identities become invisible attack paths: Service accounts and static API credentials have increasingly been used for lateral movement, often with no ownership or monitoring.
• Low-code ecosystems emerge as risk zones: The CoPhish campaign underscored how low-code tools like Microsoft Copilot Studio can be manipulated to embed malicious consent flows inside legitimate apps.
• Identity-focused ransomware evolves: Qilin and Akira continued to dominate the ransomware landscape, leveraging unmanaged credentials and privileged tokens to gain initial access.

Identity infrastructure under pressure

The foundation of cloud identity faced significant stress this month, from authentication to authorization to token validation.

• Microsoft Entra ID disclosed two critical vulnerabilities (CVE-2025-59218 and CVE-2025-59246) that allowed attackers to exploit token validation and service principal trust logic.
• These flaws extended weaknesses first seen in September’s cross-tenant impersonation bug (CVE-2025-55241), showing a continuing crisis in cloud identity boundaries.
• Oracle E-Business Suite was again targeted, this time via a zero-day (CVE-2025-61882) enabling system-level ERP access and extortion.
• Across the ecosystem, 524 identity-related CVEs were recorded in October (a sharp increase from September’s 420), including 43 within identity products themselves.

Each of these disclosures reinforces a central theme: identity infrastructure has become attack infrastructure.

What enterprises should prepare for next

Enterprises should expect the trust economy to remain under assault. The next phase of identity attacks will focus on exploiting town sprawl, machine identities, and inter-tenant trust relationships to quietly expand attacker reach.

What must organizations prioritize?

• Continuous identity threat detection that correlates token behavior, consent patterns, and cross-tenant API activity in real time.
• Discovery and governance of machine identities to eliminate unmanaged services accounts and static credentials.
• Adaptive authentication and consent monitoring for SaaS and low-code environments to flag risky app connections.
• Privileged access control and rotation to ensure that tokens, secrets, and credentials can’t be reused or over-scoped.

The identity battlefield is shifting from who you are to what you trust. As identity chains grow longer and more interconnected, protecting the links between them has never been more critical.

Learn more about how the Delinea Platform powered by Iris AI can safeguard your identity infrastructure.