Delinea | Privileged Access Management Blog

When identity controls become the attack surface

Written by Gal Diskin | Mar 31, 2026 12:00:00 PM

Delinea Labs March 2026 Threat Outlook

In this monthly series, Delinea Labs reviews the identity-related activity that had the greatest operational impact over the previous month. We’ll focus on how attacks unfolded, what failed in real environments, and what those failures signal for the month ahead.

February confirmed something the data has been pointing to for months: attackers aren't just moving through identity systems to reach their targets. In many cases, identity infrastructure is the target.

Across last month's breaches, ransomware campaigns, and vulnerability disclosures, attackers exploited the platforms built to enforce privileged access, manipulated employees into handing over internal system access, and continued harvesting credentials at scale. By the time organizations detected the impact, the identity layer had already been compromised and, in several cases, no longer functioned as a reliable security boundary.

The big theme: Security tools as attack vectors

The assumption underlying most privileged access deployments is that the tools themselves are trustworthy. February put pressure on that assumption.

A pre-authentication remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access allowed unauthenticated attackers to execute OS commands with no credentials and no user interaction required. They got privileged execution first, then harvested sessions and pivoted. A separate vulnerability in CyberArk's Endpoint Privilege Manager allowed attackers to abuse elevation dialogs to gain unauthorized local privilege, turning a least-privilege enforcement agent into an escalation path.

These were not fringe products. They are widely deployed, precisely because organizations trust them to enforce access control. That trust is now part of the attack surface.

What we're seeing at Delinea Labs: The control plane under siege

Several trends from February reinforce each other in ways that are hard to dismiss as coincidence:

  • PAM and remote access platforms have become high-priority targets. Attackers are moving up the stack, from endpoints and perimeter devices toward the systems that govern identity itself. Pre-auth RCE on a remote access gateway is not just a critical vulnerability patch. It collapses the authentication boundary entirely.

  • Social engineering continues to outperform technical exploits. The Figure Technology Solutions breach on February 14 involved no CVE. An employee was manipulated into granting internal access, and ShinyHunters walked away with approximately 2.5 GB of customer data. The same group had already exposed 12 million CarGurus records weeks earlier, demonstrating how credential exposure from one incident fuels the next.

  • Token integrity is failing across federated environments. February's disclosures included JWT signature bypass in Keycloak, SAML SSO account takeover in Sentry, and a redirect flaw in GitHub Enterprise Server that leaked privileged JWTs to attacker-controlled domains. These are not one-off bugs. Federation trust is a recurring weak point.

  • Infostealers are building identity profiles, not just password lists. Specops analysis of 90,000 infostealer dumps found attackers now collect credentials alongside cookies, browser history, and session data. A single dump now provides enough context for targeted account takeover and privilege escalation without brute force.

  • Ransomware operators authenticate before they encrypt. Qilin, Clop, and mid-tier groups all followed the same sequence: compromised credentials, remote access, privilege escalation, then destructive activity. The initial access phase increasingly looks like normal user behavior, which is the point.

Industry data reinforces the problem

In February, 3,182 CVEs were disclosed across the industry. Of those, 399 were identity-related (authentication, access management, or credential-handling systems). Twenty-six directly affected identity products: identity providers, access management platforms, and authentication services.

External research provides context for the broader problem. Sophos found that 67% of incidents investigated in 2025 stemmed from compromised credentials, weak or absent MFA, or direct exploitation of identity systems. The median time for an attacker to reach Active Directory after initial access is 3.4 hours. Unit 42 found that identity weaknesses contributed to nearly 90% of cases, with some intrusions progressing to data exfiltration within 72 minutes.

Both reports arrive at the same conclusion. Once authentication is compromised, most downstream controls offer limited resistance. Detection frequently occurs after initial compromise, and in many environments, the activity blends into normal traffic until it doesn't.

February's breaches bore this out. The French national banking registry breach, exposing over 1.2 million accounts through a credential leak, converted static identity data into systemic financial exposure. The CarGurus exposure gave ShinyHunters a reusable asset for credential stuffing and targeted phishing. In each case, the failure was not a missing patch or a misconfigured firewall. It was an identity failure that cascaded.

What enterprises should prioritize in March

The activity patterns from February are not cyclical. Delinea Labs expects continued targeting of identity infrastructure, expanded social engineering against SSO and remote access workflows, and broader use of stolen credential packages that include session context alongside passwords.

Security teams should prioritize:

  • Patch identity infrastructure with the same urgency as internet-facing systems. PAM platforms, remote access gateways, and IAM services at the network edge are active ransomware entry points. Treat them that way.

  • Validate token integrity across all federated environments. JWT bypass, SAML abuse, and redirect-based token exfiltration appeared across multiple products in February. Assume the pattern repeats.

  • Extend detection to privileged behavior after authentication. Abnormal elevation, lateral movement, and policy deviations following a successful login are where attacker activity is most likely to surface, if organizations are equipped to see it.

  • Reduce standing privilege and rotate credentials continuously. Static credentials are high-value attacker currency. Just-in-time access and automated rotation reduce the blast radius when exposure occurs.

  • Build controls for non-human identities. Service accounts, API keys, and automation tokens bypass MFA by design and authenticate without any user interaction. They are increasingly the preferred path for attackers.
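As an added illustration of the token-integrity check the second item calls for (this is example code, not part of the Delinea post or any vendor's product), the verifier below pins the accepted signing algorithm instead of trusting the token header, rejects `alg: none`, compares the HMAC in constant time, and enforces issuer, audience and expiry before any claim is used. The secret, issuer and audience values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (hypothetical, not from any real deployment).
SECRET = b"constructed-demo-secret"
ALLOWED_ALGS = {"HS256"}          # pinned by the verifier, never taken from the token
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "pam-gateway"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, alg: str = "HS256", signed: bool = True) -> str:
    """Build a compact JWT. alg='none' / signed=False model tokens a lax verifier accepts."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest() if signed else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Strict verification: algorithm allowlist, signature, then iss/aud/exp. Raises ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Refuse 'none' and anything outside the allowlist: the header must not pick the algorithm.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')}")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims
```

Each rejection is a distinct failure class (algorithm, signature, audience, expiry), which is what makes the outcome loggable as a detection signal rather than a silent 401.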

The control plane is where access decisions are made. Organizations that monitor and govern identity at that layer have a fundamentally different posture than those still focused on the perimeter.

Learn how the Delinea Platform powered by Iris AI helps organizations monitor identity activity, reduce standing privilege, and enforce access in real time.