Channel shifts to managed IAM after large identity attacks

Channel providers are offering managed identity and access management services after a series of identity attacks that targeted companies across the US and Europe. The incidents include intrusions at Visa, Marks & Spencer, Jaguar and Harrods, and a March 2026 breach that exposed about 350GB of European Commission data.

Security investigators trace the recent wave of incidents to a merged criminal group formed by Scattered Spider and ShinyHunters. The combined group carried out multiple intrusions over roughly four months, targeting corporate accounts and cloud applications.

The attackers used social engineering as the initial vector. Investigators report the groups used vishing and phishing to get employees to re-enroll or reset access credentials, then delivered modified account-reset links or intercepted one-time codes to bypass single sign-on and multi-factor authentication. After hijacking credentials, attackers replayed MFA tokens to access SaaS services, copy data and press for extortion payments.

Reconnaissance relied on public information. Employee names, titles and personal posts on social and professional sites helped attackers identify likely access levels and craft convincing messages. Corporate email formats made it easy to target specific accounts.

Channel vendors and security teams say effective IAM needs integration across systems to provide a single source of identity truth and automated correlation of login data to flag anomalies. Correlation can highlight patterns such as impossible-travel logins, sudden IP-location shifts, or unexpected spikes in activity from service accounts.

Risk-based authentication is being adopted to reduce false alarms and add checks only when needed. User and Entity Behavior Analytics systems build profiles of normal activity and trigger extra verification, such as biometric checks or MFA, when actions fall outside a baseline. Conditional access can require additional steps when a risk score crosses a set threshold. Organizations also report that adding FIDO2 passkeys, either as software keys or hardware tokens, can cut the majority of common anomalous-sign-in alerts because passkeys resist credential replay and theft.

Rising attack volumes and limited in-house security staff have led many companies to hire managed security providers for IAM. A full managed identity service typically includes MFA or FIDO2 support, policy management, identity handling for human and non-human accounts, machine-learning risk analysis and workflow orchestration for incident response and access requests. Managed services are kept under regular review to respond to changing attacker techniques.

Channel partners preparing IAM services are advising peers to secure their own environments first, standardize on a small number of identity platforms-often including Microsoft Entra ID-and create clear onboarding plans to limit service disruption during migrations.

Identity-focused attacks have increased demand for continuous IAM operations that detect anomalous access, enforce stronger authentication and manage identity risk across corporate environments.