For most of the past decade, cyberdefense in the United Kingdom (UK) has been organized around the perimeter and the endpoint. Firewalls were tuned, EDR agents deployed, and patch cycles tightened. The assumption underneath this work was that intrusions begin with a technical breach and that hardening the technical estate would reduce the number of successful attacks. The incidents that ran through 2025 and into 2026, hitting UK manufacturers, medical technology firms, and critical infrastructure operators, have made that assumption hard to defend. The breaches that caused the most damage were not technical compromises. They were the takeover of specific accounts that should have been treated as critical and were instead treated as routine.
This is the category the UK's National Cyber Security Centre describes as "high-risk accounts": accounts where compromise would produce disproportionate damage. The category covers domain admins, global admins, and cloud admins; executive accounts with broad access to data and decisioning; service accounts and machine identities running automated workflows; and accounts belonging to staff in sensitive functions such as finance, HR, the IT help desk, and procurement. These are the accounts attackers now plan their campaigns around, and they are the accounts the most consequential UK breaches of the past 18 months have turned on.
The role of identity today
The reason high-risk accounts now sit at the center of UK threat activity is not a single event but the convergence of three shifts that built up through 2025 and continued into 2026. Each one reinforces the others, which is what has made the pattern so durable.
1) Credential-based intrusion has displaced technical exploitation
The starting point is the economics of an attack. Defeating firewalls, exploiting zero-days, and evading EDR is slow and expensive. Acquiring a working set of credentials for an account that already has the access an attacker wants is fast, cheap, and reliable, particularly against organizations that have invested heavily in perimeter and endpoint controls. The infrastructure of most large enterprises will function exactly as designed when a legitimate credential is presented, and that is the property attackers now build their campaigns on.
2) AI has lowered the bar for convincing impersonation
Once attackers settled on credential acquisition as their primary entry path, the next constraint was getting the credential in the first place. AI has effectively removed that constraint. Voice cloning, deepfake video, and generative phishing content have eliminated the linguistic and tonal cues that staff and help desks used to rely on to detect fraud. CrowdStrike's 2025 Threat Hunting Report recorded that vishing attacks doubled over the year. Additionally, a 2026 survey by Deep Instinct found that 45% of financial services organizations experienced an AI-powered cyberattack in the 12 months leading up to mid-2025. Microsoft Threat Intelligence has gone further still, documenting AI-driven phishing campaigns specifically hyper-targeting UK CEOs, finance directors, and procurement leads. The verification steps that previously protected privileged credentials, such as a callback or a quick conversation with the help desk, are no longer sufficient evidence of identity.
3) The non-human identity surface has expanded faster than governance
The third shift sits underneath the first two. Even as human credentials became the attacker's preferred target, the population of non-human credentials grew faster than most organizations could track. Service accounts, OAuth tokens, API keys, and machine identities now outnumber human users in most enterprise environments. Many of these identities operate with elevated permissions, retain credentials that were issued years ago, and are rarely reviewed. They authenticate continuously, inherit permissions dynamically, and operate at speeds that periodic governance reviews cannot match. In most UK organizations, the inventory of non-human identities is incomplete, their entitlements are unmapped, and their credentials are not rotated on any reliable cycle. This is the part of the high-risk account surface that has grown most quickly and been governed least, and it is now being targeted accordingly.
What recent UK incidents show
The following are three incidents from the past year, each with a different threat actor and a different attack pattern, that show how the same underlying mechanism produces outcomes at radically different scales. They are worth examining together because they share a common feature: In every case, a specific high-privilege account was the route in, and the damage scaled with the privilege of that account rather than with the sophistication of the attack.
A high-street retailer, April 2025
The first of the year's identity-led UK breaches began not with malware but with a telephone call. Operators linked to a financially motivated social-engineering collective contacted an IT service desk operated by a third-party provider, impersonated staff, and induced a password reset that handed them legitimate domain credentials. The foothold reportedly dated back to February, weeks before any disruption was visible. Once inside, the attackers exfiltrated the Windows domain controller's NTDS.dit file, the Active Directory database holding the password hashes of every domain account, and cracked it to escalate privilege and move laterally across the estate, before deploying ransomware against the retailer's virtualization hosts in late April. Online ordering, in-store payments, and customer services were disrupted for weeks, with analysts estimating lost sales of more than £40 million a week and a total impact running well into the hundreds of millions. Multi-factor authentication was in place throughout. It was not broken; it was bypassed at the help desk, one reset request at a time. What failed was the treatment of a credential reset, and the privileged account it produced, as a routine support task rather than the highest-risk identity operation a service desk can perform.
A consumer cooperative, April to May 2025
The same playbook surfaced within weeks at another major UK retailer, which is why the two are worth reading as a pair rather than separately. The intrusion has been attributed to the same collective, using the same method: social engineering against the help desk to reset a user's credentials and obtain legitimate access, then movement toward higher-privilege accounts. The difference was in the response. This organization detected the activity early and took systems offline, which limited the destructive payload the attackers were able to deploy, but not before personal data belonging to a large number of its members had been exfiltrated. That divergence is the instructive part: the same identity weakness was exploited in the same way at two comparable organizations, and the outcomes separated almost entirely on how quickly each detected the compromised account and revoked its access. In neither case was a technical control defeated. A routine-looking password reset was sufficient to surrender an account that should have been governed as high-risk.
An automotive manufacturer, September 2025
The largest-scale example came in early September. The intrusion at a UK automotive manufacturer has been traced back to a vishing campaign run weeks earlier, in which operators linked to the Scattered Lapsus$ Hunters collective impersonated insiders by phone, harvested credentials, and used them alongside infostealer credentials reportedly dating back to 2021 to access internal systems through VPN-based applications. Once inside, attackers escalated privileges across core applications, exfiltrated data via TOR exit nodes, and deployed ransomware. The UK Cyber Monitoring Centre subsequently assessed the economic impact at around £1.9 billion and the affected population at more than 5,000 UK businesses, with production halted for around five weeks across Solihull, Halewood, Wolverhampton, and overseas sites. The UK government intervened with a £1.5 billion loan guarantee to stabilize the manufacturer's supply chain. The infrastructure functioned as designed throughout. Authentication succeeded. Authorization checks passed. What failed was the treatment of the compromised accounts as routine identities rather than as high-risk ones and the absence of meaningful re-verification of access once those identities had been authenticated.
Read across the three cases, the underlying mechanism is the same. A specific account with elevated reach, whether held by a human or a workflow, was compromised through a route that did not require defeating any technical control. The systems the account could touch were then accessed in exactly the ways the account was permitted to access them. The damage scaled with the privilege of the account, not with the sophistication of the attack. That is the asymmetry that the second half of this article addresses.
Rethinking high-risk accounts
The defensive response is not new technology but the disciplined application of controls that already exist, directed specifically at the accounts that matter most. The shift required is in scope and intent rather than in capability. The seven changes below, taken together, produce measurable risk reduction against the attack pattern described above.
1) Build a current inventory of accounts that actually qualify as high risk
Everything else depends on this. Most organizations have a documented list of privileged accounts, but it is rarely complete and rarely current. The list needs to include domain admins, cloud admins, and global admins, but also executive accounts, accounts with access to financial systems, HR systems, customer data platforms, and source code repositories, as well as the service accounts and machine identities that hold equivalent or greater scope. An identity and access management (IAM) platform that maintains a live inventory of accounts and their entitlements across the directory, cloud, and SaaS estate is the practical mechanism for building and sustaining this view. Without it, the controls that follow are applied to the wrong set of accounts.
2) Apply phishing-resistant MFA to every account on that list
Once the right accounts are identified, the next step is making them genuinely difficult to take over. SMS-based MFA is no longer adequate for high-risk accounts, and app-based authenticators are only marginally better against the social engineering techniques now in active use. Phishing-resistant authentication, including FIDO2 or WebAuthn passkeys, hardware security keys, and platform-bound credentials, is the operational floor. The NCSC has been explicit on this point. Most of the recent UK breaches involved MFA in some form. What they did not involve was MFA that could withstand a determined social engineering campaign. A modern IAM platform with adaptive MFA can enforce stronger factors for high-risk accounts while keeping friction proportionate for lower-risk users.
3) Restructure help desk and account recovery procedures
Even strong authentication can be undone at the recovery step. Gartner® has identified account recovery as the riskiest part of the identity management life cycle, and recent incidents bear that out. If a help desk operator, whether internal or outsourced, can reset credentials on a privileged account following a phone call, the recovery process is the weakest point in the identity architecture. Stronger controls include multi-channel identity verification, manager approval for resets on high-risk accounts, video verification with liveness detection, and time delays that give monitoring systems an opportunity to flag unusual recovery patterns. Each of these adds friction. That is the point.
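The recovery-step gating described above, as an added illustration that is not code from the original article or from any vendor product: a reset request on an account from the high-risk inventory is denied unless two genuinely verifying channels and a manager approval are recorded, and even then it is held for a delay so monitoring can flag unusual recovery patterns. The tier names, channel names, two-channel requirement and four-hour hold are assumptions chosen for this example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Policy values below are assumptions for this example, not NCSC or vendor guidance.
HIGH_RISK_TIERS = {"domain_admin", "global_admin", "cloud_admin", "executive",
                   "finance", "hr", "help_desk", "procurement", "service_account"}
# Channels that actually verify identity; an inbound caller's claim is not one of them.
VERIFYING_CHANNELS = {"callback_registered_number", "video_liveness",
                      "in_person", "manager_confirmation"}
REQUIRED_CHANNELS = 2                 # distinct verifying channels for a high-risk reset
HOLD_PERIOD = timedelta(hours=4)      # delay so monitoring can flag unusual recovery activity

@dataclass
class ResetRequest:
    account: str
    tier: str                 # classification taken from the high-risk inventory
    channels: set             # verification steps the help desk actually completed
    manager_approved: bool
    requested_at: datetime
    now: datetime

def evaluate_reset(req):
    """Return (decision, reasons) where decision is 'execute', 'hold' or 'deny'."""
    verified = req.channels & VERIFYING_CHANNELS
    if req.tier not in HIGH_RISK_TIERS:
        # Routine account: one real verification channel is enough.
        return ("execute", []) if verified else ("deny", ["no identity verification"])
    reasons = []
    if len(verified) < REQUIRED_CHANNELS:
        reasons.append(f"{len(verified)} verifying channel(s), need {REQUIRED_CHANNELS}")
    if not req.manager_approved:
        reasons.append("no manager approval recorded")
    if reasons:
        return ("deny", reasons)
    remaining = HOLD_PERIOD - (req.now - req.requested_at)
    if remaining > timedelta(0):
        return ("hold", [f"{remaining} of hold period remaining"])
    return ("execute", [])

def example_decisions():
    """Constructed scenarios, including the single-phone-call pattern from the incidents above."""
    t0 = datetime(2025, 4, 1, 9, 0)
    phone_only = ResetRequest("da-ops", "domain_admin", {"inbound_phone_claim"}, False, t0, t0)
    verified = ResetRequest("da-ops", "domain_admin",
                            {"callback_registered_number", "video_liveness"}, True, t0, t0)
    routine = ResetRequest("j.doe", "standard", {"callback_registered_number"}, False, t0, t0)
    return {
        "phone_only_admin": evaluate_reset(phone_only)[0],
        "verified_admin_immediately": evaluate_reset(verified)[0],
        "verified_admin_after_hold": evaluate_reset(replace(verified, now=t0 + HOLD_PERIOD))[0],
        "routine_user": evaluate_reset(routine)[0],
    }
```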
4) Enforce continuous, context-aware policy evaluation for privileged sessions
Strong authentication and recovery still leave a gap if a session, once established, is trusted indefinitely. Access decisions made at login and left static for the session duration cannot detect a compromised privileged account in time to prevent damage. Continuous evaluation re-verifies context as session conditions change, including device posture, location, behavioral baseline, and time of access, and restricts or revokes access when signals indicate anomaly. For high-risk accounts, step-up authentication should trigger automatically when risk scores rise, not when an analyst eventually notices. This is where IAM and UEBA capabilities, applied together, change what is detectable in real time rather than after the fact.
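Continuous, context-aware evaluation of an established session, as an added example that is not code from the original article or from any IAM product: risk is recomputed every time a context signal changes, high-risk accounts are held to tighter thresholds, step-up re-authentication is triggered automatically, and a session that keeps accumulating anomalies is revoked. The signal names, weights and thresholds are assumptions for this example.

```python
from dataclasses import dataclass, field

# Hypothetical risk weights and thresholds (assumptions for this example).
SIGNAL_WEIGHTS = {
    "device_unmanaged": 30, "device_posture_degraded": 20,
    "new_country": 25, "impossible_travel": 40,
    "off_hours": 10, "behavior_deviation": 25,
}
STEP_UP_AT = 40      # require phishing-resistant re-authentication
REVOKE_AT = 70       # terminate the session

@dataclass
class Session:
    account: str
    high_risk: bool                         # from the high-risk account inventory
    signals: set = field(default_factory=set)
    stepped_up: bool = False                # phishing-resistant step-up completed

def evaluate(session):
    """Return (decision, score); decision is 'allow', 'step_up' or 'revoke'."""
    score = sum(SIGNAL_WEIGHTS.get(s, 0) for s in session.signals)
    step_up, revoke = STEP_UP_AT, REVOKE_AT
    if session.high_risk:
        step_up, revoke = step_up // 2, revoke - 20   # tighter: 20 and 50
    if score >= revoke:
        return "revoke", score
    if score >= step_up and not session.stepped_up:
        return "step_up", score
    return "allow", score

def on_signal(session, signal):
    """Re-evaluate when context changes mid-session, not only at login."""
    session.signals.add(signal)
    return evaluate(session)

def complete_step_up(session):
    """Called once the user has passed a phishing-resistant challenge."""
    session.stepped_up = True
    return evaluate(session)
```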
5) Eliminate standing privilege wherever possible
The previous controls reduce the chance of a high-risk account being compromised. This one reduces the impact if it happens. Just-in-time access, where elevated permissions are granted for the specific task and duration required and then revoked automatically, removes the standing target that attackers currently exploit. A privileged account that does not exist outside an active session cannot be socially engineered out of a help desk and cannot be used to escalate to a Global Administrator on the way to a mass-wipe operation. High-impact actions such as bulk device operations, directory-wide changes, or new administrator creation should require additional approval beyond the standing entitlement of any single account. This is one of the highest-impact architectural changes available to UK organizations and one of the least adopted.
6) Govern non-human identities with the same rigor as human ones
The same logic that applies to human privilege applies to machine identities, and it is more often neglected. Every service account, OAuth token, and API key with elevated permissions should be inventoried, owned by a named individual, scoped to the minimum required permissions, and rotated on a defined cycle. Tokens that have not been used in a defined window should be expired automatically. Integrations should be reviewed when the business relationship changes, when the source system is compromised, and when the entitlement is no longer required. The Salesloft–Drift incident would have produced significantly less damage in an environment where these reviews were operationalized rather than aspirational.
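A review of non-human identities against the rules above (named owner, minimum scope, expiry of unused credentials, rotation on a defined cycle), as an added example that is not code from the original article or from any product. The inventory, the 90-day unused window, the 180-day rotation cycle and the set of scopes treated as broad are all constructed assumptions for this example.

```python
from datetime import date, timedelta

# Thresholds are assumptions for this example, not a published standard.
UNUSED_WINDOW = timedelta(days=90)      # expire credentials idle longer than this
ROTATION_CYCLE = timedelta(days=180)    # rotate credentials older than this
BROAD_SCOPES = {"*", "Directory.ReadWrite.All", "owner"}   # treated as elevated

# Constructed inventory for illustration; not real accounts, tokens or dates.
INVENTORY = [
    {"id": "svc-backup", "kind": "service_account", "owner": "j.smith",
     "scopes": ["backup.read"], "last_used": date(2026, 1, 20), "last_rotated": date(2025, 12, 1)},
    {"id": "oauth-crm-sync", "kind": "oauth_token", "owner": None,
     "scopes": ["*"], "last_used": date(2025, 9, 3), "last_rotated": date(2021, 6, 14)},
    {"id": "api-build-deploy", "kind": "api_key", "owner": "ci-team",
     "scopes": ["repo.write", "deploy"], "last_used": date(2026, 2, 27), "last_rotated": date(2025, 7, 1)},
]

def review(inventory, today):
    """Return {identity_id: [findings]} for identities that need action."""
    findings = {}
    for ident in inventory:
        issues = []
        if not ident["owner"]:
            issues.append("no named owner")
        if set(ident["scopes"]) & BROAD_SCOPES:
            issues.append("over-scoped: reduce to minimum required permissions")
        if today - ident["last_used"] > UNUSED_WINDOW:
            issues.append("expire: unused beyond window")
        if today - ident["last_rotated"] > ROTATION_CYCLE:
            issues.append("rotate: overdue")
        if issues:
            findings[ident["id"]] = issues
    return findings

def automatic_actions(findings):
    """Actions safe to run without a human: disable idle credentials, force rotation."""
    actions = []
    for ident_id, issues in findings.items():
        if any(i.startswith("expire") for i in issues):
            actions.append((ident_id, "disable"))      # idle credential: disable outright
        elif any(i.startswith("rotate") for i in issues):
            actions.append((ident_id, "rotate"))
    return actions

def example_review():
    """Run the review against the constructed inventory on a fixed constructed date."""
    return review(INVENTORY, date(2026, 3, 1))
```

Ownership and scope findings are left for a human because they change who is accountable and what the integration can do; only expiry and rotation are automated here.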
7) Correlate identity, behavior, and entitlement data in a single analytics layer
The final piece is detection. Network monitoring, endpoint detection, and identity providers each capture a portion of the attack surface. None captures the whole. Detecting lateral movement that travels through legitimate trust relationships requires correlating governance data with behavioral telemetry and access events across Active Directory, Microsoft Entra ID, endpoint management platforms, and SaaS audit logs. A unified analytics layer that combines UEBA, entitlement analysis, and risk scoring is what allows security teams to recognize the pattern of a compromised high-risk account before the impact stage of the attack chain, rather than during it.
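Cross-source correlation of the pattern the incidents above share (help desk reset, then sign-in from a new context, then a privileged group change), as an added example that is not code from the original article or from any SIEM or UEBA product. The events are constructed and already normalized; the event types, weights, 24-hour window and alert threshold are assumptions for this example. The per-source score shows why no single log source would have raised the alert on its own.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)     # how long after a reset later events are tied to it
ALERT_THRESHOLD = 3
# Weights are assumptions for this example, not a vendor's scoring model.
WEIGHTS = {"helpdesk_reset": 1, "signin_new_context": 1,
           "priv_group_add": 2, "bulk_directory_change": 3}

# Constructed, already-normalized events from several sources (not real logs).
EVENTS = [
    {"ts": "2025-04-14T09:02:00", "src": "servicedesk", "account": "a.jones",
     "type": "helpdesk_reset", "detail": "password reset from inbound phone call"},
    {"ts": "2025-04-14T09:20:00", "src": "vpn", "account": "a.jones",
     "type": "signin_new_context", "detail": "unmanaged device, new country"},
    {"ts": "2025-04-14T11:45:00", "src": "ad_audit", "account": "a.jones",
     "type": "priv_group_add", "detail": "added to Domain Admins"},
    {"ts": "2025-04-13T08:00:00", "src": "servicedesk", "account": "b.patel",
     "type": "helpdesk_reset", "detail": "reset verified in person"},
    {"ts": "2025-04-13T08:30:00", "src": "entra", "account": "b.patel",
     "type": "signin_known_context", "detail": "managed device, usual office"},
]

def correlate(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Tie each help desk reset to later scored events on the same account."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account.setdefault(e["account"], []).append(e)
    alerts = []
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            if start["type"] != "helpdesk_reset":
                continue
            t0 = datetime.fromisoformat(start["ts"])
            chain = [start]
            for e in evs[i + 1:]:
                if datetime.fromisoformat(e["ts"]) - t0 > window:
                    break                      # events are time-sorted, so stop here
                if e["type"] in WEIGHTS:
                    chain.append(e)
            score = sum(WEIGHTS[e["type"]] for e in chain)
            per_source = {}                    # what each source alone would have seen
            for e in chain:
                per_source[e["src"]] = per_source.get(e["src"], 0) + WEIGHTS[e["type"]]
            if score >= threshold:
                alerts.append({"account": account, "score": score,
                               "max_single_source": max(per_source.values()),
                               "sources": sorted(per_source),
                               "chain": [e["type"] for e in chain]})
    return alerts
```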
The position UK organizations are in now
These controls should not be optional, and the regulatory environment is moving accordingly. Between September 2024 and August 2025, the NCSC recorded 204 nationally significant cyber incidents, more than double the previous year's 89, and the underlying conditions that produced that figure have not improved. The Cyber Security and Resilience (Network and Information Systems) Bill, introduced in the House of Commons on Nov. 12, 2025, and expected to receive Royal Assent later this year, will expand the scope of regulated entities, impose stricter incident reporting requirements, and raise the maximum penalty for serious breaches to £17 million or 4% of global turnover. Phased implementation is expected to continue through 2028, but the direction of travel is settled. Board-level accountability for cyber resilience is moving from principle to enforcement.
The accounts that attackers target most reliably are not, in most cases, the accounts that organizations protect most rigorously. That asymmetry is now the central operational risk in UK cyberdefense. The work involved in correcting it is not novel. It is the work of taking the controls that already exist for privileged access, identity verification, and continuous monitoring and applying them with discipline to the specific set of accounts where compromise produces disproportionate damage. The organizations that came through the past year best were those that had already done that work. The ones that suffered most were those that had assumed their existing controls were sufficient.
High-risk accounts are the frontline now. Treating them as such is the practical starting point for everything else.
Related solutions
ManageEngine AD360 is a unified IAM solution that provides SSO, adaptive MFA, UBA-driven analytics, and RBAC. Manage employees' digital identities and implement the principles of least privilege with AD360.
ManageEngine Log360 is a unified SIEM solution with UEBA, DLP, CASB, and dark web monitoring capabilities. Detect compromised credentials, reduce breach impact, and lower compliance risk exposure with Log360.