Microsoft Reports 600 Million Password Attacks Per Day. Your Employees’ Credentials Are Already for Sale on the Dark Web. Here’s the Fix.
A complete guide to IAM security India 2026 for enterprises that understand identity is no longer a supporting control, it is the security boundary itself. You deployed a firewall. You segmented your network. You patched your servers. And then an attacker bought one of your employees’ passwords from a dark web marketplace for ₹400, logged in through your VPN, and spent three weeks moving through your environment before anyone noticed.
This is how most enterprise breaches actually begin in 2026. Not through a zero-day exploit or a sophisticated technical attack through a credential that your user chose, reused across three services, and lost in a breach they never knew happened. The attacker didn’t break in. They logged in. IAM security India 2026 is not about adding another authentication step. It is about recognising that in a cloud-first, remote-work, SaaS-dependent enterprise, identity is the only perimeter that matters and building security proportional to what that means.
Why Identity Is the New Perimeter
The network perimeter that enterprise security was built around the idea of a trusted inside and an untrusted outside, separated by a firewall does not describe how most Indian enterprises operate in 2026. Your employees access corporate systems from home networks, hotel Wi-Fi, and personal devices. Your data lives in AWS, Azure, Microsoft 365, Salesforce, and a dozen other SaaS platforms. Your contractors log in from their own environments.
Your partners have direct API integrations with your systems. There is no inside anymore. In this environment, the question “is this request coming from inside the network” is no longer meaningful. The only question that matters is: “is the identity making this request who they claim to be, and should they be doing what they’re trying to do?” Identity is the new perimeter and most organisations are protecting it with the same controls they used when the perimeter was a physical thing. A username, a password, and a hope.
When attackers can buy valid credentials for less than the cost of lunch, the question isn’t whether your perimeter will be breached. It’s whether you’ll notice when someone walks through it.
Zero trust architecture formalises this shift treating every access request as untrusted regardless of source, verifying identity continuously rather than at login, and granting access based on context and behaviour rather than network location. It is the architectural response to the death of the perimeter, and IAM is its foundation.
The Credential Crisis
The scale of the credential threat in 2026 is difficult to overstate. Microsoft’s telemetry reports 600 million password-based attacks per day across its platforms alone. More than half of SaaS account takeovers are attributed to credential phishing attackers obtaining valid usernames and passwords through deceptive login pages rather than technical exploits.
For Indian enterprises, the exposure has a specific character:
- Infostealer malware targeting banking and fintech employees malicious software that silently harvests browser-saved passwords, session tokens, and form data, then exfiltrates them to criminal marketplaces
- Credential stuffing at scale automated tools that test billions of username and password combinations harvested from previous breaches against corporate login portals, exploiting the fact that most people reuse passwords
- Dark web credential markets Indian corporate email addresses and associated passwords appear routinely in dark web listings, often from breaches of consumer services where the same credentials were reused
- Third-party breach exposure an employee whose personal email is breached at a consumer service they use may have reused the same password for their corporate account
The uncomfortable reality is that for most organisations, some proportion of current employee credentials are already compromised and available to anyone willing to pay for them. The question is not whether your credentials have been exposed it’s whether you know about it and have acted before the attacker does.
Beyond Passwords: MFA Is Also Being Bypassed
Multi-factor authentication was the standard recommendation for stopping credential-based attacks. It is still better than a password alone. But in 2026, MFA specifically SMS OTP-based MFA is no longer a reliable security boundary for high-risk access.
Three techniques are actively being used against Indian organisations to bypass MFA:
AiTM — Adversary-in-the-Middle Attacks
AiTM attacks use a reverse proxy positioned between the user and the legitimate login portal. The attacker’s proxy forwards credentials and MFA codes to the real service in real time, capturing the authenticated session token. The user completes MFA successfully and sees no indication anything is wrong. The attacker uses the harvested session token to access the account directly bypassing MFA entirely because the authentication already happened.
SIM Swapping in India
SIM swapping involves an attacker convincing a mobile operator to transfer a target’s phone number to a SIM card under the attacker’s control. All SMS OTPs sent to that number then go to the attacker. India’s mobile operator ecosystem has shown vulnerability to social engineering at the customer service level, making SIM swapping a viable technique for targeted attacks against executives and finance personnel.
MFA Fatigue Attacks
MFA fatigue exploits push notification-based authentication. The attacker, holding a valid username and password, triggers repeated MFA push notifications to the victim’s device. After receiving dozens of approval requests often in the middle of the night the user approves one to make them stop. The attacker is in.
MFA is not a binary. SMS OTP stops opportunistic attacks. It does not stop a targeted attacker who knows your phone number, has your password, and is willing to wait.
Privileged Access Management (PAM)
If stolen credentials are the entry point for most breaches, privileged accounts are the destination. An attacker who gains access to a standard user account has limited impact. An attacker who reaches a domain administrator account, a cloud console with unrestricted permissions, or a database administrator credential has effectively won. The path from a compromised standard account to full domain control is often alarmingly short. Attackers use techniques like Pass-the-Hash, Kerberoasting, and DCSync to extract privileged credentials from memory or Active Directory after gaining an initial foothold escalating from a helpdesk account to domain administrator in minutes, without ever using a known exploit.
Privileged Access Management addresses this by treating admin credentials as a separate security tier:
- Just-in-time (JIT) access admin credentials are issued only for the duration of a specific, approved task and expire automatically
- Privileged Access Workstations (PAWs) dedicated, hardened devices used exclusively for admin tasks, isolated from regular user activity and internet access
- Session recording and monitoring all privileged sessions are recorded and subject to real-time anomaly detection
- Credential vaulting admin passwords are stored in a managed vault, rotated automatically, and never known to the human administrator performing the task
- Separation of duties no single account should have both the access to approve and execute a high-risk action
For Indian enterprises running hybrid environments Active Directory on-premises combined with Azure AD or AWS IAM in the cloud PAM must span both planes. An attacker who can pivot from a compromised cloud identity to on-premises domain admin, or vice versa, negates the value of securing either environment in isolation.
Non-Human Identities (NHI)
The fastest-growing and least-monitored identity category in the modern enterprise is not human. API keys, service accounts, OAuth tokens, CI/CD pipeline credentials, AI agent identities, and cloud service roles now outnumber human identities in most large organisations — often by a factor of ten or more.Huntress’s 2026 threat research identifies non-human identity compromise as the fastest-growing attack vector in enterprise environments. The reasons are structural:
- NHI credentials are frequently hardcoded in application code, configuration files, or git repositories and then committed publicly or shared across teams
- Service accounts are created for specific integrations and then forgotten retaining permissions that are no longer needed, never rotated, and never reviewed
- API keys have no MFA a stolen key provides immediate, silent access with no second factor to bypass
- NHIs are rarely included in access reviews they don’t appear in HR systems, don’t have managers, and don’t trigger offboarding workflows
- OAuth tokens granted to third-party applications persist indefinitely a user who granted a SaaS tool access to their email two years ago may have forgotten, but the token still works
| NHI Type | Common Exposure | Risk if Compromised |
| API Keys | Hardcoded in repos, config files, CI/CD scripts | Direct access to the API’s full permission scope, often production systems |
| Service Accounts | Shared credentials, never rotated, over-privileged | Lateral movement platform with persistent, hard-to-detect access |
| OAuth Tokens | Forgotten third-party app grants | Data access to connected systems without credential knowledge |
| CI/CD Credentials | Pipeline configs, build scripts, environment variables | Code injection into production builds; supply chain compromise |
| AI Agent Identities | Config files, orchestration layer credentials | Cascading access to all systems the agent is authorised to touch |
Securing NHIs requires a dedicated programme discovery of all NHIs across cloud and on-premises environments, classification by risk level, rotation schedules, and integration into the same access review cadence as human identities.
Intent-Based IAM
Traditional IAM assigns roles and permissions based on job function a finance manager gets finance system access, an IT administrator gets infrastructure access. That model was built for a static world. It does not account for the fact that in 2026, what an identity does is as important as who it is. Intent-based IAM is the 2026 evolution of access management: combining behavioural analytics, continuous authentication, and automated response to evaluate not just whether an identity has permission to do something, but whether what they are doing right now is consistent with what they normally do.
The four pillars of intent-based IAM:
- Behavioural analytics building a baseline of normal access patterns for each identity and flagging deviations: unusual login times, access to systems the user has never touched, bulk data downloads, lateral movement across services
- Automated credential rotation credentials rotated on schedule and on-trigger, removing the window of opportunity for an attacker holding a stolen but not yet used set of credentials
- Continuous authentication risk scoring updated throughout a session, not just at login; a session that starts normal but begins accessing sensitive systems triggers re-verification
- Context-aware access policies the same identity attempting the same action from an unrecognised device, a new location, or at an unusual hour is treated differently than a routine access event
Intent-based IAM shifts the security model from this identity has permission to this identity has permission AND what they are doing is consistent with why they have it.That shift is the difference between an attacker who logs in successfully and one who logs in and immediately triggers a response.
IAM for Indian Regulatory Compliance
IAM is not only a security practice for Indian enterprises it is increasingly a regulatory obligation, with specific access control requirements embedded in the frameworks that govern India’s most sensitive sectors.
DPDP Act — Data Fiduciary Access Controls
India’s Digital Personal Data Protection Act places obligations on data fiduciaries to implement appropriate access controls for systems that process personal data. This means access to personal data must be on a need-to-know basis, access logs must be maintained, and access rights must be reviewed and revoked when no longer required. For most organisations, meeting this requirement means a formal IAM programme not ad hoc account management.
RBI Cybersecurity Framework Privileged Access Requirements
The Reserve Bank of India’s cybersecurity framework for banks and financial institutions includes specific requirements for privileged access management: segregation of duties for critical functions, mandatory monitoring of privileged user activity, and controls to prevent unauthorised access to sensitive banking systems. For RBI-regulated entities, PAM is not a best practice it is a compliance requirement with examination implications.
CERT-In Audit and Logging Expectations
CERT-In’s directions require organisations to maintain logs of all ICT systems, including user access logs, for a rolling 180-day period and to make those logs available to CERT-In on demand. An IAM programme that does not produce auditable, searchable access logs for all privileged and sensitive-system activity cannot satisfy this requirement and cannot support an incident investigation when a breach occurs.Together, these requirements mean that Indian enterprises in banking, financial services, and any sector handling personal data face regulatory exposure from inadequate IAM not just security risk.
Dark Web Monitoring for Credentials
Your employees’ credentials are being bought and sold right now. The question is whether you know about it before the attacker uses them.
Dark web monitoring for credentials means continuously scanning criminal marketplaces, paste sites, breach databases, and threat actor forums for your organisation’s email domains, usernames, and associated passwords. When a match is found, the response window opens: force a password reset before the attacker uses the credential, invalidate active sessions for the affected account, and investigate whether the compromised credential was used to access corporate systems before it was identified.
What effective dark web monitoring covers:
- Corporate email domain monitoring scanning for any @yourcompany.com addresses appearing in breach data or criminal listings
- Executive and privileged account priority heightened alerting for accounts with elevated access, where a compromise has disproportionate impact
- Credential combo list detection identifying when corporate credentials appear in the pre-packaged credential lists used for credential stuffing attacks
- Third-party breach correlation linking employee personal email addresses (where known) to consumer service breaches that may have exposed reused corporate passwords
- Actionable alerting with response workflow monitoring is only useful if it triggers a defined response, not just a report
Dark web monitoring doesn’t prevent the breach that exposed your credentials. It closes the window between exposure and exploitation and that window, measured in hours or days, is often the difference between a contained incident and a full compromise.
Phishing-Resistant MFA
Not all MFA is equal. The MFA bypass techniques described earlier AiTM attacks, SIM swapping, MFA fatigue all exploit weaknesses specific to SMS OTP and push notification-based authentication. One MFA category defeats all of them: hardware security keys using FIDO2 and WebAuthn standards.
How FIDO2 stops AiTM attacks:
A FIDO2 hardware key performs a cryptographic challenge-response bound to the specific domain of the login page. When an AiTM proxy forwards a login to the real site, the domain in the cryptographic challenge is the attacker’s proxy domain not the legitimate login domain. The key refuses to sign it. The authentication fails. The attacker gets nothing, even holding valid credentials.
Why FIDO2 defeats SIM swapping and MFA fatigue:
FIDO2 authentication uses no phone number and sends no push notification. There is no OTP to intercept and no notification to fatigue. The only way to authenticate is with physical possession of the registered hardware key. SIM swapping is irrelevant. Notification flooding is irrelevant.
Deployment considerations for Indian enterprises:
- Hardware key rollout start with the highest-risk identities: executives, finance personnel, IT administrators, privileged accounts
- Platform authenticators Windows Hello, Apple Touch ID/Face ID, and Android biometric authentication also support FIDO2 and provide phishing-resistant MFA without a separate physical device
- Passkeys the consumer-accessible evolution of FIDO2, now supported by Microsoft, Google, and Apple; viable for general employee populations where hardware key distribution is impractical
- Legacy system compatibility older applications that cannot support FIDO2 should be identified and either modernised or isolated behind a gateway that enforces phishing-resistant authentication at the boundary
Phishing-resistant MFA is the only MFA category that closes the bypass gap. For high-risk identities and systems, it is no longer optional.
How Threatsys Helps Secure Your Identity Infrastructure
![]()
IAM security spans credential hygiene, privileged access governance, non-human identity management, and continuous monitoring and getting it right requires both technical depth and strategic ownership. Threatsys works with Indian enterprises to build identity security programmes that match the actual threat landscape, not a compliance checklist from three years ago.
Enterprise Security Testing
Threatsys’s enterprise security assessments evaluate your IAM architecture end to end testing password policies, MFA configurations, privileged account controls, NHI exposure, and access review processes to identify gaps before attackers find them. The output is a prioritised remediation plan mapped to your regulatory obligations and risk profile.
Dark Web Monitoring
Threatsys’s dark web monitoring service continuously scans criminal marketplaces, breach databases, and threat actor forums for your organisation’s credentials alerting your security team when employee accounts appear in exposed data and triggering a defined response workflow before the attacker has time to act.
Red Teaming — Credential-Based Attack Scenarios
Threatsys’s red team exercises simulate the full credential attack chain credential stuffing against your login portals, AiTM phishing campaigns targeting employee MFA, privilege escalation from compromised standard accounts, and lateral movement through NHI exposure giving your security team a ground-truth view of what a real attacker would achieve with your current controls.
CYQER Continuous Identity Monitoring
CYQER, Threatsys’s continuous monitoring platform, applies behavioural analytics to identity activity across your environment detecting anomalous login patterns, impossible travel, privilege escalation attempts, and NHI credential abuse in real time. Because most credential-based attacks use legitimate authentication, signature-based detection misses them. Behavioural monitoring does not.
From identity architecture review to dark web monitoring to continuous behavioural detection Threatsys covers the full IAM security lifecycle, built around how identity attacks actually work in 2026.
Conclusion
The next breach hitting an Indian enterprise will not start with a sophisticated exploit. It will start with a credential bought for a few hundred rupees, tried against a login portal, and successful because the same password was used at a consumer site that was breached eighteen months ago.
IAM security India 2026 is not about adding friction to the login process. It is about recognising that identity is the only security boundary that matters in a cloud-first world, and building controls proportional to what an attacker can do with a single stolen credential.
The organisations that implement phishing-resistant MFA, privileged access management, non-human identity governance, and continuous behavioural monitoring today will catch a credential compromise before it becomes a crisis. The ones still relying on a password and an SMS OTP will keep reading about breaches and wondering when it will be their turn.
600 million attacks per day. Your credentials are already being tested. The only question is whether your controls catch the one that succeeds.

Stay secure, stay aware with Threatsys.



