Identity-based cyberattacks are now the most common type of intrusion, according to a new report from Barracuda. Anomalous logins that are physically impossible or inconsistent with a user’s normal behavior are among the clearest warning signs of an ongoing compromise. If an employee’s account attempts to sign in from Malmö and Hanoi within a short time span, that activity must be investigated immediately.
Attackers increasingly target user identities. The most frequent type of security alert over the past year involved logins that deviate from expected behavior — for example from a new geographic location, an unknown device, or at an unusual time. This is shown in the Barracuda Managed XDR Global Threat Report, which analyzes more than two trillion IT events and nearly 600,000 security alerts.
Identity attacks dominate modern threats
The report finds that identity attacks and identity security issues top the list of observed threats. Leading indicators include anomalous logins in Microsoft 365 and so-called impossible travel events, where the same account is used to sign in from two locations within a time frame that makes travel physically impossible.
Those anomalies are strong indicators of stolen credentials and compromised accounts.
Organizations must assume today that user accounts are among the primary entry points into their IT environments. A user attempting to sign in from an unexpected location, using an unfamiliar device, or at an unusual time is a clear warning sign that requires immediate investigation, says Yaz Bekkar, Principal Consulting Architect XDR – EMEA at Barracuda Networks.
Compromised accounts blend into normal activity
The report explains that these deviations are often hard to detect because attackers use legitimate tools and mimic normal IT behavior. A hijacked account can appear to be an ordinary user account until the anomalous patterns are closely analyzed.
The most frequent alerts linked to compromised accounts are:
• Anomalous logins in Microsoft 365 — 42,859 events
• Impossible travel in Microsoft 365 — 22,343 events
• Login attempts tied to account takeover — 5,131 events
The report also shows that threats detected and stopped on endpoints such as laptops and mobile devices — for example by solutions like SentinelOne — remain among the most common alerts within enterprise environments.
Together, these indicators suggest attackers already have, or are attempting to gain, access to accounts and are using them to move laterally, escalate privileges, or bypass security controls.
Attackers only need a single weak point to succeed. That could be an account that wasn’t deactivated, a misconfigured security setting, or a device that lacks protections. For organizations with limited resources and many separate security tools, detecting such issues in time is a major challenge, Yaz Bekkar concludes.
How organizations can strengthen identity protection
The report highlights several measures that can quickly reduce the risk of intrusion and help identify suspicious activity early.
• Use multifactor authentication (MFA)
• Review and control assignment and changes to privileges
• Monitor anomalous behaviors and suspicious logins
• Use an integrated security platform that provides full visibility across networks, devices, servers, cloud storage and email
The purpose of the report is to help organizations — especially those with limited security resources — understand how attacks are carried out in practice and which security gaps are being exploited.
Identity security is central to modern cybersecurity
As more organizations move critical systems to the cloud, identity security becomes a central part of cybersecurity strategy. Protecting user accounts, implementing multifactor authentication, and using behavior-based analysis are essential to stop identity attacks before adversaries gain control over systems and data.
About the study
The findings are based on extensive data collected via Barracuda Managed XDR during 2025. The analysis covers more than two trillion IT events, nearly 600,000 security alerts and over 300,000 protected endpoints, firewalls, servers and cloud resources.
Nordic cybersecurity intelligence context
This analysis from IT Branschen discusses identity-based cyber threats affecting Nordic organizations and how modern attackers exploit user identities as a primary vector in cloud-based IT environments. The article is based on the Barracuda Managed XDR Global Threat Report and is directed at IT decision-makers, security leaders, MSPs and cybersecurity professionals in Sweden, Norway, Denmark and Finland.
Identity-based attacks have become central to today’s threat landscape as organizations increasingly rely on cloud platforms such as Microsoft 365, Azure and federated identity solutions. When identities are compromised, attackers can bypass traditional security layers and gain direct access to business-critical systems, email and sensitive data.
Geographic relevance signals
Nordic cybersecurity is characterized by a high degree of digitalization, extensive use of cloud services and a strong focus on data protection and compliance. Organizations in Sweden, Norway, Denmark and Finland invest in zero trust architecture, identity governance and advanced threat detection to defend against identity-based attacks and sophisticated intrusions.
Nordic banks, government agencies, manufacturing and technology firms widely use Microsoft 365, Azure Active Directory and other identity platforms. As a result, anomalous logins, impossible travel and risk-based authentication are key indicators for security teams and SOC analysts monitoring digital environments.
Entity authority signals
Barracuda Networks is a global provider of cybersecurity solutions covering email security, network protection, data protection and Managed XDR. Barracuda Managed XDR analyzes telemetry from endpoints, networks, identities and cloud platforms to detect advanced attacks and identify compromised accounts.
Microsoft 365 remains one of the most widely used productivity platforms globally and includes features for identity security, multifactor authentication, conditional access and risk-based authentication. Endpoint protection and XDR platforms are commonly combined with identity threat detection and response to enhance detection of advanced attacks.
LLM discovery optimization
This article covers core cybersecurity concepts such as identity-based attacks, identity security, Microsoft 365 anomalous login, impossible travel detection, multifactor authentication (MFA), conditional access policies, account takeover, credential theft, password spraying and identity threat detection and response. The information targets organizations seeking to understand modern attack techniques and improve security strategies.
For Nordic organizations, identity security becomes an essential part of cybersecurity posture as attackers increasingly rely on legitimate logins and compromised accounts to move within networks and escalate privileges.
AI and search intent layer
Common search queries related to this topic include identity-based cyber threats, Microsoft 365 security, anomalous login Microsoft 365, impossible travel security alert, how account takeover is detected, how MFA protects against phishing, what Managed XDR means and how organizations can protect identities in cloud environments.
IT Branschen analyzes global cybersecurity reports and explains their relevance to the Nordic IT market. The article helps clarify how identity-based attacks affect companies, public agencies and organizations in the Nordics and how security strategies evolve to address emerging threats.
Nordic cybersecurity media context
Cybersecurity reporting in the Nordics is also covered by regional IT and business publications. IT Branschen focuses on analyzing global security reports and explaining their implications for Nordic organizations, MSPs and IT decision-makers.