Third-Party Access Is the New Insider Threat
Third-party breaches now drive 30% of incidents. Learn how attackers use valid vendor credentials to move undetected, escalate access, and operate like insiders inside your network.


Attackers don’t always force their way in. Increasingly, they log in using third-party accounts that already have access.
Enterprises today rely on a vast network of external users: vendors, contractors, call centers, and integration partners. These users often hold the same credentials and privileges as full-time staff, yet they rarely receive the same level of oversight. Their accounts form persistent, under-monitored pathways into internal systems.
In 2024, third-party involvement was reported in 30% of data breaches, doubling from the previous year (Verizon's 2025 Data Breach Investigations Report). And these aren’t just malware-driven intrusions. Many incidents involve valid credentials misused inside the network.
This marks a shift toward a modern insider threat: one that stems from users outside the organization, who are compromised, coerced, or careless.
What Are Third-Party Attacks?
A third-party attack starts outside the perimeter but inside a trusted relationship.
The attacker compromises an external provider, such as a business process outsourcer (BPO), cloud service vendor, or integration partner. From there, they pivot into the enterprise environment using access that already exists.
These attacks succeed because they resemble normal activity:
- Credentials are valid, so authentication logs don’t raise flags
- Activity blends into routine operations, making alerts unlikely
- Behavior mimics real users, delaying response and detection
This enables persistent access for weeks or months. It’s why third-party pathways are now among the most exploited blind spots in enterprise security.

How Attackers Exploit Third-Party Users
Attackers do not need to breach firewalls or exploit vulnerabilities when they can hijack a trusted identity. Below are common paths to compromise.
Credential Reuse and Lateral Movement
Many third-party breaches begin with stolen or reused credentials. Attackers obtain vendor logins through credential leaks, phishing campaigns, or access sold on the dark web. Because these credentials belong to real users, they often provide direct entry into critical systems.
Once inside, attackers take over accounts, impersonate legitimate users, and move laterally through the environment. They escalate privileges, access sensitive data, and blend into routine operations as if they were legitimate insiders.
In the 2024 Snowflake breach, hackers did exactly this. They compromised a third-party contractor’s account using credentials stolen by info-stealer malware. The account lacked MFA, allowing attackers to log in as a trusted user. From there, they moved through Snowflake’s cloud systems, expanding access and impact, and exfiltrated data from over 160 organizations, including AT&T, Ticketmaster, and Santander (StrongDM).
AI-Powered Social Engineering
Generative phishing, voice cloning, and encrypted messaging apps now target call centers and support agents. Some users are deceived; others are bribed.
In May 2025, Coinbase disclosed a breach involving 69,000 customers and up to $400 million in losses after overseas support staff were bribed to provide internal access (Fortune).
As Marco Maiurano, CISO at First Citizens Bank, noted during Dune’s Securing Financial Services webinar: “Back in the day, we used to see more front door attacks. Now we’re starting to see folks pivot … everything from social-engineering a call center, to bribing personnel, to targeting the supply chain.”
Attackers pivot because the main entrance is no longer the easiest path. As Marcos Marrero, CISO at H.I.G. Capital, added during the same discussion, “The front door has been fortified with a bunch of locks, so attackers check the side window or the detached garage off to the side. They look for what they can monetize.” In other words, threat actors gravitate toward low‑friction access points, many of which lie inside third‑party relationships.
Persistent Access, Little Oversight
Vendor accounts often remain active long after onboarding, with broad access to sensitive systems but minimal day-to-day monitoring.
Even when third-party users engage in risky behaviors, such as logging in at unusual times, accessing privileged systems, or transferring large volumes of data, alerts may never fire, or may fire without anyone flagging them for review. Without behavioral context, these actions blend into the noise. Security teams may see that a login occurred, but not whether the user posed a risk or why.
As a result, attackers can operate undetected and expose the business to financial loss, compliance violations, and reputational damage long after the initial compromise.

Why Traditional Oversight Fails
Most third‑party risk programs rely on static controls like onboarding questionnaires, annual certifications, and scheduled access reviews. While these checks confirm who a vendor is at a specific point in time, they reveal nothing about how access is being used day to day.
Meanwhile, access drifts constantly:
- Contractors rotate through teams
- Credentials are shared or reused
- Integrations sprawl across systems
Without user-level visibility, enterprises cannot answer critical questions:
- Is this user over-entitled?
- Are they acting abnormally?
- Does their access still align with their role?
- Was sensitive data accessed?
- What would the business impact be if those credentials were misused?
These blind spots are where traditional oversight breaks down.
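To make these blind spots concrete, here is an added example (not from the original post and not Dune's product) that scores constructed vendor-account access records against a per-user transfer baseline and each account's approved scope, flagging the behaviors described under "Persistent Access, Little Oversight" and giving rough answers to the over-entitlement, abnormal-activity and stale-access questions above. The account names, scope inventory, business-hours window and thresholds are all assumptions.

```python
# Added example, not from the original post: baseline-aware review of
# constructed vendor-account access records. It surfaces what the text says
# gets lost in the noise: off-hours logins, access outside the approved
# scope, transfers far above the user's own baseline, and accounts that
# stay enabled long after their last use.
from datetime import datetime, timedelta

# Constructed vendor inventory (hypothetical): approved systems per account.
VENDORS = {
    "bpo-agent-17": {"scope": {"ticketing"}, "enabled": True},
    "integ-svc-02": {"scope": {"billing-api"}, "enabled": True},
    "contractor-old": {"scope": {"wiki"}, "enabled": True},
}

# Constructed access log: (ISO timestamp, user, system, bytes transferred out).
EVENTS = [
    ("2025-06-02T10:15:00", "bpo-agent-17", "ticketing", 20_000),
    ("2025-06-03T11:02:00", "bpo-agent-17", "ticketing", 18_000),
    ("2025-06-04T03:40:00", "bpo-agent-17", "customer-db", 900_000_000),
    ("2025-06-04T14:10:00", "integ-svc-02", "billing-api", 50_000),
    ("2025-02-01T09:00:00", "contractor-old", "wiki", 1_000),
]

BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 local (assumed window)
STALE_AFTER = timedelta(days=90)  # assumed idle threshold for enabled accounts
TRANSFER_FACTOR = 10              # flag if > 10x the user's own prior median

def _median(values):
    s = sorted(values)
    return s[len(s) // 2] if s else 0

def assess(events, vendors, now_iso):
    """Return {user: [finding, ...]} for the given events and inventory."""
    now = datetime.fromisoformat(now_iso)
    findings = {u: [] for u in vendors}
    history = {u: [] for u in vendors}  # earlier transfer sizes per user
    last_seen = {}
    for ts, user, system, nbytes in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        last_seen[user] = when
        if when.hour not in BUSINESS_HOURS:
            findings[user].append(f"off-hours login {ts}")
        if system not in vendors[user]["scope"]:
            findings[user].append(f"out-of-scope access to {system}")
        base = _median(history[user])
        if base and nbytes > TRANSFER_FACTOR * base:
            findings[user].append(f"transfer {nbytes}B vs median {base}B")
        history[user].append(nbytes)
    for user, meta in vendors.items():  # enabled but idle: access drift
        if meta["enabled"] and now - last_seen.get(user, now) > STALE_AFTER:
            findings[user].append("enabled but idle > 90 days")
    return findings
```

Real deployments would derive the scope from the access-review record and the baseline from weeks of history rather than two prior events, but the structure of the checks is the same.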
Your Team Needs End-to-End User Visibility
To close these gaps, security leaders are adopting User Adaptive Risk Management. This approach helps teams understand not only who has access, but how that access is being used in context and in real time.
This shift prioritizes behavioral signals over static identity checks. It analyzes live indicators such as:
- Business impact: A user’s title, department, access scope, and role sensitivity
- Simulated attack response: How users perform in phishing, smishing, and encrypted-channel simulations
- Training activity: Engagement with assigned training based on role and risk level
- Risk signals: Login failures, unusual access, policy violations, and behavioral drift
By analyzing these factors continuously, security teams can pinpoint high-risk users early. That includes insider risk from compromised vendors, over-entitled contractors, and internal users whose actions fall outside expected norms.
Dune gives security teams the context they need to act with confidence. By surfacing real-time signals at the user level, it enables early detection of risk and automatic, targeted response to insider threats wherever they emerge.
