October 16, 2025 (7 min read)

Shadow Identities: The Common Attack Target You Can't See

Shadow identities represent a critical security blind spot, with 80% of enterprise SaaS logins invisible to IT and security teams. Unlike shadow IT, which focuses on unauthorized applications, shadow identities are unmanaged user accounts, service principals, OAuth tokens, and API keys that exist outside your identity provider. These hidden credentials create three major risks: security blind spots from unmonitored authentication, compliance violations from untracked data access, and forensic black holes during incident investigations. Security teams need systematic discovery of application registrations, service principals, personal access tokens, and third-party integrations across their infrastructure. Command Zero provides the visibility and investigation capabilities to identify shadow identities across Microsoft Entra, Okta, GitHub, AWS, and other systems, enabling rapid correlation of identity activity during security incidents when response time is critical.

Introduction

80% of enterprise SaaS logins are invisible to IT and security teams (Source: LayerX, "2025 Identity Security Report"). These aren't rogue applications; they're unmanaged identities quietly accumulating access to your most sensitive systems. And attackers only need one way in.

When a laptop gets stolen, IT wipes it remotely. Problem solved. But what happens to the service account created in that forgotten CI/CD pipeline three years ago? Or the legacy VM still running in a stale AWS region? Or unused admin privileges sitting on a Salesforce account?

Those are shadow identities. Silent threats that don't need malware—just credentials.

Shadow IT vs shadow identities: why the distinction matters

Shadow IT is about unauthorized tools and personal devices (BYOD). Shadow identities are about the access footprint: the accounts, credentials, and digital personas, human and machine, that exist outside your identity provider and therefore outside its lifecycle, MFA, and logging controls.

We're talking about:

  • Service accounts created by third-party SaaS tools never placed in a management system
  • OAuth tokens granted to browser extensions or generative AI assistants
  • Developer credentials stored in Git repositories
  • API keys and tokens that aren't monitored as closely as they should be

The IBM Cost of a Data Breach Report 2025 puts the average cost of a breach involving shadow AI at $4.63 million, 16% above the overall average breach cost. Even more concerning, 97% of organizations that reported an AI-related breach lacked proper AI access controls. (Source: IBM Cost of a Data Breach Report 2025)

The triple threat of shadow identities

Shadow identities create three overlapping risks:

Security blind spots. When employees create accounts outside your identity provider, those accounts escape your password policy, your MFA enforcement, and your conditional access rules. Passwords get reused across platforms, MFA setup gets skipped, and already-compromised credentials go unnoticed. You have no visibility, no control, and no security oversight for four out of five logins happening in your environment right now.

Compliance nightmares. These untracked identities lead to violations of data protection regulations. Sensitive information becomes accessible through unmanaged accounts. Your compliance posture is only as strong as your weakest link—that unmonitored account nobody knows exists.

Forensic black holes. During an incident, you need to know what applications a user logged into, what actions were taken, what device and location they used. Shadow identities eliminate that visibility. When something goes wrong, you can't see how the breach occurred or how it spread.

Nearly half of organizations expect shadow AI incidents within the next 12 months, yet most security teams have no systematic way to discover or manage the identities those incidents will involve.

What shadow identities look like in practice

Here's a real life scenario: A developer sets up a GitHub personal access token to automate deployments. The token has organization-wide repo access. Six months later, the developer moves to a different team. The token? Still active. Still has full access. Nobody knows it exists.

Or consider this: A sales team member authorizes a third-party integration to access your CRM data. The integration creates its own service principal with read access to customer records. The sales person leaves the company. The integration keeps running. The service principal keeps accessing data.

These aren't theoretical risks. I've seen organizations discover hundreds of active OAuth tokens granted to applications they've never heard of. API keys with production database access sitting in public repositories. Service accounts with domain admin rights that haven't authenticated in years but still have valid credentials.

Why traditional tools miss shadow identities

Your SIEM doesn't see the account creation if it happened outside your IdP and the application's own audit log was never onboarded. Your EDR doesn't flag it because there's no endpoint activity. Your CASB might catch some SaaS usage from user browsers, but it won't see the service-to-service authentication (OAuth tokens, API keys, service principals) happening behind the scenes.

The problem compounds with AI. Organizations now manage 45 times more machine identities than human ones, with total identities expanding 240% annually. Each AI agent, each automation script, each integration creates new identities that operate beyond traditional IAM controls.

Getting visibility into shadow identities

The starting point is knowing what exists. You need to answer questions like:

  • What application registrations exist in your environment?
  • What service principals are active across your infrastructure?
  • Which GitHub users have requested or been granted personal access tokens?
  • What personal access tokens have access to organization-owned resources?
  • Which third-party integrations and GitHub apps are authorized to access your repositories?

These questions reveal the shadow identity footprint in your environment. But asking them manually across different systems takes hours or days. By the time you've compiled the data, it's already stale.
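The two scenarios above (the developer's still-active organization-wide token and the orphaned CRM service principal) and the discovery questions in this section both come down to the same triage: join an inventory of non-human identities against who still works here, when each identity last authenticated, and what it can reach. The following script is an added example for this article, not Command Zero's code. Its records are constructed, and the field names are assumptions standing in for whatever your exports use (for instance Entra service principals with sign-in activity pulled from Microsoft Graph, and fine-grained PAT grants listed through GitHub's organization personal-access-token endpoints).

```python
"""Triage identity inventory exports for shadow-identity indicators.

Added example, not Command Zero's code. All records below are constructed;
field names are assumptions, not any vendor's export schema.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 10, 16, tzinfo=timezone.utc)   # fixed so the run is reproducible
STALE_AFTER = timedelta(days=90)
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Application Administrator"}

# Constructed: who is still employed, and who is still a member of the GitHub org.
ACTIVE_EMPLOYEES = {"alice", "bob"}
GITHUB_ORG_MEMBERS = {"alice", "bob"}

# Constructed: the identities actually found in the environment.
SERVICE_PRINCIPALS = [
    {"id": "sp-crm-sync", "owner": "carol", "roles": ["Directory.Read.All"],
     "last_sign_in": "2025-10-15T08:00:00Z"},
    {"id": "sp-legacy-backup", "owner": "dave", "roles": ["Global Administrator"],
     "last_sign_in": "2022-01-10T00:00:00Z"},
    {"id": "sp-ci-deploy", "owner": "alice", "roles": ["Contributor"],
     "last_sign_in": "2025-10-14T00:00:00Z"},
    {"id": "sp-poc-never-used", "owner": "bob", "roles": [], "last_sign_in": None},
]
PAT_GRANTS = [
    {"token_id": "pat-1", "user": "alice", "repositories": "selected",
     "permissions": {"contents": "read"}, "last_used": "2025-10-10T00:00:00Z"},
    {"token_id": "pat-2", "user": "erin", "repositories": "all",
     "permissions": {"contents": "write", "workflows": "write"},
     "last_used": "2025-04-01T00:00:00Z"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def staleness(last_ts, now):
    """Reason string if the identity has not authenticated within STALE_AFTER, else None."""
    if last_ts is None:
        return "never authenticated"
    idle = now - parse_ts(last_ts)
    if idle > STALE_AFTER:
        return "stale: no authentication for %d days" % idle.days
    return None


def triage_service_principals(sps, active_employees, now=NOW):
    findings = []
    for sp in sps:
        reasons = []
        if sp["owner"] not in active_employees:
            reasons.append("orphaned: owner %s is not a current employee" % sp["owner"])
        stale = staleness(sp["last_sign_in"], now)
        if stale:
            reasons.append(stale)
        privileged = sorted(set(sp["roles"]) & PRIVILEGED_ROLES)
        if privileged and reasons:
            # The dangerous combination: valid privileged credentials nobody owns or watches.
            reasons.append("privileged roles on an unowned/idle identity: " + ", ".join(privileged))
        if reasons:
            findings.append({"id": sp["id"], "kind": "service_principal", "reasons": reasons})
    return findings


def triage_pats(grants, org_members, now=NOW):
    findings = []
    for g in grants:
        reasons = []
        if g["user"] not in org_members:
            reasons.append("orphaned: %s is no longer an organization member" % g["user"])
        stale = staleness(g["last_used"], now)
        if stale:
            reasons.append(stale)
        writes = sorted(p for p, level in g["permissions"].items() if level == "write")
        if g["repositories"] == "all":
            scope = "organization-wide repository access"
            if writes:
                scope += " with write to: " + ", ".join(writes)
            reasons.append(scope)
        if reasons:
            findings.append({"id": g["token_id"], "kind": "github_pat", "reasons": reasons})
    return findings


def triage_all():
    return (triage_service_principals(SERVICE_PRINCIPALS, ACTIVE_EMPLOYEES)
            + triage_pats(PAT_GRANTS, GITHUB_ORG_MEMBERS))


if __name__ == "__main__":
    for f in triage_all():
        print(f["kind"], f["id"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed data this flags four identities: the CRM sync principal whose owner has left, the legacy backup principal that is orphaned, idle for years, and still Global Administrator, a proof-of-concept principal that has never signed in, and the departed developer's organization-wide write-capable token. The healthy CI principal and the scoped read-only token produce nothing, which is the point: the output is a worklist for the ownership and revocation steps, not an alert feed.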

How Command Zero addresses shadow identities

Command Zero provides the visibility and investigation capabilities that security teams need to tackle shadow identities systematically. The platform uses both hunting and lead-based questions to surface these hidden access points across your infrastructure.

Rather than forcing analysts to write complex queries across multiple consoles, Command Zero delivers expert-level questions that can be executed immediately:

  • What application registrations exist across your identity providers?
  • What service principals are currently active, and which haven't authenticated recently?
  • Which GitHub users have requested or been granted personal access tokens with access to organization resources?
  • What personal access tokens have access to organization-owned GitHub resources?
  • Which third-party integrations and GitHub apps have been authorized to access organization-owned resources?

These questions—plus dozens of others built into the platform—provide the deep visibility your organization needs in a central location. When an incident occurs, you don't have time to figure out which systems to check or how to correlate data across them. You need answers immediately.

The platform integrates with your existing infrastructure: Microsoft Entra, Okta, GitHub, AWS, CrowdStrike, Proofpoint, and other data sources. This means you can investigate shadow identities alongside other security events, correlating identity activity with endpoint telemetry, email events, and cloud infrastructure changes.

For instance, when investigating a suspicious login, Command Zero automatically:

  • Identifies all service principals and OAuth tokens associated with that identity
  • Shows recent authentication patterns across all integrated systems
  • Reveals what resources were accessed and when
  • Correlates activity with other security events in your environment
  • Builds a complete timeline without manual log aggregation

This investigation depth is critical because shadow identities rarely exist in isolation. A compromised personal access token might lead to lateral movement through multiple systems. An orphaned service account might have access to resources across AWS, Azure, and SaaS applications. Command Zero connects these dots automatically, giving you the complete picture during investigations when time matters most.

What security teams should do now

Start with discovery. You can't protect what you can't see. Map every identity across your cloud environments, SaaS applications, and development platforms. This includes human users, service accounts, API keys, and OAuth tokens.

Establish ownership. Every identity needs an owner responsible for its lifecycle. Service accounts shouldn't be "owned" by former employees or shared distribution lists. When someone leaves, you should know exactly which identities to revoke.

Implement least privilege. A service account doesn't need domain admin rights to read a configuration file. An OAuth token doesn't need full repository access to trigger a deployment. Scope permissions as narrowly as possible.

Monitor for anomalies. Even legitimate shadow identities can be compromised. Watch for unusual authentication patterns, new locations, or access to resources that don't match the identity's historical behavior.

Build investigation workflows. When an alert fires, your team needs to quickly determine scope. Did this identity access other systems? What data was touched? Are there related identities that should be investigated? Having pre-built investigation paths dramatically reduces response time.
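The "monitor for anomalies" step above is concrete enough to show in code: build a per-identity baseline of where it authenticates from and what it touches, then flag sign-ins that break with that history, including the case where an identity has no history at all, which is exactly what a shadow identity looks like the first time it shows up in your logs. The script below is an added example for this article, not Command Zero's code. The events are constructed and already normalised; the field names are assumptions standing in for whatever your IdP or SIEM export provides after field mapping.

```python
"""Behavioural baseline for identities: flag sign-ins that break with history.

Added example, not Command Zero's code. Events are constructed; field names
are assumptions, not any product's log schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one normalised sign-in event per line.
SAMPLE_EVENTS = """\
{"ts": "2025-09-01T09:00:00Z", "identity": "sp-crm-sync", "country": "US", "resource": "crm-api", "result": "success"}
{"ts": "2025-09-03T10:15:00Z", "identity": "alice", "country": "US", "resource": "github", "result": "success"}
{"ts": "2025-09-15T09:00:00Z", "identity": "sp-crm-sync", "country": "US", "resource": "crm-api", "result": "success"}
{"ts": "2025-09-20T14:30:00Z", "identity": "alice", "country": "US", "resource": "aws-console", "result": "success"}
{"ts": "2025-10-05T09:00:00Z", "identity": "sp-crm-sync", "country": "US", "resource": "crm-api", "result": "success"}
{"ts": "2025-10-10T08:45:00Z", "identity": "alice", "country": "US", "resource": "github", "result": "success"}
{"ts": "2025-10-12T02:10:00Z", "identity": "sp-crm-sync", "country": "NL", "resource": "customer-db", "result": "success"}
{"ts": "2025-10-14T03:00:00Z", "identity": "pat-erin-deploy", "country": "US", "resource": "github", "result": "success"}
"""

# Everything before the cutoff is treated as learned history; everything after is evaluated.
BASELINE_CUTOFF = datetime(2025, 10, 1, tzinfo=timezone.utc)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = parse_ts(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Per identity: countries and resources seen in successful sign-ins before the cutoff."""
    baseline = defaultdict(lambda: {"countries": set(), "resources": set()})
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baseline[e["identity"]]["countries"].add(e["country"])
            baseline[e["identity"]]["resources"].add(e["resource"])
    return dict(baseline)


def detect_anomalies(events, cutoff=BASELINE_CUTOFF):
    baseline = build_baseline(events, cutoff)
    findings = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        reasons = []
        known = baseline.get(e["identity"])
        if known is None:
            # No history at all is itself a lead: where did this identity come from, who owns it?
            reasons.append("no baseline: identity not seen before the cutoff")
        else:
            if e["country"] not in known["countries"]:
                reasons.append("new country: " + e["country"])
            if e["resource"] not in known["resources"]:
                reasons.append("new resource: " + e["resource"])
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "identity": e["identity"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(load_events(SAMPLE_EVENTS)):
        print(f["ts"], f["identity"], "; ".join(f["reasons"]))
```

On the constructed data the CRM sync principal, which only ever touched the CRM API from the US, is flagged when it reaches a customer database from the Netherlands, and a token named for a departed developer is flagged simply because it has no history. The baseline here is static for clarity; in practice you would recompute it on a rolling window after each flagged event is reviewed, so that a legitimately new resource stops alerting once an owner has confirmed it.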

The stakes are high

Attackers know that identity is the new perimeter. They're not breaking through your firewall—they're authenticating with legitimate credentials they obtained from shadow identities you didn't know existed.

When you have no visibility into 80% of logins, you're operating blind. Every shadow identity is a potential entry point. Every unmanaged service account is a persistence mechanism. Every forgotten OAuth token is a lateral movement path.

The question isn't whether you have shadow identities. You do. The question is whether you'll discover them before an attacker does.

Book a demo today to see how Command Zero can help identify and investigate shadow identities in your environment.

Eric Hulse
Director of Security Research
