Identity threat detection and response is a cybersecurity discipline focused on detecting and stopping attacks that exploit digital identities, including stolen credentials, compromised service accounts, and OAuth grants.
Identity Threat Detection and Response Gaps That AI Can Close
Legacy tools miss identity-based attacks. See how behavioral AI and cross-platform correlation close critical ITDR gaps traditional defenses leave open.
May 26, 2026
Catching an attacker who uses legitimate credentials is like trying to spot an intruder who walked in through the front door with a valid key. They don't trip the alarm, they don't break a window, and every sensor in the building says they belong.
That's the core challenge of identity-based attacks: they increasingly rely on valid credentials, hijacked sessions, and OAuth abuse, which can produce no malicious signatures and few obvious rule violations.
This creates a growing detection gap for security teams. SIEMs, signature-based detection, and email gateways were built to catch threats that look malicious, not ones that look like legitimate activity. When attackers operate within normal behavior, traditional defenses have far less to work with.
This article maps the specific identity threat detection and response (ITDR) gaps that legacy tools leave open. It also shows how AI-driven techniques can help close them, from behavioral baselining and multi-signal analysis to NLP-based social engineering detection and cross-platform correlation.
What Identity Threat Detection and Response Covers
Identity threat detection and response (ITDR) is a cybersecurity discipline focused on detecting and stopping attacks that exploit digital identities, from stolen credentials to compromised service accounts and OAuth grants. Its focus is how identities are used after authentication and whether that activity aligns with expected behavior.
ITDR applies behavioral analysis across directory services, cloud identity providers, and SaaS applications to distinguish legitimate activity from compromise.
The scale of the problem underscores why this matters: the Verizon 2025 DBIR found that credential abuse was the initial attack vector in 22% of breaches, reinforcing the need for visibility that extends well beyond the login event itself.
Why Legacy Tools Miss Identity-Based Attacks
Legacy tools miss identity-based attacks because their detection models depend on isolated events and known artifacts, not behavior across sessions and platforms. These gaps are structural, not tuning problems, and they span the three core layers of traditional defense: SIEM rules lack behavioral context for individual accounts, signature-based detection has limited visibility when no malicious artifact exists, and email gateways lose sight of compromised accounts after authentication succeeds.
1. SIEM Rules Miss Behavioral Context
Static Security Information and Event Management (SIEM) rules match discrete events against pre-defined thresholds, which makes subtle identity abuse hard to model.
An analyst must anticipate the pattern in advance and encode it as a rule. Modern identity attacks often operate within normal event parameters, including plausible access times, authorized tooling, and successful use of legitimate accounts.
Identity behavior is also highly variable:
- A rule for new geography may trigger on routine business travel.
- A rule for after-hours access may trigger across time zones.
- A rule for privileged tool usage may trigger on legitimate admin activity.
Without per-account behavioral baselines, static rules may struggle to separate a legitimate deviation from a malicious one.
2. Signatures Miss Credential Abuse
Signature-based detection may miss identity attacks when there is no malicious artifact to inspect. This model depends on known artifacts such as file hashes, malware binaries, or blocklisted IPs.
Many identity attacks involve none of these. Attackers may operate through legitimate administrative tools and authorized access paths. When activity relies on valid credentials rather than malicious artifacts, a detection system that depends on artifacts has far less to evaluate. Even EDR tools can face this limitation when the attacker uses legitimate administrative tools already authorized in the environment.
3. Email Gateways Miss Post-Authentication Behavior
Email gateways may stop malicious inbound messages, but they often have limited visibility into what happens inside a compromised account after authentication.
SEGs evaluate inbound email using reputation-based signals such as blocklists, domain reputation, SPF, DKIM, and DMARC validation. This creates a blind spot when an attacker operates from a legitimately compromised account. The account is real, the domain is real, and email authentication passes.
Post-authentication indicators may sit inside the email platform itself, including forwarding rules, OAuth token grants, and session anomalies. A compromised account exfiltrating email through auto-forwarding rules may generate no SEG alert because the gateway was not designed to monitor post-authentication account behavior.
Critical Identity Threat Detection Gaps in Enterprise Environments
Specific identity attack techniques expose gaps that rule tuning alone may not resolve.
Valid Account Abuse Creates a Detection Paradox
Valid account abuse is difficult to detect because the activity can look legitimate at the point of authentication. Attackers using stolen credentials produce authentication events that can resemble normal user activity.
A CISA advisory found that harvested credentials, including the krbtgt account hash, enabled lateral movement to "nearly any system in the Windows domain." It also noted that "it is rare to find network defenders who can secure and monitor it quickly and effectively."
Detection signals exist mainly in behavioral deviations:
- Access to systems never previously touched by a given account.
- Logins at atypical hours for the specific user.
- Service accounts initiating interactive sessions.
These patterns require per-account behavioral baselines that static SIEM rules cannot maintain at scale.
Session Token Theft Shifts Detection After Login
Session token theft shifts the detection problem from authentication itself to suspicious activity after authentication succeeds. Adversary-in-the-middle (AiTM) phishing kits intercept authenticated session tokens after the victim completes multi-factor authentication (MFA).
The attacker never needs to know the victim's MFA secret. Post-authentication, the attacker replays the stolen token from a different context and accesses the victim's environment while generating only successful session events. Detection requires comparing session and device signals against the original authentication event, a correlation that static rules often do not perform.
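The comparison described above, as an added example that is not code from the article or any vendor: each later use of a session token is joined back to the authentication event that created it and checked for changes in network (ASN), client and enrolled device. The event fields, the choice to ignore a bare IP change, and the rule that two or more mismatches indicate likely replay are assumptions; all events are constructed.

```python
"""Compare later uses of a session token against the authentication that created it.

Added example, not code from the article or any vendor. The event fields
(ASN, user agent, device id) and the rule that two or more mismatches mean
likely replay are assumptions; all events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class AuthEvent:
    session_id: str
    user: str
    ts: datetime
    ip: str
    asn: str
    user_agent: str
    device_id: Optional[str]   # None when the device is not enrolled/registered


@dataclass(frozen=True)
class TokenUse:
    session_id: str
    ts: datetime
    ip: str
    asn: str
    user_agent: str
    device_id: Optional[str]


def compare(auth: AuthEvent, use: TokenUse, max_age: timedelta = timedelta(hours=12)):
    """Return the list of context mismatches between a token use and its origin login.

    A bare IP change is deliberately not a finding on its own: mobile and
    corporate networks rotate addresses, so the network (ASN), client and
    device are the signals compared.
    """
    findings = []
    if use.asn != auth.asn:
        findings.append("asn_change")
    if use.user_agent != auth.user_agent:
        findings.append("user_agent_change")
    if use.device_id != auth.device_id:
        findings.append("device_change")
    if use.ts - auth.ts > max_age:
        findings.append("token_older_than_policy")
    return findings


def verdict(findings) -> str:
    if not findings:
        return "consistent"
    return "likely_token_replay" if len(findings) >= 2 else "review"


def triage(auths, uses):
    """Join token uses to their originating login by session id and classify each."""
    by_session = {a.session_id: a for a in auths}
    results = []
    for use in uses:
        auth = by_session.get(use.session_id)
        if auth is None:
            results.append((use.session_id, ["unknown_session"], "review"))
            continue
        findings = compare(auth, use)
        results.append((use.session_id, findings, verdict(findings)))
    return results


T0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)

# Constructed events. Session s-1: same person, same laptop, a new office IP in the
# same network. Session s-2: the token appears from another network and client, on no
# enrolled device, 40 minutes after the MFA-completed login. Session s-9 has no login.
AUTHS = [
    AuthEvent("s-1", "alice@example.com", T0, "203.0.113.10", "AS64500", "Edge/124 Windows", "dev-aaa"),
    AuthEvent("s-2", "bob@example.com", T0, "203.0.113.22", "AS64500", "Edge/124 Windows", "dev-bbb"),
]
USES = [
    TokenUse("s-1", T0 + timedelta(hours=2), "203.0.113.11", "AS64500", "Edge/124 Windows", "dev-aaa"),
    TokenUse("s-2", T0 + timedelta(minutes=40), "198.51.100.7", "AS64511", "Chrome/120 Linux", None),
    TokenUse("s-9", T0 + timedelta(hours=1), "198.51.100.9", "AS64511", "curl/8.0", None),
]

if __name__ == "__main__":
    for row in triage(AUTHS, USES):
        print(row)
```

The join key is the session id, which is exactly the correlation a per-event SIEM rule does not perform: the replayed token produces only successful events, and the signal is the difference between two otherwise legitimate-looking records.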
MFA Bypass Can Still End in Success
Some MFA bypass techniques still end in a successful login, which limits the value of failure-based detection. Push bombing, SS7 exploitation, and SIM swap can all result in completed authentication.
Push bombing exploits user fatigue until a victim approves an attacker-initiated prompt. SS7 and SIM swap attacks occur outside the enterprise's network perimeter, generating no enterprise log events. In each case, the completed authentication may appear legitimate without added behavioral context.
OAuth Abuse Creates Persistent Access
OAuth abuse creates persistent access that may continue even after credentials change. OAuth consent grants create application-level access that survives password resets and MFA changes.
SEGs may block the initial phishing email delivering a consent grant link, but downstream OAuth permission abuse generates no authentication failures. The OAuth flow completes successfully, and detection requires monitoring consent grant events that many SIEMs do not ingest by default.
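Monitoring consent-grant events, as an added example that is not code from the article or any identity provider. The record shape is a constructed simplification of a consent audit event; the scope strings are Microsoft Graph permission names, while the application ids, the approved-app list and the risk tiers are assumptions.

```python
"""Triage OAuth consent-grant audit events for risky application access.

Added example, not code from the article or any identity provider. The record
shape is a constructed simplification of a consent audit event; the scope
names are Microsoft Graph permission names, the app ids, allowlist and risk
tiers are assumptions.
"""
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
DATA_SCOPES = {"Files.ReadWrite.All", "Sites.ReadWrite.All"}
PERSISTENCE_SCOPES = {"offline_access"}           # refresh tokens: access outlives a password reset
APPROVED_APPS = {"app-corp-crm", "app-docs-tool"}  # assumption: apps vetted by the organization


def assess_grant(grant: dict):
    """Return (risk_level, reasons) for one consent grant record."""
    scopes = set(grant["scopes"])
    reasons = []
    sensitive = scopes & (MAILBOX_SCOPES | DATA_SCOPES)
    persistent = bool(scopes & PERSISTENCE_SCOPES)
    unapproved = grant["app_id"] not in APPROVED_APPS
    if sensitive:
        reasons.append("sensitive scopes: " + ", ".join(sorted(sensitive)))
    if persistent:
        reasons.append("offline_access grants refresh tokens that survive credential changes")
    if unapproved:
        reasons.append("application not on the approved list")
    if grant["consent_type"] == "user" and unapproved:
        reasons.append("user-level consent bypassed admin review")
    if not grant.get("publisher_verified", False):
        reasons.append("publisher not verified")

    if sensitive and unapproved:
        level = "high"
    elif sensitive or (persistent and unapproved):
        level = "medium"
    elif reasons:
        level = "low"
    else:
        level = "none"
    return level, reasons


def review_queue(grants):
    """Rank grants so the ones that need revocation review come first."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    assessed = [(g["app_id"], g["granted_by"], *assess_grant(g)) for g in grants]
    return sorted(assessed, key=lambda row: order[row[2]])


# Constructed grant records. None of these produce an authentication failure;
# the only signal is the grant itself.
GRANTS = [
    {"app_id": "app-corp-crm", "display_name": "Corp CRM", "granted_by": "admin@example.com",
     "consent_type": "admin", "publisher_verified": True, "scopes": ["User.Read"]},
    {"app_id": "app-7f3e-unknown", "display_name": "Mail Sync Helper", "granted_by": "alice@example.com",
     "consent_type": "user", "publisher_verified": False,
     "scopes": ["Mail.Read", "Mail.Send", "offline_access"]},
    {"app_id": "app-docs-tool", "display_name": "Docs Export", "granted_by": "admin@example.com",
     "consent_type": "admin", "publisher_verified": True, "scopes": ["Files.ReadWrite.All"]},
]

if __name__ == "__main__":
    for app_id, granted_by, level, reasons in review_queue(GRANTS):
        print(level.upper(), app_id, granted_by, reasons)
```

The useful property of this check is that it keys on the grant, not on the user's password or MFA state: a grant that pairs mailbox scopes with offline_access on an unapproved app stays at the top of the queue until the grant itself is revoked.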
Cross-Platform Pivots Break Correlation
Cross-platform identity pivots are hard to reconstruct when identity data remains siloed. Attackers routinely steal credentials from one identity system and use them in another (MITRE ATT&CK), such as exfiltrating the AD database on-premises and then using those credentials to access cloud tenants.
Log schema differences across platforms can prevent automated correlation in SIEM deployments that treat each platform as a separate data source. An attacker can maintain persistence in one platform while conducting operations in another, making full kill-chain reconstruction difficult without unified identity correlation.
How AI Closes Identity Threat Detection Gaps
AI helps close identity detection gaps in four key ways: building per-user behavioral baselines that supply the context static rules lack, combining multiple signals to reduce false positives, applying NLP to detect social engineering, and correlating activity across platforms to surface attacks that no single channel reveals on its own. Each is discussed in turn below.
1. Behavioral Baselining Improves User Context
Behavioral baselining improves identity detection by adding per-user context. Instead of applying uniform thresholds across all users, AI-driven detection builds dynamic behavioral baselines for each individual. Login times, access volumes, device usage, and communication patterns are profiled per user and continuously updated.
A deviation significant for one user may be routine for another, providing context that rule-based systems cannot capture. Continuous baseline updating also accounts for legitimate behavioral drift, such as role changes, new projects, and travel, without requiring manual recalibration.
2. Multi-Signal Analysis Reduces False Positives
Multi-signal analysis addresses the limits of single-event detection by evaluating related indicators together. Single-signal anomaly detection produces high false-positive rates because any individual signal can have a plausible, legitimate explanation. AI evaluates signals across multiple dimensions and combines them into a risk score reflecting the overall pattern.
For example, a higher-risk pattern may include:
- A new device.
- A new geolocation.
- Access to a sensitive resource.
- Activity outside normal hours.
When evaluated collectively, these signals paint a far more convincing picture of compromise than any individual indicator could on its own.
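Per-user baselining and multi-signal scoring together, as an added example that is not code from Abnormal or from the article. It also serves the earlier point about static SIEM rules: a uniform new-geography rule fires on a frequent traveller, while a baseline built from that user's own history does not. The login schema, the baseline features, the 2% hour threshold and the score weights are assumptions; the history is constructed.

```python
"""Per-user behavioral baselines with a multi-signal risk score.

Added example, not code from Abnormal or from the article. The login event
schema, the baseline features and the score weights are assumptions chosen
to illustrate the technique; all history below is constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    country: str
    device_id: str
    resource: str


@dataclass
class Baseline:
    """Counts of what one account normally does; updated with every new event."""
    hours: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    resources: Counter = field(default_factory=Counter)
    total: int = 0

    def update(self, ev: Login) -> None:
        self.hours[ev.ts.hour] += 1
        self.countries[ev.country] += 1
        self.devices[ev.device_id] += 1
        self.resources[ev.resource] += 1
        self.total += 1


SENSITIVE_RESOURCES = {"payroll", "admin-portal"}   # assumption


def static_new_geography(ev: Login, home_country: str = "US") -> bool:
    """The uniform SIEM rule the article describes: one threshold for everyone."""
    return ev.country != home_country


def build_baselines(history):
    baselines = defaultdict(Baseline)
    for ev in history:
        baselines[ev.user].update(ev)
    return baselines


def score(ev: Login, base: Baseline):
    """Combine several per-user deviations into one score with reasons.

    Weights are assumptions; the point is that each signal alone is weak and
    the combination is what separates travel from takeover.
    """
    reasons, total = [], 0
    if base.total == 0:
        return 0, ["no baseline yet"]
    if base.countries[ev.country] == 0:
        total += 30
        reasons.append("new country")
    if base.devices[ev.device_id] == 0:
        total += 25
        reasons.append("new device")
    if base.hours[ev.ts.hour] / base.total < 0.02:   # hour seen in <2% of this user's logins
        total += 20
        reasons.append("unusual hour for this user")
    if ev.resource in SENSITIVE_RESOURCES and base.resources[ev.resource] == 0:
        total += 25
        reasons.append("first access to sensitive resource")
    return total, reasons


def _day(n: int, hour: int) -> datetime:
    return datetime(2026, 1, 1, hour, tzinfo=timezone.utc) + timedelta(days=n)


# Constructed history: alice travels to GB regularly and works 09:00-17:00 UTC;
# bob is office-bound in the US on one desktop, 08:00-15:00 UTC.
HISTORY = [
    Login("alice", _day(i, 9 + i % 9), "GB" if i % 5 == 0 else "US", "laptop-1", "crm")
    for i in range(40)
] + [
    Login("bob", _day(i, 8 + i % 8), "US", "desktop-7", "crm") for i in range(40)
]

# Two events to evaluate (constructed).
ALICE_TRAVEL = Login("alice", _day(41, 14), "GB", "laptop-1", "crm")
BOB_SUSPECT = Login("bob", _day(41, 3), "RO", "phone-x", "payroll")

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for ev in (ALICE_TRAVEL, BOB_SUSPECT):
        print(ev.user, "| static new-geo rule fires:", static_new_geography(ev),
              "| baseline score:", score(ev, baselines[ev.user]))
```

Run as-is, the static rule flags alice's routine trip and says nothing about bob, whose single new-country signal would be equally plausible on its own; the per-user score reverses both outcomes because it reads each signal against that account's own history and adds the device, hour and resource deviations together.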
3. NLP Helps Surface Social Engineering
NLP helps identify socially engineered messages that contain no obvious malicious artifacts. Business email compromise (BEC) attacks may contain no malicious links, attachments, or blocklisted domains.
They succeed by manipulating language. NLP techniques analyze tone, sentiment, urgency patterns, writing style consistency, and request context, all dimensions that signature matching does not evaluate. These models can help surface impersonation by comparing current message characteristics against historical communication patterns for each sender.
4. Cross-Channel Correlation Improves Investigation
Cross-channel correlation can turn scattered low-severity events into a clearer compromise picture. Account takeover attacks frequently span multiple platforms. AI can unify signals from email, collaboration tools, cloud identity providers, and SaaS applications into a single risk picture.
An unusual login followed by inbox rule changes followed by internal phishing from the same account represents a stronger compromise signal. Without correlation, each event may appear as a low-severity alert in its respective platform.
Where Email Fits in Identity Threat Detection and Response
Email remains a primary entry point for identity compromise and a valuable source of identity and behavioral signals. AiTM phishing, device code phishing, inbox rule manipulation, and BEC execution all originate in or operate through email. Yet these signals rarely feed into identity detection workflows.
Email also produces post-compromise indicators that directory logs may miss, including:
- Forwarding rule creation.
- Unusual outbound patterns.
- Notification suppression rules.
When email signals are correlated with authentication and access telemetry, identity compromise detection gains a layer of visibility that directory-only ITDR approaches may lack.
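Correlating email signals with identity telemetry, as an added example that is not Abnormal's code. It covers the three points made on this page: log-schema differences that block a naive join (identity-provider sign-ins, mailbox audit records and an outbound-mail signal all name the same account differently), the unusual-login, inbox-rule, internal-phishing sequence, and the forwarding and notification-suppression rules listed above. The three record shapes are constructed approximations, and the stage weights, 24-hour window and case threshold are assumptions.

```python
"""Normalize identity events from three log schemas and correlate them per account.

Added example, not Abnormal's code. The three record shapes are constructed
approximations of an identity-provider sign-in log, a mailbox audit log and
an outbound-mail signal; the stage weights, the 24-hour window and the case
threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
STAGE_WEIGHT = {"signin_risky": 2, "inbox_rule_forward": 3, "inbox_rule_delete": 2, "internal_phishing": 4}
CASE_THRESHOLD = 7   # no single stage reaches it; the sequence does


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def norm_idp(rec: dict):
    """Identity-provider sign-in: camelCase keys, UPN as the identity."""
    action = "signin_risky" if rec.get("riskLevel", "none") != "none" else "signin"
    return {"identity": rec["userPrincipalName"].lower(), "ts": _ts(rec["createdDateTime"]),
            "source": "idp", "action": action}


def norm_mailbox(rec: dict):
    """Mailbox audit: PascalCase keys, rule parameters as a Name/Value list."""
    if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
    if any(k in params for k in ("ForwardTo", "ForwardingSmtpAddress", "RedirectTo")):
        action = "inbox_rule_forward"
    elif params.get("DeleteMessage") == "True" or "MoveToFolder" in params:
        action = "inbox_rule_delete"          # notification suppression
    else:
        return None
    return {"identity": rec["UserId"].lower(), "ts": _ts(rec["CreationTime"]),
            "source": "mailbox", "action": action}


def norm_outbound(rec: dict):
    """Outbound-mail signal: nested actor object; flagged messages to internal recipients."""
    sender = rec["actor"]["email"].lower()
    domain = sender.split("@")[-1]
    internal = all(r.lower().endswith("@" + domain) for r in rec["recipients"])
    if not (rec.get("nlp_flag") and internal):
        return None
    return {"identity": sender, "ts": _ts(rec["sent_at"]), "source": "outbound", "action": "internal_phishing"}


def build_cases(events):
    """Group normalized events by identity and score the stages seen inside one window."""
    by_identity = defaultdict(list)
    for ev in events:
        if ev is not None:
            by_identity[ev["identity"]].append(ev)
    cases = []
    for identity, evs in by_identity.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            chain = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= WINDOW]
            first_seen = {}
            for e in chain:
                first_seen.setdefault(e["action"], e["ts"])
            stages = [a for a in sorted(first_seen, key=first_seen.get) if a in STAGE_WEIGHT]
            score = sum(STAGE_WEIGHT[a] for a in stages)
            if score >= CASE_THRESHOLD:
                cases.append({"identity": identity, "stages": stages, "score": score,
                              "sources": sorted({e["source"] for e in chain})})
                break   # one case per identity is enough here
    return cases


# Constructed records in three different schemas. Note the casing differences in
# the identity field that a join on raw strings would miss.
IDP_LOG = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-02T01:10:00Z", "riskLevel": "medium"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-03-02T02:00:00Z", "riskLevel": "medium"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-03-02T08:00:00Z", "riskLevel": "none"},
]
MAILBOX_AUDIT = [
    {"UserId": "ALICE@EXAMPLE.COM", "CreationTime": "2026-03-02T01:25:00Z", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@external.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "carol@example.com", "CreationTime": "2026-03-02T09:00:00Z", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Archive"}]},
]
OUTBOUND = [
    {"actor": {"email": "Alice@example.com"}, "sent_at": "2026-03-02T03:00:00Z",
     "recipients": ["dan@example.com", "erin@example.com"], "nlp_flag": True},
]


def run():
    events = ([norm_idp(r) for r in IDP_LOG] + [norm_mailbox(r) for r in MAILBOX_AUDIT]
              + [norm_outbound(r) for r in OUTBOUND])
    return build_cases(events)


if __name__ == "__main__":
    for case in run():
        print(case)
```

Each of alice's three events would be a low-severity alert in its own platform (a medium-risk sign-in, a new inbox rule, a flagged message); only after normalization to one identity key and one time axis does the sequence cross the case threshold. bob's risky sign-in and carol's archive rule stay below it, which is the false-positive control the threshold provides.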
How Abnormal Helps Close Identity Threat Detection Gaps
Abnormal is designed to help close identity detection gaps by adding email-centered behavioral context to existing security infrastructure.
It is designed to apply behavioral AI across cloud email and integrated SaaS platforms. It builds dynamic behavioral baselines for each user across identity signals, communication patterns, access timing, and workflow cadences. When behavior deviates from the baseline, those deviations are correlated into higher-confidence cases without requiring manual rule creation or policy tuning.
Abnormal can help identify suspicious activity across Microsoft 365, Google Workspace, Slack, and Microsoft Teams, correlating signals that single-channel tools may miss. This complements existing SIEM, SOAR, and ITDR infrastructure by adding email-layer behavioral context that these platforms were not designed to generate.
Building an Identity Threat Detection Strategy That Matches the Threat
A stronger identity threat detection strategy treats identity behavior and email activity as connected parts of the same attack surface.
Closing the detection gap often requires layering behavioral analysis on top of existing rule-based and signature-based infrastructure to cover the spaces where static logic has limited context.
Organizations are better positioned to detect identity threats when they:
- Treat email as an identity signal surface.
- Invest in behavioral baselines alongside authentication controls.
- Make cross-platform correlation part of the detection architecture.
Book a demo to see how Abnormal helps detect identity-based threats that traditional email security tools often miss.