For a long time, enterprise cybersecurity has been built on the assumption that attackers are outside the system, trying to break in. Firewalls keep them out. Endpoint tools watch for malware. Intrusion detection systems look for suspicious traffic.
But according to the 2025 Annual Threat Report from esentry, a Lagos-based African Managed Security Service Provider (MSSP), that assumption no longer holds, at least not across African enterprise environments. Increasingly, attackers are not breaking in. They are logging in.
The report paints a picture of a threat landscape in which the most damaging attacks no longer rely on high-profile exploits or obvious malware. Instead, attackers are abusing trusted access: valid usernames and passwords, compromised session tokens, and legitimate system tools. In many of the incidents esentry analysed in 2025, security controls were present and technically “working.” The problem wasn’t failure. It was trust.
From breaking into systems to inheriting trust
esentry describes this shift as an “inside job” style of attack. Once attackers gain access to a legitimate account, often through phishing, credential reuse, or token theft, they stop looking like intruders. Their activity blends into normal user behaviour, producing far less noise than traditional attacks.
This approach thrives in modern enterprise environments where employees, vendors, partners, and service providers all share cloud platforms and identity systems. When attackers compromise a valid account, they no longer need to bypass controls. They inherit trust by default.
According to the report, this allows attackers to stay hidden longer, quietly map environments, and move laterally before defenders realise something is wrong. In practical terms, it is often the difference between a contained incident and a full-scale breach.
Insider threats are no longer just about employees
One of the report’s more striking conclusions is how clearly it reframes insider threats. These attacks do not usually involve malicious employees acting deliberately. More often, they involve compromised accounts, reused credentials, users unknowingly granting access via phishing links, or token theft.
Valid account abuse shows up repeatedly across the data. Attackers use real user accounts to gain an initial foothold, then rely on “living-off-the-land” techniques, built-in administrative tools, and legitimate system features to move through networks. Because these tools are already part of the environment, traditional security systems often treat the activity as routine.
The result is a dangerous blind spot where malicious actions go undetected.
Cloud identity becomes the new frontline
The shift toward trusted-access exploitation is especially visible in cloud environments. Email platforms, collaboration tools, document storage, and identity providers now sit at the centre of enterprise operations. Compromising a single cloud account can unlock sensitive communications, financial data, and internal workflows.
The report references a high-profile case involving the abuse of Microsoft 365 environments that led to the arrest of a Nigerian threat actor in December 2025. It also notes that these attacks increasingly cross organisational boundaries. In several incidents, attackers gained access through fintech partners, third-party APIs, or shared infrastructure, turning trusted external relationships into attack paths.
What the data says about scale and speed
In 2025 alone, esentry processed more than 31 billion security events across African enterprises. From that dataset, over 3.5 million alerts were generated, with identity-related anomalies making up a growing share of high-severity detections.
Suspicious login activity emerged as one of the most consistent warning signs, indicating attempts to use legitimate credentials for unauthorised access. The report links trusted-access abuse to multiple digital forensics and incident response cases across key sectors, underscoring how widespread the issue has become.
What makes this trend especially risky is speed. Once attackers have valid access, they can move quickly from reconnaissance to lateral movement and data exfiltration—often before automated systems flag anything unusual.
Why traditional security tools fall short
Most enterprise security stacks are designed to detect known indicators of compromise, such as malicious files, exploit attempts, or abnormal network traffic. Inside-job attacks bypass many of these signals entirely. When attackers use real accounts, approved tools, and valid tokens, there is often nothing obviously “malicious” to detect.
According to esentry, this has put pressure on alert-driven security models that only react once something breaks a predefined rule. By the time an alert fires, the attacker may already be well inside the environment.
How esentry’s Phalanx Formation Model responds
To deal with this reality, esentry has shifted away from purely reactive defence toward what it calls the Phalanx Formation Model—a coordinated operating approach that combines cyber defence operations, threat intelligence, offensive security insight, and security engineering.
Instead of waiting for alerts, esentry’s teams actively hunt for signals of trusted-access abuse: abnormal login patterns, subtle shifts in user behaviour, and quiet reconnaissance activity that automated tools tend to miss. The goal is to surface “inside-job” behaviour early, before it escalates.
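The hunting described above turns on finding valid logins that do not fit a user's normal pattern. The following is an added illustration, not esentry's tooling or anything from the report: it runs three simple rules over a constructed sign-in log (a baseline of countries each user has previously logged in from, a burst of failures from one source immediately followed by a success, and two successful logins from different countries inside a short window). Country-level "impossible travel" is an assumption made for brevity; a production detection would use geolocation distance and speed rather than country codes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): (user, ISO timestamp, source country, result)
SIGNIN_LOG = [
    ("alice", "2025-03-01T08:02:00", "NG", "success"),
    ("alice", "2025-03-01T12:30:00", "NG", "success"),
    ("bob",   "2025-03-01T09:15:00", "NG", "success"),
    ("bob",   "2025-03-02T09:10:00", "NG", "success"),
    # bob: failure burst from a new country, then a success with the valid password
    ("bob",   "2025-03-03T02:11:00", "RO", "failure"),
    ("bob",   "2025-03-03T02:11:20", "RO", "failure"),
    ("bob",   "2025-03-03T02:11:40", "RO", "failure"),
    ("bob",   "2025-03-03T02:12:05", "RO", "success"),
    # alice: valid login in NG, then another from DE forty minutes later
    ("alice", "2025-03-03T10:00:00", "NG", "success"),
    ("alice", "2025-03-03T10:40:00", "DE", "success"),
]

FAILURE_BURST = 3                      # failures from one source before a success is suspicious
FAILURE_WINDOW = timedelta(minutes=5)  # failures older than this are forgotten
TRAVEL_WINDOW = timedelta(minutes=60)  # assumed proxy: two countries inside this window is flagged


def parse(rows):
    """Convert raw tuples into (user, datetime, country, result)."""
    return [(u, datetime.fromisoformat(t), c, r) for u, t, c, r in rows]


def hunt_signins(rows):
    """Return (user, timestamp, country, rule) findings for successful logins that look abnormal."""
    events = sorted(parse(rows), key=lambda e: e[1])
    known_countries = defaultdict(set)   # baseline: countries each user has succeeded from before
    last_success = {}                    # user -> (timestamp, country) of most recent success
    recent_failures = defaultdict(deque) # (user, country) -> timestamps of recent failures
    findings = []

    for user, ts, country, result in events:
        key = (user, country)
        if result == "failure":
            recent_failures[key].append(ts)
            continue

        # Drop failures that fall outside the burst window
        q = recent_failures[key]
        while q and ts - q[0] > FAILURE_WINDOW:
            q.popleft()

        rules = []
        # Only flag a new country once the user actually has a baseline
        if known_countries[user] and country not in known_countries[user]:
            rules.append("new_country")
        if len(q) >= FAILURE_BURST:
            rules.append("failure_burst_then_success")
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] <= TRAVEL_WINDOW:
            rules.append("impossible_travel")

        for rule in rules:
            findings.append((user, ts.isoformat(), country, rule))

        # Update the baseline after evaluating the event, so the first success is never flagged
        known_countries[user].add(country)
        last_success[user] = (ts, country)
        q.clear()
    return findings


if __name__ == "__main__":
    for finding in hunt_signins(SIGNIN_LOG):
        print(finding)
```

None of the flagged events is a failed login or a blocked request; every one of them is a successful, valid authentication, which is exactly why signature-based controls stay quiet. A real hunt would feed the same kind of logic with identity-provider sign-in logs and enrich each hit with what the account did next.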
According to the report, this approach has delivered measurable results. esentry says it now contains low-complexity incidents in under 90 seconds, significantly reducing attacker dwell time in environments where minutes matter.
Commenting on the findings, Gbolabo Awelewa, Chief Business Officer at esentry, said the real challenge facing African enterprises is no longer just technology.
“The most dangerous attacks we see today don’t break systems—they exploit trust. Attackers are using valid access and moving quietly, which means organisations have to rethink how they detect and respond. Speed, coordination, and context are now more important than adding more tools,” Awelewa said.
A trust problem, not just a security problem
The takeaway from esentry’s 2025 report is blunt. Enterprise breaches are no longer primarily about perimeter failure. They are about identity, access, and behaviour. Protecting infrastructure is no longer enough. Protecting trust has become the real battlefield.
As African organisations continue to digitise and move deeper into cloud-first operations, the report argues that coordinated, intelligence-led defence models—rather than fragmented security tooling—will determine who stays ahead of the next wave of attacks.
Download the full esentry 2025 Annual Threat Report.