Threat actors are recruiting the people who hold cloud logins

Companies keep most of their data and applications in cloud platforms that anyone can reach with the right login. That setup turns each employee holding those credentials into a security variable, and members of the cybercrime underground have built methods to reach those people. Intel 471 tracked this activity into 2026 and sorted insider risk into three categories that cloud-reliant organizations contend with.


Three kinds of insiders

The work divides insiders into negligent, manipulated, and malicious types. Negligent insiders mean no harm yet open weak spots through password reuse, skipped multifactor authentication, or unapproved software. Manipulated insiders get tricked by social engineering into giving away credentials or installing malware. Malicious insiders willingly use their access to steal data or grant entry for payment or revenge.

Negligent insiders likely create the most risk to cloud services, with manipulated insiders second. The volume of incidents tied to negligence often goes unaddressed because many organizations picture the insider threat only as a disgruntled worker selling access.

Cloud environments raise the stakes for each category. Access piles up over an employee’s tenure and rarely gets reviewed, a problem the report calls permissions creep. Employees connect third-party applications to work accounts, granting those apps some reach into company data with little oversight. Remote and hybrid work add personal devices and reduced monitoring to the mix, and activity spread across many platforms makes a single view of company data hard to assemble.

Credentials feed an open market

Threat actors exploit negligent insiders by harvesting credentials for resale. Information-stealer malware collects saved passwords, session cookies, and cloud service credentials, then packages them into logs sold to other actors. Those logs supply initial access brokers, who sell structured entry into corporate cloud environments. The most popular stealers in May 2026, in descending order, were Vidar, Stealc_v2, and ACR, also known as Acreed.

Demand centers on credentials and cookies for services such as GoDaddy, Google Workspace, Microsoft 365, Office 365, Outlook on the web, and Slack.

Social engineering kits built for cloud logins

Manipulated insiders meet deception built to defeat the controls they rely on. Adversary-in-the-middle toolkits sit between a victim and a real login page, capturing credentials and session tokens in real time as the victim completes the multifactor prompt. These kits are sold, maintained, and updated in underground markets, lowering the barrier to entry.

Other methods include help desk impersonation, voice phishing for SaaS access, MFA fatigue through repeated prompts, OAuth consent phishing, fake single sign-on portals, cookie theft, developer platform lures, and vendor impersonation. In September 2025, an actor advertised an “Advanced Phishing Kit Targeting Okta & Google Workspace” that collected usernames, passwords, and session tokens. In October 2025, an actor identified as Gold sold phishing projects using a custom reverse-proxy technique against Gmail and Okta users, with stolen cookies, credentials, and two-factor codes routed to a Telegram bot.

Recruiting employees for direct access

Malicious insider recruitment continues across underground forums. Actors seek employees in roles with privileged access, offering payment for entry to systems, malware planting, or data theft. Much of this activity moves to private channels, so observed cases likely understate the real volume.

In 2025, Intel 471 counted 41 insider-related posts: 19 sought an insider, 14 claimed to have one, three claimed insider access, three claimed insider data, and two claimed to be insiders. In October 2025, one actor claimed a recruitment had succeeded and said it had gained an insider with purported visibility into a U.S.-based organization.

Several cases targeted cloud platforms. On Sept. 28, 2025, an actor using the handle betway claimed to have bribed an employee at an Indian company for access to a Salesforce account holding more than 2.3 million customer records. On Oct. 31, 2025, an actor called Finduser advertised insider access to a system tied to roughly 100,000 restaurant computers and point-of-sale machines, along with internal network, email, and Slack access. On April 4, 2026, an actor named samsepi0l ran an auction for master admin, Slack, and Okta access backed by an insider available around the clock for login verification and alert monitoring. Other posts sought Meta insiders for account unbans and user data lookups.

Reducing the exposure

Adoption of SaaS, PaaS, and IaaS will keep growing, expanding the attack surface available to actors who target the human layer. Intel 471 recommends regular permissions reviews under least privilege, a central inventory of third-party app connections, immediate access removal at offboarding, and tooling that monitors SaaS usage and flags deviations from baseline behavior.

Enforcing MFA across platforms, with a path toward phishing-resistant options, and training employees to recognize social engineering round out the steps. The negligent and manipulated insiders, who account for most incidents, respond to investment in identity controls, visibility, and awareness.
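As an added example that is not from the Intel 471 report or this article, the short Python audit below runs over a constructed SaaS access inventory and flags the conditions the recommendations above describe: privileges unused past a review window (permissions creep), access still active after offboarding, third-party app grants with broad reach, and missing MFA. The record layout, scope names and the 90-day threshold are assumptions.

```python
"""Audit a constructed SaaS access inventory for the insider-risk signals the
recommendations call out. Example code written for this article; the record
layout, scope names and thresholds are assumptions, not the report's own."""
from datetime import date

STALE_DAYS = 90                      # assumed review window for unused privileges
BROAD_SCOPES = {"admin", "write"}    # assumed scope classes treated as high-reach
AS_OF = date(2026, 5, 5)             # constructed audit date

# Constructed sample inventory, not data from the report.
INVENTORY = [
    {"user": "alice", "offboarded": False, "mfa": True,
     "roles": {"sf_admin": date(2026, 1, 10), "slack_member": date(2026, 5, 2)},
     "apps": [{"name": "calendar-sync", "scopes": {"read"}}]},
    {"user": "bob", "offboarded": True, "mfa": True,
     "roles": {"okta_super_admin": date(2026, 4, 20)}, "apps": []},
    {"user": "carol", "offboarded": False, "mfa": False,
     "roles": {"m365_user": date(2026, 5, 3)},
     "apps": [{"name": "ai-notetaker", "scopes": {"read", "write"}}]},
]

def audit_access(inventory, today):
    """Return (user, finding) pairs; each finding maps to one recommendation."""
    findings = []
    for rec in inventory:
        user = rec["user"]
        if rec["offboarded"] and rec["roles"]:
            # Immediate removal at offboarding: any role still held is a finding.
            findings.append((user, "offboarded_but_active"))
        else:
            for role, last_used in rec["roles"].items():
                # Permissions creep: privilege retained but unused past the window.
                if (today - last_used).days > STALE_DAYS:
                    findings.append((user, f"stale_role:{role}"))
        for app in rec["apps"]:
            # Central app inventory: flag grants that reach into company data.
            if app["scopes"] & BROAD_SCOPES:
                findings.append((user, f"broad_app_grant:{app['name']}"))
        if not rec["mfa"]:
            # Negligent-insider signal: MFA not enrolled on this account.
            findings.append((user, "mfa_not_enrolled"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_access(INVENTORY, AS_OF):
        print(f"{user}: {finding}")
```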
