Threat actors recruit employees with cloud access

Summary
– Insider risk is categorized into three types: negligent (unintentional security gaps), manipulated (tricked by social engineering), and malicious (intentional data theft or access sale).
– Negligent insiders pose the greatest risk to cloud services, often overlooked because organizations focus on malicious threats like disgruntled employees.
– Threat actors exploit credentials through information-stealer malware, selling logs to initial access brokers for entry into corporate cloud environments.
– Social engineering kits, like adversary-in-the-middle toolkits, target manipulated insiders by capturing credentials and session tokens during multifactor authentication.
– Malicious insider recruitment persists on underground forums, with 41 related posts in 2025 seeking or claiming access to cloud platforms like Salesforce, Slack, and Okta.
Companies store the bulk of their data and applications in cloud environments that are accessible to anyone holding valid credentials. This turns every employee with a cloud login into a potential security risk, and cybercriminals have developed sophisticated methods to reach them. Intel 471 tracked these activities into 2026, categorizing insider threats into three distinct types that cloud-dependent organizations must confront.
Three categories of insider risk
Intel 471 divides insider threats into negligent, manipulated, and malicious actors. Negligent insiders do not intend harm but create vulnerabilities through password reuse, skipping multifactor authentication, or installing unapproved software. Manipulated insiders fall victim to social engineering, tricked into surrendering credentials or downloading malware. Malicious insiders deliberately exploit their access to steal data or grant entry for financial gain or revenge.
Negligent insiders likely pose the greatest risk to cloud services, followed by manipulated ones. The sheer volume of incidents tied to carelessness often goes unaddressed because many organizations still picture the insider threat only as a disgruntled employee selling access.
Cloud environments amplify each risk category. Access rights accumulate over an employee’s tenure and are rarely reviewed, a problem the report calls permissions creep. Employees connect third-party applications to work accounts, granting those apps some reach into company data with minimal oversight. Remote and hybrid work add personal devices and reduced monitoring to the equation, and activity spread across multiple platforms makes a unified view of company data difficult to maintain.
Credentials fuel an open market
Threat actors exploit negligent insiders by harvesting credentials for resale. Information-stealer malware collects saved passwords, session cookies, and cloud service credentials, packaging them into logs sold to other criminals. These logs supply initial access brokers, who sell structured entry into corporate cloud environments. The most popular stealers in May 2026, in descending order, were Vidar, Stealc_v2, and ACR, also known as Acreed.
Demand centers on credentials and cookies for services such as GoDaddy, Google Workspace, Microsoft 365, Office 365, Outlook on the web, and Slack.
Social engineering kits built for cloud logins
Manipulated insiders encounter deception designed to defeat the controls they rely on. Adversary-in-the-middle toolkits sit between a victim and a real login page, relaying traffic both ways and capturing credentials and session tokens in real time as the victim completes the multifactor prompt. Because the identity provider issues the session token to the proxy, one-time codes and push approvals offer no protection; origin-bound, phishing-resistant methods such as FIDO2/WebAuthn do, since the authenticator will not complete a ceremony for the proxy's domain. These kits are sold, maintained, and updated in underground markets, lowering the barrier to entry.
Other methods include help desk impersonation, voice phishing for SaaS access, MFA fatigue through repeated prompts, OAuth consent phishing, fake single sign-on portals, cookie theft, developer platform lures, and vendor impersonation. In September 2025, an actor advertised an “Advanced Phishing Kit Targeting Okta & Google Workspace” that collected usernames, passwords, and session tokens. In October 2025, an actor identified as Gold sold phishing projects using a custom reverse-proxy technique against Gmail and Okta users, with stolen cookies, credentials, and two-factor codes routed to a Telegram bot.
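Two of the techniques above leave recognizable traces in identity-provider sign-in logs: MFA fatigue shows up as a run of rejected or unanswered push prompts followed by an approval, and adversary-in-the-middle token theft shows up as a session token used from a different client shortly after it was issued. The following detection logic is an added example written for this page, not code from Intel 471 or from any vendor; the log schema, field names, and sample events are constructed, and a real deployment would map them onto the IdP's actual sign-in events and compare ASN or geolocation rather than raw IP addresses.

```python
"""Detections for MFA fatigue and post-AitM session-token replay over
constructed sign-in events. Field names (ts, user, event, result, ip,
session) are illustrative, not any real IdP's schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, one JSON object per line (not real telemetry).
SAMPLE_LOG = """\
{"ts":"2025-10-03T08:00:05Z","user":"alice","event":"mfa_prompt","result":"denied","ip":"203.0.113.10"}
{"ts":"2025-10-03T08:00:41Z","user":"alice","event":"mfa_prompt","result":"denied","ip":"203.0.113.10"}
{"ts":"2025-10-03T08:01:20Z","user":"alice","event":"mfa_prompt","result":"timeout","ip":"203.0.113.10"}
{"ts":"2025-10-03T08:02:02Z","user":"alice","event":"mfa_prompt","result":"denied","ip":"203.0.113.10"}
{"ts":"2025-10-03T08:02:55Z","user":"alice","event":"mfa_prompt","result":"approved","ip":"203.0.113.10"}
{"ts":"2025-10-03T09:10:00Z","user":"bob","event":"mfa_prompt","result":"approved","ip":"198.51.100.7"}
{"ts":"2025-10-03T09:10:01Z","user":"bob","event":"session_issued","session":"s-7f3a","ip":"198.51.100.7"}
{"ts":"2025-10-03T09:10:30Z","user":"bob","event":"session_use","session":"s-7f3a","ip":"198.51.100.7"}
{"ts":"2025-10-03T09:14:12Z","user":"bob","event":"session_use","session":"s-7f3a","ip":"192.0.2.200"}
{"ts":"2025-10-03T10:00:00Z","user":"carol","event":"mfa_prompt","result":"approved","ip":"198.51.100.9"}
{"ts":"2025-10-03T10:00:01Z","user":"carol","event":"session_issued","session":"s-c001","ip":"198.51.100.9"}
{"ts":"2025-10-03T10:05:00Z","user":"carol","event":"session_use","session":"s-c001","ip":"198.51.100.9"}
"""


def parse_events(text):
    """Parse JSON-lines events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Flag an approval preceded by >= threshold denied/timed-out prompts
    within the window: an attacker hammering prompts until the victim gives in."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_prompt":
            by_user[e["user"]].append(e)
    hits = []
    for user, prompts in by_user.items():
        for i, p in enumerate(prompts):
            if p["result"] != "approved":
                continue
            rejected = [q for q in prompts[:i]
                        if q["result"] != "approved" and p["ts"] - q["ts"] <= window]
            if len(rejected) >= threshold:
                hits.append({"user": user, "approved_at": p["ts"].isoformat(),
                             "rejected_before_approval": len(rejected)})
    return hits


def detect_session_replay(events, window=timedelta(minutes=30)):
    """Flag a session token used from an IP other than the one it was issued to,
    soon after issuance. With an AitM proxy the victim's MFA completes, the IdP
    hands the token to the proxy, and the attacker replays it from elsewhere.
    Production logic should compare ASN/geo, since NAT and mobile networks
    legitimately change client IPs."""
    issued = {}
    hits = []
    for e in events:
        if e["event"] == "session_issued":
            issued[e["session"]] = e
        elif e["event"] == "session_use":
            origin = issued.get(e["session"])
            if origin and e["ip"] != origin["ip"] and e["ts"] - origin["ts"] <= window:
                age = e["ts"] - origin["ts"]
                hits.append({"user": e["user"], "session": e["session"],
                             "issued_to": origin["ip"], "used_from": e["ip"],
                             "minutes_after_issue": int(age.total_seconds() // 60)})
    return hits


def run(text=SAMPLE_LOG):
    """Run both detections over a log and return the findings."""
    events = parse_events(text)
    return {"mfa_fatigue": detect_mfa_fatigue(events),
            "session_replay": detect_session_replay(events)}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

On the constructed sample, `alice` is flagged for four rejected prompts before an approval, and `bob`'s token `s-7f3a` is flagged for use from a second address four minutes after issuance; `carol`, who authenticates and keeps using the token from the same client, produces no finding. The thresholds are starting points to tune against an organization's own baseline.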
Recruiting employees for direct access
Malicious insider recruitment continues across underground forums. Actors seek employees in roles with privileged access, offering payment for entry to systems, malware planting, or data theft. Much of this activity moves to private channels, so observed cases likely understate the real volume.
In 2025, Intel 471 counted 41 insider-related posts: 19 sought an insider, 14 claimed to have one, three claimed insider access, three claimed insider data, and two claimed to be insiders. One October 2025 actor claimed the recruitment succeeded and said it gained an insider with purported visibility into a U.S.-based organization.
Several cases targeted cloud platforms. On Sept. 28, 2025, an actor using the handle betway claimed to have bribed an employee at an Indian company for access to a Salesforce account holding more than 2.3 million customer records. On Oct. 31, 2025, an actor called Finduser advertised insider access to a system tied to roughly 100,000 restaurant computers and point-of-sale machines, along with internal network, email, and Slack access. On April 4, 2026, an actor named samsepi0l ran an auction for master admin, Slack, and Okta access backed by an insider available around the clock for login verification and alert monitoring. Other posts sought Meta insiders for account unbans and user data lookups.
Reducing the exposure
Adoption of SaaS, PaaS, and IaaS will keep growing, expanding the attack surface available to actors who target the human layer. Intel 471 recommends regular permissions reviews under least privilege, a central inventory of third-party app connections, immediate access removal at offboarding, and tooling that monitors SaaS usage and flags deviations from baseline behavior.
Enforcing MFA across platforms, with a path toward phishing-resistant options, and training employees to recognize social engineering round out the steps. The negligent and manipulated insiders, who account for most incidents, respond to investment in identity controls, visibility, and awareness.
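The permissions creep and unreviewed third-party app connections described earlier, and the review steps recommended here (least-privilege permissions reviews, a central inventory of app connections, immediate removal at offboarding), can be turned into a repeatable check. The script below is an added example written for this page, not Intel 471's or any vendor's tooling; the grant inventory, HR offboarding feed, OAuth scope names, and the 90-day staleness threshold are all constructed assumptions, and the inputs would come from the SaaS platforms' admin APIs in practice.

```python
"""Access review over constructed SaaS grant and OAuth app-connection data.
Field names, role names, and scope strings are illustrative, not any vendor's
real schema."""
from datetime import date, timedelta

REVIEW_DATE = date(2026, 5, 1)          # constructed "today" for the review
STALE_AFTER = timedelta(days=90)        # unused this long => permissions creep
ADMIN_KEYWORDS = ("administrator", "owner")
HIGH_RISK_SCOPES = {"mail.readwrite", "files.read.all", "directory.readwrite"}

# Constructed grant inventory: who holds which role, when granted, last use.
GRANTS = [
    {"user": "alice", "app": "Salesforce", "role": "System Administrator",
     "granted": date(2024, 2, 1), "last_used": date(2024, 3, 15)},
    {"user": "alice", "app": "Salesforce", "role": "Sales User",
     "granted": date(2024, 2, 1), "last_used": date(2026, 4, 29)},
    {"user": "bob", "app": "Okta", "role": "Super Administrator",
     "granted": date(2025, 9, 10), "last_used": date(2026, 4, 30)},
    {"user": "dave", "app": "Slack", "role": "Workspace Owner",
     "granted": date(2023, 6, 1), "last_used": date(2026, 1, 20)},
]
# Constructed HR feed: users whose access should already be gone.
OFFBOARDED = {"dave": date(2026, 2, 14)}

# Constructed third-party app connections (OAuth consents) and their scopes.
APP_CONNECTIONS = [
    {"app": "CalendarSync", "user": "alice", "publisher_verified": True,
     "scopes": ["calendar.read"]},
    {"app": "MailHelper Pro", "user": "bob", "publisher_verified": False,
     "scopes": ["mail.readwrite", "files.read.all", "offline_access"]},
    {"app": "Notes2Drive", "user": "carol", "publisher_verified": True,
     "scopes": ["files.read.all", "offline_access"]},
]


def review_grants(grants, offboarded, today=REVIEW_DATE, stale_after=STALE_AFTER):
    """Flag grants still active after offboarding and grants unused past the
    staleness threshold; unused admin roles are the highest-value targets."""
    findings = []
    for g in grants:
        if g["user"] in offboarded:
            findings.append({"user": g["user"], "app": g["app"], "role": g["role"],
                             "issue": "active_after_offboarding",
                             "detail": f"left {offboarded[g['user']].isoformat()}"})
            continue
        idle = today - g["last_used"]
        if idle > stale_after:
            is_admin = any(k in g["role"].lower() for k in ADMIN_KEYWORDS)
            findings.append({"user": g["user"], "app": g["app"], "role": g["role"],
                             "issue": "stale_grant",
                             "severity": "high" if is_admin else "medium",
                             "detail": f"unused for {idle.days} days"})
    return findings


def review_app_connections(connections, high_risk=HIGH_RISK_SCOPES):
    """Flag app connections with high-risk scopes or an unverified publisher.
    offline_access is called out because a refresh token keeps the app's
    access alive after the user's password is reset."""
    findings = []
    for c in connections:
        risky = sorted(set(c["scopes"]) & high_risk)
        if not risky and c["publisher_verified"]:
            continue
        reasons = []
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if not c["publisher_verified"]:
            reasons.append("unverified publisher")
        if "offline_access" in c["scopes"]:
            reasons.append("refresh token: access survives password reset")
        findings.append({"app": c["app"], "user": c["user"], "reasons": reasons})
    return findings


def run():
    """Produce the full review report for the constructed inventories."""
    return {"grants": review_grants(GRANTS, OFFBOARDED),
            "app_connections": review_app_connections(APP_CONNECTIONS)}


if __name__ == "__main__":
    for section, items in run().items():
        print(section)
        for item in items:
            print("  ", item)
```

On the constructed data the review flags `alice`'s unused Salesforce administrator role (while leaving her actively used Sales User role alone), `dave`'s Slack ownership that survived his offboarding, and two app connections whose scopes or publisher warrant a look. Running the same check on a schedule, and treating every finding as a ticket with an owner, is what turns the report's recommendations into an operating control.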
(Source: Help Net Security)