Compromised credentials remain one of the most common entry points for attackers. In the first half of 2025 alone, identity-based attacks surged more than 32% and its estimated that 97% of them are password focused. While that scale is overwhelming, it only takes a single exposed account to give an attacker a foothold from which they can move laterally towards the critical assets they are after. At today’s attack scale, identity signals need to be connected with broader context to stop attacks earlier in the kill chain.
Today we are excited to share more about how Microsoft Defender can help security professionals proactively understand how identity-related risks, like leaked credentials, relate back to critical assets, helping security professionals proactively close potential entry points before they can be exploited.
Understanding leaked credentials and attack paths:
Leaked credentials refer to valid usernames and passwords that have been exposed beyond their intended scope. Whether this exposure occurs as part of a data breach, phishing attack, or postings on dark web forums, the result is the same: an attacker may be using legitimate credentials to access your organization.
Similarly, attack paths describe the sequence of misconfigurations, permissions, and trust relationships that an attacker can chain together to move from an initial foothold to high‑value resources. Rather than relying on a single vulnerability, attackers tend to think in graphs, following paths of least resistance to systematically escalate privileges and expand access. This makes identities the primary control plane they target and leaked credentials as an extremely common entry point. The recent Microsoft digital defense report put this into focus, stating that more than 61% of attack paths lead to a sensitive user. These user accounts have elevated privileges or access to critical resources meaning that if they were to be attacked or misused it would significantly impact the organization.
Microsoft’s differentiated approach
Most solutions stop at the alert and can only tell you that a password was exposed, found, or leaked. That information matters, but it is incomplete, it describes an event, not the risk.
The real differentiation starts with the next question: what does this exposure mean for my environment right now. Not every exposed password creates the same level of risk. Context is what determines impact. Which identity does the password belong to? What assets can that identity access? Does that access still exists? And are those assets truly sensitive?
That is why exposed password detection is a starting point, not an end state. Effective protection begins when organizations move beyond technical alerts and toward an identity-aware understanding. This shift from detection to context is where better decisions are made and where meaningful security value is created. This is why we took our identity alerts a step further, connecting these risks with broader security context to reveal how an initial identity signal can lead to sensitive users, critical assets, and core business operations.
This perspective moves security beyond isolated alerts to prioritized, actionable insight that shows not just if risk exists, but how identity‑based threats could unfold and where to intervene to stop them before they have impact.
In the case of leaked credentials, Microsoft continuously scans for exposed accounts across public and private breach sources. If a match is found, Microsoft’s Advanced Correlation Engine (MACE) automatically identifies the affected user within your organization and surfaces the exposure with clear severity and context. By bringing this powerful detection into Defender, teams can investigate and respond with better context, allowing leaked credentials to be evaluated alongside endpoint, email, and app activity, giving teams additional context needed to prioritize response. Additionally, for Microsoft Entra ID accounts we can go a step further validating whether the discovered credentials actually corresponds to a real, usable password for an identity in the tenant. This confirmation further reduces unnecessary noise and gives defenders an early signal - often before any malicious activity begins.
Next, Microsoft Defender steps in to correlate these signals with your organization’s unique security context. Connecting the alert and associated account with other signals and like unusual authentications, lateral movement attempts, or privilege escalations, elevating the isolated alert into a complete story about any potential incidents related to that vulnerability.
At the same time, Microsoft Exposure management is analyzing the same data to create a potential attack path related to the exposed credentials. By tracing permissions, consents, and access relationships, Attack Paths show exactly which routes an attacker could take and what controls will break that path.
When these capabilities work together, visibility becomes action. MACE identifies who is exposed, Defender connects other signals into an incident level view and Attack Paths reveal where the attacker could go next. The result is a single, connected workflow that transforms early exposure data into prioritized, measurable risk reduction.
Conclusion
Leaked credentials should be treated as the beginning of a story, not an isolated event. Microsoft Defender is uniquely able to enrich security teams visibility and understanding of Identity-related threats from initial exposure to detection, risk prioritization, and remediation. This connected visibility fundamentally changes how defenders manage identity risk, shifting the focus from reacting to individual alerts to continuously reducing exposure and limiting blast radius. One leaked password doesn’t have to become a breach. With Microsoft’s identity security capabilities, it becomes a closed path, and a measurable step toward greater resilience.
Learn more about attack paths and the new leaked credentials capabilities in Defender.
Microsoft