June, 2026
Threat actors are shifting their focus from forcing entry to simply logging in. By leveraging stolen credentials, attackers can easily bypass traditional perimeter defenses. However, to execute their attacks without exposing their actual command-and-control infrastructure or physical location, they must hide behind anonymized infrastructure like unauthorized VPNs, proxy servers, or the TOR network.
Once inside, these threat actors use the compromised identity as a launchpad to move laterally across your network, map internal drives, and escalate privileges to access high-clearance cloud environments. Spotting these stealthy entry points requires looking beyond the credentials themselves to analyze the infrastructure used to connect.
To help your security team instantly detect and unmask these hidden threats, we are thrilled to announce that Anonymized Login Incidents are now live in the Lumu Portal, powered by our out-of-the-box Microsoft Entra ID integration.
Unmask Identity Compromise and Account Takeover
- Automated Account Flagging: See EntraID accounts that authenticate via anonymizing services like IP concealers, VPNs, or high-risk TOR networks.
- Contextual Behavioral Benchmarking: Evaluate suspicious logins against historical user data to isolate unusual activity, such as access from unmanaged devices, unusual browsers, or unauthorized application requests.
- Root-Cause Analysis: Find out exactly how a breach happened. Review critical account modifications and pinpoint the ultimate source of the compromise, like underlying malware.



