Product · 4 MIN READ · SARAH CRONE · JUL 29, 2025 · TAGS: Announcement
TL;DR
- We’ve updated our threat alerts to be clearer, so you can instantly tell if a hacker has simply stolen credentials or is actively using them.
- You’ll now see three distinct alerts for credential theft, account compromise, and business email compromise.
- This change helps you prioritize faster, respond smarter, and easily explain the risks to leadership without confusing technical jargon.
Ever had that sinking feeling when you reach for your car keys, and they’re just…not there? You check your pockets, your bag, the countertop. Panic starts to settle in. Where’d they go? Who might have them? And what could happen if they’re in the wrong hands?
For security leaders, that “missing keys” feeling is a daily reality, but instead of car keys, it’s about user credentials. Your team is sifting through alerts, trying to figure out if someone just misplaced their digital “keys” (maybe they clicked a bad link), or if someone malicious has snatched them and is now trying to unlock your most important doors. The challenge isn’t just knowing a key is missing; it’s understanding how it went missing, who has it, and what they’re doing with it right now.
We hear it all the time: “Did someone actually log in with those stolen credentials?” The answer to this question dictates everything—how fast you need to act, who needs to be involved, and how much sleep you’re going to lose.
That’s why we’ve been hard at work, making some pretty significant updates to how we classify identity-related threats in Expel Workbench™. Our goal? To give you and your team a much clearer picture of what’s actually happening when those digital keys are compromised, so you can make smarter, faster decisions.
Cutting through the noise: A sharper view of identity attacks
Our SOC analysts are constantly battling identity-driven attacks—phishing, credential harvesting, and outright account takeovers. They’re seeing the full spectrum, from a bad actor just grabbing a password to actively using that password to cause real damage. We realized we needed to get more precise in how we describe these events to make it easier for our customers to understand the urgency and the potential impact.
So, here’s what you’ll start seeing in Workbench.
Credential theft (what we used to call credential compromise)
The scenario: This is like someone tried to pick your digital pocket and succeeded. They got a hold of some credentials—maybe through a tricky phishing email, maybe from a data breach they bought—but we haven’t seen them use those credentials to log in anywhere (yet).
The risk: Even if there’s no immediate login, these stolen keys are still dangerous. An attacker could be holding onto them, waiting for the perfect moment, or selling them off.
What to do: It’s simple: reset those credentials. It’s the fastest way to make those stolen keys useless.
Account compromise (this is a new one)
The scenario: This is when that sinking feeling gets real. Not only were the credentials stolen, but we’ve now confirmed a successful login using them. Someone is inside the account. We may not know how they got in, but we know they’re up to no good. We haven’t yet confirmed if they’re moving laterally or causing widespread chaos.
The risk: This is an active situation. The attacker has a foothold. They could be poking around, trying to understand your systems, or setting up backdoors.
What to do: You need to act fast. Reset the credentials and disable the account immediately. In fact, Expel has auto remediations you can enable that do just this on your behalf. This is about containing the threat while your team, with our help, digs deeper to understand the full extent of the compromise.
Business email compromise (BEC)
The scenario: This is the nightmare scenario for an identity threat. It’s a full-blown account takeover, and the attacker isn’t just in; they’re actively using the account for malicious purposes. Think: sending fraudulent invoices, impersonating executives, or manipulating inboxes.
The risk: The attacker is actively causing damage, often with direct financial or reputational consequences.
What to do: This requires immediate, decisive action. Reset the credentials and disable the account right away. By enabling us to auto remediate this process on your behalf, you can decrease the time to contain to seconds, rather than minutes or hours. Every second you delay increases the potential impact.
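The three classifications above form an escalating ladder: theft with no login, a confirmed login, then active use of the mailbox. The triage logic below is an added illustration of that ladder and is not Expel’s code; the event type names and the sample event stream are constructed for the example, and the actions are the “what to do” guidance from each section.

```python
# Constructed identity events for one user, in chronological order.
# These are illustrative event types, not real Workbench telemetry.
SAMPLE_EVENTS = [
    ("credential_harvest", "user submitted password to a phishing page"),
    ("anomalous_signin", "successful sign-in from a new device and ASN"),
    ("inbox_rule_created", "rule moves mail matching 'invoice' out of view"),
]

# Stage order matters: a later stage always supersedes an earlier one,
# so one user's event stream resolves to its most advanced stage.
STAGES = ["credential_theft", "account_compromise", "business_email_compromise"]

# Recommended containment per stage (from the post's "what to do" guidance).
ACTIONS = {
    "credential_theft": ["reset_credentials"],
    "account_compromise": ["reset_credentials", "disable_account"],
    "business_email_compromise": ["reset_credentials", "disable_account"],
}

# Evidence that the attacker is using the mailbox itself (assumed event types).
MAILBOX_ABUSE = {"inbox_rule_created", "mail_forwarding_set", "fraudulent_invoice_sent"}


def stage_for(event_type):
    """Map one event type to a classification stage, or None if unrelated."""
    if event_type == "credential_harvest":
        return "credential_theft"          # stolen, but no login seen yet
    if event_type == "anomalous_signin":
        return "account_compromise"        # someone is inside the account
    if event_type in MAILBOX_ABUSE:
        return "business_email_compromise"  # account actively misused
    return None


def classify(events):
    """Return (stage, actions) for a list of (event_type, detail) tuples.

    A single anomalous sign-in is enough for account compromise even with no
    harvest event, matching the post's "we may not know how they got in".
    Returns (None, []) when nothing identity-related was observed.
    """
    highest = None
    for event_type, _detail in events:
        candidate = stage_for(event_type)
        if candidate is None:
            continue
        if highest is None or STAGES.index(candidate) > STAGES.index(highest):
            highest = candidate
    return highest, list(ACTIONS.get(highest, []))
```

Running `classify(SAMPLE_EVENTS)` walks the stream from theft to login to inbox-rule abuse and lands on business email compromise with both containment actions.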
Why this matters for your day-to-day
We get it. You’re juggling a million things. The last thing you need is more ambiguity in your security alerts. These updated classifications are designed to give you:
- Clearer priorities: No more guessing if an alert is a “watch and wait” or a “drop everything.” You’ll know the exact stage of the identity attack and specifically which attack methods the attacker is using, so you can optimize your security controls and policies. This will help you justify targeted security investments and prioritize where to focus.
- Faster and smarter response: With precise language, you can quickly understand the exact threat, prioritize critical risks instantly, and decide on the most effective response, saving precious time in a critical moment.
- Clearer reporting and compliance: When you need to explain an incident to leadership or other departments, these distinct classifications help you communicate the risk and the necessary actions without technical jargon or fuzzy definitions. You’ll have access to meaningful metrics beyond basic incident counts and reports that help you demonstrate due diligence for audits and compliance (e.g., GDPR, HIPAA).
This whole process is a great example of how our SOC rotation works. Our analysts are constantly learning from the latest attacks they see, and that knowledge directly feeds back into how we classify and respond to threats. It’s about continually improving our game so we can help you improve yours.
At the end of the day, protecting your organization means protecting every digital identity. We’re constantly working to give you the clearest possible view of what’s happening with those “keys” so you can secure your environment and, hopefully, get a bit more sleep.
Want to learn more? Schedule a demo!