There is a number that every Active Directory administrator should tape to their monitor: 90. That is the percentage of incident response investigations in 2026 where identity weaknesses played a material role, according to Palo Alto Networks' Unit 42 Global Incident Response Report published in February 2026. Not network exploits. Not zero-days. Not ransomware payloads. Identity. Stolen credentials, abused service accounts, and hijacked sessions are now the dominant attack vector in enterprise breaches — and a wave of intrusions documented by SentinelOne in March 2026 demonstrates exactly how surgical and silent this problem has become.
The attackers did not need to write malware. They did not need to bypass your EDR. They decrypted service account passwords that were sitting inside a FortiGate firewall configuration file, authenticated to Active Directory with a legitimate account that had been quietly waiting there for years, and enrolled two rogue workstations into the corporate domain. By the time defenders noticed, the attackers were already moving laterally under the cover of a trusted identity.
This is the service account blind spot. And it is almost certainly present in your environment right now.
How the FortiGate Intrusions Actually Worked
In February and March 2026, SentinelOne documented a series of intrusions targeting FortiGate Next-Generation Firewalls that followed a disturbingly consistent playbook. The attackers exploited a trio of critical authentication bypass vulnerabilities — CVE-2025-59718, CVE-2025-59719 (both CVSS 9.8), and the January 2026 zero-day CVE-2026-24858 — to gain unauthenticated administrative access to FortiGate devices.
Once inside, the attackers issued a single command: show full-configuration. This dumped the complete device configuration, including embedded service account credentials, specifically the LDAP bind accounts the firewall uses to authenticate to Active Directory for VPN and authentication services. The critical flaw is that FortiOS stores these credentials with reversible encryption rather than a one-way hash: the device has to recover the plaintext in order to bind to the directory, so anyone who holds the configuration dump and understands the scheme can recover it too. The attackers decrypted the service account password and had a fully valid Active Directory credential in hand, with no brute force required and no malware deployed.
The subsequent steps were methodical. Using the decrypted fortidcagent service account credentials, the attackers authenticated to the victim's Active Directory environment. They then abused ms-DS-MachineAccountQuota, an attribute on the domain object that by default lets any authenticated domain user join up to 10 computers to the domain, to enroll two rogue workstations. Nothing about this step is an exploit: it is documented default behaviour, and all it requires is a valid domain credential and network reach to a domain controller, both of which the firewall supplied. These rogue machines gave the attackers a persistent foothold that survived firewall remediation, sitting quietly inside the network as legitimate-looking AD objects.
In the cases documented by SentinelOne, password spraying originating from the compromised FortiGate device, combined with artifacts linked to SoftPerfect Network Scanner, eventually triggered alerts and halted progression to ransomware deployment. The attackers were stopped during the lateral movement phase — but they had already achieved deep AD compromise and established persistent access.
Why Traditional Security Controls Fail Here
The FortiGate campaign illustrates a structural flaw in how most enterprises think about identity security. Service accounts — the machine-to-machine credentials that databases, firewalls, backup systems, and middleware use to talk to each other — are notoriously under-monitored. They rarely rotate. They often carry over-privileged access accumulated over years of infrastructure changes. And they are almost never enrolled in the same user behavior analytics that monitor human identities.
When an attacker uses a real service account credential to authenticate to Active Directory, the event looks indistinguishable from a routine infrastructure operation. The Darktrace Annual Threat Report 2026 describes this precisely: adversaries are "logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy." Modern compromises increasingly resemble normal user behavior rather than traditional breaches.
Your EDR cannot flag this. It was not designed to, and in this campaign there was nothing for it to see: the authentication traffic came from the firewall appliance itself, where no endpoint agent runs, and the attacker used a real credential to authenticate via Kerberos and enumerate the domain, so no malicious code executed on any monitored host. SIEMs can correlate authentication logs, and the domain-join step does leave a discrete record (a computer-account-created event attributed to the service account), but it lands among the thousands of legitimate authentication events these accounts generate daily, and unless you already know which hosts each service account should authenticate from, there is no rule that separates the two.
The Darktrace report found that identity has become the primary target across all geographies, with 70% of incidents in the Americas beginning with stolen or misused accounts. Unit 42's data shows attacks are now four times faster than in 2023: the median time from initial access to lateral movement has compressed to under two hours. Security teams running reactive, alert-driven processes cannot respond at that speed.
Why Deception Technology Catches What Everything Else Misses
The FortiGate attacker's fatal weakness was not technical. It was behavioral: they had to use the credential. The moment a threat actor takes a stolen service account and authenticates with it — to the domain, to a file share, to an internal application — they reveal themselves. The question is whether there is a control in place to observe that moment.
This is precisely the use case that Credential Mines and AD Mines were designed for. Unlike monitoring tools that watch real accounts and try to distinguish legitimate from malicious behavior, deception technology plants fake accounts that have no legitimate use whatsoever. Any access is an attack.
Credential Mines are fake service account credentials — LDAP bind accounts, API service accounts, database connection strings, backup agent credentials — that are seeded across your environment. They appear in configuration files, credential stores, and documentation exactly where a real service account credential would appear. When an attacker extracts a FortiGate configuration file and attempts to use one of these decoy credentials, the Mine fires an immediate, zero-false-positive alert.
AD Mines extend this concept directly into Active Directory. Fake user accounts, computer objects, and service principals are created with names that match your real naming conventions. They have no legitimate use — no application or user should ever attempt to authenticate with them, enumerate their attributes, or query their group memberships. When the attacker who enrolled rogue workstations begins enumerating AD to understand the domain structure, they inevitably touch AD Mine objects, generating an instant detection event.
MineField — Mine2's network of decoy TCP services — addresses the lateral movement phase directly. Port scanning and service enumeration, which attackers use to map the internal network after gaining an initial foothold, trigger connections to MineField decoys. The FortiGate attackers used SoftPerfect Network Scanner for exactly this purpose. A single connection to a MineField decoy produces an actionable alert before any data has been exfiltrated.
The operational advantage of deception technology in this scenario is that the alert needs no baseline: nothing legitimate has a reason to touch a Mine, so there is no threshold tuning, no baseline modeling, and no analyst triage. The one caveat to plan for is your own tooling: a vulnerability scanner or an AD audit job that you run yourself will enumerate decoys along with everything else, so allowlist those sources at deployment time. With that done, the alert means exactly one thing: a real attacker is in your network using a stolen credential right now.
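The authentication-side checks from the two preceding sections, written out as rules over Windows Security events. This is an added example, not code from the original article and not Mine2's product logic. It assumes you hold an inventory of which hosts each service account legitimately authenticates from, which accounts are delegated to create computer objects, and which account names are decoys; the account names, addresses and event records are constructed, while the event IDs are the real Security log IDs (4624 logon, 4625 failed logon, 4741 computer account created, 4768 Kerberos TGT requested, 4771 Kerberos pre-authentication failed).

```python
"""Detection rules for the service-account abuse chain described above.

Added example: not code from the original article and not Mine2's product
logic. Account names, source addresses and the event records are constructed.
"""
from collections import defaultdict

# Assumption: inventory built from the appliance audit. Each service account
# maps to the only hosts that should ever present its credential.
SERVICE_ACCOUNT_SOURCES = {
    "svc-fortigate-ldap": {"10.0.0.1"},   # the firewall's inside interface
    "svc-backup": {"10.0.5.20"},
}
# Assumption: accounts delegated to create computer objects once
# ms-DS-MachineAccountQuota is 0. Anything else creating one is rogue.
JOIN_AUTHORIZED = {"joinsvc", "administrator"}
# Assumption: decoy accounts with no legitimate use; any touch is a detection.
DECOY_ACCOUNTS = {"svc-vpn-auth", "svc-ldap-bind-2"}
SPRAY_THRESHOLD = 5  # distinct accounts failing from one source address


def evaluate(events):
    """Return [(rule, detail), ...] for a batch of Security events.

    Each event is a dict of the EventData fields a SIEM parses out of the XML:
    EventID, TargetUserName, SubjectUserName, IpAddress.
    """
    findings = []
    failed_targets = defaultdict(set)  # IpAddress -> accounts with a 4625
    for ev in events:
        eid = ev["EventID"]
        target = ev.get("TargetUserName", "").lower()
        ip = ev.get("IpAddress", "-")

        # Rule 1: decoy account touched, whether or not the attempt succeeded.
        if eid in (4624, 4625, 4768, 4771) and target in DECOY_ACCOUNTS:
            findings.append(("decoy_credential_used", f"{target} from {ip} (event {eid})"))

        # Rule 2: real service account presented from a host it never uses.
        if eid == 4624 and target in SERVICE_ACCOUNT_SOURCES:
            if ip not in SERVICE_ACCOUNT_SOURCES[target]:
                findings.append(("service_account_unexpected_source", f"{target} from {ip}"))

        # Rule 3: computer object created by an account not delegated to do so.
        # For 4741 the TargetUserName is the new computer's name.
        if eid == 4741:
            creator = ev.get("SubjectUserName", "").lower()
            if creator not in JOIN_AUTHORIZED:
                findings.append(("rogue_machine_enrollment",
                                 f"{ev['TargetUserName']} created by {creator}"))

        # Rule 4 (collected here, evaluated below): password spraying shows up
        # as many distinct accounts failing from a single source.
        if eid == 4625:
            failed_targets[ip].add(target)

    for ip, targets in failed_targets.items():
        if len(targets) >= SPRAY_THRESHOLD:
            findings.append(("password_spray", f"{ip} failed against {len(targets)} accounts"))
    return findings


# Constructed sample: one legitimate firewall bind, then the attacker's chain.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc-fortigate-ldap", "IpAddress": "10.0.0.1"},
    {"EventID": 4624, "TargetUserName": "svc-fortigate-ldap", "IpAddress": "10.0.9.77"},
    {"EventID": 4741, "SubjectUserName": "svc-fortigate-ldap",
     "TargetUserName": "DESKTOP-A1B2C3$", "IpAddress": "-"},
    {"EventID": 4741, "SubjectUserName": "joinsvc",
     "TargetUserName": "LT-ENG-0412$", "IpAddress": "-"},
    {"EventID": 4768, "TargetUserName": "svc-ldap-bind-2", "IpAddress": "10.0.9.77"},
] + [  # spray from the firewall itself against six unrelated accounts
    {"EventID": 4625, "TargetUserName": f"user{i}", "IpAddress": "10.0.0.1"} for i in range(6)
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
```

Rules 2 and 3 are the SIEM side of the argument: they work, but only because the inventory exists, which is exactly what most environments lack. Rule 1 is the deception side: the decoy list is the whole inventory, and a 4768 for a decoy name fires before any logon succeeds. On the sample, the legitimate bind and the authorized join produce nothing, and the four findings are the unexpected source, the rogue enrollment, the decoy touch, and the spray from the firewall's own address.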
The Compliance Dimension: What a Rogue AD Workstation Costs You
Organizations that dismiss deception technology as a "nice to have" need to understand the regulatory exposure created by the lateral movement phase. The FortiGate intrusions involved rogue workstations enrolled in Active Directory — a form of unauthorized access that triggers breach notification obligations across every major compliance framework.
GDPR (Articles 33 and 34): The enrollment of rogue AD workstations constitutes unauthorized access to systems that process personal data. Under Article 33, organizations must notify the supervisory authority within 72 hours of becoming aware of a personal data breach. Article 34 requires direct notification to individuals when the breach is likely to result in high risk. The 72-hour clock starts from awareness — and the question regulators will ask is: why did it take you weeks to detect rogue machines on your domain?
India DPDP Act (2023): India's Digital Personal Data Protection Act requires Data Fiduciaries to notify the Data Protection Board in the event of a personal data breach without undue delay. Organizations operating in India with AD environments used to process personal data face the same fundamental problem: lateral movement via service accounts creates the access conditions for a data breach, and delayed detection extends the notification obligation.
CERT-In 6-Hour Reporting Mandate: India's CERT-In directive requires reporting of cybersecurity incidents — including unauthorized access, data breaches, and compromise of critical systems — within six hours of detection. The FortiGate playbook shows that attackers can compromise AD and enroll rogue workstations within hours of initial access. Without real-time deception-based detection, organizations face the impossible task of detecting, investigating, and reporting a complex AD compromise within a six-hour window.
PCI-DSS (Requirement 11.5): Payment Card Industry standards require organizations to deploy change-detection mechanisms and alert personnel to unauthorized modification of critical system files (Requirement 11.5.2 in PCI DSS v4.0). Rogue AD workstations created through the ms-DS-MachineAccountQuota default represent exactly the kind of unauthorized system modification that Requirement 11.5 is designed to detect.
RBI and SEBI Directives: The Reserve Bank of India and Securities and Exchange Board of India both mandate prompt reporting of cybersecurity incidents for regulated financial institutions. SEBI's circular on cybersecurity requires stock brokers and depositories to report incidents within 24 hours. RBI's operational risk guidelines similarly require immediate escalation. Service account compromise events that remain undetected for days or weeks create severe regulatory exposure for Indian financial institutions.
HIPAA Security Rule: Healthcare organizations under HIPAA must conduct regular reviews of information system activity, including logon monitoring. The Security Rule's audit controls requirements (§ 164.312(b)) and access control requirements (§ 164.312(a)(1)) are directly implicated when attackers use stolen service accounts to traverse networks containing electronic protected health information. Deception technology generates the exact audit trail that demonstrates active monitoring and rapid detection.
Mine2's deception platform addresses each of these requirements directly. Every Mine interaction generates an immutable audit record with timestamp, source IP, accessed resource, and credential used. This is not a side effect of deception technology — it is a core deliverable. The moment a Credential Mine fires, the audit record is created, the incident response clock starts, and the regulatory notification timeline is defined. Organizations using Mine2 can demonstrate to regulators exactly when they detected unauthorized access and exactly what their response timeline was.
The Practical Playbook: Closing the Service Account Blind Spot
The FortiGate campaign is not the last time an attacker will extract service account credentials from a network device configuration file and attempt to use them against your Active Directory. This technique is well-documented, widely understood by threat actors, and applicable to every organization that has ever configured a firewall, VPN concentrator, or network appliance with domain credentials. Here is how to build detection coverage before the next campaign reaches your network.
Audit your firewall and network appliance configurations today. Every service account credential embedded in an appliance configuration file is an attack surface. Conduct an immediate audit of all LDAP bind accounts, AD connector credentials, and domain-joined service accounts referenced in firewall, VPN, and proxy configurations. Identify which accounts have write access to sensitive AD attributes and which carry domain join privileges. Treat any such credential as compromised if the appliance was exposed to the bypass vulnerabilities above, and rotate it in AD: patching or rebuilding the firewall does nothing to the copy the attacker already holds.
Reduce ms-DS-MachineAccountQuota to zero. This attribute on the domain object defaults to 10, allowing any authenticated domain user to enroll machines. There is no legitimate operational reason for this default in most enterprise environments. Set it to zero and require designated accounts with explicitly delegated Create Computer Objects rights to perform domain joins. This single configuration change would have blocked the quota-based enrollment step in every FortiGate intrusion SentinelOne documented, unless the bind account had separately been delegated the right to create computer objects, which the audit in the previous step should tell you.
Plant Credential Mines in your appliance configurations. Alongside every real LDAP bind account in your firewall configurations, add a Mine2 Credential Mine — a fake service account credential that looks identical to a real one. When an attacker extracts and attempts to use it, you receive an immediate alert. This transforms the attacker's most reliable technique — extracting credentials from configuration files — into a guaranteed detection event.
Deploy AD Mines with realistic service account naming. Create AD Mine accounts that match your existing naming conventions: svc-fortigate-backup, svc-vpn-auth, svc-ldap-bind-2. These accounts should have no legitimate use but should appear in AD precisely where a real service account would appear. Any authentication attempt, attribute query, or group membership lookup against these accounts is an instant, zero-false-positive detection.
Activate MineField across your internal network segments. SoftPerfect Network Scanner and similar tools are standard components of the post-initial-access playbook. MineField decoy services listening on common ports across your network segments ensure that lateral movement reconnaissance generates alerts before persistence is established. A single port scan touching a MineField decoy is your earliest warning of active intrusion.
Harden with Fortify. Mine2's Fortify module addresses the upstream weaknesses on the directory side: misconfigured AD attributes like ms-DS-MachineAccountQuota, over-privileged service accounts, and accounts flagged to store their passwords with reversible encryption (an AD setting distinct from the appliance's own configuration encryption, which no directory control can change). Fortify identifies these misconfigurations and provides one-click remediation, closing the initial access paths before an attacker reaches your Mines.
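The audit step above is the one a team can start on immediately, so here is a worked version of it as an added example: a small parser for the block structure of a FortiOS configuration dump that lists every directory-facing credential the device stores. It is not code from the original article and not Fortinet or Mine2 tooling. The configuration text mirrors the `config` / `edit` / `set` / `next` / `end` layout of `show full-configuration` output, but the addresses, entry names and ENC blobs are constructed.

```python
"""Inventory the directory credentials embedded in a FortiOS configuration dump.

Added example for the appliance-audit step. Not part of the original article
and not Fortinet or Mine2 tooling. The configuration below is constructed.
"""
import shlex

SAMPLE_CONFIG = """\
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com"
        set password ENC AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    next
    edit "AD-LDAP-ANON"
        set server "10.0.0.11"
        set dn "DC=corp,DC=example,DC=com"
        set type anonymous
    next
end
config user fsso
    edit "fortidcagent"
        set server "10.0.0.20"
        set password ENC BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    next
end
"""


def parse_config(text):
    """Parse `config` / `edit` / `set` / `next` / `end` blocks.

    Returns {table: {entry: {setting: [values]}}}, e.g.
    result["user ldap"]["AD-LDAP"]["server"] == ["10.0.0.10"].
    Settings made directly under a table (no `edit`) land in entry "(global)".
    """
    tables = {}
    stack = []  # one [table_name, open_edit_name] per nested `config`
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours the double quotes FortiOS emits
        kw = tokens[0]
        if kw == "config":
            stack.append([" ".join(tokens[1:]), None])
        elif kw == "edit" and stack:
            stack[-1][1] = tokens[1]
        elif kw == "set" and stack and len(tokens) >= 3:
            table = "/".join(name for name, _ in stack)
            entry = stack[-1][1] or "(global)"
            tables.setdefault(table, {}).setdefault(entry, {})[tokens[1]] = tokens[2:]
        elif kw == "next" and stack:
            stack[-1][1] = None
        elif kw == "end" and stack:
            stack.pop()
    return tables


def stored_credentials(tables):
    """List every entry carrying a stored secret the appliance can replay.

    Only `config user ldap` entries of `set type regular` bind with a stored
    username and password; `simple` binds as the end user and `anonymous`
    stores nothing. `config user fsso` entries hold the collector agent secret.
    FortiOS marks stored secrets with the ENC prefix, the reversible form the
    article describes.
    """
    found = []
    for table in ("user ldap", "user fsso"):
        for entry, settings in tables.get(table, {}).items():
            if "password" not in settings:
                continue
            found.append({
                "entry": f"{table}/{entry}",
                "server": settings.get("server", [""])[0],
                "bind_as": settings.get("username", [entry])[0],
                "stored_as": settings["password"][0],  # "ENC" for encrypted blobs
            })
    return found


if __name__ == "__main__":
    for cred in stored_credentials(parse_config(SAMPLE_CONFIG)):
        print(f"{cred['entry']:24} {cred['server']:12} {cred['stored_as']:4} {cred['bind_as']}")
```

Run it against a real dump (the output of show full-configuration saved to a file and passed to parse_config) and every row is an account to check in AD for privileges, rotate if the device was exposed, and pair with a decoy of the same shape. On the sample the anonymous LDAP entry is correctly skipped and two credentials are reported: the regular bind as svc-fortigate-ldap and the fortidcagent collector secret.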
The Bottom Line
The FortiGate intrusion campaign is a forensic record of exactly how lateral movement works in 2026. Attackers do not break in — they log in, using credentials that your own infrastructure handed them. They move using legitimate tools. They blend into normal activity patterns until they are ready to deploy ransomware or exfiltrate data. The Darktrace and Unit 42 reports confirm this is not an edge case: it is the dominant methodology in enterprise breaches.
Detection controls built around behavioral baselines and signature matching fail structurally against this technique. The only control that fires the instant a stolen service account is used — regardless of how legitimate the authentication looks — is a Mine that has no legitimate use and therefore no false positive threshold.
Zero false positives. Single-click deployment. Zero performance impact. And when an attacker decrypts your service account credentials and tries to use them, a Mine fires before they reach their first file share.
The service account blind spot is real. Mine2 closes it.
Ready to map your service account exposure and deploy Credential Mines and AD Mines across your environment? Start with Mine2 →
mine2 team
The MINE2 team consists of cybersecurity experts, researchers, and engineers dedicated to advancing threat detection and cyber deception technologies.
