The Service Account Blind Spot: How FortiGate Intrusions Expose the Lateral Movement Crisis
By Kabir


SentinelOne's analysis of March 2026 FortiGate intrusions reveals a brutal playbook: attackers decrypt service account LDAP credentials from firewall config files, enroll rogue workstations in Active Directory, and move laterally before a single alert fires. Identity weaknesses drove 90% of Unit 42's 2026 incident investigations. Credential Mines and AD Mines planted inside your environment are the only controls that fire the instant a stolen service account is used — regardless of how legitimate it looks.


Tape one number to your monitor: 90. That is the percentage of incident response investigations in 2026 where identity weaknesses played a material role, according to Palo Alto Networks' Unit 42 Global Incident Response Report published in February 2026. Not network exploits. Not zero-days. Not ransomware payloads. Identity. Stolen credentials, abused service accounts, and hijacked sessions have become the dominant attack vector in enterprise breaches, and a wave of intrusions documented by SentinelOne in March 2026 shows just how surgical and quiet the problem has become.

I've spent a lot of time inside post-incident reviews, and the FortiGate cases follow a pattern that still surprises people: the attackers didn't write malware. They didn't bypass anyone's EDR. They decrypted service account passwords sitting inside a FortiGate firewall configuration file, authenticated to Active Directory with a legitimate account that had been quietly waiting there for years, and enrolled two rogue workstations into the corporate domain. By the time defenders noticed, the attackers were already moving laterally under the cover of a trusted identity.

This is the service account blind spot. And it's almost certainly present in your environment right now.

Walking Through the FortiGate Intrusions

In February and March 2026, SentinelOne documented a series of intrusions targeting FortiGate Next-Generation Firewalls that followed a disturbingly consistent playbook. The attackers exploited a trio of critical authentication bypass vulnerabilities — CVE-2025-59718, CVE-2025-59719 (both CVSS 9.8), and the January 2026 zero-day CVE-2026-24858 — to gain unauthenticated administrative access to FortiGate devices.

Once inside, the attackers issued a single command: show full-configuration. This extracted the complete device configuration, including embedded service account credentials — specifically LDAP bind accounts used by the firewall to authenticate to Active Directory for VPN and authentication services. The critical flaw is that FortiOS stores these credentials with a reversible encryption scheme. The attackers simply decrypted the service account password and had a fully valid Active Directory credential in their hands, with no brute force required and no malware deployed.

What came next was methodical. Using the decrypted fortidcagent service account credentials, the attackers authenticated to the victim's Active Directory environment. They then abused the ms-DS-MachineAccountQuota attribute — a default AD configuration that lets any authenticated domain user join up to 10 computers to the domain — to enroll two rogue workstations. Those rogue machines gave the attackers a persistent foothold that survived firewall remediation, sitting quietly inside the network as legitimate-looking AD objects.

In the cases SentinelOne documented, password spraying originating from the compromised FortiGate device, combined with artifacts linked to SoftPerfect Network Scanner, eventually triggered alerts and halted progression to ransomware deployment. The attackers were stopped during the lateral movement phase, but they had already achieved deep AD compromise and established persistent access.

Where Traditional Controls Go Quiet

The FortiGate campaign exposes a structural flaw in how most enterprises think about identity security. Service accounts — the machine-to-machine credentials that databases, firewalls, backup systems, and middleware use to talk to each other — are notoriously under-monitored. They rarely rotate. They often carry over-privileged access accumulated over years of infrastructure changes. And they're almost never enrolled in the same user behavior analytics that watch human identities.

When an attacker uses a real service account credential to authenticate to Active Directory, the event looks indistinguishable from a routine infrastructure operation. The Darktrace Annual Threat Report 2026 describes this precisely: adversaries are "logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy." Modern compromises increasingly resemble normal user behavior rather than traditional breaches. We dug into the same dynamic in our write-up on how ransomware crews move laterally with stolen identities.

Your EDR can't flag this. It wasn't designed to. EDR tools operate at the endpoint level — they look for malicious code executing on a machine. When an attacker uses a real credential to authenticate via Kerberos and enumerate the domain, there's no malicious code to detect. SIEMs can correlate authentication logs, but the signal-to-noise ratio on service account logins is brutal — these accounts generate thousands of legitimate authentication events daily.

The Darktrace report found that identity has become the primary target across all geographies, with 70% of incidents in the Americas beginning with stolen or misused accounts. Unit 42's data shows attacks are now four times faster than in 2023: the median time from initial access to lateral movement has compressed to under two hours. Security teams running reactive, alert-driven processes can't respond at that speed.

Why Deception Catches What Everything Else Misses

The FortiGate attacker's fatal weakness wasn't technical. It was behavioral: they had to use the credential. The moment a threat actor takes a stolen service account and authenticates with it — to the domain, to a file share, to an internal application — they reveal themselves. The only question is whether a control is in place to observe that moment.

That is exactly what Credential Mines and AD Mines were built for. Unlike monitoring tools that watch real accounts and try to separate legitimate from malicious behavior, deception plants fake accounts that have no legitimate use whatsoever. Any access is an attack.

Credential Mines are fake service account credentials — LDAP bind accounts, API service accounts, database connection strings, backup agent credentials — seeded across your environment. They appear in configuration files, credential stores, and documentation exactly where a real service account credential would appear. When an attacker extracts a FortiGate configuration file and tries to use one of these decoy credentials, the Mine fires an immediate, zero-false-positive alert. If you've read our breakdown of the BeyondTrust PAM breach and credential mines, the mechanics will feel familiar.

AD Mines extend the idea straight into Active Directory. Fake user accounts, computer objects, and service principals are created with names that match your real naming conventions. They have no legitimate use — no application or user should ever try to authenticate with them, enumerate their attributes, or query their group memberships. When the attacker who enrolled rogue workstations starts enumerating AD to understand the domain structure, they inevitably touch AD Mine objects, generating an instant detection event. The same approach defends against Kerberoasting after the CVE-2026-20833 enforcement.

MineField — Mine2's network of decoy TCP services — covers the lateral movement phase directly. Port scanning and service enumeration, which attackers use to map the internal network after gaining a foothold, trigger connections to MineField decoys. The FortiGate attackers used SoftPerfect Network Scanner for exactly this purpose. A single connection to a MineField decoy produces an actionable alert before any data has been exfiltrated.

The operational advantage here is absolute: no false positives, because nothing legitimate ever touches a Mine. No threshold tuning, no baseline modeling, no analyst triage. The alert means exactly one thing — a real attacker is in your network using a stolen credential right now.
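As an added example (not Mine2's code) tying the intrusion walkthrough above to the Mine logic just described, here is detection logic in Python over a constructed, simplified stream of AD security events. Two conventional rules need an assumed allowlist of where the fortidcagent bind account may log on from and which accounts may create computer objects; the decoy rule needs neither, which is the point the section makes. The account names, addresses and event records are all invented.

```python
# Added example, not Mine2 code: three rules over simplified AD security events.
from dataclasses import dataclass

# Assumed: each appliance bind account and the only address it should log on from.
BIND_ACCOUNT_SOURCES = {"fortidcagent": {"10.0.0.1"}}
# Assumed decoy identities: nothing legitimate uses them, so any touch is an alert.
DECOY_ACCOUNTS = {"svc-ldap-bind-2", "svc-vpn-auth"}
LOGON_EVENTS = {4624, 4768}   # account logon, Kerberos TGT request
COMPUTER_CREATED = 4741       # computer account created

@dataclass
class Alert:
    rule: str
    time: str
    source_ip: str
    account: str
    resource: str  # the decoy, the domain, or the newly joined computer

def evaluate(events):
    """Return the alerts one pass over the events raises, in order."""
    alerts = []
    for e in events:
        acct, src, target = e["account"].lower(), e["source_ip"], e.get("target", "")
        if acct in DECOY_ACCOUNTS or target.lower() in DECOY_ACCOUNTS:
            # Deception rule: no allowlist, no baseline; the name alone is the signal.
            alerts.append(Alert("decoy_touched", e["time"], src, acct, target or acct))
        elif (e["event_id"] in LOGON_EVENTS and acct in BIND_ACCOUNT_SOURCES
              and src not in BIND_ACCOUNT_SOURCES[acct]):
            alerts.append(Alert("bind_account_offsite_logon", e["time"], src, acct, "domain"))
        elif e["event_id"] == COMPUTER_CREATED and acct in BIND_ACCOUNT_SOURCES:
            # A firewall's LDAP bind account has no reason to join machines to the domain.
            alerts.append(Alert("computer_joined_by_bind_account", e["time"], src, acct, target))
    return alerts

# Constructed sample: one legitimate bind from the firewall, then the intrusion chain.
SAMPLE_EVENTS = [
    {"time": "2026-03-02T01:00:00Z", "event_id": 4624, "account": "fortidcagent", "source_ip": "10.0.0.1"},
    {"time": "2026-03-02T02:10:00Z", "event_id": 4624, "account": "fortidcagent", "source_ip": "10.0.5.77"},
    {"time": "2026-03-02T02:12:00Z", "event_id": 4741, "account": "fortidcagent", "source_ip": "10.0.5.77", "target": "WKS-OPS-19$"},
    {"time": "2026-03-02T02:13:00Z", "event_id": 4741, "account": "fortidcagent", "source_ip": "10.0.5.77", "target": "WKS-OPS-20$"},
    {"time": "2026-03-02T02:30:00Z", "event_id": 4768, "account": "svc-ldap-bind-2", "source_ip": "10.0.5.77"},
    {"time": "2026-03-02T02:31:00Z", "event_id": 4624, "account": "jsmith", "source_ip": "10.0.3.10"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a)
```

Note that the allowlist rule stays silent when the bind account is used from the appliance itself, which is where SentinelOne saw the password spraying originate; the decoy rule fires regardless of source.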

What a Rogue AD Workstation Costs You

Teams that dismiss deception as a "nice to have" need to understand the regulatory exposure created by the lateral movement phase. The FortiGate intrusions involved rogue workstations enrolled in Active Directory — a form of unauthorized access that triggers breach notification obligations across every major compliance framework.

GDPR (Articles 33 and 34): The enrollment of rogue AD workstations constitutes unauthorized access to systems that process personal data. Under Article 33, organizations must notify the supervisory authority within 72 hours of becoming aware of a personal data breach. Article 34 requires direct notification to individuals when the breach is likely to result in high risk. The 72-hour clock starts from awareness — and the question regulators will ask is: why did it take you weeks to detect rogue machines on your domain?

India DPDP Act (2023): India's Digital Personal Data Protection Act requires Data Fiduciaries to notify the Data Protection Board in the event of a personal data breach without undue delay. Organizations operating in India with AD environments used to process personal data face the same fundamental problem: lateral movement via service accounts creates the access conditions for a data breach, and delayed detection extends the notification obligation.

CERT-In 6-Hour Reporting Mandate: India's CERT-In directive requires reporting of cybersecurity incidents — including unauthorized access, data breaches, and compromise of critical systems — within six hours of detection. The FortiGate playbook shows that attackers can compromise AD and enroll rogue workstations within hours of initial access. Without real-time deception-based detection, organizations face the impossible task of detecting, investigating, and reporting a complex AD compromise within a six-hour window.

PCI-DSS (Requirement 11.5): Payment Card Industry standards require organizations to deploy change-detection mechanisms and alert personnel to unauthorized modification of critical system files. Rogue AD workstations created via ms-DS-MachineAccountQuota exploitation represent exactly the unauthorized system modification that Requirement 11.5 is designed to detect.

RBI and SEBI Directives: The Reserve Bank of India and Securities and Exchange Board of India both mandate prompt reporting of cybersecurity incidents for regulated financial institutions. SEBI's circular on cybersecurity requires stock brokers and depositories to report incidents within 24 hours. RBI's operational risk guidelines similarly require immediate escalation. Service account compromise events that remain undetected for days or weeks create severe regulatory exposure for Indian financial institutions.

HIPAA Security Rule: Healthcare organizations under HIPAA must conduct regular reviews of information system activity, including logon monitoring. The Security Rule's audit controls requirements (§ 164.312(b)) and access control requirements (§ 164.312(a)(1)) are directly implicated when attackers use stolen service accounts to traverse networks containing electronic protected health information. Deception generates the exact audit trail that demonstrates active monitoring and rapid detection.

Mine2's platform addresses each of these requirements directly. Every Mine interaction generates an immutable audit record with timestamp, source IP, accessed resource, and credential used. That isn't a side effect of the technology; it's a core deliverable. The moment a Credential Mine fires, the audit record is created, the incident response clock starts, and the regulatory notification timeline is defined. Organizations using Mine2 can show regulators exactly when they detected unauthorized access and exactly what their response timeline was.

Closing the Service Account Blind Spot

The FortiGate campaign won't be the last time an attacker extracts service account credentials from a network device configuration file and turns them against your Active Directory. This technique is well-documented, widely understood by threat actors, and applicable to every organization that has ever configured a firewall, VPN concentrator, or network appliance with domain credentials. Here's how to build coverage before the next campaign reaches your network.

Audit your firewall and network appliance configurations today. Every service account credential embedded in an appliance configuration file is an attack surface. Run an immediate audit of all LDAP bind accounts, AD connector credentials, and domain-joined service accounts referenced in firewall, VPN, and proxy configurations. Identify which accounts have write access to sensitive AD attributes and which carry domain join privileges.

Reduce ms-DS-MachineAccountQuota to zero. This AD attribute defaults to 10, letting any authenticated domain user enroll machines. There's no legitimate operational reason for this default in most enterprise environments. Set the attribute to zero and require privileged accounts with specific delegation to perform domain joins. This single configuration change would have stopped the rogue workstation enrollment step in every FortiGate intrusion SentinelOne documented.

Plant Credential Mines in your appliance configurations. Alongside every real LDAP bind account in your firewall configurations, add a Mine2 Credential Mine — a fake service account credential that looks identical to a real one. When an attacker extracts and tries to use it, you get an immediate alert. This turns the attacker's most reliable technique — pulling credentials from configuration files — into a guaranteed detection event.

Deploy AD Mines with realistic service account naming. Create AD Mine accounts that match your existing naming conventions: svc-fortigate-backup, svc-vpn-auth, svc-ldap-bind-2. These accounts should have no legitimate use but should appear in AD precisely where a real service account would. Any authentication attempt, attribute query, or group membership lookup against them is an instant, zero-false-positive detection.

Activate MineField across your internal network segments. SoftPerfect Network Scanner and similar tools are standard components of the post-initial-access playbook. MineField decoy services listening on common ports across your segments make sure lateral movement reconnaissance generates alerts before persistence is established. A single port scan touching a MineField decoy is your earliest warning of active intrusion.

Harden with Fortify. Mine2's Fortify module addresses the upstream vulnerability: misconfigured AD attributes like ms-DS-MachineAccountQuota, over-privileged service accounts, and reversible password encryption settings that enable credential extraction. Fortify identifies these misconfigurations and provides one-click remediation, closing the initial access paths before an attacker reaches your Mines.
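The first step above, auditing appliance configurations for embedded LDAP bind accounts, can be scripted. The Python below is an added example (not Mine2's or Fortinet's code) that walks a configuration dump of the kind show full-configuration produces and reports every LDAP entry that binds with a stored password; the config user ldap grammar it parses is an approximation of FortiOS text output, and the excerpt, server addresses and account are constructed.

```python
# Added example (not Mine2's or Fortinet's code); FortiOS-style grammar is an approximation.
import re
SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')

def ldap_entries(config_text):
    """Return {entry: {key: value}} under 'config user ldap'; depth tracking skips nested blocks."""
    entries, depth, in_ldap, name = {}, 0, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                in_ldap = line == "config user ldap"
        elif line == "end":
            depth -= 1
        elif not in_ldap or depth != 1:
            continue
        elif line.startswith("edit "):
            name = line[5:].strip().strip('"')
            entries[name] = {}
        elif line == "next":
            name = None
        elif name is not None and (m := SET_RE.match(line)):
            entries[name][m.group(1)] = m.group(2).strip().strip('"')
    return entries

def audit_bind_accounts(config_text):
    """One finding per entry that binds with a stored credential (what a config dump exposes)."""
    findings = []
    for name, kv in ldap_entries(config_text).items():
        stored = "password" in kv
        if kv.get("type", "anonymous") == "regular" or stored:
            findings.append({"entry": name, "server": kv.get("server", ""),
                             "bind_user": kv.get("username", ""), "password_in_config": stored})
    return findings

# Constructed excerpt: one binding entry with a stored secret, one anonymous entry.
SAMPLE_CONFIG = """\
config user ldap
    edit "AD-CORP"
        set server "10.0.0.10"
        set type regular
        set username "CN=fortidcagent,OU=Service Accounts,DC=corp,DC=example"
        set password ENC PLACEHOLDER-NOT-A-REAL-SECRET
    next
    edit "AD-ANON"
        set type anonymous
    next
end
"""
```

Each finding names the bind account to cross-check against AD for domain-join rights and write access, and is the natural place to pair a Credential Mine entry with the real one.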

The Bottom Line

The FortiGate intrusion campaign is a forensic record of exactly how lateral movement works in 2026. Attackers don't break in — they log in, using credentials your own infrastructure handed them. They move using legitimate tools. They blend into normal activity until they're ready to deploy ransomware or exfiltrate data. The Darktrace and Unit 42 reports confirm this is no edge case. It's the dominant methodology in enterprise breaches.

Detection built around behavioral baselines and signature matching fails structurally against this technique. The only control that fires the instant a stolen service account is used — regardless of how legitimate the authentication looks — is a Mine that has no legitimate use, and therefore no false positive threshold.

Zero false positives. Single-click deployment. Zero performance impact. And when an attacker decrypts your service account credentials and tries to use them, a Mine fires before they reach their first file share.

The service account blind spot is real. Mine2 closes it.




Kabir

Incident Response Lead, Mine2

Kabir leads incident response work at Mine2, dissecting breaches after the fact to show where earlier detection would have changed the outcome.
