Evidence

Public-source evidence that access risk is path-shaped.

A short, plainspoken list of public incidents whose published descriptions support the Pathros claim. Each record is grounded in publicly available material from vendors, regulators, or recognized incident responders. No private telemetry. No detection or prevention claims.

Records

2024 Microsoft Midnight Blizzard

Public-source evidence pattern

Access paths are hierarchical and transitive across cloud, SaaS, and data systems.

Microsoft's public reporting described a modern identity path across a weak legacy identity, OAuth applications, app consent, app-only permission, and mailbox resources.

Microsoft's public guidance from January 2024 describes a path that crossed identity, application, consent, permission, and resource - a chain that no single object on its own would have explained.

The evidence is not only that one legacy non-production account lacked MFA. The evidence is the chain: identity -> OAuth application -> app permission -> mailbox resource.

CISA's Emergency Directive 24-02 reinforced the same lesson at enterprise scale: the risk connected identity, email, credentials, and trust rather than a single isolated configuration row.

2024 Snowflake customer instances - UNC5537

Public-source evidence pattern

Third-party and data-platform access paths create blast radius beyond the breached company.

Mandiant reported a campaign targeting customer Snowflake instances with stolen customer credentials, weak controls, and data-platform reach.

In June 2024, Google Mandiant reported a campaign attributed to UNC5537 targeting customer Snowflake instances using credentials harvested by infostealer malware. Many affected customer accounts lacked multi-factor authentication. Snowflake's own enterprise environment was not the breached system; customer-managed tenants without MFA were the path.

The blast radius reached beyond any single company because the affected platform pattern was shared across customers. A single attacker's credential harvest scaled across organizations.

Snowflake later mandated MFA for human users in new accounts - a control change that closed the dominant path for newly created human users and underlined that the risk was authentication-configuration-shaped.
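Both records above describe the same shape: a resource is reached through a chain of hops, and the chain is only as strong as the one hop whose control is missing. The example below, added here and not code from Pathros, Microsoft or Mandiant, models access as a directed graph of hops, each gated by a named control, and computes which resources an actor holding a starting foothold can transitively reach. The node names (legacy-test-account, customer-a-warehouse, and so on), the control names, and the passable flags are constructed for illustration; the second graph shows why a single MFA mandate across shared customer tenants removes the dominant path for every tenant at once.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One hop of an access path: (source, target, gating control, passable).
# `passable` is True when the control, as configured, does not stop an actor who
# already holds the source node (a password-only login with a stolen password,
# or an app consent that has already been granted). All node names, control
# names and flags are constructed examples, not values from the vendor reports.
Hop = Tuple[str, str, str, bool]

MIDNIGHT_BLIZZARD_STYLE: List[Hop] = [
    ("stolen-password", "legacy-test-account", "mfa", True),           # no MFA on the legacy account
    ("legacy-test-account", "legacy-oauth-app", "app-consent", True),  # consent already granted
    ("legacy-oauth-app", "exchange-app-permission", "app-only-permission", True),
    ("exchange-app-permission", "corporate-mailboxes", "mailbox-access", True),
    ("stolen-password", "admin-account", "mfa", False),                # MFA enforced: hop closed
    ("admin-account", "corporate-mailboxes", "mailbox-access", True),
]

SNOWFLAKE_STYLE: List[Hop] = [
    ("infostealer-dump", "customer-a-user", "mfa", True),
    ("infostealer-dump", "customer-b-user", "mfa", False),             # customer B enforces MFA
    ("infostealer-dump", "customer-c-user", "mfa", True),
    ("customer-a-user", "customer-a-warehouse", "network-allowlist", True),
    ("customer-b-user", "customer-b-warehouse", "network-allowlist", True),
    ("customer-c-user", "customer-c-warehouse", "network-allowlist", True),
]


def adjacency(hops: List[Hop]) -> Dict[str, List[Hop]]:
    graph: Dict[str, List[Hop]] = defaultdict(list)
    for hop in hops:
        graph[hop[0]].append(hop)
    return graph


def find_paths(hops: List[Hop], start: str, target: str,
               passable_only: bool = False) -> List[List[Hop]]:
    """All simple paths from start to target. With passable_only, keep only the
    paths an actor holding `start` can actually traverse under current controls."""
    graph = adjacency(hops)
    found: List[List[Hop]] = []

    def walk(node: str, path: List[Hop], seen: Set[str]) -> None:
        if node == target:
            found.append(list(path))
            return
        for hop in graph.get(node, []):
            nxt, passable = hop[1], hop[3]
            if nxt in seen or (passable_only and not passable):
                continue
            path.append(hop)
            walk(nxt, path, seen | {nxt})
            path.pop()

    walk(start, [], {start})
    return found


def reachable(hops: List[Hop], start: str) -> Set[str]:
    """Transitive closure over passable hops: everything an actor holding `start`
    can reach, however many intermediate objects lie in between."""
    graph = adjacency(hops)
    seen: Set[str] = set()
    stack = [start]
    while stack:
        node = stack.pop()
        for _, nxt, _, passable in graph.get(node, []):
            if passable and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def with_control(hops: List[Hop], control: str, passable: bool) -> List[Hop]:
    """Copy of the graph with every hop gated by `control` set to `passable`;
    passable=False for "mfa" models mandating MFA on every login hop."""
    return [(s, d, c, passable if c == control else p) for s, d, c, p in hops]


def describe(path: List[Hop]) -> str:
    return " -> ".join([path[0][0]] + [hop[1] for hop in path])


if __name__ == "__main__":
    for path in find_paths(MIDNIGHT_BLIZZARD_STYLE, "stolen-password", "corporate-mailboxes"):
        closed = [c for _, _, c, p in path if not p]
        print(describe(path), "(closed by: %s)" % ", ".join(closed) if closed else "(open)")
    print("exposed before MFA mandate:", sorted(reachable(SNOWFLAKE_STYLE, "infostealer-dump")))
    hardened = with_control(SNOWFLAKE_STYLE, "mfa", False)
    print("exposed after MFA mandate: ", sorted(reachable(hardened, "infostealer-dump")))
```

Reading the output the way the records above read the incidents: no single row in either graph is alarming on its own, yet `reachable` shows the warehouse data of two customers exposed from one credential dump, and a single control change on the shared login hop empties that set.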