Andrew Heller, Marketing Manager

Across hundreds of Lares and Damovo engagements, the same root issues appear again and again, regardless of whether environments are primarily on‑premises, cloud, or hybrid:

  • Weak passwords and ineffective password policies
  • Insecure handling of sensitive information and poor data governance
  • Insufficient network segregation

Misconfigurations and unpatched vulnerabilities are also common, but these three areas consistently underpin the most damaging attack paths.

Weak passwords: the starting point for many attacks

Weak passwords are still one of the most reliable ways to gain access to enterprise assets, from Windows domains to cloud applications and everything in between. Credentials compromised through external password spraying, or password hashes extracted from the domain and cracked offline, remain the most common findings.

Password reuse is a closely related problem. Compromising one set of credentials can open multiple doors if the same password is used across VPN, email, SaaS, and internal systems. Many users in non‑technical roles do not fully understand why strong, unique passwords matter, or how quickly one password can be weaponised once it is exposed.

Typical attacker workflow:

  • Use OSINT and breach data to find passwords already exposed in database dumps and previous incidents.
  • Profile an organisation’s likely patterns: companyname123, seasonal words combined with years, or predictable dictionary words followed by numbers.
  • Perform credential stuffing and password spraying against portals and services used by the organisation until access is gained.

Combatting weak passwords is easier said than done. Users tend to choose passwords they can remember, even if they are easy to guess. At a high level, effective measures include:

  • Implementing password blocklists and banned word lists so common and predictable passwords are rejected.
  • Auditing password usage and policies regularly to identify poor practices.
  • Focusing on user education and positive reinforcement rather than purely punitive controls, so people understand the impact of poor password hygiene.
  • Using technical controls such as Microsoft Entra Password Protection and similar services to reduce common password usage across hybrid environments.
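The following is an added example for this article, not Microsoft's implementation and not Lares or Damovo tooling. It shows how a banned-word check of the kind described above can work: passwords are normalised (lower-cased, common character substitutions undone) and then scored the way Microsoft documents for Entra Password Protection (one point per banned term found, one point per other character, fewer than five points rejected). On top of that it adds a stricter rule for the "companyname123" and "Summer2024!" shapes from the attacker workflow, which the scoring alone lets through. The banned lists and the substitution table are constructed for illustration; a real deployment would use a breach-derived global list plus an organisation-specific custom list.

```python
"""Banned-word password check: normalise, score (Entra-style), then reject
predictable 'banned word + digits/symbols' shapes. Added example; the lists
and substitution table below are constructed, not a vendor's real rules."""
import re

# Constructed lists. A real global list is large and breach-derived; the
# custom list carries organisation-specific terms (company, products, sites).
GLOBAL_BANNED = {"password", "welcome", "letmein", "qwerty", "blank",
                 "summer", "winter", "spring", "autumn"}
CUSTOM_BANNED = {"contoso", "damovo", "lares"}

# Substitutions undone before matching (assumed subset of what products apply).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a", "!": "i"})
MIN_POINTS = 5   # documented Entra threshold: fewer points than this is rejected


def normalise(password: str) -> str:
    """Lower-case and undo substitutions: 'P@$$w0rd' -> 'password'."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str) -> tuple[int, list[str]]:
    """Each banned term found counts one point; every other character counts
    one point. Longest banned term wins at each position (leftmost-longest)."""
    norm = normalise(password)
    terms = sorted(GLOBAL_BANNED | CUSTOM_BANNED, key=len, reverse=True)
    points, matched, i = 0, [], 0
    while i < len(norm):
        for term in terms:
            if norm.startswith(term, i):
                matched.append(term)
                i += len(term)
                break
        else:
            i += 1
        points += 1
    return points, matched


def is_predictable_shape(password: str) -> bool:
    """True when the password is a banned term padded only with digits and
    symbols: 'Summer2024!' scores 6 points yet is exactly what gets sprayed."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())  # strip padding
    return normalise(core) in GLOBAL_BANNED | CUSTOM_BANNED


def is_acceptable(password: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password."""
    points, matched = score(password)
    if points < MIN_POINTS:
        return False, f"{points} points (<{MIN_POINTS}); banned terms: {matched}"
    if is_predictable_shape(password):
        return False, f"banned term padded with digits/symbols: {matched}"
    return True, "ok"


if __name__ == "__main__":
    # 'ContoS0blank12' and 'ContoS0bl@nkf9!' are the worked cases from
    # Microsoft's scoring description (4 points rejected, 5 points accepted).
    for candidate in ["ContoS0blank12", "ContoS0bl@nkf9!", "Summer2024!",
                      "Damovo123", "glass-otter-parade-42"]:
        print(f"{candidate!r:24} -> {is_acceptable(candidate)}")
```

The scoring step reproduces the two worked cases in Microsoft's description, which is a useful sanity check when tuning a custom list. The extra shape rule is the part worth tuning per organisation: feed it the company name, product names, office locations and local sports teams, because those are precisely the terms a tester profiles in the workflow above.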

Data governance: attackers treat data as gold dust

Alongside weak passwords, poor data governance is one of the most powerful enablers for attackers. Public oversharing on LinkedIn, GitHub, and other channels can reveal internal systems, configurations, and credentials. Inside the network, loose practices around documents and file storage often give attackers everything they need to escalate.

Weak data governance typically stems from habits and convenience: administrators and users scattering sensitive information across SharePoint, file shares, scripts, and spreadsheets because it is easy in the moment. Over time, this creates a landscape where almost anyone can find something useful if they know what to search for.

SharePoint

SharePoint frequently becomes a rich source of credentials and sensitive configuration. Once attackers have a foothold and valid credentials, they can search for terms such as “password”, “passwd”, “pwd”, “credential”, and similar variations. Documentation and configuration files often contain hard‑coded passwords or connection strings that unlock further systems.

Hybrid environments increase this risk. As more documents, credentials, and configuration details move into cloud collaboration platforms, poorly governed SharePoint sites and similar services become a straightforward path to elevated permissions.

File shares

Windows file shares often contain years’ worth of accumulated data. The main risks come from:

  • Over‑permissive access controls on shares
  • Lack of retention and clean‑up policies
  • Scripts, configuration files, and spreadsheets that store live credentials

Tools such as Snaffler were built specifically to exploit this reality. They enumerate computers and shares from Active Directory, index files, and use patterns and regular expressions to identify “juicy” data such as credentials, keys, and configuration secrets. Spreadsheets are particularly common sources of credentials, as users treat them as informal password managers.

How to adopt a better approach

Improving data governance is part policy, part technical control, and part culture change:

  • Establish clear policies that prohibit storing passwords in documents and spreadsheets wherever possible.
  • Restrict sensitive file shares to specific directories with least‑privilege access, and regularly audit who can access what, especially for high‑value administrative shares.
  • Monitor high‑value shares for anomalous access patterns, such as a standard user suddenly reading thousands of files (for example, by enabling the Audit Detailed File Share subcategory on the file server, which logs Event ID 5145 for every share access, or by placing SACLs on sensitive folders and collecting the resulting Event ID 4663 object‑access events).
  • Refactor maintenance and automation scripts so they avoid hard‑coding credentials, instead using secure password stores, APIs, or managed identities where supported.
  • When credentials must be stored, ensure they are unique to a specific purpose, hardened, and monitored.
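As an added example for the monitoring point above (not Lares or Damovo tooling), the detection below runs over Event ID 5145 records and flags any account that reads more distinct files from a watch-listed share in a five-minute window than a normal user ever would. The events are constructed inline so the block runs offline; in practice they would come from Get-WinEvent or a SIEM, and the share watch-list and threshold are assumptions to tune per environment. Detailed File Share auditing is noisy, so enabling it only on servers hosting high-value shares keeps the volume manageable.

```python
"""Bulk-read detection over Event ID 5145 (Audit Detailed File Share):
flag a (user, share) pair whose count of distinct files read inside a
sliding window exceeds a threshold. Added example; events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watch-list of shares as they appear in the 5145 ShareName field.
HIGH_VALUE_SHARES = {"\\\\*\\Finance", "\\\\*\\IT", "\\\\*\\HR"}
WINDOW = timedelta(minutes=5)    # assumed window length
THRESHOLD = 50                   # assumed: distinct files per user per share
READ_DATA = 0x1                  # AccessMask bit for ReadData / ListDirectory


def constructed_events():
    """Constructed 5145-style records: (time, SubjectUserName, ShareName,
    RelativeTargetName, AccessMask). One normal user, one crawler."""
    base = datetime(2025, 3, 10, 9, 0, 0)
    events = []
    # a.jones: six reports over an hour, the normal pattern.
    for i in range(6):
        events.append((base + timedelta(minutes=10 * i), "a.jones",
                       "\\\\*\\Finance", f"Reports\\Q1\\report{i}.xlsx", READ_DATA))
    # j.smith: 120 distinct archive files in 90 seconds, a Snaffler-like crawl.
    for i in range(120):
        events.append((base + timedelta(seconds=0.75 * i), "j.smith",
                       "\\\\*\\Finance", f"Archive\\2019\\doc{i}.docx", READ_DATA))
    # Same user touching a low-value share: not on the watch-list, ignored.
    events.append((base, "j.smith", "\\\\*\\Public", "readme.txt", READ_DATA))
    return sorted(events, key=lambda e: e[0])


def detect_bulk_reads(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(user, share): peak distinct files in any window} for pairs
    exceeding `threshold` on a high-value share."""
    per_key = defaultdict(list)
    for ts, user, share, target, mask in events:
        if share in HIGH_VALUE_SHARES and mask & READ_DATA:
            per_key[(user, share)].append((ts, target))

    alerts = {}
    for key, reads in per_key.items():
        reads.sort()
        in_window = {}          # target -> occurrences inside the window
        start = peak = 0
        for ts, target in reads:
            in_window[target] = in_window.get(target, 0) + 1
            # Drop reads older than the window from the left edge.
            while reads[start][0] < ts - window:
                old = reads[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (user, share), count in detect_bulk_reads(constructed_events()).items():
        print(f"ALERT {user} read {count} distinct files on {share} within {WINDOW}")
```

Counting distinct files rather than raw events matters: a user repeatedly opening the same spreadsheet generates many 5145 records but only one distinct target, whereas a crawler touches everything once.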

Automated tools are widely available to attackers, so defenders should be comfortable using the same tools to close gaps in detection and remediation. Crawlers like Snaffler or similar approaches can be tuned to search for particular file types or patterns, helping security teams find and fix issues before adversaries do.
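To make the defender-side use concrete, here is an added example of a small Snaffler-style crawler (not Snaffler's code or its rule set, and not Lares or Damovo tooling): it walks a share tree, reports files whose name alone is interesting (key files, KeePass databases, web.config, "passwords.xlsx"), and greps text-like files for credential patterns such as password assignments, connection strings and private keys. The rules are a constructed subset, and the sample share is generated in a temporary directory with planted secrets so the block runs offline.

```python
"""Snaffler-style share crawler for defenders: name rules plus content rules.
Added example; the rules are a constructed subset and the sample share is
generated locally with planted, fake secrets."""
import re
import tempfile
from pathlib import Path

# Name-based rules: report regardless of content.
INTERESTING_NAMES = re.compile(
    r"(^id_(rsa|ed25519|dsa)$"
    r"|\.(kdbx|ppk|pfx|p12|pem|key|rdp|vpn|ovpn)$"
    r"|^(web|app|unattend|sysprep)\.(config|xml)$"
    r"|^\.(env|netrc|git-credentials)$"
    r"|^pass(word|wd)?s?\.(txt|csv|xlsx?|docx?)$)",
    re.IGNORECASE)

# Content-based rules applied to text-like files under a size cap.
CONTENT_RULES = {
    "password assignment": re.compile(
        r"(?i)\b(pass(word|wd|phrase)?|pwd)\s*[:=]\s*['\"]?[^\s'\";,]{4,}"),
    "connection string": re.compile(
        r"(?i)(Data Source|Server)=[^;]+;.*(Password|Pwd)=[^;]+"),
    "private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws access key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "net use with creds": re.compile(r"(?i)\bnet use\b.*\s/user:\S+\s+\S+"),
}
# "" covers extension-less files such as id_rsa or shell scripts.
TEXT_SUFFIXES = {"", ".ps1", ".bat", ".cmd", ".vbs", ".txt", ".ini", ".config",
                 ".xml", ".json", ".yml", ".yaml", ".csv", ".sql", ".py", ".sh"}
MAX_BYTES = 2 * 1024 * 1024


def scan_tree(root: str):
    """Return [(relative_path, rule, evidence)] for every hit under `root`.
    Evidence is the matching line, truncated, so the report itself does not
    become another copy of every secret on the share."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if INTERESTING_NAMES.search(path.name):
            findings.append((str(path.relative_to(root)), "interesting filename", path.name))
        if path.suffix.lower() in TEXT_SUFFIXES and path.stat().st_size <= MAX_BYTES:
            text = path.read_text(errors="ignore")
            for rule, rx in CONTENT_RULES.items():
                for m in rx.finditer(text):
                    start = text.rfind("\n", 0, m.start()) + 1
                    end = text.find("\n", m.end())
                    end = len(text) if end == -1 else end
                    findings.append((str(path.relative_to(root)), rule, text[start:end].strip()[:80]))
    return findings


def summarise(findings):
    """Map file name -> set of rule names that fired, for a quick triage view."""
    out = {}
    for rel, rule, _ in findings:
        out.setdefault(rel.replace("\\", "/").split("/")[-1], set()).add(rule)
    return out


def build_sample_share() -> str:
    """Create a constructed share layout with planted fake secrets."""
    root = tempfile.mkdtemp(prefix="share_")
    files = {
        "IT/scripts/backup.ps1": "$cred = 'svc_backup'\n$password = 'Winter2023!'\n"
                                 "net use Z: \\\\fs01\\backups /user:corp\\svc_backup Winter2023!\n",
        "IT/apps/web.config": '<connectionStrings>\n<add connectionString="Server=sql01;'
                              'Database=crm;User Id=sa;Password=Sa!2019;" />\n</connectionStrings>\n',
        "Finance/passwords.csv": "system,user,password\nbank portal,finance1,Damovo2024\n",
        "Users/bob/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"
                            "-----END OPENSSH PRIVATE KEY-----\n",
        "Public/newsletter.txt": "Welcome to the Q3 newsletter.\n",
    }
    for rel, content in files.items():
        p = Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    for rel, rule, evidence in scan_tree(build_sample_share()):
        print(f"{rule:22} {rel:28} {evidence}")
```

Run against a real share with the service account that owns the clean-up, not a domain admin, and treat every hit as a ticket: rotate the credential, move it to a vault or managed identity, and delete the file.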

Lack of network segregation: making lateral movement easy

Insufficient network segregation is another recurring weakness, especially in less mature environments. Poorly segmented networks increase the attack surface and make lateral movement far easier.

In a properly segregated network:

  • Exposed services are reduced to a minimum.
  • Systems are separated into segments according to their purpose and sensitivity.
  • Compromise in one zone does not automatically expose everything else.

In flat or weakly segmented networks, attackers can:

  • Perform ARP poisoning and other man‑in‑the‑middle attacks.
  • Intercept network services (SQL, HTTP, RDP, VoIP, SMB, etc.) and traffic to external locations.
  • Steal credentials and downgrade or exploit weak authentication protocols.
  • Launch mass client‑side attacks and rapidly spread malware such as ransomware.

Even with Endpoint Detection and Response (EDR) products deployed, misconfigurations, firewall gaps, and missing segmentation often leave sensitive systems unnecessarily exposed. Once a foothold is established, containing a breach becomes difficult, and attackers have time to establish multiple access routes and persistence mechanisms.

Combining weaknesses into real attack paths

When weak passwords, poor data governance, and lack of network segregation come together, attackers have multiple, overlapping ways to win. Compromised credentials allow initial access, credentials and configuration details stored in file shares or SharePoint drive escalation, and flat networks make lateral movement trivial. It is one of the reasons ransomware and similar attacks remain so effective in immature environments.

These patterns apply in both on‑premises and cloud environments. Azure and other cloud platforms remove some exposure through secure defaults and managed services, but configuration mistakes, identity weaknesses, and overly permissive sharing can still create exploitable paths. Lares maintains public attack kits and research to help both testers and defenders understand these patterns in hybrid environments.

Taking a bottom‑up view of your environment

A practical way to reduce these attack paths is to take a bottom‑up view of the organisation’s security posture:

  • Provide staff security awareness training that focuses specifically on password management, data handling, and recognising risky behaviours.
  • Review network design and plan for meaningful segmentation, especially around critical systems and administrative interfaces.
  • Review Windows and hybrid cloud estates for weak data governance, and back policies with enforceable technical controls.
  • Prioritise prevention where possible, and ensure that where prevention is not realistic, detection and response are tuned and tested regularly.

How Damovo and Lares can help

Damovo helps organisations design, integrate, and operate secure networks, collaboration platforms, and cloud environments, with a strong focus on visibility and control. Lares, operating as the offensive security arm within Damovo, tests those environments the way real attackers would, exposing weak passwords, poor data governance, and segmentation gaps through penetration testing, red teaming, and insider threat assessments.

Together, Damovo and Lares can help you:

  • Identify the real‑world paths attackers could use to compromise your environment.
  • Prioritise remediation across identity, data governance, and network design.
  • Validate improvements through adversarial testing aligned with threat reports and frameworks such as the ENISA Threat Landscape and NIST CSF.

If you want to understand which weaknesses in your environment are most likely to turn into full compromise, and how to close those paths in a practical way, Damovo can walk you through an assessment approach tailored to your context.