Sequenxa Intelligence Agency
UNCLASSIFIED // FOR OFFICIAL USE ONLY

Contractor access is an identity intelligence problem

Someone in the right shirt walks past reception with a name, a work order, and a reason to be there. Onboarding never saw them coming, because onboarding was vetting a company, not a person. Contractor access is not a procurement step. It is an identity intelligence problem.

R.J. Finnegan, July 1, 2026, 9 min read

Someone in the right shirt walks past your reception desk. They have a name, a work order, and a reason to be there. A printer is acting up, a server needs a firmware update, the cameras need a quick look. Thirty minutes later they are gone, and so is a copy of something that mattered.


That scene is not hypothetical anymore.


In its June 2026 reporting on the threat cluster UNC3753, also tracked as Luna Moth and Silent Ransom Group, Google's Mandiant team documented a data-theft campaign that began with phone calls and, in some cases, ended with people physically walking into offices. Google Threat Intelligence Group assessed that actors likely linked to the campaign sent individuals posing as IT technicians into corporate buildings to copy data onto USB drives, an escalation consistent with an FBI Cyber FLASH Alert. The forensic evidence on the physical incidents is limited, but the targeting and timing line up. The same group ran most of its remote intrusions inside a single business day. A few took less than an hour.


Here is the part that should bother you. None of that required breaking in. It required being let in.


That is the gap in how most organizations think about contractor access. They treat it as a procurement step. A company gets vetted, a contract gets signed, a badge gets printed, and the relationship goes quiet until something breaks. The vetting looked at the vendor. It rarely looked at the person who would actually be in the building, badge in hand, asking for an exception.


A contractor can clear onboarding and still fail the identity intelligence test.


Why contractor access gets reviewed too late and too narrowly


Most contractor review happens once, at the start, and never again. The questionnaire gets filed. The insurance certificate gets saved. The background check comes back clean, and clean quietly becomes permanent in everyone's mind.

The trouble is that access is not an event. It is a standing condition. The technician who was vetted in March is not necessarily the technician who shows up in September. The vendor that passed review can change hands, add subcontractors, or rotate staff without telling anyone. We wrote about that drift in "Third-party access is a counter-intelligence problem." Contractor access is where the drift gets physical.

Narrow is the other failure. A background check answers one limited question: does this person have a record in the jurisdictions you searched. That is useful. It is not the same as knowing who the person is, who they work for now, and whether the story they are telling holds up.


That is not identity verification. That is records retrieval with a name attached.


The difference between vendor review, background checks, and identity intelligence


These three get used as if they mean the same thing. They do not, and the space between them is exactly where trusted access goes wrong.

Vendor review evaluates a company. Can it produce a controls report, proof of insurance, a list of policies. It answers a contracting question.


A background check evaluates a record. Criminal history, employment dates, license status, in the places you knew to look. It answers a compliance question.

Identity intelligence evaluates a claim. Is this person who they say they are. Do they still work for who they say they work for. Does the access they want match the reason they gave for being here. It answers the corporate intelligence question the other two were never built to answer.


We drew the same line for senior hires in "Vendor due diligence is not executive due diligence." The logic holds for contractors, with one difference that makes it worse. A contractor often gets proximity and access faster than an executive hire, and with far less scrutiny.


What 2026 threat reporting is actually showing


The reason this matters now is that the people doing the borrowing have gotten good at sounding legitimate.


Mandiant's M-Trends 2026 report, published in late March, found that highly interactive voice phishing climbed to the second most common way attackers gained initial access, behind only software exploits, appearing in 11% of investigations where a vector could be identified. The phone call that sounds like IT is no longer a fringe move. It is a primary one.


The same report tracked something stranger and more relevant. North Korean IT workers using fabricated identities to get hired at Western technology companies remained a persistent insider threat through 2025, with a median dwell time of 122 days, and in some cases more than a year. These were not break-ins. These were people who applied, interviewed, passed, and collected a paycheck, all under an identity that was never real. M-Trends said it plainly: this stretches what the word "insider" even means, and it breaks background-check and access programs that were designed for ordinary employees.


In May 2026, GTIG documented the BlackFile operation, tracked as UNC6671, which used voice phishing and fake, victim-branded login pages to compromise single sign-on accounts and capture multi-factor codes. The point GTIG kept returning to is the one that applies here: the corporate perimeter has moved to the identity layer. The phone call, the fake login page, the MFA prompt, and the stolen session are one continuous chain, not four separate problems.


And the tooling keeps getting faster. GTIG's May 2026 AI threat tracker reported the first case of a threat actor using a zero-day exploit it believes was developed with AI, alongside broader use of AI to speed up reconnaissance and operations. What that means for contractor access is simple. A convincing identity, a plausible work order, and a rehearsed pretext are cheaper to produce than they used to be. Polish is no longer evidence of legitimacy.


Put those findings next to each other and a pattern shows up. The fastest way into an organization in 2026 is not a vulnerability. It is a person you decided to trust.


Seven contractor-risk indicators worth escalating before anything breaks


You do not need a confirmed incident to act on these. Each one is a reason to slow down and verify, not proof that someone has done something wrong. Treat them as escalation triggers, not verdicts.

  1. The document is real but the history is not. The ID, license, or certificate checks out, but the person's work history is thin, discontinuous, or seems to appear all at once. A real credential attached to a hollow background deserves a second look.

  2. The request comes with urgency and a reason to skip the normal channel. "We need this today." "The usual contact is out." "Just let me in and we'll do the paperwork after." Pretext plus time pressure is the oldest trick in social engineering, and it still works because it makes verifying feel rude.

  3. The introduction came through a trusted intermediary nobody re-checked. Someone vouched for the contractor, so no one verified them. Borrowed trust is still unverified trust.

  4. The access granted is wider than the work being done. The maintenance vendor holds standing domain credentials. The contractor hired for one project can reach systems unrelated to it. Access that quietly exceeds scope is one of the most common and least examined risks in any building.

  5. The person on site is not the person who was vetted. Staff substitution happens constantly and is almost never re-screened. The entity you approved and the individual now standing in your space can stop being the same thing without anyone noticing.

  6. The contractor resists out-of-band verification. A legitimate technician will tolerate a callback to a known company number. An impersonator improvises around it, because the callback is the one thing the pretext cannot survive. After the UNC3753 campaign, GTIG's guidance was exactly this: require out-of-band identity verification for all external contractors, technical staff, and facilities visitors.

  7. The relationship changed after onboarding and nobody re-reviewed it. Ownership changed. A subcontractor got added. Credentials never rotated. The scope grew. The original vetting is now describing a relationship that no longer exists.

None of these alone proves anything. Together, they map where trusted access tends to fail.


How intelligence-led review differs from paperwork and software scoring


A questionnaire records what someone tells you. A risk score reduces a relationship to a number. Both have a place, and neither one answers whether the person in front of you is operating in good faith.


Intelligence-led review starts from a different assumption. It assumes the claim has to be tested, not just collected. In practice that means corroborating identity against more than the document presented, confirming current employment and authorization rather than the version from onboarding, checking that the stated reason for access matches the access actually requested, and watching for the behavioral signals above instead of waiting for an incident to make them obvious.


It is the difference between a smoke detector and a fire inspection. One tells you something is already burning. The other tells you where it is likely to start.


This is the same discipline behind workplace investigations and early warning indicators. Read the pattern early enough that you are making a decision, not writing a report after the fact.


What to verify before granting proximity, access, or an exception


Before a contractor, technician, advisor, or temporary specialist gets near your people, your systems, or your sensitive spaces, a few things are worth confirming directly:

  • The individual showing up is the one who was vetted, not a substitute sent under the same vendor name.

  • Their employment and authorization are real as of now, not as of the day the contract was signed.

  • The access they are asking for matches the work they were hired to do, with no quiet extras.

  • Any urgent, off-channel, or exception request can survive a callback to a known number before it gets granted.

  • The relationship is re-reviewed when ownership, staffing, or scope changes, rather than running on a vetting that is months or years stale.
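The seven indicators above and this pre-access checklist can be encoded as a single gate that an access or badge system evaluates before an exception is granted. The following is an added illustration, not code from Sequenxa or from any of the reports cited; the request fields, the 90-day confirmation window and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, FrozenSet

@dataclass
class AccessRequest:
    """One contractor presenting for access. All fields are assumed inputs."""
    vendor: str
    vetted_person: str                     # individual named at onboarding
    onsite_person: str                     # individual actually at the desk
    vetted_on: date                        # date the original vetting closed
    employment_confirmed_on: Optional[date]  # last direct confirmation with employer
    work_order_systems: FrozenSet[str]     # what the work order covers
    requested_systems: FrozenSet[str]      # what is being asked for today
    is_exception: bool                     # urgent or off-channel request
    callback_verified: bool                # confirmed via callback to a known number
    relationship_changes: List[date] = field(default_factory=list)  # ownership, subs, scope

def escalation_triggers(req: AccessRequest, today: date, max_age_days: int = 90) -> List[str]:
    """Return the checklist items that fail; an empty list means no trigger fired."""
    triggers = []
    if req.onsite_person != req.vetted_person:
        triggers.append("substitution")                # vetted person is not the one on site
    if req.employment_confirmed_on is None or (today - req.employment_confirmed_on).days > max_age_days:
        triggers.append("stale_authorization")         # employment not confirmed as of now
    extra = req.requested_systems - req.work_order_systems
    if extra:
        triggers.append("scope_excess:" + ",".join(sorted(extra)))  # access wider than the work
    if req.is_exception and not req.callback_verified:
        triggers.append("exception_without_callback")  # urgency that skipped the known channel
    if any(change > req.vetted_on for change in req.relationship_changes):
        triggers.append("vetting_predates_change")     # vetting describes a relationship that changed
    return triggers

def decision(triggers: List[str]) -> str:
    """Triggers are reasons to slow down and verify, not verdicts."""
    return "grant" if not triggers else "hold_for_verification"

# Constructed sample requests for a review date of 2026-09-15.
TODAY = date(2026, 9, 15)
CLEAN = AccessRequest("PrintCo", "J. Doe", "J. Doe", date(2026, 3, 1), date(2026, 9, 10),
                      frozenset({"printer-fleet"}), frozenset({"printer-fleet"}), False, False)
SUSPECT = AccessRequest("PrintCo", "J. Doe", "M. Roe", date(2026, 3, 1), date(2026, 3, 1),
                        frozenset({"printer-fleet"}), frozenset({"printer-fleet", "domain-admin"}),
                        True, False, [date(2026, 6, 1)])

if __name__ == "__main__":
    for name, req in (("clean", CLEAN), ("suspect", SUSPECT)):
        t = escalation_triggers(req, TODAY)
        print(name, decision(t), t)
```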


None of this means treating every contractor as a threat. It means treating identity as a claim you verify every time it matters, instead of a box you checked once.


If a single individual with borrowed trust is the access path you have the least visibility into, that is the part of the program worth a confidential, intelligence-led review.


Frequently asked questions


What is the difference between a background check and identity intelligence?


A background check confirms whether a person has a criminal, employment, or licensing record in the jurisdictions searched. Identity intelligence goes further. It verifies that the person is who they claim to be, that their current employment and authorization are real, and that the access they request matches the reason they gave for needing it.


Why isn't vendor due diligence enough for contractor access?


Vendor due diligence evaluates a company at the start of a relationship. Contractor access involves a specific individual who shows up later, often after staffing, ownership, or scope has changed. A vendor can pass review while the person actually granted access was never separately verified against the entity that was approved.


What are the signs that a contractor or technician might be an impersonator?


The common signals are urgency paired with a request to skip normal channels, resistance to out-of-band verification such as a callback to a known number, a person on site who differs from the one who was vetted, and access requests that exceed the stated scope of work.


How do you verify a contractor's identity beyond documents?

You corroborate the claim instead of accepting the document at face value. That means confirming current employment and authorization directly with the stated employer, matching the individual present against the one who was vetted, validating the work order through a known channel, and checking that the requested access fits the job.


What is contractor risk in a security context?

Contractor risk is the exposure created when an outside individual is granted proximity, access, or exception authority on trust that was never fully verified or has gone stale. Managing it treats access as a standing condition that needs ongoing identity verification, not a one-time onboarding step.

The badge was never the thing to verify. The person holding it was.
