The Invisible Kill Chain: Detecting Non-Human Identity Attacks Across Telemetry Boundaries
ID: ef0c1cc4-c0a8-5048-8961-917a46d9e235
STIX ID: report--ef0c1cc4-c0a8-5048-8961-917a46d9e235
Feed Name: Detect FYI
**Executive summary:** This report analyzes a surge in attacks targeting non-human identities (service principals, application registrations, API keys, tokens) used across enterprise cloud environments, documents multiple real-world breaches (including a Russian SVR compromise of Microsoft via service-principal abuse and follow-on Okta/Cloudflare/BeyondTrust incidents), and provides a five-stage NHI kill chain with production-ready KQL detections, cross-domain correlation queries, response playbooks, and prioritized mitigation steps to reduce NHI attack surface.
