Access-as-a-service (AaaS) is a new underground business model in cybercrime where threat actors steal enterprise user credentials and sell them to other attack groups, leading to the exfiltration of confidential data.