Identity Attacks Explained
Identity attacks are attempts to gain access by impersonating a legitimate user, service account, or workload identity—typically by stealing, guessing, replaying, or abusing authentication factors and session artifacts (passwords, MFA approvals, tokens, cookies, API keys).
Identity attacks target the systems that prove who you are—credentials, MFA prompts, session cookies, and OAuth tokens—to impersonate users or services and trigger account takeover (ATO). Because identity attacks often use “legitimate” logins and APIs, they can bypass traditional malware-focused defenses unless you’re monitoring identity and access events.
How identity attacks work
Identity attacks usually follow a predictable path: acquire something that proves “who you are,” then use it to log in or act as you—often without deploying obvious malware.
1) Credential acquisition (the “get in” phase)
Attackers first obtain or derive authentication material. Common routes include:
- Phishing and social engineering: Fake login pages, QR-phishing, phone-based “helpdesk” scams, or adversary-in-the-middle (AiTM) phishing that captures credentials and session tokens.
- Credential stuffing: Reusing leaked username/password pairs from other breaches against your SSO, email, VPN, or SaaS apps.
- Password spraying: Trying a few common passwords across many accounts to avoid lockouts.
- Malware-assisted theft: Infostealers grabbing browser passwords, session cookies, and tokens; keyloggers capturing credentials.
- Secrets exposure: API keys in repos, tokens in CI logs, cloud access keys in config files,
.envleaks, or public buckets.
2) Bypassing or abusing MFA (the “stay in” phase)
If MFA is present, attackers may:
- MFA fatigue / push bombing: Repeated prompts until a user approves.
- SIM swap / SMS interception: Taking over phone numbers where SMS OTP is used.
- OTP relay and proxying: Real-time proxy phishing that forwards the login flow to the real IdP and captures the resulting session.
- Token theft: Stealing refresh tokens, OAuth authorization codes, or device-bound tokens (varies by platform and configuration).
- MFA enrollment abuse: If an attacker gains initial access (e.g., via password), they may register their own MFA method if controls are weak.
3) Session and token abuse (the “be you” phase)
Modern identity attacks often avoid repeated logins and instead hijack existing sessions:
- Session hijacking: Stealing session cookies from browsers or endpoints.
- Refresh token replay: Using refresh tokens to mint new access tokens without user interaction.
- OAuth consent abuse: Tricking users/admins into consenting to malicious apps that gain mailbox or file access via delegated permissions.
- SSO misconfiguration exploitation: Overly broad trust relationships, weak conditional access, or permissive app sign-in policies.
4) Privilege escalation and lateral movement (the “own more” phase)
Once inside, attackers typically: - Enumerate users, groups, and roles. - Target admins and high-value service accounts. - Create persistence (new users, API keys, OAuth apps, MFA devices, forwarding rules). - Access data (email, files, CRM, finance apps) and pivot to cloud infrastructure.
What identity attacks look like in logs
Below are patterns practitioners commonly hunt for. Exact fields vary by provider, but the behaviors are consistent.
Suspicious sign-in characteristics
- Many failed logins across many users (spraying)
- High volume logins for one user from multiple IPs (stuffing or attacker testing)
- New geo / “impossible travel” patterns
- Logins from hosting/VPS or known anonymizers
- Unusual user-agent strings or device fingerprints
Example log-search ideas (adapt to your SIEM)
# Password spray indicator: many users, same IP, few passwords
count(failed_logins) by src_ip, password_guess_window > threshold
AND distinct(user) high
# MFA fatigue: many MFA prompts, few successful challenges
count(mfa_prompts) by user in 10m > threshold
AND successful_mfa = false OR later_successful_mfa = true
# OAuth consent abuse: new app consent followed by mailbox/file access
new_oauth_app_consent by user
THEN api_calls to mail.read OR files.read within 1h
Quick triage checks (generic)
# If you export identity logs as JSON, look for high-risk signals
jq -r '.events[] | select(.type=="login" and .result=="fail") | [.time,.user,.ip,.userAgent] | @tsv' idp_logs.json | head
# Identify repeated failures per IP (rough local analysis)
jq -r '.events[] | select(.type=="login" and .result=="fail") | .ip' idp_logs.json \
| sort | uniq -c | sort -nr | head
Where you’ll encounter identity attacks
Identity attacks appear anywhere authentication happens, but a few scenarios show up repeatedly in real environments.
Cloud email and collaboration (Microsoft 365 / Google Workspace)
Email is a prime target because it enables password resets, invoice fraud, and sensitive data access. Expect to see: - Suspicious inbox rules (auto-forward, delete, mark as read) - New OAuth app grants with mailbox permissions - Logins from new locations/devices right before fraud attempts
Operational cue: a user reports “I approved an MFA prompt by accident” or “my sent items show messages I didn’t send.”
SSO and federated identity (IdP as the control plane)
When you centralize authentication, the IdP becomes the blast radius multiplier. Common encounters: - Password spraying against the IdP login portal - AiTM phishing that bypasses basic MFA - Admin takeover leading to new privileged accounts, app integration changes, or weakened conditional access
Operational cue: multiple users receive MFA prompts or password reset emails they didn’t initiate.
Remote access and VPN / Zero Trust access
Attackers target edge authentication to gain footholds: - Credential stuffing against VPN portals - Legacy protocols or weak MFA configurations - Compromised contractor accounts with broad access
If you’re evaluating hardening at the endpoint and access layer, pair identity controls with strong endpoint protection—see our comparison of options for business fleets: best antivirus for windows business endpoints 2026.
DevOps and cloud workloads (service accounts, API keys, tokens)
Not all “identities” are humans. In CI/CD and cloud environments you’ll encounter: - Exposed long-lived access keys - Compromised GitHub/GitLab tokens used to push code or read secrets - Over-permissioned service principals abused to mint new credentials or access storage
Operational cue: unexpected token creation, access key rotation events you didn’t schedule, or CI jobs running from unusual contexts.
Incident response and breach investigations
Identity attacks often show up as: - “No malware found” on the endpoint, but accounts were accessed - Business Email Compromise (BEC) with clean device posture - Data access through legitimate APIs rather than exploitation
Operational cue: access logs show “successful authentication” followed by sensitive downloads, exports, or mailbox searches.
Fast containment checklist (identity-first)
If you suspect an identity attack, the quickest wins are often identity controls—not endpoint reimaging.
1) Disable or lock the affected account(s) and revoke active sessions/tokens.
2) Reset passwords and rotate secrets (API keys, app passwords, service creds).
3) Remove malicious MFA methods and re-enroll MFA with phishing-resistant options if possible.
4) Review OAuth app consents and remove unknown/high-risk grants.
5) Hunt for persistence: inbox rules, forwarding, new users, role changes, access key creation.
6) Tighten conditional access: block legacy auth, require MFA, restrict high-risk geos/IPs.
7) Notify users and watch for follow-on targeting (finance/payroll accounts).
Tools that help reduce identity-attack risk (practical picks)
A few security controls commonly reduce the success rate of identity attacks when deployed correctly:
- Password managers (reduce password reuse + improve complexity): For SMB teams, a managed vault and shared item controls help prevent credential stuffing from turning into ATO. If you’re shopping, you can review our guide here: password manager for small business 2026. If you choose 1Password, you can start here: Try 1Password →.
- Endpoint anti-malware (reduce infostealer risk): Many identity compromises start with infostealers that exfiltrate browser cookies and saved passwords. Malwarebytes is a common option to consider: Get Malwarebytes →.
- VPN for high-risk travel or untrusted networks (reduce exposure on hostile Wi‑Fi): A VPN is not a substitute for MFA or conditional access, but it can reduce opportunistic interception risks on unmanaged networks. Options include NordVPN: Check NordVPN pricing → or Surfshark: Try Proton VPN →.
Identity attacks aren’t “just login problems”—they’re a primary intrusion path. Treat identity telemetry (sign-ins, token events, consents, role changes) as high-signal detection data, and assume rapid escalation once an attacker successfully impersonates a trusted identity.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Related terms
The outcome where an attacker gains control of a user account—often via stolen credentials or sessions.
Automated testing of reused credentials from previous breaches.
Trying a small set of common passwords across many accounts to avoid lockouts.
Deceptive messages to capture credentials or push users into harmful actions.
Proxy-based phishing that can capture session cookies/tokens during real-time sign-in.
Repeated MFA prompts to pressure users into approving.
Taking over an authenticated session by stealing cookies or tokens.
Abusing application consent to obtain API access without stealing a password directly.
Systems and policies controlling authentication and authorization (users, roles, permissions).
Policies that require stronger auth or block sign-ins based on signals (device, geo, risk).
Granting only the minimum permissions required; critical to limiting blast radius in identity compromise.