Full Report
An episode of the Talos Threat Perspective on the 2025 Year in Review trends. We explore how identity is being used to gain, extend, and maintain access inside environments.
Analysis Summary
Based on the Talos Threat Perspective episode regarding the 2025 Year in Review, the following summary focuses on the evolution of identity-based attacks and the TTPs used to subvert trusted access.
# Tool/Technique: Identity-Based Intrusion & MFA Subversion
## Overview
Identity-based intrusion refers to a shift in attacker methodology where, instead of deploying traditional malware, threat actors focus on compromising legitimate user credentials and subverting Multi-Factor Authentication (MFA) to "log in" rather than "break in." This allows them to blend into normal network traffic and maintain long-term persistence as a "trusted user."
## Technical Details
- **Type**: Technique (Adversary TTP)
- **Platform**: Multi-platform (SaaS, Cloud Environments, Windows/Active Directory, macOS)
- **Capabilities**: Credential harvesting, MFA bypass, lateral movement via internal phishing, and privilege escalation.
- **First Seen**: Increasing dominance throughout 2024–2025.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1078 - Valid Accounts]
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0003 - Persistence]**
  - [T1098 - Account Manipulation]
  - [T1556.006 - Modify Authentication Process: Multi-Factor Authentication]
- **[TA0008 - Lateral Movement]**
  - [T1534 - Internal Phishing]
- **[TA0005 - Defense Evasion]**
  - [T1550.004 - Use Alternate Authentication Material: Web Session Cookie]
## Functionality
### Core Capabilities
- **MFA Fatigue/Push Bombing**: Flooding a user's device with MFA prompts until the user approves one, whether by accident or out of frustration.
- **Adversary-in-the-Middle (AiTM)**: Using proxy tools to intercept login tokens and bypass MFA in real time.
- **Session Token Theft**: Stealing active browser cookies to bypass the need for a password or MFA prompt entirely.
### Advanced Features
- **Internal Phishing**: Using a compromised high-trust account (e.g., HR or IT) to send phishing links to other employees, significantly increasing the success rate of lateral movement.
- **AI Agent Exploitation**: Targeting over-permissioned AI agents that have access to identity-linked data to extract sensitive information or execute actions on behalf of the user.
- **Living-off-the-Cloud**: Utilizing legitimate administrative tools within M365 or Azure to exfiltrate data without triggering file-based malware alerts.
## Indicators of Compromise
*Note: Because these attacks use legitimate credentials, indicators are primarily behavioral.*
- **File Names**: `rclone.exe` (often used for data exfiltration via legitimate cloud APIs).
- **Network Indicators**: Logins from unusual geolocations or known VPN/TOR exit nodes (e.g., `hxxp[:]//[suspicious-proxy-provider]`).
- **Behavioral Indicators**:
  - Impossible Travel (logins from geographically distant locations in a short timeframe).
  - Multiple MFA "Deny" actions followed by a single "Allow."
  - New MFA device enrollment for an existing user account.
  - Large-scale mail forwarding rules created in Outlook/O365.
## Associated Threat Actors
- **LUNC-style groups (Scattered Spider / UNC3944)**: Known masters of social engineering and MFA bypass.
- **APT29 (Cozy Bear)**: Known for sophisticated cloud-based identity attacks and session token theft.
## Detection Methods
- **Behavioral Detection**: Monitoring for "Impossible Travel" and anomalies in User and Entity Behavior Analytics (UEBA).
- **MFA Logs**: Auditing for high frequencies of failed MFA challenges or "MFA Fatigue" patterns.
- **Token Analysis**: Detecting concurrent sessions from different IP addresses using the same session cookie.
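As an added illustration of the three behavioral detections listed above (example code, not from the Talos episode), the following Python runs impossible-travel, MFA-fatigue and shared-session-cookie checks over a constructed batch of sign-in, MFA and session events. The event schema, field names and the 900 km/h travel threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

def ev(ts, user, event, ip, cookie="", geo=None):  # one normalised sign-in record (assumed schema)
    return dict(ts=datetime.fromisoformat(ts), user=user, event=event, ip=ip, cookie=cookie, geo=geo)

# Constructed sample telemetry (not real logs): alice signs in from New York and then from
# London 40 minutes later, bob denies three pushes and then approves one, carol's session
# cookie is presented from a second IP address.
EVENTS = [
    ev("2025-03-01T08:00:00", "alice", "login", "203.0.113.5", "c1", (40.71, -74.01)),
    ev("2025-03-01T08:40:00", "alice", "login", "198.51.100.9", "c2", (51.51, -0.13)),
    ev("2025-03-01T09:00:00", "bob", "mfa_deny", "203.0.113.7"),
    ev("2025-03-01T09:01:00", "bob", "mfa_deny", "203.0.113.7"),
    ev("2025-03-01T09:02:00", "bob", "mfa_deny", "203.0.113.7"),
    ev("2025-03-01T09:03:00", "bob", "mfa_allow", "203.0.113.7"),
    ev("2025-03-01T10:00:00", "carol", "session", "203.0.113.8", "c7"),
    ev("2025-03-01T10:05:00", "carol", "session", "192.0.2.44", "c7"),
]

def haversine_km(a, b):  # great-circle distance between two (lat, lon) pairs
    (p1, l1), (p2, l2) = [map(radians, x) for x in (a, b)]
    return 2 * 6371 * asin(sqrt(sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin((l2 - l1) / 2) ** 2))

def impossible_travel(events, max_kmh=900):  # consecutive logins implying travel faster than an airliner
    per_user, hits = defaultdict(list), []
    for e in sorted((e for e in events if e["event"] == "login"), key=lambda e: e["ts"]):
        per_user[e["user"]].append(e)
    for user, logins in per_user.items():
        for prev, cur in zip(logins, logins[1:]):
            # compare distance with the reachable distance; no division, so a zero gap is safe
            if haversine_km(prev["geo"], cur["geo"]) > max_kmh * (cur["ts"] - prev["ts"]).total_seconds() / 3600:
                hits.append((user, prev["ip"], cur["ip"]))
    return hits

def mfa_fatigue(events, min_denies=3):  # an approval that follows a run of denials
    streak, hits = defaultdict(int), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "mfa_deny":
            streak[e["user"]] += 1
        elif e["event"] == "mfa_allow":
            if streak[e["user"]] >= min_denies:
                hits.append((e["user"], streak[e["user"]]))
            streak[e["user"]] = 0  # any approval ends the run, flagged or not
    return hits

def shared_session_cookie(events):  # one cookie presented from several source IPs
    ips = defaultdict(set)
    for e in (e for e in events if e["event"] == "session"):
        ips[e["cookie"]].add(e["ip"])
    return [(c, sorted(s)) for c, s in ips.items() if len(s) > 1]
```

Each function returns its findings as tuples so the results can feed a SIEM alert or a session-revocation step rather than only being printed.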
## Mitigation Strategies
- **FIDO2/WebAuthn**: Moving toward hardware-based phishing-resistant MFA (e.g., YubiKeys) rather than push notifications or SMS.
- **Conditional Access Policies**: Restricting logins to managed devices or specific geographic regions.
- **Least Privilege for AI**: Hardening permissions for AI integrations to ensure they cannot access identity stores or perform administrative actions.
- **Session Revocation**: Implementing the ability to instantly kill all active sessions for a user upon suspected compromise.
## Related Tools/Techniques
- **Evilginx2**: Framework used for AiTM phishing and session token theft.
- **Modlishka**: Reverse proxy tool for bypassing MFA.
- **Golden SAML**: Technique used to forge authentication tokens in federated environments.