Identity Security and the Rise of Social Engineering

Identity Security: Why It’s More Critical Than Ever

Identity attacks pose a significant threat to an organisation’s sensitive data, and they often serve as the gateway to large-scale breaches. In today’s digital landscape, where employees, contractors and third-party vendors access corporate networks from many locations and devices, the attack surface continues to expand. According to Microsoft, it blocked around 7,000 password attacks every second last year, which gives some idea of the scale of identity-related threats.

Cybercriminals are no longer relying solely on brute-force attacks; they are continuously refining their tactics, leveraging advanced social engineering techniques, phishing campaigns, and credential-stuffing attacks to exploit legitimate and authorised identities. By masquerading as trusted users, these attackers can move laterally within networks, escalate privileges, and exfiltrate sensitive business data undetected. The increasing adoption of cloud services, remote work, and bring-your-own-device (BYOD) policies has further complicated identity security, making it crucial for organisations to implement robust identity protection measures. Without strong defenses, businesses risk financial losses, reputational damage, and severe regulatory penalties, all of which can have long-lasting consequences.

In this blog, we’ll explore the top methods threat actors are using, based on Microsoft’s 2024 Digital Defense Report, and provide actionable steps to strengthen your identity security.

How are Threat Actors Responding to Multifactor Authentication?

According to data from Microsoft Entra, over 600 million identity attacks occur daily, with more than 99% being password-based, underscoring the vast scale and persistence of cyber threats targeting user credentials. As organisations increasingly rely on cloud services and digital platforms to conduct business, the stakes for securing identity access have never been higher. A single compromised account can serve as an entry point for attackers to infiltrate entire networks, steal sensitive data, and disrupt operations.

Innovations such as security defaults and Conditional Access policies have driven broader adoption of multifactor authentication (MFA), now used by 41% of Microsoft enterprise customers. However, because MFA blocks the majority of password-based attacks, threat actors are adapting and targeting other links in the attack chain.

1. Attacking Infrastructure

Infrastructure attacks are popular with both nation-state and criminal threat actors because they are hard to detect unless an organisation has careful configuration monitoring, anomaly-based threat detection and log analysis in place. Once inside the identity infrastructure, an attacker can make configuration changes that maintain persistence while remaining unnoticed.

Example:

An attacker steals the credentials of a non-human identity (a service principal or workload identity), briefly elevates its permissions, adds a new credential to it, uses that credential to access and exfiltrate data, and then restores the identity’s original permissions so that the change is unlikely to be noticed.

Preventative actions to take:

  • Utilise advanced AI-powered monitoring and threat detection systems to identify anomalous patterns.
  • Closely monitor access and configuration changes within the identity infrastructure.
  • Strengthen monitoring for devices and networks on which identity infrastructure depends.
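To make the scenario above concrete, here is an added example (not from Microsoft’s report, which describes the pattern but ships no detection logic) that hunts for it in Entra ID audit-log style records: a permission added to an identity, a new credential registered on that identity while it is elevated, and the permission removed again within a short window. The records, the flattened field names and the two-hour window are assumptions made for the example.

```python
"""Detect the 'elevate, add a credential, restore' pattern against a
non-human identity in Entra ID audit-log style records.

Added example, not from the report or from Microsoft. The records are
constructed and flattened: real Entra audit logs (Microsoft Graph
auditLogs/directoryAudits) use the same activityDisplayName values but a
nested schema with initiatedBy/targetResources.
"""
from datetime import datetime, timedelta

# Activities that widen what an identity can do, and their undo.
ELEVATE = {"Add member to role", "Add app role assignment to service principal"}
RESTORE = {"Remove member from role", "Remove app role assignment from service principal"}
NEW_CREDENTIAL = {"Add service principal credentials"}

# Constructed sample: actor = who made the change, target = the identity
# whose state changed, detail = the role or credential type involved.
SAMPLE_LOGS = [
    {"ts": "2024-03-04T02:10:00Z", "activity": "Add member to role",
     "actor": "backup-automation", "target": "backup-automation",
     "detail": "Privileged Role Administrator"},
    {"ts": "2024-03-04T02:12:00Z", "activity": "Add service principal credentials",
     "actor": "backup-automation", "target": "backup-automation",
     "detail": "Client secret"},
    {"ts": "2024-03-04T02:31:00Z", "activity": "Remove member from role",
     "actor": "backup-automation", "target": "backup-automation",
     "detail": "Privileged Role Administrator"},
    # Benign: an admin grants a role and removes it the next shift.
    {"ts": "2024-03-04T09:00:00Z", "activity": "Add member to role",
     "actor": "admin@contoso.example", "target": "alice@contoso.example",
     "detail": "Helpdesk Administrator"},
    {"ts": "2024-03-04T14:30:00Z", "activity": "Remove member from role",
     "actor": "admin@contoso.example", "target": "alice@contoso.example",
     "detail": "Helpdesk Administrator"},
    # Benign: routine secret rotation with no elevation around it.
    {"ts": "2024-03-04T11:00:00Z", "activity": "Add service principal credentials",
     "actor": "alice@contoso.example", "target": "ci-pipeline",
     "detail": "Client secret"},
]


def _ts(record):
    return datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")


def find_elevate_and_restore(records, window=timedelta(hours=2)):
    """Return one finding per elevation that is reverted within `window`.

    A credential added in between, or an identity changing its own
    permissions, raises the severity: both are unusual for legitimate
    automation and match the attacker playbook described in the text.
    """
    by_target = {}
    for r in records:
        by_target.setdefault(r["target"], []).append(r)

    findings = []
    for target, recs in by_target.items():
        recs.sort(key=_ts)
        for i, r in enumerate(recs):
            if r["activity"] not in ELEVATE:
                continue
            t0 = _ts(r)
            credential_added = False
            restored_at = None
            for later in recs[i + 1:]:
                if _ts(later) - t0 > window:
                    break  # reverted too late (or never) to look like a cover-up
                if later["activity"] in NEW_CREDENTIAL:
                    credential_added = True
                if later["activity"] in RESTORE and later["detail"] == r["detail"]:
                    restored_at = _ts(later)
                    break
            if restored_at is None:
                continue
            self_modified = r["actor"] == target
            findings.append({
                "target": target,
                "actor": r["actor"],
                "permission": r["detail"],
                "elevated_at": r["ts"],
                "minutes_elevated": int((restored_at - t0).total_seconds() // 60),
                "credential_added_meanwhile": credential_added,
                "severity": "high" if (credential_added or self_modified) else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_elevate_and_restore(SAMPLE_LOGS):
        print(finding)
```

On the constructed records this reports a single high-severity finding for `backup-automation` (elevated for 21 minutes with a client secret added in between) and stays silent on the admin’s day-long role grant and the routine secret rotation. In production the window and the severity rules are the knobs to tune; the credential-added signal is the one worth keeping strict, because legitimate automation almost never mints itself a new secret while temporarily elevated.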

2. Bypassing Authentication

As MFA blocks most password-based attacks, threat actors have shifted to Adversary-in-the-Middle (AiTM) phishing and token theft. Over the last year Microsoft reports a 146% rise in AiTM phishing attacks. In an AiTM attack the user is lured to a proxy site that relays the genuine sign-in page; the user enters their password and completes MFA as normal, and the proxy captures the resulting session cookie, so the attacker ends up with an authenticated session without ever touching the MFA step themselves. Token theft works on the same principle from the other end: a session or refresh token stolen from an already-authenticated device is replayed from the attacker’s infrastructure, bypassing MFA entirely.

Key Stats:

  • Microsoft detects approximately 39,000 token theft incidents daily.
  • AiTM phishing attacks rose 146% last year.

Preventative actions to take:

  • Replace passwords with phishing-resistant, passwordless authentication methods like passkeys.
  • Ensure all users operate their devices as standard users rather than administrators.
  • Prevent AiTM and token theft attacks by implementing policies that mandate strong interactive authentication whenever anomalies are detected.
  • Implement access policies that enforce token protection and block access from untrusted environments.
  • To enhance detection capabilities and accelerate response times, adopt applications that support continuous access evaluation.
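Token theft leaves a recognisable trace in sign-in logs: a session established with fresh MFA from one network reappears minutes later from another, with the MFA requirement “satisfied by claim in the token” rather than completed again. The following is an added example, not Microsoft’s detection logic, that flags that shape over constructed sign-in records; the flattened field names, the one-hour window and the hosting-ASN list are assumptions made for the example.

```python
"""Flag a sign-in session reused from a different network shortly after it
was established: the trace a replayed session cookie or token leaves.

Added example, not from the report or from Microsoft. Records are
constructed and flattened; real Entra sign-in logs hold the session id,
IP, autonomous system and MFA detail in nested fields. A sign-in that
reused an existing token shows the MFA requirement as "satisfied by
claim in the token" rather than a fresh completion.
"""
from datetime import datetime, timedelta

FRESH_MFA = "MFA completed in Azure AD"
TOKEN_CLAIM = "MFA requirement satisfied by claim in the token"

# Constructed sample. 64496 and 64500 are documentation-reserved ASNs and
# the addresses come from the documentation prefixes.
SAMPLE_SIGNINS = [
    {"ts": "2024-05-20T08:02:00Z", "user": "alice@contoso.example", "session_id": "S1",
     "ip": "203.0.113.10", "asn": 64496, "mfa": FRESH_MFA},
    # Five minutes later the same session appears from a hosting provider.
    {"ts": "2024-05-20T08:07:00Z", "user": "alice@contoso.example", "session_id": "S1",
     "ip": "198.51.100.77", "asn": 64500, "mfa": TOKEN_CLAIM},
    # Benign: same session, IP rotated within the same carrier network.
    {"ts": "2024-05-20T09:00:00Z", "user": "bob@contoso.example", "session_id": "S2",
     "ip": "203.0.113.20", "asn": 64496, "mfa": FRESH_MFA},
    {"ts": "2024-05-20T09:30:00Z", "user": "bob@contoso.example", "session_id": "S2",
     "ip": "203.0.113.21", "asn": 64496, "mfa": TOKEN_CLAIM},
    # Benign: a new session with fresh MFA from another network the next day.
    {"ts": "2024-05-21T08:00:00Z", "user": "alice@contoso.example", "session_id": "S3",
     "ip": "198.51.100.5", "asn": 64500, "mfa": FRESH_MFA},
]

# ASNs treated as unexpected origins for interactive users (hosting
# providers, anonymising proxies). Assumed list for the example.
HOSTING_ASNS = {64500}


def _ts(rec):
    return datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")


def find_session_replay(records, window=timedelta(hours=1)):
    """Compare every later sign-in in a session with the one that first
    satisfied MFA. A network change inside `window` where the later
    sign-in only reused the token claim is reported; an origin in
    HOSTING_ASNS raises severity, because real users rarely browse from
    a data centre while an attacker's AiTM proxy almost always does."""
    by_session = {}
    for r in records:
        by_session.setdefault(r["session_id"], []).append(r)

    findings = []
    for sid, recs in by_session.items():
        recs.sort(key=_ts)
        first = recs[0]
        for later in recs[1:]:
            gap = _ts(later) - _ts(first)
            if gap > window or later["asn"] == first["asn"]:
                continue
            if later["mfa"] != TOKEN_CLAIM:
                continue  # a fresh MFA completion means the real user re-authenticated
            findings.append({
                "session_id": sid,
                "user": later["user"],
                "first_ip": first["ip"],
                "later_ip": later["ip"],
                "minutes_after_mfa": int(gap.total_seconds() // 60),
                "severity": "high" if later["asn"] in HOSTING_ASNS else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_SIGNINS):
        print(finding)
```

Against the constructed records only Alice’s session S1 is reported (five minutes after MFA, from a hosting ASN, so high severity); Bob’s IP rotation inside one carrier and Alice’s fresh login the next day pass. The response the list above calls for is to revoke the session and require a strong interactive re-authentication, and Continuous Access Evaluation is what lets a token-consuming application act on that revocation promptly rather than at token expiry.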

3. The Exploitation of Applications

Threat actors are looking to exploit abandoned, unmonitored, and overprivileged cloud-based applications with insecure credentials to gain access to high-value resources.

Many organisations accumulate significant security debt in these applications. For instance, developers often grant broad permissions and embed credentials in code to streamline development and testing but neglect to address these vulnerabilities before the application is deployed.

Over the past year, Microsoft discovered that only 2.6% of workload identity permissions were utilised, while 51% of workload identities remained entirely inactive.

Between January and June 2024, Microsoft identified over 1.5 million credentials, including passwords and certificates, exposed in locations accessible to attackers, such as source code repositories. Notably, 18% of the code repositories Microsoft reviewed in the past year contained such secrets.

These findings highlight the critical need for secure development practices, such as avoiding the inclusion of secrets in code, securing test environments, minimising application permissions, and retiring unused applications and tenants.

Preventative actions to take:

  • Use managed identities (Azure managed service identities) in place of secrets shared among developers.
  • Manage permissions to ensure that all identities, including workload identities, are granted only the privileges necessary for their tasks.
  • Secure test environments and decommission unused applications and tenants.
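A first line of defence against secrets in code is a scanner in the pre-commit hook or CI pipeline. The block below is an added example, not Microsoft’s tooling, that scans a constructed source file for a few well-known credential formats plus a generic “secret-looking assignment” rule, and ranks generic hits by Shannon entropy so that template values such as “changeme” do not drown out real keys; the patterns and the sample file are assumptions made for the example.

```python
"""Scan source text for embedded credentials before it reaches a repository.

Added example, not Microsoft's tooling. The patterns cover a few
well-known credential shapes plus a generic 'secret-looking assignment'
rule; the sample file is constructed (the AWS key id is the one AWS uses
in its own documentation and is not live).
"""
import math
import re

PATTERNS = {
    # Fixed-format secrets: the format alone is strong evidence.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/=]{40,})"),
    # Generic: a secret-ish variable assigned a quoted literal of 8+ chars.
    "hardcoded_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|client[_-]?secret|token)\w*"
        r"\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"),
}
# Values that are clearly templates; only applied to the generic rule.
PLACEHOLDER_MARKERS = ("changeme", "example", "placeholder", "<", "${", "{{", "xxxx")

# Constructed sample file (line numbers start at 1 with 'import os').
SAMPLE_SOURCE = '''\
import os
# constructed sample file, not real credentials
DB_PASSWORD = os.environ.get("DB_PASSWORD")  # fine: read from the environment
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS's documented example key id
client_secret = "changeme"  # template value, skipped by the generic rule
api_key = "sk_live_4f9d2c7b1e8a6d3f0c5b9a2e7d1f4c8b"  # high-entropy literal
CONN = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFy;EndpointSuffix=core.windows.net"
PEM_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
'''


def shannon_entropy(value):
    """Bits per character; random secrets sit well above prose or words."""
    if not value:
        return 0.0
    total = len(value)
    return -sum((n / total) * math.log2(n / total)
                for n in (value.count(c) for c in set(value)))


def scan_source(text):
    """Return findings in line order. The matched value is never stored in
    full, only a short preview, so the scanner's own output does not
    become another place the secret leaks."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                if kind == "hardcoded_assignment" and any(
                        p in value.lower() for p in PLACEHOLDER_MARKERS):
                    continue
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "preview": value[:6] + "...",
                    "entropy": round(shannon_entropy(value), 2),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

On the sample file this reports the AWS key id on line 4, the live-looking API key on line 6 (entropy above 4 bits per character), the storage account key on line 7 and the private key header on line 8, while the environment lookup on line 3 and the placeholder on line 5 pass. Wire the same function into a pre-commit hook and fail the commit on any finding; the entropy score is there to order triage, not to suppress fixed-format hits.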

Most Common Social Engineering Tactics Impacting Identity Security

Social engineering continues to pose a persistent threat to organisations and cannot be fully mitigated through technology alone. As a result, comprehensive training and education—both for helpdesk staff and end-users—are crucial in preventing attackers from exploiting human vulnerabilities. Below are some of the most prominent tactics observed by Microsoft.

1. Teams and Skype Phishing

Phishing techniques continue to diversify, including QR codes and collaboration platforms such as Teams and Skype. Microsoft has observed threat actors using previously compromised tenants to create new onmicrosoft.com tenants with tech-support themes. These malicious tenants are then used to send harmful files, links and requests, with the aim of stealing user credentials or obtaining MFA approvals.

Preventative actions to take:

  • Educate users on phishing tactics and perform phishing simulation training.
  • Restrict tenant communication by limiting Teams external access to known and trusted tenants (Teams external access allow lists and Entra cross-tenant access settings) rather than leaving federation open to any tenant.
  • Use Microsoft Defender for Office 365 (including Safe Links, which rewrites and scans URLs in Teams messages as well as email) or equivalent tools to detect and block malicious messages, files and links.
  • Set up alerts for unusual account behaviour, such as multiple failed login attempts or logins from unusual locations.
  • Regularly update Teams, Skype, and other collaboration tools to patch vulnerabilities.
  • Ensure endpoint security solutions are up to date to block malware or phishing payloads.

2. SIM Swapping

The growth in MFA adoption has pushed threat actors to find alternative ways of impersonating users. One increasingly popular tactic, led by groups such as Octo Tempest, is SIM swapping. In this attack the threat actor convinces a mobile carrier to move the victim’s phone number onto a SIM in the attacker’s possession. To succeed, the attacker first gathers personal information about the target in order to answer the carrier’s security questions and take control of the account.

Once the SIM is under their control, the attacker can intercept MFA codes and one-time passcodes, granting them access to the victim’s accounts. Maintaining strong operational security is essential to preventing such attacks. Individuals should regularly monitor their online presence to identify and remove publicly available information that could be used by threat actors for impersonation.

Preventative actions to take:

  • Secure mobile carrier accounts with a PIN or password, including any port-out or number-transfer PIN the carrier offers.
  • Enable alerts for changes to mobile accounts, such as SIM swaps.
  • Stop relying on SMS or voice-call codes for MFA; prefer authenticator apps or phishing-resistant methods, since a SIM swap defeats any code delivered to the phone number.
  • Enforce least privilege for data access, limiting exposure of sensitive information to employees, systems and external parties on a need-to-know basis.

3. Helpdesk Social Engineering

Microsoft has observed a rise in threat actors targeting helpdesks, impersonating users to request password resets or register new MFA devices. Over the past year, more than half of all Microsoft Incident Response engagements attributed to Octo Tempest were linked to helpdesk social engineering tactics. In response, many helpdesks have implemented additional verification measures, such as requiring video calls. However, the growing prevalence of deepfake technology allows attackers to mimic a victim’s voice, image, and video, making even these advanced identity verification methods increasingly vulnerable.

Octo Tempest and similar threat actors have also been observed directly communicating with senior executives and other key individuals involved in investigations. These interactions are often part of extortion campaigns or efforts to obtain sensitive credentials. In cases involving extortion, threat actors may further exploit their victims by sending coercive text messages to apply pressure and demand payment.

Preventative actions to take:

  • Transition to passwordless authentication, as conventional MFA alone is insufficient to ensure security.
  • Implement phishing-resistant MFA for administrators.
  • Review and enhance helpdesk password reset procedures.
  • Conduct regular training and tabletop exercises to prepare for these attacks.
  • Thoroughly assess key suppliers involved in SIM card and helpdesk services.

4. AiTM Credential Phishing

Microsoft continues to observe high-volume credential phishing attacks leveraging AiTM capabilities, often executed through phishing-as-a-service (PhaaS) platforms. These campaigns are delivered daily via email, with tens to hundreds of millions of phishing messages sent each month. In 2024, the top five PhaaS kits by email volume were Caffeine, Tycoon, Greatness, NakedPages and Dadsec.

While the top platforms have remained largely consistent between 2023 and 2024, notable changes have occurred:

  • Dadsec disappeared from Microsoft’s tracking in late 2023. In January 2024, its operator, Storm-1575, rebranded the service as Rockstar2FA, resuming operations with updates to phishing techniques and client communication channels.
  • In May 2024, NakedPages was discontinued by its operator, Storm-1101, who claimed to have shared its source code with former support staff. At least one of these individuals has since launched a new phishing service based on that code.
  • Caffeine was rebranded as ONNX in January 2024, with updated communication channels and a new feature allowing customers to use their own domains, complicating tracking efforts. By May, Tycoon surpassed ONNX in phishing email volume. In June, Caffeine’s operator, Storm-0867, abruptly ceased operations after their identity was exposed in a DarkAtlas blog post.

Phishing actors have continued to rely on HTML and PDF attachments to evade detection and deliver malicious content:

  • HTML Attachments: These files often contain URLs redirecting recipients to phishing pages or code that downloads and displays phishing content when opened. HTML files are frequently hidden within ZIP files, Microsoft Office documents, or multiple layers of email attachments.
  • PDF Attachments: These typically include URLs leading to phishing pages, sometimes through a series of redirects or captcha checks, though occasionally directing straight to malicious domains. Like HTML files, PDFs are often embedded within other file types or hosted on legitimate file-sharing platforms accessed via links in the phishing email.

The evolution of these platforms and techniques highlights the continued sophistication of phishing campaigns and the challenges in detecting and mitigating these threats.
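Detecting these lures means looking inside the attachment rather than trusting its declared type. The following is an added example, not the report’s or any vendor’s code, that parses a constructed message, unpacks ZIP attachments to a bounded depth, identifies HTML and PDF content by extension or file signature, extracts the URLs each would send the recipient to, and returns a deliver/flag/quarantine verdict. The sample message, its .invalid domains and the hand-written PDF are constructed for the example.

```python
"""Unpack a mail's attachments, look inside ZIP archives for HTML or PDF
lures, and pull out the URLs they would send the recipient to.

Added example, not from the report or any vendor product. The message is
constructed in build_sample_message(): .invalid domains, and a minimal
hand-written PDF whose link annotation carries a /URI action (where PDF
readers find clickable links).
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
HTML_EXT = (".html", ".htm", ".shtml")
MAX_ARCHIVE_DEPTH = 3  # nested ZIPs are a classic way to tire out scanners


def urls_in_html(data):
    return sorted(set(URL_RE.findall(data.decode("utf-8", "replace"))))


def urls_in_pdf(data):
    return sorted(m.decode("latin-1") for m in set(PDF_URI_RE.findall(data)))


def inspect_blob(name, data, depth=0):
    """Classify one attachment (or archive member) by extension or signature."""
    low = name.lower()
    head = data[:64].lstrip().lower()
    findings = []
    if low.endswith(".zip") or data.startswith(b"PK\x03\x04"):
        if depth >= MAX_ARCHIVE_DEPTH:
            return [{"path": name, "kind": "zip-too-deep", "urls": [], "nested": True}]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        findings += inspect_blob(f"{name}/{info.filename}", zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            findings.append({"path": name, "kind": "corrupt-zip", "urls": [], "nested": depth > 0})
    elif low.endswith(HTML_EXT) or head.startswith((b"<!doctype html", b"<html")):
        findings.append({"path": name, "kind": "html", "urls": urls_in_html(data), "nested": depth > 0})
    elif low.endswith(".pdf") or data.startswith(b"%PDF"):
        findings.append({"path": name, "kind": "pdf", "urls": urls_in_pdf(data), "nested": depth > 0})
    return findings


def inspect_message(raw):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        findings += inspect_blob(part.get_filename() or "unnamed", part.get_payload(decode=True))
    return findings


def verdict(findings):
    result = "deliver"
    for f in findings:
        if f["kind"] in ("zip-too-deep", "corrupt-zip"):
            return "quarantine"  # the scanner could not see inside
        if f["kind"] == "html" and (f["nested"] or f["urls"]):
            return "quarantine"  # HTML hidden in an archive or redirecting out
        if f["kind"] == "pdf" and f["urls"]:
            result = "flag"  # hold for URL reputation checks / detonation
    return result


def build_sample_message():
    """Constructed phishing-style mail: a zipped HTML lure plus a PDF link."""
    html = (b'<html><head><meta http-equiv="refresh" '
            b'content="0;url=https://login.example.invalid/auth"></head>'
            b'<body><a href="https://login.example.invalid/auth?u=victim">'
            b'Review document</a></body></html>')
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_4471.html", html)
    pdf = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
           b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
           b"3 0 obj<</Type/Page/Parent 2 0 R/Annots[4 0 R]>>endobj\n"
           b"4 0 obj<</Type/Annot/Subtype/Link/Rect[0 0 100 20]"
           b"/A<</S/URI/URI (https://docs.example.invalid/view)>>>>endobj\n"
           b"trailer<</Root 1 0 R>>\n%%EOF\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="Invoice_4471.zip")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="Invoice_4471.pdf")
    return msg.as_bytes()
```

Running `verdict(inspect_message(build_sample_message()))` returns `"quarantine"`: the HTML file inside the ZIP carries a meta-refresh and a link to the lure site, and the PDF’s link annotation is surfaced alongside it for URL scanning. Two design choices matter in practice: the content sniff on the first bytes catches HTML renamed to `.txt` or `.doc`, and the depth limit turns a recursively nested archive into a quarantine rather than a time-out.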

Preventative actions to take:

  • Quarantine or flag emails containing suspicious HTML or PDF attachments.
  • Use real-time URL scanning to detect phishing pages or malicious domains.
  • Leverage phishing-resistant MFA methods, such as FIDO2 keys.
  • Monitor the activities of known PhaaS kits (e.g., ONNX, Tycoon) and adapt defenses to the latest techniques and trends.
  • Conduct regular simulated phishing campaigns to train employees on recognising and reporting phishing attempts.
  • Restrict the delivery of high-risk file types (e.g., HTML, PDF in ZIP files) in emails or scan them thoroughly before allowing user access.
  • Block access to known malicious domains through web proxy or DNS filtering.
  • Conduct adversary emulation exercises to test your defenses against AiTM and PhaaS tactics.
  • Regularly update software, especially email systems and web browsers, to mitigate vulnerabilities exploited in phishing campaigns.

Strengthening Defenses Against Identity Attacks

Identity security is a critical component of modern cybersecurity. As threat actors employ increasingly advanced techniques, organisations must adopt robust authentication methods, improve monitoring capabilities, and foster a culture of security awareness to stay ahead of these evolving threats.

How mobco Can Help

At mobco, we specialise in enhancing your organisation’s Identity Management to safeguard your critical assets. Our comprehensive Identity services are designed to protect your users’ identities by leveraging robust, secure solutions.

Take control of your identity security today. Get in touch with us to learn how we can help protect your organisation from identity attacks.




