SOCRadar® Cyber Intelligence Inc. | Top 10 Identity Attack Techniques Used by Hackers
Jun 01, 2026
13 Mins Read

Top 10 Identity Attack Techniques Used by Hackers

Most cyberattacks today start with a compromised identity. Stolen passwords, hijacked sessions, forged authentication tokens, and bypassed MFA are now the primary tools in a threat actor’s arsenal.

As organizations move to cloud and hybrid environments, the identity layer has become the most targeted attack surface in cybersecurity. Identity threats have evolved far beyond simple password theft.

Today’s identity-based attacks target every stage of the authentication chain, from initial credential access to post-authentication token abuse and privilege escalation through Active Directory.

1. Phishing and Spear-Phishing

Phishing is the oldest trick in the book, and it still works. Attackers send fraudulent emails, SMS messages, or chat messages that lead victims to fake login pages designed to harvest their credentials. Spear-phishing is the targeted version: the attacker studies a specific person or role using open-source intelligence, then crafts a message that feels personal enough to bypass suspicion.

How Scattered Spider Took Down a Retail Giant

In April 2025, British retailer Marks & Spencer was hit by a ransomware attack that forced the company to suspend online orders; M&S put the impact at an estimated £300m in operating profit.

The breach was attributed to Scattered Spider, a group known for its social engineering expertise. The attackers did not break through M&S’s perimeter defenses directly. Instead, they phished employees at a third-party IT vendor, Tata Consultancy Services (TCS), and used the stolen credentials to access M&S’s network.

Once inside, they impersonated M&S staff and convinced the IT helpdesk to reset passwords, giving them the foothold they needed to escalate privileges and eventually deploy DragonForce ransomware.

Scattered Spider Threat Actor Card

2. Password Spraying

Password spraying flips the brute-force model. Instead of trying thousands of passwords against one account (and triggering a lockout), the attacker tries a handful of common passwords across thousands of accounts, pacing each round so that no single account crosses the lockout threshold inside its observation window. It is a slow, quiet technique that works especially well against legacy authentication endpoints, service accounts, and identity providers that lack MFA, because each account sees only one or two failures and per-account alerting never fires.
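The difference between spraying and brute force is visible in sign-in telemetry once you aggregate by source rather than by account: a spray has wide fan-out (many accounts, a failure or two each, all below the lockout threshold), a brute-force run has depth (one account, many failures). The following detector is an added example written for this article, not SOCRadar code or any product's rule; the sign-in events are constructed inline, and the thresholds (`lockout_threshold`, `spray_min_users`, `brute_min_failures`) are assumed values to tune against your own baseline.

```python
"""Classify failed sign-ins per source IP as password spraying or brute force (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events, not real telemetry: (utc_timestamp, username, source_ip, result)
EVENTS = []
_T0 = datetime(2025, 1, 15, 1, 0, 0)

# Spray: one IP runs two rounds (one common password per round) against 12 accounts,
# 45 minutes apart, so no account reaches an assumed 5-failures-in-30-minutes lockout.
for rnd in range(2):
    for i in range(12):
        EVENTS.append((_T0 + timedelta(minutes=45 * rnd, seconds=i), f"user{i:02d}",
                       "203.0.113.10", "failure"))

# Brute force: one IP hammering a single service account.
for i in range(25):
    EVENTS.append((_T0 + timedelta(minutes=10, seconds=3 * i), "svc-backup",
                   "198.51.100.7", "failure"))

# Benign: a mistyped password followed by a successful sign-in.
EVENTS.append((_T0 + timedelta(minutes=20), "alice", "192.0.2.44", "failure"))
EVENTS.append((_T0 + timedelta(minutes=21), "alice", "192.0.2.44", "success"))


def summarize_by_source(events, window=timedelta(hours=24)):
    """Per source IP: distinct accounts targeted, total failures, and the worst failure count for one account."""
    if not events:
        return {}
    end = max(ts for ts, *_ in events)
    start = end - window
    per_ip = defaultdict(lambda: defaultdict(int))  # ip -> username -> failures
    for ts, user, ip, result in events:
        if result == "failure" and start <= ts <= end:
            per_ip[ip][user] += 1
    return {
        ip: {"distinct_users": len(users),
             "failures": sum(users.values()),
             "max_per_user": max(users.values())}
        for ip, users in per_ip.items()
    }


def classify_sources(events, lockout_threshold=5, spray_min_users=10, brute_min_failures=10):
    """Spray = wide fan-out that stays under the lockout; brute force = deep hammering of one account."""
    labels = {}
    for ip, s in summarize_by_source(events).items():
        if s["distinct_users"] >= spray_min_users and s["max_per_user"] < lockout_threshold:
            labels[ip] = "password_spray"
        elif s["max_per_user"] >= brute_min_failures:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "benign"
    return labels


if __name__ == "__main__":
    summary = summarize_by_source(EVENTS)
    for ip, label in classify_sources(EVENTS).items():
        print(f"{ip:15} {label:15} {summary[ip]}")
```

Keying on source IP catches the single-box spray shown here but not one spread across residential proxies; the same aggregation should also be run tenant-wide (how many distinct accounts failed exactly once or twice in the window, compared with the daily baseline) and keyed on ASN, and the spray branch should win even when the source is "trusted", since the whole point of the technique is to look like ordinary user mistakes.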

Password spraying vs. brute-force

An Iranian Campaign Against Defense and Space

Between April and July 2024, Iranian state-sponsored actor Peach Sandstorm (also tracked as APT33, Refined Kitten, and HOLMIUM) carried out a sustained password spraying campaign against organizations in the defense, space, education, and government sectors in the United States and Australia.

Microsoft Threat Intelligence noted that the group had been running password spray campaigns since at least February 2023, but the 2024 wave introduced a notable escalation. Once inside, the attackers deployed a custom multi-stage backdoor called Tickler, hosted command-and-control infrastructure on fraudulently created Azure subscriptions, and conducted social engineering on LinkedIn by posing as students, developers, and recruiters.

3. Credential Stuffing

People reuse passwords, and attackers know this. Credential stuffing takes username-password pairs leaked from one breach and replays them against unrelated services at scale. The success rate is low on a per-account basis, but when you’re testing millions of pairs, even a fraction of a percent translates into thousands of compromised accounts.

Credential Stuffing Attack

Reused Passwords Cost Retirees Half a Million

Over the weekend of March 29-30, 2025, a coordinated wave of credential stuffing attacks hit multiple major Australian superannuation (pension) funds, including AustralianSuper, Rest Super, Hostplus, Australian Retirement Trust, and Insignia Financial. The attackers used credentials stolen in unrelated prior breaches to log into member accounts.

AustralianSuper reported that around 600 accounts were compromised and roughly A$500,000 was drained from four member accounts. Rest Super confirmed that approximately 8,000 members had limited personal information accessed before the portal was shut down. The key failure was that AustralianSuper did not require MFA for member login, despite prior warnings from regulators to implement it.

4. Adversary-in-the-Middle (AiTM) Phishing Attacks

AiTM phishing is what happens when attackers decide that stealing passwords alone is not enough. A reverse proxy (tools like Evilginx, EvilProxy, or Tycoon 2FA) sits between the victim and the real identity provider. The victim logs in normally, completes the MFA challenge, and receives a session cookie, but every byte passes through the proxy, which captures the username, password, MFA response, and session token. The attacker replays that cookie and is treated as an already-authenticated user, so no further MFA challenge is raised, and the victim, who just completed a genuine login, notices nothing. Because the proxy relays whatever the user types, one-time codes and push approvals offer no protection. Only origin-bound credentials such as FIDO2/WebAuthn resist it: the browser ties the assertion to the domain it is actually on, and the phishing domain is not the one the credential was registered to.
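The reason FIDO2/WebAuthn survives a reverse proxy is concrete: the browser, not the page, writes the `origin` into `clientDataJSON`, and the authenticator hashes the relying-party ID into `authenticatorData`; the server checks both. The snippet below is an added example written for this article, not SOCRadar code or a WebAuthn library; it implements only the binding checks on the relying-party side (the signature check over `authenticatorData || SHA-256(clientDataJSON)` with the stored public key is deliberately omitted, as noted in the code), and the domain names, challenge, and flags are constructed.

```python
"""Why an AiTM proxy cannot replay a WebAuthn assertion: origin and rpId binding (added example)."""
import base64
import hashlib
import json

RP_ID = "login.example.com"                 # assumed relying-party ID
ORIGIN = "https://login.example.com"        # origin the credential was registered on
CHALLENGE = b"\x11" * 32                    # constructed; real RPs use os.urandom(32) per ceremony


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Mimics what the browser builds. The origin is filled in by the browser from the
    page it is on; page JavaScript (or a proxy kit) cannot choose it."""
    payload = {"type": "webauthn.get", "challenge": b64url(challenge),
               "origin": origin, "crossOrigin": False}
    return b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))


def make_authenticator_data(rp_id: str, sign_count: int = 7, flags: int = 0x05) -> bytes:
    """rpIdHash(32) || flags(1) || signCount(4); flags 0x05 = user present + user verified."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion_binding(client_data_b64: str, auth_data: bytes,
                             expected_origin: str, rp_id: str, expected_challenge: bytes):
    """Relying-party checks that tie an assertion to one origin, one rpId and one login attempt."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong_type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge_mismatch"           # stale or replayed assertion
    if cd.get("origin") != expected_origin:
        return False, "origin_mismatch"              # the AiTM case
    if auth_data[:32] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False, "rp_id_hash_mismatch"
    if not auth_data[32] & 0x01:
        return False, "user_presence_missing"
    # Omitted here: verify signature over auth_data + sha256(clientDataJSON) with the
    # credential's registered public key (needs a crypto library; not part of this example).
    return True, "ok"


def legit_login():
    return verify_assertion_binding(make_client_data(ORIGIN, CHALLENGE),
                                    make_authenticator_data(RP_ID), ORIGIN, RP_ID, CHALLENGE)


def proxied_login():
    # Victim's browser is on the phishing host, so that host becomes the origin in clientDataJSON.
    # (In practice the browser also refuses to use rpId "login.example.com" from this origin,
    # so the ceremony fails client-side; the server-side check is the backstop.)
    phishing_origin = "https://login.example-com.net"
    return verify_assertion_binding(make_client_data(phishing_origin, CHALLENGE),
                                    make_authenticator_data(RP_ID), ORIGIN, RP_ID, CHALLENGE)


def replayed_login():
    # Same assertion presented against a fresh server challenge.
    return verify_assertion_binding(make_client_data(ORIGIN, CHALLENGE),
                                    make_authenticator_data(RP_ID), ORIGIN, RP_ID, b"\x22" * 32)


if __name__ == "__main__":
    print("legit   ", legit_login())
    print("proxied ", proxied_login())
    print("replayed", replayed_login())
```

Contrast this with a TOTP code or a push approval: neither carries the origin, so the proxy forwards it to the real IdP unchanged and it verifies. That asymmetry, not code length or entropy, is what "phishing-resistant" means.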

Adversary-in-the-Middle (AiTM) phishing technique

The Phishing-as-a-Service Platform Behind 30 Million Emails a Month

Tycoon 2FA phishing-as-a-service platform became the most widespread AiTM phishing operation on record following its emergence in August 2023. Sold as a subscription service, it gave thousands of cybercriminals access to ready-made phishing kits that proxied live authentication sessions against Microsoft 365, Outlook, and Gmail, capturing credentials, MFA codes, and session cookies in real time.

By mid-2025, Tycoon 2FA accounted for roughly 62% of all phishing attempts blocked by Microsoft, with over 30 million malicious emails intercepted in a single month. Campaigns using Tycoon 2FA have appeared across nearly all sectors, including education, healthcare, finance, non-profit, and government.

In March 2026, Europol, Microsoft, and a coalition of security partners seized 330 domains forming the platform’s backbone.

5. MFA Fatigue (Push Bombing)

MFA fatigue exploits a simple human weakness: annoyance. The attacker already has the victim’s credentials (usually bought from infostealer markets or stolen through phishing) and repeatedly triggers MFA push notifications, often late at night, until the target, overwhelmed or confused, taps “Approve” just to make it stop. Often the attacker follows up with a WhatsApp message or phone call impersonating IT support, coaching the victim to accept. Number matching (the user must type a code shown on the login screen into the app) defeats the blind tap, because the attacker, not the victim, is looking at that screen.
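Push bombing has a telemetry signature that per-login alerting misses: a burst of prompts for one user, several denials or timeouts, and then an approval. The detector below is an added example written for this article, not SOCRadar code or any IdP's built-in rule; the push events and their schema (`approved`/`denied`/`timeout`) are constructed, and the window and thresholds are assumed values.

```python
"""Detect MFA push bombing from push-notification outcomes (added example)."""
from datetime import datetime, timedelta

# Constructed MFA push events, not real telemetry: (utc_timestamp, username, result)
_T0 = datetime(2025, 3, 3, 2, 10, 0)   # 02:10 local-ish: attackers like to push at night
PUSH_EVENTS = [(_T0 + timedelta(seconds=40 * i), "cfo", "denied" if i < 4 else "timeout")
               for i in range(11)]
PUSH_EVENTS.append((_T0 + timedelta(seconds=40 * 11), "cfo", "approved"))   # the victim gives in
PUSH_EVENTS += [
    (_T0 + timedelta(minutes=5), "bob", "approved"),            # ordinary sign-in
    (_T0 + timedelta(hours=3), "bob", "denied"),                # one stray denial, hours later
    (_T0 + timedelta(hours=3, minutes=1), "bob", "approved"),   # then a normal approval
]


def detect_push_bombing(events, window=timedelta(minutes=10), max_prompts=5, min_denials=2):
    """Flag users with a burst of prompts, and especially an approval after repeated denials.

    Returns {user: {"prompts_in_window": n, "approved_after_denials": bool}}.
    """
    history = {}
    for ts, user, result in sorted(events):
        history.setdefault(user, []).append((ts, result))

    findings = {}
    for user, hist in history.items():
        for i, (ts, result) in enumerate(hist):
            recent = [r for t, r in hist[: i + 1] if ts - t <= window]
            prompts, denials = len(recent), recent.count("denied")
            burst = prompts >= max_prompts
            gave_in = result == "approved" and denials >= min_denials
            if burst or gave_in:
                f = findings.setdefault(user, {"prompts_in_window": 0, "approved_after_denials": False})
                f["prompts_in_window"] = max(f["prompts_in_window"], prompts)
                f["approved_after_denials"] = f["approved_after_denials"] or gave_in
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_bombing(PUSH_EVENTS).items():
        print(user, finding)
```

The `approved_after_denials` case is the one to page on: it means the credentials are already in the attacker's hands and a session was just minted, so the response is to revoke that user's sessions and refresh tokens, not merely to reset the password.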

How an MFA Fatigue Attack Gave a Teenager Full Access to Uber’s Internal Systems

In September 2022, an 18-year-old affiliated with Lapsus$ purchased the stolen credentials of an Uber contractor on the Dark Web. The attacker then flooded the contractor with MFA push notifications while simultaneously contacting them on WhatsApp, posing as Uber IT. The contractor approved a prompt. From there, the attacker accessed Uber’s internal systems, Slack, and admin dashboards.

6. Token Theft and Session Hijacking

Authentication happens once. After that, everything runs on tokens: OAuth access tokens, refresh tokens, session cookies, and, on Entra-joined Windows devices, Primary Refresh Tokens. If an attacker steals one of those, they skip the login entirely: no password, no MFA challenge, and often no new interactive sign-in event for a detection to key on. They simply present the token, and the service treats them as a legitimate, already-authenticated user until the token expires or is revoked.
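Because a replayed token produces no fresh sign-in, the detection has to come from how the session is used: the same session identifier suddenly appearing from a different network and a different client than the one it was issued to. The code below is an added example written for this article, not SOCRadar code or any product's rule; the session-usage records, the ASN values, and the binding policy are constructed and assumed.

```python
"""Detect session-token replay by binding each session to the client that first used it (added example)."""
from datetime import datetime, timedelta

# Constructed session-usage records, not real telemetry:
# (utc_timestamp, session_id, username, source_ip, asn, user_agent)
_T0 = datetime(2025, 4, 16, 9, 0, 0)
SESSION_EVENTS = [
    (_T0, "sess-a1", "alice", "192.0.2.10", "AS64496", "Chrome/124 Windows"),
    (_T0 + timedelta(minutes=5), "sess-a1", "alice", "192.0.2.10", "AS64496", "Chrome/124 Windows"),
    # The same cookie replayed by whoever bought the stealer log: new network, different client.
    (_T0 + timedelta(minutes=12), "sess-a1", "alice", "203.0.113.77", "AS64500", "Chrome/120 Linux"),
    # Bob changes IP inside the same network: not suspicious on its own.
    (_T0 + timedelta(minutes=1), "sess-b2", "bob", "198.51.100.20", "AS64497", "Safari/17 macOS"),
    (_T0 + timedelta(minutes=30), "sess-b2", "bob", "198.51.100.21", "AS64497", "Safari/17 macOS"),
    # Carol moves networks but keeps the same client: worth a step-up, not a revoke.
    (_T0 + timedelta(minutes=2), "sess-c3", "carol", "192.0.2.50", "AS64496", "Firefox/125 Windows"),
    (_T0 + timedelta(minutes=40), "sess-c3", "carol", "203.0.113.9", "AS64500", "Firefox/125 Windows"),
]


def find_session_anomalies(events):
    """Bind each session to the ASN and user agent seen at first use; report later uses that differ.

    Returns {session_id: [reasons]} for sessions with at least one deviation.
    """
    first_seen = {}
    anomalies = {}
    for ts, sid, user, ip, asn, ua in sorted(events):
        if sid not in first_seen:
            first_seen[sid] = (asn, ua)
            continue
        asn0, ua0 = first_seen[sid]
        reasons = []
        if ua != ua0:
            reasons.append("user_agent_change")
        if asn != asn0:
            reasons.append("asn_change")
        for reason in reasons:
            if reason not in anomalies.setdefault(sid, []):
                anomalies[sid].append(reason)
    return anomalies


def response_for(reasons):
    """Assumed policy: a client change means replay, so revoke; a network change alone gets a re-auth."""
    if "user_agent_change" in reasons:
        return "revoke_session_and_refresh_tokens"
    if "asn_change" in reasons:
        return "require_reauthentication"
    return "none"


if __name__ == "__main__":
    for sid, reasons in find_session_anomalies(SESSION_EVENTS).items():
        print(sid, reasons, "->", response_for(reasons))
```

A binding this coarse will have false positives (VPN toggles, browser updates), which is why the policy steps up rather than blocks on a network change alone. The stronger fix is to stop the token from being portable at all: device-bound tokens such as token protection for Entra sign-in sessions, and short-lived access tokens with continuous access evaluation, so that a stolen artifact is worth little by the time it is sold.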

How Infostealer-Harvested Credentials Gave Attackers Access to 165 Snowflake Customer Environments

Starting in mid-April 2024, a financially motivated threat actor tracked as ShinyHunters (Mandiant’s UNC5537) used credentials harvested by infostealer malware, some dating back to 2020, to log into Snowflake cloud data warehouse instances belonging to more than 165 organizations.

ShinyHunters Threat Actor Card

There was no zero-day, no infrastructure compromise at Snowflake itself. The attackers simply replayed stolen credentials against accounts that lacked MFA.

The victims included AT&T (call and text metadata for nearly all of its wireless customers), Ticketmaster (560 million customer records), Santander Bank (30 million customer files), Advance Auto Parts, and Neiman Marcus. The majority of compromised credentials came from historical infostealer infections by various malware families.

ShinyHunters then extorted the victims and auctioned the stolen data on cybercrime forums. Two individuals were later arrested: Connor Riley Moucka in Canada and John Erin Binns in Turkiye.

7. Kerberoasting

In Active Directory environments, any authenticated domain user can request a Kerberos service ticket (TGS) for any Service Principal Name (SPN), and the KDC will issue it regardless of whether the requester is authorized to use the service. Part of that ticket is encrypted with a key derived from the service account’s password. An attacker extracts the ticket and cracks it offline at full GPU speed, with no account lockout and, by default, no alert. RC4-encrypted tickets (etype 0x17) are the preferred target because the key is simply the account’s NT hash; AES tickets require PBKDF2 and crack orders of magnitude slower. If the service account uses a weak or stale password, the attacker may recover it within hours, sometimes minutes.

From Service Account to Domain Admin: Akira’s Identity Attack Playbook

Akira ransomware affiliates have made Kerberoasting a standard part of their playbook. The joint CISA/FBI/Europol/NCSC-NL advisory (AA24-109A) documents the technique across 250+ victims.

Akira ransomware Threat Actor Card

Akira operators have been unusually transparent about it: in ransom-note chat logs, they have told victims outright that initial access was purchased on the Dark Web and that Kerberoasting gave them domain admin. Named victims include Stanford University, where the breach exposed personal data of 27,000 individuals.

8. Golden Ticket / Silver Ticket Attacks (and Golden SAML)

A Golden Ticket is forged using the KRBTGT account’s password hash, and it lets the attacker impersonate any user in the domain. A Silver Ticket does the same at the service level using individual service-account hashes, trading breadth for stealth. Golden SAML is the cloud equivalent: steal the ADFS token-signing certificate, forge SAML assertions, and walk into any federated SaaS application as any user, completely bypassing MFA.

Mechanisms of Golden / Silver Ticket Attacks

How Russia’s SVR Used Golden SAML to Bypass MFA and Access Federal Agencies

During the SolarWinds campaign in 2020, Russia’s SVR used Golden SAML against multiple victims after compromising on-premises ADFS servers. CISA’s official advisory confirms the method and states that the attackers stole the ADFS token-signing certificate, forged SAML tokens, and moved laterally into Microsoft 365 environments. The U.S. Department of the Treasury was among the named victims.

9. DCSync

DCSync abuses Active Directory replication protocols to request password-hash data directly from a domain controller. With replication privileges, typically obtained through a compromised Domain Admin or delegated replication rights, an attacker can retrieve hashes for any account in the domain, including KRBTGT. That hash can then be used to forge Golden Tickets and maintain persistent domain access.

Because the technique operates remotely over normal replication channels (the MS-DRSR protocol), it leaves few filesystem artifacts on the target domain controller; nothing touches NTDS.dit on disk. The reliable detection is directory-service auditing on the domain controllers themselves: Event ID 4662 showing the DS-Replication-Get-Changes rights being exercised by any account that is not a domain controller or a known sync account. The main difference between DCSync and Golden/Silver Ticket attacks is that DCSync is a credential extraction technique, while Golden Ticket, Silver Ticket, and Golden SAML are token forgery techniques.
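The 4662 event names the control-access rights exercised as GUIDs in its Properties field, and the replication rights DCSync must use have fixed, well-known GUIDs in the AD schema. The rule below is an added example written for this article, not SOCRadar code or a vendor rule; the 4662 records are constructed dictionaries, and the domain-controller account list and `MSOL_` allowlist prefix (the naming convention of the Entra Connect sync account) are assumptions you would replace with your own inventory.

```python
"""Detect DCSync from Event ID 4662 (directory service object access) records (added example)."""
import re

# Well-known control-access-right GUIDs from the AD schema that replication requires.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"        # needed for secrets
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                      DS_REPLICATION_GET_CHANGES_FILTERED}
USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"   # an unrelated control-access right

# Constructed Event ID 4662 records, not real logs. AccessMask 0x100 = Control Access.
AUDIT_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": f"Control Access\r\n\t{{{DS_REPLICATION_GET_CHANGES}}}\r\n\t{{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_4f1e9c2b7a1d", "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": f"Control Access\r\n\t{{{DS_REPLICATION_GET_CHANGES}}}\r\n\t{{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": f"Control Access\r\n\t{{{DS_REPLICATION_GET_CHANGES}}}\r\n\t{{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": f"Control Access\r\n\t{{{USER_CHANGE_PASSWORD}}}"},      # benign: not a replication right
]

_GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def detect_dcsync(events, dc_accounts, allowlist_prefixes=("MSOL_",)):
    """Alert on replication rights exercised by anything other than a DC or an allowlisted sync account.

    dc_accounts: set of domain-controller machine account names, e.g. {"DC01$", "DC02$"}.
    Any other computer account (a compromised workstation granted replication rights) still alerts.
    """
    alerts = []
    for e in events:
        if e.get("EventID") != 4662 or e.get("AccessMask") != "0x100":
            continue
        rights = set(_GUID_RE.findall(e.get("Properties", "").lower())) & REPLICATION_RIGHTS
        if not rights:
            continue
        subject = e["SubjectUserName"]
        if subject in dc_accounts or subject.startswith(tuple(allowlist_prefixes)):
            continue
        alerts.append({"subject": f"{e.get('SubjectDomainName', '')}\\{subject}",
                       "rights": sorted(rights),
                       "secrets_readable": DS_REPLICATION_GET_CHANGES_ALL in rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(AUDIT_EVENTS, dc_accounts={"DC01$", "DC02$"}):
        print(alert)
```

Two things make this rule work in practice. The 4662 event only exists if the domain object's SACL audits Control Access for Everyone and "Audit Directory Service Access" is enabled on the DCs; check that before trusting silence. And the allowlist should be an explicit inventory, not a pattern: Storm-0501 in the case below went straight for the Entra Connect server precisely because its sync account legitimately holds these rights.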

DCSync attack flow

How Storm-0501 Used DCSync to Steal Domain Credentials and Pivot to the Cloud

In August 2025, Microsoft Threat Intelligence published a detailed case study of Storm-0501, a financially motivated actor that performs DCSync against enterprise victims, harvesting password hashes across several Active Directory domains before pivoting from on-premises infrastructure into Microsoft Entra ID to deploy hybrid-cloud ransomware.

The victim was a large enterprise composed of multiple subsidiaries, each running its own Active Directory domain connected through trust relationships. After gaining domain admin privileges, Storm-0501 performed a DCSync attack to request password hashes for any user in the domain, including privileged accounts.

The attack did not stop at on-prem. Using the extracted credentials, the actor compromised an Entra Connect Sync server, enumerated cloud identities and roles with AzureHound, then moved laterally across AD domains into a second tenant by compromising a second Entra Connect server. There they found a non-human synced identity holding the Global Administrator role in Entra ID with no MFA registered. They reset its on-premises password, let Entra Connect sync the change to the cloud, registered their own MFA method, and signed in from a hybrid-joined device to satisfy Conditional Access. From that point, Storm-0501 had full control of the cloud tenant.

10. SIM Swapping and MFA Bypass

SIM swapping is social engineering aimed at the weakest link in SMS-based MFA: the wireless carrier. The attacker convinces a carrier employee or bribes an insider to port the victim’s phone number to an attacker-controlled SIM card. Once the number is transferred, SMS verification codes, password reset codes, and MFA prompts are routed directly to the attacker. Victims often notice only after losing cellular service, by which point account takeover activity may already be underway.

How a SIM Swap Attack Hijacked the SEC’s Official Account and Moved the Bitcoin Market

On January 9, 2024, the official X account of the U.S. Securities and Exchange Commission posted that the SEC had approved Bitcoin ETFs for listing on all registered national securities exchanges, alongside a purported quote from Chairman Gary Gensler. Bitcoin briefly rose by more than $1,000 within minutes.

Tweet from hacked SEC X account

The problem was that the SEC had not approved anything yet. The post was fake, planted by attackers who had taken over the account through a SIM swap.

Eric Council Jr., a 25-year-old from Alabama, had created a fake ID using stolen personal information of an SEC staff member, walked into a carrier store in Huntsville, and obtained a new SIM card linked to the victim’s phone number. With control of the number, the conspirators reset the password for the @SECGov account and posted the fraudulent announcement. MFA had been disabled on the account since July 2023 due to access issues and was never re-enabled.

Conclusion

These ten techniques share a common thread: they all target identity, and most of them render traditional MFA insufficient on its own. AiTM phishing captures session tokens after MFA completes, push bombing tricks users into approving MFA prompts, and SIM swapping hijacks the MFA channel itself.

The defenses that hold up against this list are phishing-resistant MFA (FIDO2/WebAuthn) in place of SMS and plain push factors, conditional access with device compliance, a hardened Active Directory (AES-only service accounts with long random passwords, KRBTGT rotated twice in succession so that tickets signed with the old key stop validating, and replication rights restricted to domain controllers and audited sync accounts), and identity threat detection that catches Kerberoasting, DCSync, and anomalous token grants before the attacker reaches their objective.

But defense is only half the equation. Many of the techniques in this blog, especially credential stuffing, token theft, and session hijacking, rely on credentials stolen long before the attack itself. SOCRadar’s Identity Threat Landscape Report 2026 found over 4.6 billion records across analyzed stealer log datasets, with 809 million unique users. The infostealer families driving this (LummaC2, RedLine, Raccoon, Vidar, Stealc) all run as Malware-as-a-Service, making credential harvesting accessible to anyone.

This is where identity threat intelligence becomes critical. SOCRadar’s Identity & Access Intelligence module turns raw breach and stealer data into actionable insight: reconstructing infection chains mapped to MITRE ATT&CK, surfacing third-party SaaS credential exposures, and analyzing stolen session cookies to assess hijacking risk. When an attacker logs in with valid credentials, they look like a legitimate user. Knowing which credentials are already compromised is the difference between catching an identity attack in progress and reading about it in a breach notification.