When identity becomes the perimeter: breaking in without malware
The old model is dead. For decades, security was built on the same premise: a wall around the network, sensors at the edge, and the assumption that malicious code would trigger alerts. Malware was the primary threat; the firewall was the primary defense. If something malicious ran on an endpoint, EDR should catch it, SIEM should correlate it, and an analyst should investigate.

That model assumed attackers needed to exploit software vulnerabilities to gain entry. In 2026, that assumption is obsolete.
Malware is now optional
In 2026, a significant portion of confirmed breaches do not involve malware. Many initial access points trace back to compromised identities, stolen session tokens, or manipulated authentication factors.
Red teams at firms like Cyber Security Pentesting Inc. demonstrate this daily. In real-world penetration tests, valid credentials often eliminate the need for zero-day exploits entirely.
When an attacker logs in with stolen credentials, they remain invisible to traditional tools. EDR doesn’t flag them because they use legitimate processes; the firewall doesn’t block them because the traffic looks like a normal employee’s; and SIEM doesn’t alert because authentication events appear authorized.
This is the core shift: identity is the new perimeter. The boundary is no longer the network edge, but the authentication event. Once that line is crossed, controls designed to stop lateral movement often operate blind.
The challenge now is understanding how attackers compromise these identities and how defenders can respond.
The attacker’s toolchain
Modern identity-based attacks do not rely on sophisticated code. They rely on techniques that manipulate the authentication flow itself. Here are the four primary methods that define the 2026 threat landscape.
Adversary-in-the-Middle (AiTM) phishing
The most effective technique in targeted attacks is AiTM phishing, with tools like Evilginx making it highly accessible. The attack uses a reverse proxy: the victim authenticates to a spoofed legitimate login page, but traffic flows through an attacker-controlled server. The proxy forwards credentials to the real identity provider, the user completes MFA, and the attacker intercepts the resulting session token.
This attack is transparent to the victim. They see a normal login and approve a real MFA push notification, while a valid session cookie is captured in the background.
A recent example is the EvilTokens campaign (March 2026), which abused the Microsoft OAuth Device Code flow to obtain valid tokens without needing the victim’s credentials. The user authenticated legitimately, and the attacker intercepted the token post-authorization.
Pass-the-Cookie and token replay
Session cookies grant access until they expire. Specialized malware like Redline, Lumma, and Vidar can extract these cookies from browsers in seconds. The attacker then injects the stolen cookie into their own browser to inherit the authenticated session, bypassing MFA since the challenge was already completed by the original user.
Token theft is now more dangerous than credential theft. While a password can be reset, a session cookie only needs to be used before it expires—a window that can last hours or days.
OAuth consent phishing
Here, the attacker registers a malicious OAuth application with broad permissions and tricks the victim into authorizing it. Once granted, the app maintains API access even through password resets. The organization may not notice the scope creep until the attacker exfiltrates data or establishes persistence.
This technique exploits the trust model of modern SaaS ecosystems, where users frequently click “Accept” on permission requests without auditing what the application can actually access.
MFA fatigue and SIM swapping
Attackers obtain credentials via phishing, leaked databases, or infostealer logs, then trigger repeated MFA push notifications. The victim, annoyed by the constant prompts, eventually approves one to stop the noise.
This method is a hallmark of Scattered Spider, a group of native-English speakers who use social engineering to convince help desks to reset MFA on targeted accounts. They rely on persuasion rather than malware or zero-day exploits.
Threat Actors
Scattered Spider
Scattered Spider provides a stark example of this trend. Primarily composed of young English speakers, the group eschews traditional hacking skills and CVE searches in favor of high-precision social engineering.
Coordinating via Telegram and emerging from “The Com” community, they target large enterprises in retail, insurance, and financial services. Their 2025 campaigns resulted in high-profile breaches and the exfiltration of millions of records.
Their operational model relies on vishing (voice phishing) for account resets, AiTM tools for OAuth tokens, and partnerships with ransomware groups like DragonForce for monetization. They also use residential proxy networks to make their traffic appear local to the victim, bypassing geolocation controls.
According to Outpost24’s 2026 threat landscape analysis, this profile of financially motivated cybercriminals will remain a significant threat due to their focus on persuasion over technical complexity.
Cl0p
Cl0p follows a different model, shifting from encryption to pure data theft and extortion. Instead of deploying ransomware, they exploit vulnerabilities in enterprise software (e.g., MOVEit, Oracle E-Business Suite) to extract data and demand payment to prevent its publication.
This trend reflects a broader shift in 2026: data theft is often easier to implement and as effective for negotiation as full-disk encryption.
Strategic Defense
Adding more authentication factors is an instinctive response, but traditional MFA (push, SMS, TOTP) is easily bypassed by AiTM proxies. The solution must be architectural.
Phishing-resistant MFA
FIDO2 and passkeys are designed to resist AiTM attacks. The cryptographic binding between the credential and the relying party domain prevents tokens obtained via proxy from being replayed against the legitimate service.
Deploying FIDO2 for privileged accounts—administrators, finance, and sensitive system access—is the most impactful security upgrade an organization can implement in 2026.
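As an added illustration (not code from the original article) of why the origin binding defeats a relaying proxy, here is a minimal relying-party check in Python: the `origin` and `rpIdHash` fields of a WebAuthn assertion are compared with the values the service expects. The expected origin, RP ID and the look-alike domain are assumed placeholders, and signature verification, which follows these checks in the real procedure, is omitted.

```python
import base64
import hashlib
import json

# Assumed relying-party settings for this constructed example.
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "example.com"

def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> list:
    """Return failure reasons for the origin/rpId binding checks (empty means pass)."""
    errors = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        errors.append("type is not webauthn.get")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        errors.append("challenge mismatch")
    # The browser fills in origin from the page the user is actually on; a page
    # served through a proxy cannot claim the real login origin.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin mismatch: %r" % client_data.get("origin"))
    # authenticatorData starts with sha256(rpId); credentials are scoped to that rpId.
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        errors.append("rpIdHash mismatch")
    return errors

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as a browser would build it for the given page origin."""
    encoded = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": encoded,
                       "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: rpIdHash, flags (UP|UV), 4-byte signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")

if __name__ == "__main__":
    challenge = b"constructed-32-byte-challenge!!!"
    good = verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, challenge),
                                    make_auth_data(EXPECTED_RP_ID), challenge)
    # Relayed case: the browser is on a look-alike origin (assumed placeholder) and reports it.
    bad = verify_assertion_binding(make_client_data("https://login.example-com.test", challenge),
                                   make_auth_data("example-com.test"), challenge)
    print("legitimate:", good or "accepted")
    print("relayed:", bad)
```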
Continuous Access Evaluation (CAE) and short-lived tokens
Token lifetime is critical. In default Microsoft environments, refresh tokens can last 90 days. CAE allows applications to receive real-time signals from the identity provider to revoke tokens immediately if a user is disabled, a password is changed, or a session is revoked.
Organizations should minimize the window for stolen credentials; one hour is a recommended starting point for access tokens.
Identity Behavioral Analytics
While traditional controls evaluate the authentication event, behavioral analytics monitor the session. This includes detecting “impossible travel” (e.g., logins from London and Eastern Europe within minutes), residential IPs that deviate from enterprise ranges, and unusual access times or devices.
This is where Scattered Spider’s residential proxy attacks become detectable, as analytics can identify inconsistencies that proxies cannot fully mask.
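An added example (not from the original article) of the impossible-travel check run over a few constructed sign-in records for one user. The 900 km/h threshold, the record fields and the IP classification are assumptions; the alert also carries whether the later sign-in came from a residential IP, the second signal the text mentions.

```python
import math
from datetime import datetime, timezone

# Constructed sign-in records for one user (not real log data), each already
# enriched with resolved coordinates and an IP classification.
SIGNINS = [
    {"user": "j.doe", "ts": "2026-03-10T08:02:11Z", "ip": "203.0.113.10",
     "city": "London", "lat": 51.5074, "lon": -0.1278, "ip_type": "corporate"},
    {"user": "j.doe", "ts": "2026-03-10T08:09:40Z", "ip": "198.51.100.77",
     "city": "Bucharest", "lat": 44.4268, "lon": 26.1025, "ip_type": "residential"},
    {"user": "j.doe", "ts": "2026-03-10T11:30:00Z", "ip": "203.0.113.10",
     "city": "London", "lat": 51.5074, "lon": -0.1278, "ip_type": "corporate"},
]
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner cruise speed

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user whose implied travel speed exceeds max_kmh."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s["ts"]):
        by_user.setdefault(s["user"], []).append(s)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / max(hours, 1e-6)  # guard against identical timestamps
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "minutes": round(hours * 60),
                               "kmh": round(speed),
                               # residential IP outside enterprise ranges: second signal
                               "residential_ip": cur["ip_type"] == "residential"})
    return alerts

if __name__ == "__main__":
    for alert in find_impossible_travel(SIGNINS):
        print(alert)
```

The London to Bucharest hop seven minutes apart is flagged; the return three hours later implies about 630 km/h and is not, so the threshold matters.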
Token Protection in Entra ID
Microsoft Entra ID Conditional Access offers token protection policies that bind tokens to specific devices and sessions. Enforcing device-based token binding makes stolen tokens significantly less useful, as they cannot be replayed from an unauthorized machine.
OAuth Application Auditing
Many organizations lack visibility into the third-party applications accessing their Microsoft 365 or Google Workspace tenants. Often, these apps were authorized years ago by users who have since left. Regular audits to remove unused integrations and enforce minimum viable permissions are essential to closing this overlooked attack surface.
Forensics in a Malware-Free World
This presents a unique challenge for DFIR professionals. Traditional forensics looks for artifacts of malicious code: suspicious processes, anomalous network connections, or unpacked binaries. When valid credentials are used, these artifacts are absent.
The evidence shifts entirely to authentication logs.
Sign-in logs from Azure AD, Google Workspace, and SaaS platforms become the primary evidence. Investigators must look for anomalies that involve no malicious code: tokens issued from unexpected IPs, new OAuth grants not initiated by the account holder, or sessions from geographic locations that deviate from user patterns.
This is where Identity Threat Detection and Response (ITDR) is critical. ITDR evolves EDR for a world where attackers don’t need to run code, focusing detection on post-authentication anomalies.
Using Microsoft Sentinel or Defender for Identity, KQL hunting queries can detect Scattered Spider patterns: abuse of Conditional Access trusted locations, session tokens persisting after password resets, and MFA approvals immediately following credential reset requests.
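An added Python example (not the article's own queries) of two of the hunting patterns above run over constructed audit events: an MFA approval within minutes of a credential reset, and a session token issued before a password reset that is still being used afterwards. Event names, fields and the 15-minute window are assumptions; in production the same logic would be expressed in KQL over the tables the text refers to.

```python
from datetime import datetime, timedelta, timezone

# Constructed identity audit events (not real Sentinel or Entra data), already
# normalised to one schema. Field and event names are assumptions for this example.
EVENTS = [
    {"ts": "2026-03-12T09:00:00Z", "user": "a.lee", "event": "TokenIssued",
     "session": "S1", "ip": "203.0.113.5"},
    {"ts": "2026-03-12T09:05:00Z", "user": "a.lee", "event": "MfaReset", "actor": "helpdesk"},
    {"ts": "2026-03-12T09:06:30Z", "user": "a.lee", "event": "MfaApproved", "ip": "198.51.100.9"},
    {"ts": "2026-03-12T09:10:00Z", "user": "a.lee", "event": "PasswordReset", "actor": "helpdesk"},
    {"ts": "2026-03-12T09:40:00Z", "user": "a.lee", "event": "TokenUsed",
     "session": "S1", "ip": "198.51.100.9"},
    {"ts": "2026-03-12T10:00:00Z", "user": "b.kim", "event": "PasswordReset", "actor": "self"},
    {"ts": "2026-03-12T13:00:00Z", "user": "b.kim", "event": "MfaApproved", "ip": "203.0.113.5"},
]
RESET_EVENTS = {"PasswordReset", "MfaReset"}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def hunt(events, mfa_window=timedelta(minutes=15)):
    """Two patterns: an MFA approval shortly after a credential reset, and a
    session token issued before a reset that is still in use after it."""
    findings = []
    last_reset = {}  # user -> (ts, event) of the most recent reset
    issued = {}      # (user, session) -> ts the token was issued
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts = e["user"], parse_ts(e["ts"])
        if e["event"] == "TokenIssued":
            issued[(user, e["session"])] = ts
        elif e["event"] in RESET_EVENTS:
            last_reset[user] = (ts, e["event"])
        elif e["event"] == "MfaApproved" and user in last_reset:
            reset_ts, kind = last_reset[user]
            if ts - reset_ts <= mfa_window:
                findings.append({"user": user, "pattern": "mfa_after_reset", "reset": kind,
                                 "seconds_after": int((ts - reset_ts).total_seconds()),
                                 "ip": e["ip"]})
        elif e["event"] == "TokenUsed":
            issued_ts = issued.get((user, e["session"]))
            # A token minted before the reset should have been revoked (CAE); flag reuse.
            if issued_ts and user in last_reset and issued_ts < last_reset[user][0] < ts:
                findings.append({"user": user, "pattern": "token_survived_reset",
                                 "session": e["session"], "ip": e["ip"]})
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```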
Testing the organization’s response through tabletop exercises is an effective way to validate these capabilities. My previous guide on cybersecurity tabletop exercises provides practical steps for designing realistic scenarios.
Identity-based attacks are not fully preventable by technology alone; they exploit the intersection of security controls and human psychology. However, they are detectable through rigorous log monitoring and behavioral analytics.
Shifting from a perimeter-focused security model to an identity-focused one is essential in 2026. In a landscape where an attacker with a stolen password is indistinguishable from a legitimate user, the priority must be detecting the abuse of that identity.
The window between compromise and detection is where attackers operate—moving from initial access to exfiltration and persistence. The most effective tools monitor what happens after a successful login, not just the entry point itself.