Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Credential, MFA & Token Compromise
Executive briefing on identity attacks that bypass traditional security controls
Category Overview
This category focuses on executive-level storylines involving credential theft, MFA bypass, and token/session compromise — the identity attacks most commonly used by ransomware operators, hybrid intrusion groups, and cloud-native adversaries.
Executives often assume MFA prevents account takeover. These storylines demonstrate why that assumption is dangerously false in modern cloud environments.
Modern Cloud Intrusions Rely On
  • Bypassing MFA through push fatigue, reverse-proxy phishing, and consent abuse rather than attacking the factor itself
  • Stealing session cookies from compromised endpoints
  • Replaying refresh tokens to maintain persistent access
  • Abusing OAuth consent flows and permissions
  • Manipulating authentication flows at the protocol level

This category consolidates ETS-002, ETS-003, ETS-005, ETS-006 and their equivalents into actionable executive intelligence.
MFA Fatigue, Reverse-Proxy Phishing & Social Engineering
Storyline Includes ETS-002
Executive Summary
Attackers overwhelm users with MFA prompts in "MFA fatigue" campaigns until one is approved, route them through reverse proxies that serve the real login page while capturing the password and the resulting session cookie, or trick them into approving OAuth applications that grant full account access with no password involved at all.
What Attackers Exploit
  • User confusion during high-pressure scenarios
  • MFA push notification bombardment
  • Approval fatigue from repeated prompts
  • Misleading consent screens designed to deceive
  • Reverse-proxy MFA interception using Evilginx-like frameworks
Business Impact
MFA fatigue and reverse-proxy phishing both start from a password the attacker already holds or captures in transit; consent phishing needs no password at all. In every case the attacker ends up with a session that has already satisfied MFA, so the control most organizations treat as their primary barrier to account takeover has been passed rather than broken.
IAC Stages: Stage 3 → Stage 4
Credential Theft at Scale
Password Spray & Credential Stuffing (ETS-003)
1. Attack Methodology
Password spraying tries a handful of common passwords against many accounts while staying below each account's lockout threshold; credential stuffing replays username and password pairs leaked in earlier breaches. Both run at scale through automated frameworks across corporate tenants, and a single weak or reused password is enough for an initial foothold in the cloud environment.
2. Exploitation Vectors
Reused passwords from previous breaches, weak passwords in hybrid directories, legacy authentication endpoints that lack modern protections, and passwords synchronized from unmanaged or shadow IT systems.
3. Critical Impact
One compromised low-privilege user account becomes the initial foothold for privilege escalation to cloud administrator roles. From there, attackers pivot to high-value assets and establish persistence.
IAC Progression: Stage 3 → Stage 4 → Stage 5
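As an added example, not part of the briefing and not any vendor's tooling, the detection logic a security operations team would run over sign-in events to catch the spray shape described above: many distinct accounts failing from one source, each with only a few attempts, followed by a success from the same source. The log format, the thresholds and the sample events are constructed for the example; a real deployment reads the identity provider's sign-in log and tunes the window and counts to the tenant.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sign-in log (JSON lines), not real data: 203.0.113.7 tries
    one password against 25 accounts, waits, tries a second password against
    the same 25, then logs in as user07. 198.51.100.4 is a user who mistypes
    twice and then succeeds."""
    base = datetime(2026, 1, 10, 8, 0, 0)
    lines = []
    for rnd in range(2):
        for i in range(1, 26):
            lines.append(json.dumps({
                "ts": (base + timedelta(seconds=rnd * 600 + i * 5)).isoformat(),
                "user": f"user{i:02d}@corp.example", "ip": "203.0.113.7",
                "result": "FAIL_BAD_PASSWORD", "ua": "python-requests/2.31"}))
    lines.append(json.dumps({
        "ts": (base + timedelta(seconds=1300)).isoformat(), "user": "user07@corp.example",
        "ip": "203.0.113.7", "result": "SUCCESS", "ua": "python-requests/2.31"}))
    for k, result in enumerate(["FAIL_BAD_PASSWORD", "FAIL_BAD_PASSWORD", "SUCCESS"]):
        lines.append(json.dumps({
            "ts": (base + timedelta(seconds=100 + k * 30)).isoformat(),
            "user": "alice@corp.example", "ip": "198.51.100.4",
            "result": result, "ua": "Mozilla/5.0"}))
    return lines


def parse_events(lines):
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=30), min_users=10, max_per_user=3):
    """Per source IP, keep a sliding window of failures. The spray shape is
    many distinct users with only a few attempts each: the attacker stays under
    the per-account lockout threshold, so lockout alerts never fire. A success
    from an IP that has been spraying is the account that fell."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = deque()
        spraying = False
        for e in evs:
            if e["result"] == "SUCCESS":
                if spraying:
                    alerts.append(("SUCCESS_AFTER_SPRAY", ip, e["user"]))
                continue
            fails.append(e)
            while e["ts"] - fails[0]["ts"] > window:   # drop failures outside the window
                fails.popleft()
            per_user = defaultdict(int)
            for f in fails:
                per_user[f["user"]] += 1
            if (not spraying and len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user):
                spraying = True
                alerts.append(("SPRAY", ip, len(per_user)))
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(constructed_log())):
        print(alert)
```

Grouping by source IP is the weak point of this detector: operators who rotate through residential proxy pools spread the same spray over hundreds of addresses with one or two attempts each. The complementary tenant-wide signal is the number of distinct accounts failing per interval, regardless of source, and a shared user agent or ASN across those sources. Legacy authentication endpoints often log less of this context, which is one more reason the briefing recommends removing them.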
Session Hijack & Token Replay
Cookie Theft & OAuth Replay (ETS-005)
The Modern Reality
Modern attacks increasingly steal sessions rather than credentials. A stolen refresh token or session cookie carries an authentication that has already satisfied MFA, so password complexity and MFA enforcement offer no protection against its replay.
Rotating the password and enforcing MFA do not by themselves invalidate artifacts that were issued before the rotation; the attacker stays authenticated until the token expires or the session is explicitly revoked, and long refresh-token lifetimes make that window large.
What Attackers Target
  • Browser cookies containing authentication state
  • Long-lived refresh tokens with excessive validity periods
  • OAuth authorization codes intercepted during flow
  • Machine identities storing tokens insecurely
  • Endpoint session artifact exposure through malware
IAC Stages: Stage 3 → Stage 6 → Stage 7 → Stage 8
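Added example, not from the briefing: a detector that binds each session to the device and browser that completed the MFA login and flags later use of that session from anything else, which is what a replayed cookie looks like in the identity provider's logs. The log schema and the events are constructed for the example; real logs carry the equivalent fields under vendor-specific names.

```python
import json
from datetime import datetime

# Constructed sample web-session log (JSON lines), not real data. alice signs
# in with MFA from her laptop; minutes later the same session cookie is
# presented from a different device and browser, the shape of a cookie lifted
# from her endpoint by malware. A second cookie appears with no login at all.
# bob's IP changes but his device and browser stay the same.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"ts": "2026-01-10T09:00:00", "event": "LOGIN", "mfa": True, "user": "alice@corp.example",
     "session": "sess-9f3a", "ip": "198.51.100.4", "device": "lap-01", "ua": "Firefox/121"},
    {"ts": "2026-01-10T09:04:00", "event": "ACCESS", "session": "sess-9f3a",
     "ip": "198.51.100.4", "device": "lap-01", "ua": "Firefox/121"},
    {"ts": "2026-01-10T09:12:00", "event": "ACCESS", "session": "sess-9f3a",
     "ip": "203.0.113.7", "device": "unknown", "ua": "Chrome/120"},
    {"ts": "2026-01-10T09:20:00", "event": "ACCESS", "session": "sess-77c1",
     "ip": "203.0.113.7", "device": "unknown", "ua": "Chrome/120"},
    {"ts": "2026-01-10T09:30:00", "event": "LOGIN", "mfa": True, "user": "bob@corp.example",
     "session": "sess-1b2c", "ip": "192.0.2.10", "device": "ph-07", "ua": "Safari/17"},
    {"ts": "2026-01-10T09:45:00", "event": "ACCESS", "session": "sess-1b2c",
     "ip": "192.0.2.99", "device": "ph-07", "ua": "Safari/17"},
]]


def parse_events(lines):
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect_session_reuse(events):
    """Bind each session to the device and browser that completed the login,
    then flag any later use of that session from a different binding."""
    bound = {}
    alerts = []
    for e in events:
        sid = e["session"]
        if e["event"] == "LOGIN":
            if not e.get("mfa"):
                alerts.append(("LOGIN_WITHOUT_MFA", sid, e["user"]))
            bound[sid] = {"user": e["user"], "ip": e["ip"],
                          "device": e["device"], "ua": e["ua"]}
            continue
        b = bound.get(sid)
        if b is None:
            # A cookie no login in this window produced: forged, injected, or a
            # login that happened outside the monitored paths. Investigate either way.
            alerts.append(("SESSION_WITHOUT_LOGIN", sid, e["ip"]))
            continue
        if e["device"] != b["device"] or e["ua"] != b["ua"]:
            alerts.append(("SESSION_REPLAY", sid, b["user"], e["ip"]))
        elif e["ip"] != b["ip"]:
            # Same device and browser on a new network is routine for mobile
            # users, so record it at low severity rather than as a hijack.
            alerts.append(("IP_CHANGE", sid, b["user"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(parse_events(SAMPLE_LOG)):
        print(alert)
```

The user-agent comparison is the softest of these signals: a reverse proxy in the Evilginx style relays the victim's own browser, so the captured session is born with a matching user agent and only the source address and device identity differ. The device field therefore has to come from something the attacker cannot copy along with the cookie, such as a device certificate or a platform-bound key, which is the token binding the briefing's action items call for.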
Malicious OAuth Apps & Consent Abuse
Third-Party Application Threats (ETS-006)
Executive Summary
Attackers deploy malicious third-party OAuth applications, tricking users into granting full API or mailbox access — no credential theft required. The user believes they're authorizing a legitimate business tool.
Exploitation Techniques
Permissive tenant application consent policies allow users to self-consent to dangerous permissions. Misleading OAuth screens obscure true intent, while excessive API scopes grant broader access than necessary. Unmanaged multi-tenant apps operate outside security visibility.
Strategic Impact
The attacker receives a token pipeline that lasts as long as the consent grant does and bypasses identity governance entirely. Because the grant belongs to the application rather than to the user's session, it survives password resets and MFA re-enrolment, and the data exfiltration channel persists after the initial compromise is remediated unless the application's consent grant itself is found and revoked.
Identity Attack Chain (IAC) Stages: Stage 4 → Stage 5 → Stage 8
Identity Attack Chain Mapping
Understanding how these storylines progress through the attack lifecycle
Stage 3: Credential/Token Acquisition
Initial compromise of authentication artifacts through various techniques including phishing, social engineering, and technical exploitation.
Stage 4: Authentication Abuse
Leveraging stolen credentials or tokens to authenticate as legitimate users, bypassing traditional security controls and detection mechanisms.
Stage 6: Token Tampering
Manipulation of authentication tokens to extend access duration, elevate privileges, or impersonate different user identities within the environment.
Stage 7: Lateral Movement
Using compromised identities to access additional systems, applications, and data repositories across the cloud infrastructure.
Stage 8: Persistence
Establishing long-term access mechanisms that survive credential resets, policy changes, and initial remediation efforts.
Associated Breach Patterns
Key breach patterns from the Identity Breach Patterns Library (IBP) that enable these attacks
BP-005: Username Harvesting
Systematic enumeration of valid user accounts through authentication endpoint probing, error message analysis, and directory reconnaissance to build target lists.
BP-010: Password Spray
Distributed authentication attempts using common passwords across many accounts to avoid account lockout thresholds while maximizing compromise probability.
BP-013: Browser Cookie Theft
Extraction of authentication cookies from compromised endpoints or browsers, enabling session hijacking without knowing the user's password or having to defeat MFA.
BP-027: Refresh Token Theft
Targeting long-lived refresh tokens that provide persistent authentication capabilities, often stored insecurely on devices or in application memory.
BP-028: Reverse-Proxy Token Replay
Interception and replay of authentication tokens through adversary-controlled proxy infrastructure that appears legitimate to end users.
BP-029: Session Hijack
Taking control of active user sessions through various techniques including token theft, session fixation, or man-in-the-middle attacks.

BP-030: OAuth Manipulation
Exploiting weaknesses in OAuth flows, consent mechanisms, and token validation to gain unauthorized access.
Critical Misconfigurations
Identity Misconfiguration Universe (IMU) — Enabling Factors
Policy & Governance Gaps
Weak Authentication Policies
Insufficient password complexity requirements, lack of conditional access enforcement, and inadequate authentication context evaluation.
Legacy MFA Exemptions
Service accounts, VPN connections, legacy applications, and administrative interfaces that bypass modern authentication requirements.
Permissive OAuth Consent
User self-service consent enabled without appropriate guardrails, excessive default permissions, and lack of application vetting processes.
Technical Control Deficiencies
Weak Session Governance
Inadequate session timeout configurations, missing continuous access evaluation, and lack of device binding for authenticated sessions.
Poor Token Lifetime Settings
Excessively long refresh token validity periods, missing token rotation requirements, and inadequate revocation mechanisms.
Insufficient Monitoring
Lack of real-time authentication anomaly detection, incomplete audit logging, and delayed incident response capabilities.
Identity Failure Modes
Understanding the human and organizational factors that enable these attacks
Human Error Under Pressure
Users make poor security decisions when facing tight deadlines, urgent requests from apparent authority figures, or during high-stress situations that reduce critical thinking.
Inconsistent Identity Governance
Fragmented policies across cloud platforms, inadequate lifecycle management for identities, and lack of unified visibility into authentication events and access patterns.
Weak MFA Design
Over-reliance on push notifications without context, lack of phishing-resistant authentication methods, and missing risk-based authentication triggers.
Excessive Trust in Third-Party Apps
Assumption that OAuth consent screens indicate safe applications, insufficient due diligence on third-party integrations, and lack of ongoing monitoring for granted permissions.
Executive Action Items
MFA is not an identity security strategy
Token replay, OAuth consent abuse, session hijacking, and push fatigue bypass MFA entirely. An identity is frequently compromised without any endpoint being compromised, so controls and monitoring that wait for endpoint signals see nothing until the attacker acts.

01. MFA Strategy Redesign
Implement phishing-resistant authentication methods, enforce number matching, require device binding, and eliminate legacy authentication protocols.
02. OAuth Governance Framework
Restrict user consent permissions, implement application vetting processes, continuously audit granted permissions, and enforce least-privilege access for third-party apps.
03. Conditional Access Enhancement
Deploy risk-based authentication policies, enforce trusted device requirements, implement continuous access evaluation, and establish context-aware authorization controls.
04. Token Lifecycle Hardening
Reduce refresh token validity periods, implement automatic token rotation, enforce token binding to devices, and establish comprehensive revocation capabilities.
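The following is an added example, not the briefing's or any identity provider's code: a minimal token endpoint that implements the token lifecycle controls above (short access-token lifetime, single-use rotating refresh tokens with reuse detection, and device binding) and walks through the stolen-refresh-token scenario from the session hijack section. The lifetimes, the user and device names, and the use of an HMAC over a device secret registered at enrollment as a stand-in for a real proof-of-possession signature (DPoP, RFC 9449, or a platform-bound key, where the secret never leaves the device) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Lifetimes are assumptions chosen for the example, not any vendor's defaults.
ACCESS_TTL = 10 * 60          # access tokens: 10 minutes
REFRESH_TTL = 8 * 60 * 60     # refresh tokens: 8 hours, single use


@dataclass
class RefreshRecord:
    family: str       # every token descended from one interactive (MFA) login
    user: str
    device_id: str    # device whose registered secret this token is bound to
    expires: int
    used: bool = False


class AuthServer:
    """Token endpoint model: rotation, reuse detection, device binding, expiry."""

    def __init__(self, now=0):
        self.now = now                 # seconds; advanced by hand in the example
        self.device_secrets = {}       # device_id -> secret registered at enrollment
        self.refresh_tokens = {}       # refresh token -> RefreshRecord
        self.access_tokens = {}        # access token -> (user, expiry)
        self.revoked_families = set()

    def register_device(self, device_id, secret):
        self.device_secrets[device_id] = secret

    def issue(self, user, device_id):
        """Called only after password + MFA succeeded: starts a fresh family."""
        if device_id not in self.device_secrets:
            raise ValueError("unenrolled device")
        return self._mint(user, secrets.token_hex(8), device_id)

    def _mint(self, user, family, device_id):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[at] = (user, self.now + ACCESS_TTL)
        self.refresh_tokens[rt] = RefreshRecord(family, user, device_id, self.now + REFRESH_TTL)
        return {"access_token": at, "refresh_token": rt}

    def device_proof(self, device_id, rt):
        """What the client computes with its device secret; stands in for a
        signature made by a key that cannot be exported from the device."""
        return hmac.new(self.device_secrets[device_id], rt.encode(), hashlib.sha256).hexdigest()

    def refresh(self, rt, device_id, proof):
        rec = self.refresh_tokens.get(rt)
        if rec is None or rec.family in self.revoked_families or rec.expires <= self.now:
            return {"error": "invalid_grant"}
        expected = self.device_proof(rec.device_id, rt)
        if device_id != rec.device_id or not hmac.compare_digest(expected, proof):
            # Presented without the bound device's proof: treat as stolen.
            self.revoked_families.add(rec.family)
            return {"error": "invalid_grant", "reason": "device_binding_failed"}
        if rec.used:
            # An already-rotated token is being replayed, so two parties hold it.
            # Revoke the whole family; the real user signs in again with MFA.
            self.revoked_families.add(rec.family)
            return {"error": "invalid_grant", "reason": "reuse_detected"}
        rec.used = True
        return self._mint(rec.user, rec.family, rec.device_id)

    def validate_access(self, at):
        entry = self.access_tokens.get(at)
        return entry is not None and entry[1] > self.now


def scenario():
    """Legitimate rotation, replay of the stolen pre-rotation token, then a
    token presented from a machine that does not hold the bound secret."""
    srv = AuthServer()
    srv.register_device("laptop-1", b"enrolled-secret-1")   # constructed values
    srv.register_device("phone-2", b"enrolled-secret-2")
    t1 = srv.issue("alice@corp.example", "laptop-1")
    stolen = t1["refresh_token"]           # an infostealer copies the token store
    srv.now += ACCESS_TTL                  # the first access token has now expired
    t2 = srv.refresh(stolen, "laptop-1", srv.device_proof("laptop-1", stolen))
    out = {"access_expired": not srv.validate_access(t1["access_token"]),
           "rotation_ok": "refresh_token" in t2}
    # Worst case: the stealer also exfiltrated a software-stored device secret, so
    # the attacker can produce a valid proof. Rotation still catches the replay.
    out["reuse_reason"] = srv.refresh(stolen, "laptop-1",
                                      srv.device_proof("laptop-1", stolen)).get("reason")
    # The family is burned, so alice's own current token is refused too.
    t3 = srv.refresh(t2["refresh_token"], "laptop-1",
                     srv.device_proof("laptop-1", t2["refresh_token"]))
    out["family_revoked"] = t3.get("error") == "invalid_grant"
    # Hardware-bound secret that could not be copied: a token replayed from the
    # attacker's own machine fails the binding check before anything else.
    tb = srv.issue("bob@corp.example", "phone-2")
    out["binding_reason"] = srv.refresh(tb["refresh_token"], "attacker-box", "").get("reason")
    return out


if __name__ == "__main__":
    print(scenario())
```

Two design points carry the weight here. Reuse detection works because refresh tokens are single use: a replay of a consumed token proves a second copy exists, and burning the family bounds the attacker's access to one refresh interval instead of the whole token lifetime. Device binding works only as well as the secret's storage; if the secret sits in the same browser profile the infostealer already reads, it travels with the cookie, which is why the briefing pairs token binding with phishing-resistant, platform-bound authenticators.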
"This category should inform immediate strategic decisions regarding authentication architecture, governance frameworks, and security monitoring capabilities across your cloud identity infrastructure."