Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Storylines (ETS-001 - ETS-010)
A comprehensive security intelligence system for modern cloud and identity environments
The Ten Critical Threat Storylines
ITIF (the Identity Threat Intelligence Framework) catalogs ten distinct attack patterns that represent the most significant identity-based threats facing organizations today. Each storyline reveals how sophisticated adversaries exploit specific weaknesses in identity infrastructure to achieve their objectives.
  • External Discovery - Tenant enumeration and credential harvesting campaigns
  • MFA Bypass - Authentication weaknesses and fatigue attacks
  • Token Theft - Machine identity and service principal compromise
  • OAuth Abuse - Malicious application and consent exploitation
  • Federation Attack - Trust manipulation and SAML forgery
  • Role Escalation - Privilege inheritance and hidden admin paths
  • Identity Drift - Gradual privilege creep and configuration decay
  • Supply Chain - Vendor compromise and third-party pivoting
  • Session Hijack - Token replay and privileged session theft
  • SaaS Integration - Cross-platform trust chain exploitation
ETS-001: Cloud Tenant Discovery
The Initial Reconnaissance Attack
The attack begins with systematic external scanning and identity enumeration targeting cloud tenant endpoints. Adversaries leverage public identifier leakage, weak account lockout policies, and legacy authentication protocol exposure to build comprehensive target lists.
This storyline exploits fundamental misconfigurations in tenant visibility and authentication controls, specifically MC-001 (public identifier leakage), MC-019 (weak lockout policies), and MC-076 (legacy authentication exposure). These weaknesses allow attackers to enumerate valid usernames without triggering defensive controls.
Detection signals include enumeration anomalies (DL-001), naming-pattern probing (DL-009), and authentication attempt patterns (DL-010) that indicate systematic reconnaissance activities.

Key Threat Actors
  • APT28 - Russian state-sponsored group (ICTAM-002)
  • APT29 - Advanced persistent threat unit (ICTAM-001)
  • Credential Botnets - Large-scale harvesting operations (ICTAM-029)

Business Impact
Valid username lists enable targeted password spray attacks, establishing the first compromised identity foothold in the environment.
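A defender-side illustration of the enumeration-anomaly and naming-pattern signals named above (DL-001, DL-009), written as an added example for this page rather than ITIF's own detection logic. The sign-in record schema, the thresholds and the first.last username convention are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (hypothetical schema, made-up values):
# (timestamp, source IP, username, result). 203.0.113.7 walks a first.last
# naming pattern and mostly hits unknown users; 10.0.0.5 is a real user who
# mistypes a password once.
SIGNINS = [
    ("2026-01-10T08:00:01", "203.0.113.7", "adam.smith@corp.example", "UserNotFound"),
    ("2026-01-10T08:00:02", "203.0.113.7", "alice.brown@corp.example", "UserNotFound"),
    ("2026-01-10T08:00:03", "203.0.113.7", "amy.jones@corp.example", "WrongPassword"),
    ("2026-01-10T08:00:04", "203.0.113.7", "ben.lee@corp.example", "UserNotFound"),
    ("2026-01-10T08:00:05", "203.0.113.7", "bob.ng@corp.example", "UserNotFound"),
    ("2026-01-10T08:00:06", "203.0.113.7", "carl.ray@corp.example", "UserNotFound"),
    ("2026-01-10T08:01:00", "10.0.0.5", "amy.jones@corp.example", "WrongPassword"),
    ("2026-01-10T08:01:20", "10.0.0.5", "amy.jones@corp.example", "Success"),
]

# Assumed tenant username convention (first.last); probing that walks it is
# the naming-pattern signal.
NAMING_PATTERN = re.compile(r"^[a-z]+\.[a-z]+@")

def enumeration_sources(records, window=timedelta(minutes=5),
                        min_distinct=5, min_unknown_ratio=0.6):
    """Flag sources that try many distinct usernames inside one window and get
    mostly 'user does not exist' answers. Per flagged source, return the
    largest distinct-user count seen, the share of unknown-user results and
    the share of probed names that match NAMING_PATTERN."""
    by_source = defaultdict(list)
    for ts, src, user, result in records:
        by_source[src].append((datetime.fromisoformat(ts), user, result))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            unknown = sum(r == "UserNotFound" for _, _, r in span) / len(span)
            if len(users) < min_distinct or unknown < min_unknown_ratio:
                continue
            patterned = sum(bool(NAMING_PATTERN.match(u)) for u in users) / len(users)
            best = flagged.get(src)
            if best is None or len(users) > best["distinct_users"]:
                flagged[src] = {"distinct_users": len(users),
                                "unknown_ratio": round(unknown, 2),
                                "pattern_ratio": round(patterned, 2)}
    return flagged
```

On the constructed records, only 203.0.113.7 is flagged (six distinct users, 83% unknown-user answers, all names following the convention); the legitimate retry from 10.0.0.5 is not. The gap this closes on the defensive side is the one MC-001 describes: when the endpoint's answers distinguish unknown users from wrong passwords, the ratio becomes a usable signal.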

ETS-002: MFA Weakness Exploitation
Bypassing Multi-Factor Authentication
1. Trigger: Attackers identify and target user accounts with weak, inconsistent, or incomplete MFA implementations across the organization.
2. Exploitation: Leverage MC-111 (incomplete MFA rollout), MC-231 (SMS/push vulnerabilities), and MC-233 (Conditional Access exclusions).
3. Detection: Monitor for MFA fatigue patterns (DL-022), impossible travel scenarios (DL-019), and authentication protocol fallbacks (DL-039).
4. Impact: Complete account takeover enables lateral movement throughout the environment using valid authentication tokens.
This attack pattern has been successfully employed by sophisticated threat actors including Scattered Spider and LAPSUS$, who have developed specialized techniques for MFA bypass. These groups (ICTAM-011, ICTAM-012, ICTAM-030) exploit gaps in MFA coverage, social engineering vulnerabilities in push notification systems, and legacy authentication protocols that lack strong authentication requirements.
The business impact extends beyond initial compromise. Once attackers obtain valid tokens, they can move laterally across cloud services, access sensitive data repositories, and maintain persistent access even if the original vulnerability is remediated. Organizations often discover these compromises only after significant data exfiltration or system manipulation has occurred.
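Two of the detection signals this storyline names, MFA fatigue (DL-022) and impossible travel (DL-019), as an added example written for this page rather than ITIF's own detection logic. The event schema, the coordinates and the thresholds (ten-minute prompt window, four prompts, 900 km/h) are assumptions chosen for the example.

```python
import math
from datetime import datetime, timedelta

# Constructed events for one user (hypothetical schema, made-up values):
# (timestamp, event kind, result, latitude, longitude). A burst of ignored
# push prompts ends in an approval, then successful sign-ins appear from
# Berlin and New York 46 minutes apart.
EVENTS = [
    ("2026-02-03T02:10:00", "mfa_push", "denied", 52.52, 13.40),
    ("2026-02-03T02:10:40", "mfa_push", "timeout", 52.52, 13.40),
    ("2026-02-03T02:11:15", "mfa_push", "denied", 52.52, 13.40),
    ("2026-02-03T02:12:05", "mfa_push", "denied", 52.52, 13.40),
    ("2026-02-03T02:13:30", "mfa_push", "approved", 52.52, 13.40),
    ("2026-02-03T02:14:00", "signin", "success", 52.52, 13.40),
    ("2026-02-03T03:00:00", "signin", "success", 40.71, -74.01),
]

def mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """True when at least min_prompts push challenges fall inside one window,
    every one but the last is denied or unanswered, and the last is approved:
    the prompt-bombing shape behind the fatigue signal."""
    pushes = sorted((datetime.fromisoformat(t), r)
                    for t, kind, r, *_ in events if kind == "mfa_push")
    for i, (start, _) in enumerate(pushes):
        span = [r for t, r in pushes[i:] if t - start <= window]
        if (len(span) >= min_prompts and span[-1] == "approved"
                and all(r != "approved" for r in span[:-1])):
            return True
    return False

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Implied speed (km/h) of the first pair of consecutive successful sign-ins
    that is faster than max_kmh (roughly airliner speed), or None."""
    logins = sorted((datetime.fromisoformat(t), la, lo)
                    for t, kind, r, la, lo in events if kind == "signin" and r == "success")
    for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
        km = haversine_km(la1, lo1, la2, lo2)
        hours = (t2 - t1).total_seconds() / 3600
        if km > 1.0 and (hours == 0 or km / hours > max_kmh):
            return round(km / hours) if hours else float("inf")
    return None
```

The constructed events trip both checks: five prompts in under four minutes ending in an approval, and about 6,400 km covered in 46 minutes (an implied speed above 8,000 km/h).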
ETS-003: Machine Token Theft
Automated Identity Compromise
Attack Mechanics
Machine identities represent a critical but often overlooked attack surface. Service principals, CI/CD pipeline credentials, automation scripts, and application tokens frequently contain elevated privileges necessary for operational efficiency. However, these same privileges make them high-value targets.
The theft typically occurs through exploitation of MC-138 (long-lived secrets without rotation), MC-211 (plaintext token storage in code repositories or configuration files), and MC-264 (overprivileged service principal role assignments). Attackers scan code repositories, compromise CI/CD environments, harvest credentials from endpoint scripts, and exploit insecure secret management practices.
Detection & Impact
Security teams can identify these attacks through machine replay anomalies (DL-078), multi-region token usage patterns (DL-087), and suspicious automation identity behavior (DL-107). These signals often indicate that stolen tokens are being used from unexpected locations or in unusual patterns.
APT41 and specialized machine-identity theft groups (ICTAM-004, ICTAM-032) excel at this attack vector. The impact is severe: attackers gain escalation pathways through app-only permissions that bypass user-centric controls, enabling automated data exfiltration and persistent access without traditional authentication requirements.
ETS-004: OAuth Application Misuse
Persistent Access Without Passwords
1. Initial Deployment: Attackers deploy malicious OAuth applications or compromise existing legitimate apps with broad permission scopes.
2. Consent Harvesting: Users are tricked into granting consent through phishing, social engineering, or exploitation of misconfigured consent policies.
3. Token Generation: Once consent is granted, the application receives access and refresh tokens with the requested permissions.
4. Persistent Access: Attackers maintain ongoing access through token refresh, bypassing password changes and MFA requirements.
This storyline exploits MC-147 (lack of consent restrictions), MC-143 (risky scope permissions), and MC-201 (misconfigured application role assignments). The OAuth Abuse Syndicate and APT29 (ICTAM-023, ICTAM-001) have demonstrated particular sophistication in this attack pattern.
Detection signals include scope escalation attempts (DL-028), consent event anomalies (DL-029), and mass consent spikes (DL-048). The critical business impact stems from the persistence mechanism—attackers gain long-term access that survives password resets and continues functioning even after the initial compromise vector is discovered and remediated.
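An added example for this page (not ITIF's own detection logic) of two of the consent-side signals just named: a mass consent spike (DL-048) and grants that include risky scopes (the MC-143 weakness). The audit-record schema, the 30-minute window, the five-user threshold and the risky-scope list are assumptions; the scope names are Microsoft Graph delegated permissions, chosen only as illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Delegated scopes worth reviewing when a new app asks for them (illustrative
# list chosen for this example; tune it to the tenant).
RISKY_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "offline_access",
                "Directory.ReadWrite.All"}

# Constructed consent-grant events (hypothetical schema, made-up values):
# (timestamp, app id, user, granted scopes). Five users consent to one new
# app within minutes, the shape a consent-phishing wave leaves in the audit log.
CONSENTS = [
    ("2026-04-02T11:00:00", "app-calendar-sync", "ana@corp.example", ["Calendars.Read"]),
    ("2026-04-02T11:02:00", "app-docs-helper", "ana@corp.example", ["Files.ReadWrite.All", "offline_access"]),
    ("2026-04-02T11:03:00", "app-docs-helper", "bo@corp.example", ["Files.ReadWrite.All", "offline_access"]),
    ("2026-04-02T11:04:00", "app-docs-helper", "cy@corp.example", ["Files.ReadWrite.All", "offline_access"]),
    ("2026-04-02T11:05:00", "app-docs-helper", "di@corp.example", ["Files.ReadWrite.All", "offline_access"]),
    ("2026-04-02T11:06:00", "app-docs-helper", "ed@corp.example", ["Mail.ReadWrite", "offline_access"]),
    ("2026-04-03T09:00:00", "app-calendar-sync", "bo@corp.example", ["Calendars.Read"]),
]

def consent_findings(events, window=timedelta(minutes=30), min_users=5):
    """Per app: 'mass_consent' when at least min_users distinct users consent
    inside one window, 'risky_scopes' when any grant includes a RISKY_SCOPES
    entry. Returns {app: {"signals": [...], "users": n, "risky": [...]}}."""
    by_app = defaultdict(list)
    for ts, app, user, scopes in events:
        by_app[app].append((datetime.fromisoformat(ts), user, set(scopes)))
    findings = {}
    for app, grants in by_app.items():
        grants.sort(key=lambda g: g[0])  # sets are not orderable, sort on time
        signals, peak = set(), 0
        for i, (start, _, _) in enumerate(grants):
            users = {u for t, u, _ in grants[i:] if t - start <= window}
            peak = max(peak, len(users))
        if peak >= min_users:
            signals.add("mass_consent")
        risky = set().union(*(s for _, _, s in grants)) & RISKY_SCOPES
        if risky:
            signals.add("risky_scopes")
        if signals:
            findings[app] = {"signals": sorted(signals), "users": peak,
                             "risky": sorted(risky)}
    return findings
```

On the constructed records only app-docs-helper is reported, with both signals; the calendar app with a narrow scope and one consent a day stays quiet.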
ETS-005: Federation Trust Manipulation
The Ultimate Cloud Takeover
Federation attacks represent the highest-severity identity threat, enabling unrestricted administrative access through manipulation of the fundamental trust mechanisms that underpin cloud authentication.
This attack pattern targets the token-signing trust path and exploits weaknesses in federation configurations. The trigger involves manipulation of SAML assertions, token-signing certificate theft, or exploitation of federation metadata misalignments. Attackers focus on MC-037 (weak signing key lifecycle management), MC-174 (misconfigured federation trust relationships), and MC-171 (misaligned federation metadata).
1. Reconnaissance: Identify federation endpoints and trust relationships.
2. Token Signing Key Theft: Compromise or extract SAML signing certificates.
3. Assertion Forgery: Craft malicious SAML tokens with elevated claims.
4. Full Takeover: Achieve unrestricted administrative access.
DarkHalo (UNC2452) and the Federation Manipulation Cartel (ICTAM-006, ICTAM-024) pioneered this technique in high-profile breaches. Detection relies on SAML anomaly detection (DL-033), claim validation monitoring (DL-035), and issuer verification (DL-067). The impact mirrors the infamous SolarWinds attack pattern—golden-SAML style impersonation enables complete administrative takeover with minimal forensic evidence.
ETS-006 & ETS-007: Privilege Escalation Patterns
Role Misconfiguration Exploitation
Attackers systematically discover overprivileged role assignments, hidden inheritance paths, and legacy group mappings that provide unexpected administrative access. This exploitation leverages MC-134 (hidden role inheritance chains), MC-222 (legacy group mappings), and MC-221 (orphaned privileged assignments).
APT28 and the Cloud Privilege Escalation Collective (ICTAM-002, ICTAM-034) excel at mapping complex role hierarchies to identify escalation paths. Detection signals include unexpected admin role activations (DL-041), OAuth admin role assignments (DL-043), and privilege elevation events (DL-072).
Impact: Escalation to Global Administrator through overlooked identity pathways that bypass intended access controls.
Identity Drift Exploitation
Rather than dramatic attacks, this pattern exploits gradual configuration decay. Token lifetime extensions, privilege creep, conditional access gaps, and weakened device posture requirements accumulate over time, creating exploitable security gaps.
The Cloud Identity Drifter and insider threat actors (ICTAM-021, ICTAM-026) leverage MC-090 (privilege creep), MC-231 (outdated CA exclusions), and MC-451 (weak device posture). Profile mismatch detection (DL-020), anomalous device patterns (DL-060), and token lifetime analysis (DL-080) reveal these attacks.
Impact: Stealthy privilege escalation that generates minimal alerts while providing substantial access elevation.
ETS-008: Vendor Identity Exposure
Supply Chain Attack Through Identity
1. MSP Compromise: Managed service provider identities with broad customer access become attack vectors for mass compromise.
2. SaaS Provider Pivot: Compromised SaaS vendor credentials enable cross-customer data access and lateral movement.
3. SCIM Integration Abuse: System for Cross-domain Identity Management connections provide privileged identity synchronization paths.
4. Multi-Tenant Trust: Shared trust relationships in cloud environments create pivot points between organizations.
This storyline represents the modern supply chain attack executed through identity infrastructure. The trigger is the compromise of MSP, SaaS provider, or integration service identities that maintain privileged access across multiple customer environments. Attackers exploit MC-291 (overprivileged connector accounts), MC-441 (SCIM elevation vulnerabilities), and MC-323 (multi-tenant trust misconfigurations).
APT10 and specialized supply-chain compromise groups (ICTAM-005, ICTAM-025) have demonstrated sophisticated capabilities in this domain. They understand the interconnected nature of modern cloud environments and exploit vendor relationships to achieve broad impact. Detection requires monitoring SCIM anomalies (DL-098), service principal enumeration (DL-099), and partner-tenant activity patterns (DL-114).
The business impact is multiplicative—a single vendor compromise can cascade across dozens or hundreds of customer environments through identity propagation, making this one of the highest-risk attack patterns in the ITIF framework.
ETS-009: Privileged Session Hijacking
Automated Exfiltration at Scale

Attack Vector
Session cookie theft, refresh token harvesting, and bearer token extraction from privileged administrative sessions

Exploitation Focus
  • MC-018: Poor session governance
  • MC-132: Plaintext token storage
  • MC-452: Weak device controls
Privileged session hijacking represents one of the most dangerous attack patterns because it combines the access level of administrative accounts with the stealth of valid session tokens. Unlike credential theft, which may trigger authentication alerts, session token replay occurs within what appears to be a legitimate, already-authenticated session.
The Session Hijacker Collective and APT29 (ICTAM-022, ICTAM-001) have developed sophisticated techniques for extracting and weaponizing these tokens. Once obtained, the tokens enable fully automated data exfiltration that operates within the bounds of normal administrative activity.
Detection depends on token replay pattern analysis (DL-023), geographical switching detection (DL-024), and device fingerprint mismatches (DL-025). However, these signals can be subtle, especially when attackers carefully mimic the timing and behavior patterns of legitimate administrators.
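The three session-replay signals above (DL-023, DL-024, DL-025), as an added example written for this page and not ITIF's own detection logic. The access-log schema, the 15-minute replay gap and the sample sessions are assumptions; the idea is that one session identifier should not be presented from two devices, two countries, or two source addresses alternating within minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed admin-portal access records (hypothetical schema, made-up
# values): (timestamp, session id, source IP, user agent, country). s-1 is a
# normal session; s-2's cookie is later presented from a second IP, country
# and browser, interleaved with the legitimate user's own requests.
REQUESTS = [
    ("2026-03-01T09:00:00", "s-1", "198.51.100.10", "Edge/122 Windows", "DE"),
    ("2026-03-01T09:20:00", "s-1", "198.51.100.10", "Edge/122 Windows", "DE"),
    ("2026-03-01T10:00:00", "s-2", "198.51.100.22", "Edge/122 Windows", "DE"),
    ("2026-03-01T10:05:00", "s-2", "203.0.113.9", "Chrome/121 Linux", "BR"),
    ("2026-03-01T10:06:00", "s-2", "198.51.100.22", "Edge/122 Windows", "DE"),
    ("2026-03-01T10:07:00", "s-2", "203.0.113.9", "Chrome/121 Linux", "BR"),
]

def session_findings(requests, replay_gap=timedelta(minutes=15)):
    """Per session: 'device_mismatch' (more than one user agent on one
    session), 'geo_switch' (more than one country) and 'replay_interleave'
    (the session presented from two source IPs that alternate A, B, A within
    replay_gap, i.e. two parties holding one token at the same time).
    Returns {session_id: sorted list of signal names}."""
    by_session = defaultdict(list)
    for ts, sid, ip, ua, cc in requests:
        by_session[sid].append((datetime.fromisoformat(ts), ip, ua, cc))
    findings = {}
    for sid, events in by_session.items():
        events.sort()
        signals = set()
        if len({ua for _, _, ua, _ in events}) > 1:
            signals.add("device_mismatch")
        if len({cc for *_, cc in events}) > 1:
            signals.add("geo_switch")
        # Look for the A -> B -> A source-address flip inside the gap.
        for (t0, ip0, *_), (_, ip1, *_), (t2, ip2, *_) in zip(events, events[1:], events[2:]):
            if ip0 == ip2 != ip1 and t2 - t0 <= replay_gap:
                signals.add("replay_interleave")
        if signals:
            findings[sid] = sorted(signals)
    return findings
```

The interleave check is the one that survives an attacker who copies the victim's user agent and comes from the same country, because it keys on the token being used from two places in a window too short for one person.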
ETS-010: SaaS Integration Exploitation
Cross-Platform Identity Propagation
The final storyline addresses the complex web of SaaS-to-SaaS and SaaS-to-cloud trust relationships that define modern enterprise architecture. These integration points, while essential for business operations, create identity propagation pathways that sophisticated attackers can traverse to achieve multi-system compromise.
OAuth Connections
SaaS applications maintain OAuth trust relationships that enable seamless data sharing and workflow automation across platforms
SCIM Mappings
Identity provisioning systems automatically synchronize user accounts and permissions across multiple SaaS environments
Cross-Platform Trust
Trust chains extend through multiple SaaS platforms, creating paths from one application to another and eventually to core cloud infrastructure
This attack pattern exploits MC-250 (SaaS overpermissions), MC-441 (SCIM privilege elevation), and MC-335 (multi-SaaS trust chain weaknesses). The SaaS Identity Manipulator and supply-chain operators (ICTAM-035, ICTAM-025) specialize in mapping these complex relationships to identify exploitation paths.
Detection signals include device code abuse (DL-065), SCIM injection attempts (DL-097), and identity attribute manipulation (DL-123). The critical business impact stems from the cascading nature of the compromise—initial access to a peripheral SaaS application can propagate through trust relationships to reach core cloud infrastructure and critical data repositories. This represents the convergence of OAuth abuse, federation weaknesses, and supply chain exposure into a unified attack pattern.
ITIF Framework Integration
How the Components Work Together
Identity Attack Chain (IAC)
Maps the sequential stages of identity-based attacks from initial reconnaissance through privilege escalation and persistence. Each storyline corresponds to specific IAC stages, enabling security teams to understand where they are most vulnerable in the attack progression.
Identity Misconfiguration Universe (IMU)
Catalogs the specific configuration weaknesses that enable each attack pattern. With over 450 documented misconfigurations across cloud identity platforms, IMU provides the technical foundation for understanding what must be remediated to prevent each storyline.
Identity Threat Detection Logic Library (ITDLL)
Defines the detection signals, log analysis patterns, and behavioral indicators that reveal active attacks. Each detection logic entry includes query templates, baseline establishment guidelines, and alert tuning recommendations for security operations teams.
Identity-Centric Threat Actor Models (ICTAM)
Profiles the adversaries who execute these attacks, including their techniques, tools, targeting preferences, and operational patterns. Understanding which threat actors favor which storylines helps prioritize defensive investments based on relevant threats to your organization.
The power of ITIF emerges from the integration of these four components. Security leaders can trace a path from an observed detection signal back through the exploited misconfiguration to understand the attack stage and identify which threat actors might be responsible. Conversely, threat intelligence about specific adversaries can guide teams toward hardening the configurations those actors typically exploit and implementing the appropriate detection logic.
Implementing ITIF in Your Security Program
The Identity Threat Intelligence Framework provides security leaders with a structured approach to modernizing identity security. Rather than treating identity attacks as isolated incidents, ITIF enables systematic understanding of attack patterns, comprehensive misconfiguration remediation, and proactive threat detection.
Assessment
Map your current identity infrastructure against the ten storylines to understand which attack patterns pose the greatest risk to your environment
Prioritization
Use threat actor models to prioritize defenses based on adversaries most likely to target your organization and industry
Remediation
Address the specific misconfigurations that enable your highest-risk storylines using IMU guidance
Detection
Implement ITDLL detection logic to identify attacks in progress and validate your control effectiveness
Continuous Improvement
Monitor emerging threat patterns and adjust your defensive posture as the threat landscape evolves
