Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Identity Attack Chain — Stage 3/9
Stage 3 Credential Acquisition
Credential Acquisition marks the critical turning point where passive reconnaissance transforms into active compromise. At this stage, attackers obtain valid authentication material (passwords, tokens, session cookies, or OAuth grants), enabling them to authenticate as legitimate users. This is no longer guessing or probing; attackers now possess the keys to your identity infrastructure.
This stage encompasses a wide range of techniques: password spraying against validated usernames, brute-force attacks with refined target lists, MFA fatigue through push bombing, credential phishing campaigns, token theft from SaaS platforms and browser sync, session cookie extraction from compromised devices, OAuth consent phishing, API key and client secret theft, service principal token capture, and golden browser-cookie harvesting. Attackers also leverage credential reuse from previous breaches, exploiting users who recycle passwords across services.
Stage 3 is the foundation for every subsequent phase of the attack chain. Without valid credentials or tokens, adversaries cannot proceed to authentication abuse, privilege escalation, or lateral movement. Successful credential acquisition gives attackers the identity context they need to operate undetected within your environment.
Attacker Objectives and Enabling Misconfigurations
🧠 What Attackers Target
In Stage 3, adversaries aim to obtain authentication material that grants them legitimate access. Their primary objectives include logging in as real users with low or mid-level privileges, stealing session cookies or tokens for immediate access, obtaining long-lived refresh tokens that persist beyond password changes, compromising machine identities used by automation systems, stealing CI/CD automation tokens, harvesting OAuth consent flows through social engineering, bypassing MFA using fatigue attacks or token replay techniques, collecting credentials via sophisticated phishing kits, and extracting tokens from infected endpoint devices.
These objectives serve a single purpose: establishing authenticated access that appears legitimate to security monitoring systems. Once attackers possess valid credentials or tokens, they can move freely through Stages 4, 5, and 6 of the attack chain—authentication abuse, privilege escalation, and lateral movement—while masquerading as authorized users.
⚠️ Critical Misconfigurations
Several fundamental security gaps enable credential acquisition attacks. MC-007 (Weak Password Hygiene) allows attackers to exploit common passwords and credential reuse patterns. MC-019 (Weak Lockout Policies) permits unrestricted password spraying and brute-force attempts without account lockouts or rate limiting.
MC-111 (Incomplete MFA Configuration) leaves users vulnerable to password-only compromise when multi-factor authentication isn't universally enforced. MC-018 (Poor Browser Session Governance) enables session cookie theft from infected devices, allowing full user impersonation. MC-147 (Insufficient OAuth App Governance) permits users to unknowingly grant excessive permissions to malicious applications. Finally, MC-138 (Overprivileged API/Machine Identities) creates automation tokens with unnecessarily broad rights and dangerously long lifetimes.
Detection Logic and Breach Patterns
DL-028
MFA Fatigue Pattern Detection
Identifies excessive MFA prompts and push bombing attempts where attackers flood users with authentication requests hoping for accidental approval.
DL-024
Token Use from Unexpected Browser Sync
Detects stolen session tokens being used on foreign devices or browsers that don't match established user patterns.
DL-030
OAuth Token Anomaly Detection
Flags suspicious OAuth scopes and consent events, especially when applications request permissions inconsistent with their stated purpose.
DL-052
Machine Identity Used From Non-Associated Host
Identifies machine or automation tokens being used from unexpected hosts, indicating potential token theft or compromise.
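As an added example that is not part of the original framework, the DL-028 pattern expressed as a small Python detector run over constructed sign-in log lines; the log format, field names, ten-minute window and five-prompt threshold are assumptions for illustration:

```python
# Added example, not code from the original page: a minimal DL-028 (MFA fatigue)
# detector. Log format, field names, window and threshold are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real telemetry): timestamp user event result
SAMPLE_LOG = """\
2026-01-10T08:00:05Z alice mfa_push denied
2026-01-10T08:00:41Z alice mfa_push denied
2026-01-10T08:01:12Z alice mfa_push denied
2026-01-10T08:01:50Z alice mfa_push denied
2026-01-10T08:02:30Z alice mfa_push denied
2026-01-10T08:03:02Z alice mfa_push approved
2026-01-10T09:15:00Z bob mfa_push approved
2026-01-10T11:40:00Z carol mfa_push denied
2026-01-10T11:41:00Z carol mfa_push approved
"""

def parse_log(log):
    """Turn the whitespace-separated log into (timestamp, user, event, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who receive >= threshold push prompts inside a sliding window.
    Severity is 'high' when the flood ends in an approval (the accidental approval
    push bombing aims for) and 'medium' while every prompt is still denied.
    Returns {user: severity}, keeping the worst severity seen per user."""
    prompts_by_user = defaultdict(list)
    for ts, user, event, result in events:
        if event == "mfa_push":
            prompts_by_user[user].append((ts, result))
    alerts = {}
    for user, prompts in prompts_by_user.items():
        prompts.sort()
        start = 0
        for end in range(len(prompts)):
            # Slide the window start forward until prompts[start:end+1] fit inside it
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            run = prompts[start:end + 1]
            if len(run) >= threshold:
                severity = "high" if run[-1][1] == "approved" else "medium"
                if severity == "high" or user not in alerts:
                    alerts[user] = severity
    return alerts
```

The "high" case (a run of denials closed by an approval) is the sequence to treat as a likely compromise rather than user error, and it is the point at which the session and the registered factor should be reset.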

Common Breach Patterns in Stage 3
Attackers leverage several well-documented breach patterns during credential acquisition. BP-010 (Password Spray Credential Acquisition) uses validated username lists with common passwords to gain initial access. BP-011 (Phished Credentials - Cloud Login) employs sophisticated phishing campaigns targeting cloud authentication portals. BP-012 (OAuth Consent Capture) tricks users into granting malicious applications broad access permissions through seemingly legitimate consent flows.
BP-013 (Browser Session Cookie Theft) extracts active session cookies from compromised endpoints, bypassing authentication entirely. BP-015 (Machine Identity Token Theft) targets long-lived automation tokens used by CI/CD pipelines and service accounts, providing persistent access to critical systems.
Threat Actors and Attack Chain Context
APT28 (ICTAM-002)
Russian state-sponsored group specializing in password spray campaigns combined with MFA fatigue attacks targeting government and defense sectors.
Hive (ICTAM-015)
Ransomware operation conducting large-scale password spraying against enterprise environments to establish initial access for encryption attacks.
BlackCat (ICTAM-009)
Sophisticated ransomware group targeting machine identity tokens and service principal credentials to move laterally through cloud environments.
Clop (ICTAM-014)
Ransomware gang specializing in session hijacking techniques, stealing active browser cookies to bypass authentication controls.
DarkHalo (ICTAM-006)
APT group focused on certificate and token theft, using stolen credentials to maintain long-term persistence in victim networks.
Automation Identity Hijacker (ICTAM-023)
Emerging threat pattern targeting CI/CD pipelines and automation tokens to compromise software supply chains and deployment infrastructure.

🔄 Stage 3 in the Attack Chain Context
Credential Acquisition serves as the critical bridge between reconnaissance and exploitation. Stage 2 (Enumeration) provides attackers with validated usernames, authentication endpoints, and identity infrastructure details. Stage 3 (Credential Acquisition) converts that intelligence into authenticated access. This access then enables Stage 4 (Authentication Abuse), where attackers leverage stolen credentials to establish persistent sessions, followed by Stage 5 (Privilege Escalation), where they elevate permissions and expand access.
Unlike traditional infrastructure-based attacks, identity-centric attacks focus on obtaining and abusing authentication material. Attackers no longer need to exploit software vulnerabilities or bypass network security controls—they simply authenticate using stolen credentials or tokens, appearing as legitimate users to security monitoring systems. This makes credential acquisition the most critical stage to detect and prevent.