Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Category 2: Credential Acquisition & Token Theft
Category 2 of the Identity Breach Patterns Library focuses on the systematic extraction of authentication secrets that enable adversaries to compromise enterprise identities.
Understanding Credential & Token Attacks
Attack Surface
Modern identity systems rely on multiple authentication factors and session management mechanisms. Adversaries target these components to acquire passwords, session cookies, OAuth tokens, MFA codes, and federated authentication secrets. These attacks exploit both technical vulnerabilities and human behavior patterns across cloud, SaaS, and hybrid enterprise environments.
Strategic Impact
Credential acquisition represents the initial compromise phase that enables broader identity-based attacks. Once authentication secrets are obtained, attackers can bypass security controls, establish persistent access, escalate privileges, and move laterally across enterprise systems. Token-based attacks are particularly dangerous as they circumvent traditional authentication protections entirely.
Primary Attack Vectors
Password-Based Attacks
Credential spraying, stuffing, and brute-force techniques targeting weak or reused passwords across enterprise authentication endpoints.
MFA Exploitation
Prompt bombing, fatigue attacks, and SIM swapping techniques designed to bypass or compromise multi-factor authentication systems.
Session Token Theft
Browser cookie extraction, OAuth token interception, and session hijacking through malware or adversary-in-the-middle positioning.
Social Engineering
Consent phishing, QR code attacks, and credential harvesting through deceptive websites and reverse proxy frameworks.
Breach Pattern Catalog
Each pattern represents a distinct attack methodology with specific technical characteristics, adversary TTPs, and defensive requirements.
1. BP-010: Password Spray Attacks
Systematic authentication attempts using common passwords against multiple accounts to evade account lockout mechanisms and detection thresholds.
2. BP-011: Credential Stuffing
Automated replay of previously breached username-password combinations across enterprise authentication systems exploiting credential reuse behaviors.
3. BP-012: MFA Fatigue Attacks
Overwhelming users with repeated push notification requests to induce approval fatigue and bypass multi-factor authentication controls.
4. BP-013: Browser Session Theft
Extraction of authentication cookies and session tokens from compromised endpoints enabling session hijacking without credential knowledge.
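The spray pattern in BP-010 stays under per-account lockout thresholds by spreading a few common passwords across many accounts, so detection has to pivot on the source rather than on the account. The block below is an added example and not part of the library: it runs a source-centric rule over constructed authentication log lines and contrasts a spraying source (many users, one failure each) with a single-account brute-force source that a lockout rule would catch but this rule ignores. The log format, field names, thresholds and IP addresses are all assumptions.

```python
"""Source-centric password-spray detection over authentication log lines.

Added example with constructed data; the log format
"<timestamp> <source_ip> <username> <result>" is hypothetical.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: 203.0.113.7 sprays six accounts once each, then
# succeeds against one; 198.51.100.4 hammers a single account (brute force);
# 192.0.2.10 is a normal successful login.
SAMPLE_LOG = """\
2026-01-15T09:00:01Z 203.0.113.7 alice FAIL
2026-01-15T09:01:12Z 203.0.113.7 bob FAIL
2026-01-15T09:02:30Z 203.0.113.7 carol FAIL
2026-01-15T09:03:45Z 203.0.113.7 dave FAIL
2026-01-15T09:05:02Z 203.0.113.7 erin FAIL
2026-01-15T09:06:19Z 203.0.113.7 frank FAIL
2026-01-15T09:07:40Z 203.0.113.7 erin SUCCESS
2026-01-15T09:00:05Z 198.51.100.4 alice FAIL
2026-01-15T09:00:09Z 198.51.100.4 alice FAIL
2026-01-15T09:00:14Z 198.51.100.4 alice FAIL
2026-01-15T09:00:20Z 198.51.100.4 alice FAIL
2026-01-15T09:00:27Z 198.51.100.4 alice FAIL
2026-01-15T09:00:35Z 198.51.100.4 alice FAIL
2026-01-15T09:10:00Z 192.0.2.10 alice SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a UTC timestamp."""
    ts, src, user, result = line.split()
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": stamp, "src": src, "user": user, "result": result}


def detect_password_spray(log_text, window=timedelta(minutes=30),
                          min_distinct_users=5, lockout_threshold=5):
    """Flag sources that fail against many distinct users inside one window.

    For each source, slide a window over its failures and keep the window
    with the most distinct usernames. A source is reported when that count
    reaches min_distinct_users. The report also records the highest per-user
    failure count (a spray typically keeps this below lockout_threshold, which
    is exactly why per-account lockout rules miss it) and any users that
    later logged in successfully from the same source.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]].append(e)

    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            per_user = Counter(e["user"] for e in in_window)
            if len(per_user) >= min_distinct_users and (best is None or len(per_user) > len(best)):
                best = per_user
        if best is None:
            continue
        successes = sorted({e["user"] for e in events
                            if e["src"] == src and e["result"] == "SUCCESS"})
        alerts.append({
            "src": src,
            "distinct_users": len(best),
            "max_failures_per_user": max(best.values()),
            "below_lockout": max(best.values()) < lockout_threshold,
            "successful_users": successes,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(alert)
```

Run as-is, the detector reports only 203.0.113.7 (six distinct users, one failure each, so below any sane lockout threshold, with a later success for erin that merits immediate session review). The single-account source 198.51.100.4 is not reported by this rule; it is the case an ordinary lockout or per-account threshold already covers, which is why the two rules belong side by side rather than as substitutes.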
Advanced Token-Based Techniques
OAuth Consent Phishing
BP-014: Malicious application registration and consent grant manipulation to obtain OAuth authorization codes and persistent refresh tokens.
MitM Credential Interception
BP-015: Adversary-in-the-middle positioning using reverse proxies to capture authentication credentials and session tokens in real time.
QR Code Phishing
BP-016: Malicious QR codes directing users to credential harvesting sites exploiting mobile device authentication workflows and trust assumptions.
Mobile-Centric Identity Compromise
BP-017: SIM Swapping
Telecommunications-based identity takeover through social engineering of mobile carrier personnel. Adversaries transfer the target's phone number to attacker-controlled SIM cards, enabling interception of SMS-based MFA codes, password reset workflows, and authentication push notifications. This technique bypasses technical security controls through exploitation of carrier operational procedures and insider access.
Attack Execution Chain
  1. Reconnaissance: Adversaries gather personal information through OSINT, data breaches, or social media profiling
  2. Carrier Compromise: Social engineering or insider access at telecommunications provider
  3. Number Port: Target phone number transferred to attacker-controlled SIM card
  4. Authentication Bypass: Interception of SMS codes enables password resets and account access
  5. Account Takeover: Complete control of identity including email, financial, and cloud accounts
Threat Actor Landscape
Nation-State APT Groups
Advanced persistent threats deploy sophisticated credential acquisition campaigns targeting government agencies, defense contractors, and critical infrastructure. These adversaries combine technical exploitation with strategic intelligence gathering to compromise high-value identities.
Ransomware Operators
Criminal enterprises leverage credential theft for initial access and privilege escalation. Modern ransomware groups maintain dedicated access broker relationships and deploy information stealers to harvest enterprise authentication secrets at scale.
Cloud-Native Adversaries
Specialized threat actors focus exclusively on SaaS and cloud identity systems. These groups exploit OAuth flows, API tokens, and federated authentication mechanisms unique to modern cloud architectures and multi-tenant environments.
Attack Progression & Consequences
1. Initial Compromise
Adversaries acquire valid credentials through spraying, phishing, or token theft, establishing authenticated access to enterprise systems.
2. MFA Bypass
Session tokens and stolen cookies enable authentication without triggering MFA challenges, circumventing security controls.
3. Session Hijacking
Attackers maintain persistent authenticated sessions independent of password changes or credential rotation policies.
4. Identity Persistence
OAuth refresh tokens and federated trusts provide long-term access mechanisms surviving traditional credential resets.
5. Privilege Escalation
Compromised identities enable access to administrative functions, sensitive data repositories, and high-privilege account targeting.
Critical Security Considerations

Defense Reality Check
Multi-factor authentication does NOT prevent most attacks in this category. Token-based techniques completely bypass authentication prompts. Browser-stealer malware extracts valid session cookies regardless of password complexity. SMS and phone-based MFA are considered compromised authentication methods in high-security environments. Organizations must implement phishing-resistant authentication, continuous session validation, and token-aware security monitoring.

Token-Based Attacks Bypass Traditional Controls
Session cookies and OAuth tokens provide valid authentication without triggering security mechanisms designed to detect credential abuse.
Browser Stealers Drive Enterprise Compromise
Information-stealing malware targeting browser credential stores represents the leading cause of identity-based breaches in enterprise environments.
Many Techniques Evade Security Perimeter
Credential acquisition often occurs on personal devices, through third-party services, or via social engineering completely outside organizational security boundaries.