Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
BP-001 Domain & Identity Surface Scanning
The attacker's first reconnaissance move to map your external identity footprint and discover critical infrastructure details before launching targeted attacks.
🔍 Understanding the Breach Pattern
What Attackers Target
Domain & Identity Surface Scanning represents the critical reconnaissance phase where adversaries systematically probe your external identity infrastructure. Attackers leverage automated tools to discover login portals, tenant identifiers, federation metadata, and email pattern leaks across your digital perimeter.
This includes open SSO endpoints, OAuth authorization pages, SAML federation XML files, cloud tenant realms, and externally visible MFA behavior. While purely reconnaissance, this activity reveals the architectural blueprint of your identity ecosystem.
Core Intelligence Gathered
  • Identity provider detection and configuration details
  • Federation trust relationships and external connections
  • Cloud application login URLs and access patterns
  • MFA enforcement policies and implementation gaps
  • Organizational naming conventions and user patterns
  • External identity metadata and structural weaknesses
  • Cloud tenant identifiers across Azure AD, Okta, and others
This reconnaissance builds the foundation for Stage 2 enumeration and Stage 3 credential attacks, making it a critical early warning signal.
⚠️ Critical Misconfigurations Enabling This Attack
MC-001: Publicly Exposed User Identifiers
Authentication error messages that inadvertently leak account existence through differential responses, allowing attackers to validate username formats and confirm active accounts without credentials.
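The differential-response oracle described under MC-001, shown as an added Python example beside a hardened handler (this code is not from the original page). The user store, salts and passwords are constructed for the demo, and login_leaky, login_uniform and is_existence_oracle are hypothetical names:

```python
import hashlib
import hmac

# Constructed demo user store (not real accounts): username -> (salt, PBKDF2 hash).
PBKDF2_ITERATIONS = 50_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


_SALT = b"demo-salt-not-random"
USERS = {"alice@example.com": (_SALT, _hash("correct horse battery", _SALT))}

# Dummy record so the hardened path does the same hashing work when the account does not exist.
_DUMMY_SALT = b"dummy-salt-not-random"
_DUMMY_HASH = _hash("never-a-valid-password", _DUMMY_SALT)


def login_leaky(username, password):
    """MC-001 as described: the failure text differs depending on whether the account exists,
    and an unknown user returns early without any hashing, so response time leaks the same fact."""
    rec = USERS.get(username)
    if rec is None:
        return False, "Unknown user"
    salt, expected = rec
    if hmac.compare_digest(_hash(password, salt), expected):
        return True, "OK"
    return False, "Incorrect password"


def login_uniform(username, password):
    """Hardened handler: one generic failure message and equal hashing work on every failure path."""
    rec = USERS.get(username)
    salt, expected = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash(password, salt), expected)
    ok = rec is not None and matched  # the dummy hash can never authenticate anyone
    return ok, ("OK" if ok else "Invalid username or password")


def is_existence_oracle(login):
    """True if the handler's failure text lets a caller tell an unknown account from a wrong password."""
    _, msg_unknown = login("nobody@example.com", "anything")
    _, msg_wrong = login("alice@example.com", "wrong password")
    return msg_unknown != msg_wrong


if __name__ == "__main__":
    print("leaky handler is an oracle:", is_existence_oracle(login_leaky))
    print("uniform handler is an oracle:", is_existence_oracle(login_uniform))
```

The message text is only one differential response; status codes, response sizes and timing count too, which is why the hardened handler also hashes against a dummy record for unknown accounts. The real failure reason should still be written to the server-side sign-in log, since the DL-009 pattern below depends on distinguishing "account does not exist" from "wrong password" on the defender's side.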
MC-075: Weak Network Segmentation
Identity endpoints accessible from any internet source without geographic or behavioral restrictions enable large-scale automated scanning campaigns from adversary infrastructure.
MC-146: Inconsistent Trust Boundaries
External cloud tenants and federation partners reveal sensitive metadata through misconfigured trust relationships, exposing internal identity architecture to reconnaissance.
🛡️ Detection Logic & Threat Signals
DL-001: External Enumeration Detection
Identifies systematic identity-surface probing activities originating from unknown or suspicious Autonomous System Numbers (ASNs), indicating reconnaissance operations against your authentication infrastructure.
DL-009: Failed Lookup Pattern Analysis
Detects repeated failed authentication attempts or lookup queries targeting identity endpoints, revealing structural probing of username formats, email patterns, and account enumeration activities.
DL-010: Naming Convention Probes
Identifies high-volume testing of email address and User Principal Name (UPN) naming patterns, suggesting automated reconnaissance to discover valid account structures before credential attacks.
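An added example (not part of the original page) that runs the three detection signals above, DL-001, DL-009 and DL-010, over a handful of constructed sign-in events in Python. The log format, the KNOWN_ASNS allow-list, the thresholds and the naming_format classes are assumptions chosen for the demo, not the framework's own rules:

```python
import re
from collections import Counter, defaultdict

# Constructed sign-in events (not real telemetry). Fields: ts src_ip asn username result
SAMPLE_LOG = """\
2026-01-10T08:00:01Z 203.0.113.7 AS64500 john.smith@example.com user_not_found
2026-01-10T08:00:02Z 203.0.113.7 AS64500 jsmith@example.com user_not_found
2026-01-10T08:00:03Z 203.0.113.7 AS64500 johns@example.com user_not_found
2026-01-10T08:00:04Z 203.0.113.7 AS64500 smithj@example.com user_not_found
2026-01-10T08:00:05Z 203.0.113.7 AS64500 john_smith@example.com user_not_found
2026-01-10T08:00:06Z 203.0.113.7 AS64500 jane.doe@example.com user_not_found
2026-01-10T08:00:07Z 203.0.113.7 AS64500 jdoe@example.com bad_password
2026-01-10T08:00:08Z 203.0.113.7 AS64500 janed@example.com user_not_found
2026-01-10T08:05:00Z 198.51.100.20 AS64496 alice.wong@example.com bad_password
2026-01-10T08:05:30Z 198.51.100.20 AS64496 alice.wong@example.com success
2026-01-10T08:06:00Z 192.0.2.44 AS64501 bob.lee@example.com bad_password
"""

# Assumption: ASNs the defender expects sign-ins from (corporate egress, known partners).
KNOWN_ASNS = {"AS64496"}

MIN_EVENTS = 5          # DL-001: volume floor before an unknown ASN counts as sustained probing
MIN_NOT_FOUND = 5       # DL-009: floor on user_not_found results from one source
NOT_FOUND_RATIO = 0.5   # DL-009: share of failures that hit non-existent accounts
MIN_FORMATS = 3         # DL-010: distinct naming conventions tried by one source

LINE_RE = re.compile(r"^(\S+) (\S+) (AS\d+) (\S+)@(\S+) (\S+)$")


def parse_events(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, asn, local, domain, result = m.groups()
        events.append({"ts": ts, "ip": ip, "asn": asn, "local": local.lower(),
                       "domain": domain, "result": result})
    return events


def naming_format(local):
    """Coarse naming-convention class for a UPN / email local part."""
    if "." in local:
        return "first.last"
    if "_" in local:
        return "first_last"
    if "-" in local:
        return "first-last"
    if re.fullmatch(r"[a-z]+\d+", local):
        return "alpha+digits"
    return "compact"  # jsmith, johns, smithj: no separator


def detect(events):
    """Return {src_ip: [signal ids]} for sources that trip at least one of DL-001/009/010."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        hits = []
        # DL-001: sustained probing from an ASN we do not expect sign-ins from
        asns = {e["asn"] for e in evs}
        if len(evs) >= MIN_EVENTS and not asns & KNOWN_ASNS:
            hits.append("DL-001")
        # DL-009: failures dominated by lookups of accounts that do not exist
        results = Counter(e["result"] for e in evs)
        failures = sum(v for k, v in results.items() if k != "success")
        not_found = results["user_not_found"]
        if not_found >= MIN_NOT_FOUND and failures and not_found / failures >= NOT_FOUND_RATIO:
            hits.append("DL-009")
        # DL-010: one source cycling through several naming conventions
        formats = {naming_format(e["local"]) for e in evs}
        if len(formats) >= MIN_FORMATS:
            hits.append("DL-010")
        if hits:
            findings[ip] = hits
    return findings


if __name__ == "__main__":
    for ip, hits in detect(parse_events(SAMPLE_LOG)).items():
        print(ip, ", ".join(hits))
```

On the sample, 203.0.113.7 trips all three signals, while the two failures from the known ASN and the single event from 192.0.2.44 stay below the thresholds. In production the per-source key would usually be widened (ASN or /24 rather than a single IP) because scanning campaigns rotate addresses, and the DL-009 signal only works if the identity provider's own logs keep the "user not found" reason even when the user-facing message is uniform.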
🧩 Attack Chain Position & Threat Actor Intelligence
Identity Attack Chain Mapping
  1. Stage 1: Reconnaissance. BP-001 scanning identifies targets and architecture.
  2. Stage 2: Identity Enumeration. Validated accounts enable credential attacks.
This breach pattern is almost always the first step before password spraying, MFA bypass attempts, sophisticated phishing campaigns, or federation abuse operations.
Active Threat Actors
  • APT28 (ICTAM-002) — Conducts bulk identity surface scanning across government and enterprise sectors
  • MuddyWater (ICTAM-007) — Executes large-scale reconnaissance campaigns targeting Middle Eastern infrastructure
  • Volt Typhoon (ICTAM-004) — Deploys hybrid reconnaissance combining identity and network discovery
  • Cloud Identity Drifter (ICTAM-021) — Performs broad opportunistic scanning of SaaS platforms
🧵 Executive Context
Related Executive Storylines
  • ETS-001: Cloud Tenant Discovery → Credential Attack Chain progression
  • ETS-007: Identity Drift → Targeted Escalation and lateral movement