Attackers systematically probe identity systems to confirm which user accounts actually exist, enabling precision-targeted credential attacks. Unlike format discovery, this pattern validates real, active identities through subtle system responses.
What This Breach Pattern Is
Valid Username Harvesting systematically confirms which accounts exist in your identity infrastructure. Attackers exploit subtle differences in system responses—login errors, password reset flows, SSPR portals, federation endpoints, and OIDC error codes—to distinguish valid from invalid usernames.
This pattern extends beyond BP-004's format discovery. Attackers validate identities through legacy protocols (IMAP, SMTP AUTH), MFA enrollment pages, and cloud platform behaviors across Azure, Okta, and Google Workspace. Once confirmed, these validated accounts become high-precision targets for password spraying and social engineering.
Build comprehensive lists of valid accounts while differentiating between active and inactive identities across the entire organization.
Privilege Detection
Identify high-value targets including privileged accounts, executive identities, and service accounts through timing analysis and response patterns.
Architecture Mapping
Distinguish cloud-only versus federated identities, enumerate guest and B2B accounts, and pinpoint identities without MFA enforcement.
This reconnaissance enables attackers to focus credential attacks exclusively on confirmed valid accounts, eliminating wasted effort on non-existent usernames and dramatically improving success rates for subsequent breach patterns.
Misconfigurations Enabling This Pattern
MC-001: Publicly Exposed User Identifiers
Login and password reset pages return different error messages for valid versus invalid accounts, creating an oracle for username validation.
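The oracle described here comes from two things a login or reset handler does differently for an unknown account: it says something different, and it returns faster because it skips the password check. Both leaks are closed in the following example, which is added here and is not code from the original page or from any product it describes; the user store, the `example.com` usernames and the PBKDF2 parameters are constructed for illustration. The same equal-work technique also removes the response-time variance noted under MC-146.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample user store (username -> (salt, PBKDF2 hash)); not real accounts.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_A = b"constructed-salt-a"
USERS = {
    "alice@example.com": (_SALT_A, _hash("correct horse", _SALT_A)),
}

# A dummy credential that is verified whenever the username is unknown, so the
# unknown-user path performs the same hashing work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password"
GENERIC_RESET = "If an account exists for that address, a reset link has been sent"


def login_leaky(username: str, password: str) -> str:
    """Vulnerable form: distinct messages and an early return reveal account existence."""
    record = USERS.get(username)
    if record is None:
        return "Unknown user"            # oracle: the account does not exist
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Incorrect password"          # oracle: the account exists


def login_hardened(username: str, password: str) -> str:
    """Hardened form: one message and the same amount of work for every failure."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    # The membership check is evaluated after hashing, so it adds no observable skew.
    return "OK" if matched and username in USERS else GENERIC_FAILURE


def reset_leaky(email: str) -> str:
    """Vulnerable reset flow: the message itself confirms or denies the account."""
    if email not in USERS:
        return "No account with that email address"
    return "Reset link sent"


def reset_hardened(email: str, send_mail=lambda addr: None) -> str:
    """Hardened reset flow: identical response; the e-mail is only sent when the
    account exists, so existence is never reflected back to the requester."""
    if email in USERS:
        send_mail(email)
    return GENERIC_RESET


if __name__ == "__main__":
    for user in ("alice@example.com", "nobody@example.com"):
        print(user, "|", login_leaky(user, "wrong"), "|", login_hardened(user, "wrong"))
```

Generic messages alone are not enough: if the unknown-user branch returns before the password hash is computed, the response-time difference recreates the oracle, which is why the hardened handler always hashes against a dummy record.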
MC-019: Weak Lockout Policies
Insufficient rate limiting allows attackers to validate thousands of usernames without triggering account lockouts or detection systems.
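Per-account lockout never fires during harvesting because each username receives only one or two attempts; the control has to key on the source instead. The example below, added here and not taken from the original page or any product it describes, shows both halves of that: a detector that flags a source trying many distinct usernames with a high share of unknown-user results, and a per-source rate limiter that caps attempts regardless of which account is named. The log format and every address and username in it are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample authentication log (not captured from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=203.0.113.5 user=aaron@example.com result=USER_NOT_FOUND
2024-05-01T10:00:01Z src=203.0.113.5 user=abby@example.com result=USER_NOT_FOUND
2024-05-01T10:00:01Z src=203.0.113.5 user=adam@example.com result=BAD_PASSWORD
2024-05-01T10:00:02Z src=203.0.113.5 user=alan@example.com result=USER_NOT_FOUND
2024-05-01T10:00:02Z src=203.0.113.5 user=alex@example.com result=USER_NOT_FOUND
2024-05-01T10:00:03Z src=203.0.113.5 user=alice@example.com result=BAD_PASSWORD
2024-05-01T10:00:03Z src=203.0.113.5 user=amy@example.com result=USER_NOT_FOUND
2024-05-01T10:00:04Z src=203.0.113.5 user=andy@example.com result=USER_NOT_FOUND
2024-05-01T10:05:00Z src=198.51.100.7 user=bob@example.com result=BAD_PASSWORD
2024-05-01T10:05:09Z src=198.51.100.7 user=bob@example.com result=BAD_PASSWORD
2024-05-01T10:05:20Z src=198.51.100.7 user=bob@example.com result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log: str):
    """Yield (timestamp, source, username, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m["src"], m["user"], m["result"]


def detect_enumeration(log: str, window_s=60, min_users=5, min_nf_ratio=0.5):
    """Sliding window per source: alert when many distinct usernames were tried
    and most of them were unknown. Per-account lockout is blind to this shape."""
    events = defaultdict(deque)
    alerts = set()
    for ts, src, user, result in parse(log):
        q = events[src]
        q.append((ts, user, result))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct_users = {u for _, u, _ in q}
        not_found = sum(1 for _, _, r in q if r == "USER_NOT_FOUND")
        if len(distinct_users) >= min_users and not_found / len(q) >= min_nf_ratio:
            alerts.add(src)
    return alerts


class SourceRateLimiter:
    """At most `limit` authentication attempts per source per `window_s`,
    independent of the username supplied."""

    def __init__(self, limit=5, window_s=60):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, src: str, ts: datetime) -> bool:
        q = self.hits[src]
        while q and (ts - q[0]).total_seconds() >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def count_rate_limited(log: str, limit=5, window_s=60) -> int:
    """Replay the log through the limiter and count attempts it would have refused."""
    limiter = SourceRateLimiter(limit, window_s)
    return sum(1 for ts, src, _, _ in parse(log) if not limiter.allow(src, ts))


if __name__ == "__main__":
    print("enumeration sources:", detect_enumeration(SAMPLE_LOG))
    print("attempts refused by per-source limit:", count_rate_limited(SAMPLE_LOG))
```

On the sample log the detector fires for `203.0.113.5` only: eight distinct usernames in four seconds, six of them unknown, while the legitimate user at `198.51.100.7` retrying one account is left alone. The `USER_NOT_FOUND` result must of course be recorded server-side only; the response to the client stays generic.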
MC-075: Weak Network Segmentation
Identity enumeration endpoints remain globally accessible, enabling automated harvesting from any internet location without geographic restrictions.
MC-146: Inconsistent Trust Boundaries
Federation endpoints leak account existence through varying error codes and response times across different authentication flows.
BP-005 represents one of the most critical enumeration steps before authentication abuse. Validated usernames transform broad credential attacks into surgical strikes against confirmed targets, dramatically increasing breach probability.
Russian state-sponsored group conducts bulk username validation before executing coordinated password spraying campaigns against government and critical infrastructure targets.
Hive (ICTAM-015)
Ransomware operation performs mass identity harvesting to identify high-value accounts before deploying encryption payloads across enterprise environments.
MuddyWater (ICTAM-007)
Iranian threat actor validates target identities to enable precision spear-phishing campaigns with customized lures based on confirmed organizational roles.
Clop (ICTAM-014)
Financially motivated gang selects high-value identity targets through enumeration before launching extortion-based ransomware attacks against validated executives.
Demonstrates how username harvesting enables complete credential attack chains, from initial tenant discovery through full compromise of cloud infrastructure.
ETS-006: Federation Misuse
Shows how validated identities enable attackers to establish persistent identity backdoors through federation exploitation and trust relationship abuse.