Identity-Based Attacks Target Authentication Systems and Credentials
Severity: High (Score: 69.5)
Sources: attack.mitre.org, Feeds.Feedburner, Duo, learn.microsoft.com
Keywords: threat, identity-based, attacks, against, identity, password, work
Summary
Recent identity-based attacks have exploited weaknesses in authentication systems, targeting credentials and identity infrastructure rather than application code. Notable incidents include the compromise of over 18,000 routers by APT28 to steal OAuth tokens, a breach of France's National Agency for Secure Documents (ANTS) exposing citizen data, and phishing campaigns that deliver lures through legitimate vendor notification systems. In the token-theft case, attackers bypassed multi-factor authentication (MFA) by capturing tokens issued after a successful MFA check rather than by breaking any cryptography, which marks a shift of attacker effort toward the identity attack surface. The incidents affected numerous organizations and individuals; the router compromise alone impacted over 200 organizations and 5,000 consumer devices. They highlight the need for stronger controls around authentication flows and the trust relationships behind them, and defenses must adapt to detect and block unauthorized use of already-authenticated sessions.

Key Points:
- Identity-based attacks increasingly target authentication systems rather than application code.
- APT28 compromised over 18,000 routers to harvest OAuth tokens, affecting 200 organizations.
- Recent breaches exposed sensitive data and demonstrated the limitations of current MFA implementations.
Detailed Analysis
**Impact**

Over 200 organizations and 5,000 consumer devices were affected by OAuth token theft through compromised routers, primarily impacting users of Microsoft Outlook on the web. The breach of France's National Agency for Secure Documents exposed login credentials and personal data of an undisclosed number of French citizens. Additional impacts include phishing campaigns that abuse legitimate vendor notification systems and the compromise of thousands of messaging-app accounts, affecting government, private-sector, and consumer communications globally.

**Technical Details**

Attackers employed credential stuffing, brute force, SIM swapping, push-notification fatigue, and phishing-proxy (adversary-in-the-middle) techniques to bypass authentication. Token theft involved DNS hijacking of MikroTik and TP-Link routers by APT28 to intercept OAuth tokens after MFA had already been satisfied, so each stolen token carried a fully authenticated session. Directory-service attacks included Kerberoasting, AS-REP roasting, golden ticket, and pass-the-hash techniques against Active Directory and cloud identity providers. OAuth redirect-URI manipulation and SAML assertion forgery were used to bypass federated authentication.

Indicators include: Windows Security Event ID 4769 (Kerberos service ticket requested) with ticket encryption type 0x17 (RC4-HMAC) for a user service account, the signature of Kerberoasting, since RC4 tickets are keyed with the account's NT hash and crack far faster than AES tickets; Event ID 4768 (Kerberos authentication ticket requested) with pre-authentication type 0, which means a TGT was issued without pre-authentication and is the signature of AS-REP roasting; and LDAP query volumes exceeding 100 unique objects per minute from a single client, which is typical of directory enumeration. Filter machine accounts and the krbtgt principal out of the 4769 rule and baseline legacy applications that still negotiate RC4, or it will be noisy.

**Recommended Response**

Enforce MFA methods resistant to SIM swapping and phishing, such as FIDO2 hardware tokens or certificate-based authentication. Monitor authentication logs for impossible-travel patterns, failed login attempts, and Kerberos ticket requests matching the signatures above. Rotate service-account passwords regularly, and give accounts that carry SPNs long random passwords, while managing application stability. Harden router firmware and network infrastructure against DNS hijacking, and audit vendor notification systems for abuse. Deploy privileged access management with just-in-time elevation, and monitor OAuth and SAML authentication flows for anomalies such as unexpected redirect URIs or assertions from unknown issuers.
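The Kerberos and LDAP indicators in the Technical Details above, turned into detection logic that runs over a handful of constructed events. This is an added example, not code from any of the cited sources; the record layout (event_id, account_name, service_name, ticket_encryption_type, pre_auth_type, status, and the ldap_search records with ip, timestamp and object_dn) is an assumed SIEM-normalised schema, not any vendor's, and the sample data is made up.

```python
"""Kerberoasting, AS-REP roasting and LDAP-enumeration checks over normalised events.

Added example; field names are an assumed SIEM schema, sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Kerberos ticket encryption types (MS-KILE / RFC 3962).
RC4_HMAC = 0x17
AES256_CTS_HMAC_SHA1 = 0x12
LDAP_UNIQUE_OBJECTS_PER_MINUTE = 100  # threshold stated in the brief


def is_kerberoast_ticket(ev):
    """4769 issued with RC4 for a user service account. krbtgt and machine
    accounts (trailing '$') have long random keys, so their tickets are
    not crackable and are excluded as noise."""
    if ev.get("event_id") != 4769 or ev.get("status", 0) != 0:
        return False
    svc = (ev.get("service_name") or "").lower()  # sAMAccountName as logged in 4769
    if svc == "krbtgt" or svc.endswith("$"):
        return False
    return ev.get("ticket_encryption_type") == RC4_HMAC


def is_asrep_ticket(ev):
    """4768 that succeeded with pre-auth type 0: a TGT issued without
    pre-authentication, so the AS-REP can be cracked offline."""
    return (ev.get("event_id") == 4768 and ev.get("status", 0) == 0
            and ev.get("pre_auth_type") == 0)


def kerberoast_candidates(events):
    """Requesting account -> sorted service accounts it pulled RC4 tickets for."""
    by_account = defaultdict(set)
    for ev in events:
        if is_kerberoast_ticket(ev):
            by_account[ev["account_name"]].add(ev["service_name"])
    return {acct: sorted(s) for acct, s in by_account.items()}


def asrep_candidates(events):
    return sorted({ev["account_name"] for ev in events if is_asrep_ticket(ev)})


def ldap_enumeration_sources(events, threshold=LDAP_UNIQUE_OBJECTS_PER_MINUTE):
    """Client IPs touching more than `threshold` distinct objects in one calendar minute."""
    buckets = defaultdict(set)  # (ip, minute) -> distinct object DNs
    for ev in events:
        if ev.get("event_type") != "ldap_search":
            continue
        minute = datetime.fromisoformat(ev["timestamp"]).replace(second=0, microsecond=0)
        buckets[(ev["ip"], minute)].add(ev["object_dn"])
    return sorted({ip for (ip, _), dns in buckets.items() if len(dns) > threshold})


def _kerb(event_id, account, service=None, etype=None, pre_auth=None, status=0):
    return {"event_id": event_id, "account_name": account, "service_name": service,
            "ticket_encryption_type": etype, "pre_auth_type": pre_auth, "status": status}


def _ldap(ip, second, dn):
    return {"event_type": "ldap_search", "ip": ip, "object_dn": dn,
            "timestamp": f"2026-05-29T10:{second // 60:02d}:{second % 60:02d}"}


# Constructed sample telemetry (hypothetical accounts, hosts and addresses).
SAMPLE_EVENTS = [
    _kerb(4769, "jdoe", service="svc_sql", etype=RC4_HMAC),   # Kerberoasting
    _kerb(4769, "jdoe", service="svc_web", etype=RC4_HMAC),   # Kerberoasting
    _kerb(4769, "jdoe", service="krbtgt", etype=RC4_HMAC),    # excluded: krbtgt
    _kerb(4769, "jdoe", service="WS01$", etype=RC4_HMAC),     # excluded: machine account
    _kerb(4769, "alice", service="svc_web", etype=AES256_CTS_HMAC_SHA1),  # normal AES
    _kerb(4768, "legacyapp", pre_auth=0),                      # AS-REP roastable
    _kerb(4768, "bob", pre_auth=2),                            # encrypted-timestamp pre-auth
    _kerb(4768, "carol", pre_auth=0, status=0x19),             # KDC_ERR_PREAUTH_REQUIRED, normal
]
# 150 distinct objects inside minute 10:00 from one client: enumeration.
SAMPLE_EVENTS += [_ldap("10.0.5.23", i % 60, f"CN=user{i},OU=Staff,DC=corp,DC=example") for i in range(150)]
# 120 objects but 60 per minute across 10:01 and 10:02: under threshold.
SAMPLE_EVENTS += [_ldap("10.0.7.7", 60 + i, f"CN=host{i},OU=Servers,DC=corp,DC=example") for i in range(120)]
SAMPLE_EVENTS += [_ldap("10.0.1.10", 5, f"CN=printer{i},OU=Devices,DC=corp,DC=example") for i in range(5)]

if __name__ == "__main__":
    print("kerberoast:", kerberoast_candidates(SAMPLE_EVENTS))
    print("asrep:", asrep_candidates(SAMPLE_EVENTS))
    print("ldap enumeration:", ldap_enumeration_sources(SAMPLE_EVENTS))
```

Two design points worth noting. The 4769 rule keys on the requesting account and counts distinct service accounts, because a single RC4 ticket is common in estates with legacy applications while one principal sweeping many SPNs is not. The LDAP check buckets by calendar minute, which is what the "per minute" threshold literally says; a burst straddling a minute boundary splits across two buckets, so a production rule should use a sliding window instead.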
Source articles (4)
- Token theft, vendor abuse, and the new identity threat surface — Duo · 2026-05-27
  This is the first edition of a new monthly identity threat brief for the Cisco Duo blog. Each month, I examine the identity-based attacks shaping the current threat environment, the structural weaknes…
- Identity-based attacks: how they work and how to defend against them — Feeds.Feedburner · 2026-05-29
  Password breaches create immediate risk across all enterprise accounts using the same credentials. Attackers use previously compromised password databases against corporate login portals through crede…
- learn.microsoft.com — learn.microsoft.com · 2026-05-29
  I am trying to figure out how to audit where group changes are initiated in AD. Auditing is enabled and aggregates in a SIEM. When a change occurs I see this chain of event IDs: 4662 - An operation wa…
- attack.mitre.org — attack.mitre.org · 2026-05-29
Timeline
- 2026-04-15 — Breach of France's National Agency for Secure Documents: ANTS disclosed a breach exposing login credentials and personal data of French citizens.
- Recent — APT28 router compromise reported: APT28 compromised over 18,000 routers to intercept OAuth tokens for Microsoft Outlook, impacting many organizations.
- Recent — Phishing through legitimate vendor notifications: Attackers used genuine Apple security notifications to deliver phishing lures that passed email authentication checks.
Related entities
- APT28 (APT Group)
- Fancy Bear (APT Group)
- Forest Blizzard (APT Group)
- Brute Force (Attack Type)
- Credential Stuffing (Attack Type)
- Data Breach (Attack Type)
- Phishing (Attack Type)
- France (Country)
- CWE-200 - Exposure of Sensitive Information (CWE)
- CWE-269 - Improper Privilege Management (CWE)
- CWE-287 - Improper Authentication (CWE)
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm (CWE)
- Government (Industry)
- T1021 - Remote Services (MITRE ATT&CK)
- T1078 - Valid Accounts (MITRE ATT&CK)
- T1566 - Phishing (MITRE ATT&CK)
- Active Directory (Platform)
- Microsoft Outlook On The Web (Platform)
- MikroTik (Platform)
- Windows (Platform)
- Apple (Company)
- TP-Link (Company)