Identity-Based Attacks Dominate Breaches as Attackers Bypass Exploits
The Hacker News reports identity-based attacks, using stolen credentials and MFA bypass, are the dominant initial access vector in modern breaches, rendering sophisticated exploits unnecessary for initial entry.

Executive Summary
Identity-based attacks, not software exploits, are the most reliable and dominant initial access vector for modern cyberattacks. According to an analysis by The Hacker News, attackers are increasingly bypassing complex exploit development by simply using stolen credentials and techniques to circumvent multi-factor authentication (MFA). This shift renders sophisticated zero-day vulnerabilities unnecessary for initial network entry, as threat actors walk through the "front door" using legitimate user identities.
Technical Analysis
The technical barrier to initial access has lowered significantly. Attackers primarily obtain valid credentials through large-scale credential stuffing attacks, leveraging vast databases of username and password pairs from previous breaches. Phishing remains a highly effective method for credential harvesting, often using deceptive login pages that mimic legitimate services.
Once credentials are acquired, attackers employ several methods to defeat MFA, a critical secondary defense layer. These include adversary-in-the-middle (AitM) phishing kits that intercept one-time codes in real time, as well as the exploitation of "MFA fatigue" by bombarding a user with push notifications until one is accidentally approved. In some cases, attackers abuse legacy or weaker authentication protocols, such as SMTP or IMAP, which may not enforce MFA, to gain a foothold even when stronger primary login methods are protected.
This approach is fundamentally different from exploiting software vulnerabilities. It targets the identity layer—a component outside traditional vulnerability management and patch cycles—making detection more challenging as malicious activity originates from authenticated accounts with legitimate permissions.
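Because the activity originates from valid accounts, detection has to look at the shape of the authentication telemetry rather than at exploit signatures. The following is an added example, not code from the article: two heuristics run over a constructed sign-in log, one flagging the MFA-fatigue pattern (a push approval shortly after a burst of denied or timed-out prompts) and one flagging successful logins over legacy protocols that carried no MFA. The log format, field names and thresholds are assumptions made for the example and would need mapping onto a real identity provider's schema.

```python
"""Detection heuristics for identity-layer attacks over sign-in telemetry.

Added example, not from the source article. The log format, field names and
thresholds are constructed for illustration; adapt them to your identity
provider's sign-in log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one completed authentication event per line.
# Fields: timestamp, user, protocol, mfa_result
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice browser push_denied
2024-05-01T08:00:09Z alice browser push_denied
2024-05-01T08:00:20Z alice browser push_timeout
2024-05-01T08:00:31Z alice browser push_denied
2024-05-01T08:00:45Z alice browser push_approved
2024-05-01T08:05:00Z bob imap none
2024-05-01T08:06:00Z bob browser push_approved
2024-05-01T09:00:00Z carol browser push_approved
"""

LEGACY_PROTOCOLS = {"imap", "pop3", "smtp"}   # protocols that typically cannot carry MFA
FATIGUE_WINDOW = timedelta(minutes=5)         # assumed look-back window
FATIGUE_MIN_REJECTIONS = 3                    # assumed burst threshold
REJECTED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, proto, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "protocol": proto.lower(),
            "mfa": mfa,
        })
    return events


def detect_mfa_fatigue(events, window=FATIGUE_WINDOW,
                       min_rejections=FATIGUE_MIN_REJECTIONS):
    """Flag a push approval preceded by >= min_rejections rejected prompts
    within the window for the same user."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["mfa"] != "push_approved":
                continue
            recent = [p for p in evs[:i]
                      if e["ts"] - p["ts"] <= window and p["mfa"] in REJECTED]
            if len(recent) >= min_rejections:
                alerts.append({"user": user, "approved_at": e["ts"],
                               "rejections_before": len(recent)})
    return alerts


def detect_legacy_auth(events):
    """Flag logins over legacy protocols where no MFA was performed."""
    return [
        {"user": e["user"], "protocol": e["protocol"], "at": e["ts"]}
        for e in events
        if e["protocol"] in LEGACY_PROTOCOLS and e["mfa"] == "none"
    ]


def run_detections(text=SAMPLE_LOG):
    """Run both heuristics and return their alerts."""
    events = parse_log(text)
    return {
        "mfa_fatigue": detect_mfa_fatigue(events),
        "legacy_auth": detect_legacy_auth(events),
    }


if __name__ == "__main__":
    for name, alerts in run_detections().items():
        print(name)
        for a in alerts:
            print("  ", a)
```

In the sample, alice's approval at 08:00:45 follows four rejected prompts in under a minute and is flagged, while bob's single approval is not; bob's IMAP login with no MFA is flagged by the second heuristic. The two rules are deliberately separate so that each can be tuned (window, threshold, protocol list) against the false-positive rate observed in a real tenant.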
Tactics, Techniques & Procedures
The primary TTPs for these identity-based attacks align with the MITRE ATT&CK framework but emphasize initial access without exploitation:
- Initial Access (TA0001):
  - T1078 - Valid Accounts: Use of stolen credentials for legitimate user accounts.
  - T1589.001 - Phishing for Information: Credential harvesting via deceptive emails and websites.
- Credential Access (TA0006):
  - T1110 - Brute Force: Credential stuffing attacks using automated tools.
  - T1539 - Steal Web Session Cookie: Session hijacking after successful login.
- Defense Evasion (TA0005):
  - T1556 - Modify Authentication Process: Bypassing MFA through AitM phishing or token theft.
Threat Actor Context
The source material does not attribute these techniques to a specific named threat actor group. Instead, it describes a broad, pervasive trend adopted by a wide spectrum of attackers, from financially motivated cybercriminals to state-sponsored advanced persistent threats (APTs). The low cost and high success rate of identity-based attacks make them universally appealing, effectively commoditizing the initial access phase of an attack chain.
Mitigations & Recommendations
The source analysis suggests a strategic pivot is required, moving focus from purely exploit prevention to identity protection. Key mitigations include:
- Enforcing phishing-resistant MFA, such as FIDO2/WebAuthn security keys, which are resistant to real-time interception and fatigue attacks.
- Implementing continuous access evaluation and conditional access policies that assess user risk based on device health, location, and behavior in real time, not just at initial login.
- Eliminating or strictly monitoring the use of legacy authentication protocols that do not support modern MFA standards.
- Deploying robust credential monitoring to detect and alert on the use of compromised passwords via integration with services like Have I Been Pwned.
- Conducting regular user awareness training focused on identifying sophisticated phishing attempts and the proper handling of MFA requests.
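The credential-monitoring recommendation above can be implemented without ever sending a password, or its full hash, to a third party. The following is an added example, not code from the article or from Have I Been Pwned: it uses the published Pwned Passwords k-anonymity range lookup (SHA-1 the password, send only the first five hex characters of the hash, compare the returned suffixes locally). The network fetcher is injected so the example runs offline against a constructed range response; the breach count in that response and the `live_fetch_range` helper's User-Agent string are assumptions for the example.

```python
"""Compromised-password check using the Pwned Passwords k-anonymity model.

Added example, not code from the source. Protocol as published by Have I
Been Pwned: SHA-1 the password, request the range for the first five hex
characters, and match the remaining 35 characters locally, so the full hash
never leaves the host. The offline response below is constructed.
"""
import hashlib
from urllib.request import Request, urlopen

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the corpus (0 if never).

    fetch_range(prefix) must return the raw response body for that prefix.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def is_password_allowed(password: str, fetch_range, threshold: int = 1) -> bool:
    """Policy hook: reject any password seen at least `threshold` times."""
    return pwned_count(password, fetch_range) < threshold


def live_fetch_range(prefix: str) -> str:
    """Real range lookup (network). User-Agent value is an assumption."""
    req = Request(RANGE_API + prefix, headers={"User-Agent": "password-policy-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline response for the prefix of SHA-1("password"),
# which is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. The counts and the two
# neighbouring suffixes are made up for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for live_fetch_range that serves the constructed data."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, offline_fetch_range)
        print(f"{candidate!r}: seen {n} times, allowed={is_password_allowed(candidate, offline_fetch_range)}")
```

Swapping `offline_fetch_range` for `live_fetch_range` turns this into a working policy check at password-set time or a periodic audit; the k-anonymity design means the service learns only a 5-character hash prefix shared by hundreds of other hashes, not which password was checked.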