Identity threats to tune for
The packet called out a cluster of identity‑focused threats to tune for now: MFA fatigue/push bombing, adversary‑in‑the‑middle session theft, token replay/session hijack, help‑desk or self‑service reset abuse, OAuth consent misuse, and service‑account persistence. It also recommended enriching identity events with user criticality, device trust state, geo/ASN novelty, and recent MFA/password changes to improve triage. (x.com) (x.com)
Identity attacks now often skip malware and go straight for logins, sessions, and support workflows that already have the keys. (cisa.gov) (learn.microsoft.com) Multifactor authentication, or MFA, still blocks most password attacks, but the weak spots are the steps around it: approval prompts, browser sessions, password resets, and app permissions. CISA says MFA makes accounts far harder to hack, while Microsoft’s incident-response guidance now centers on token theft, consent phishing, and identity-plane abuse. (cisa.gov) (microsoft.com)
One common tactic is MFA fatigue, also called push bombing, where an attacker floods a target with approval requests until one is accepted. CISA urged organizations on October 31, 2022 to use phishing-resistant MFA where possible and number matching as an interim defense for mobile push prompts. (cisa.gov) (techcommunity.microsoft.com)
Another tactic is adversary-in-the-middle phishing, which works like a fake receptionist standing between a user and the real login page. Microsoft says these kits can capture session cookies after a real MFA challenge, letting an attacker reuse the session without needing the password again. (techcommunity.microsoft.com) (learn.microsoft.com) That is why token replay and session hijacking keep showing up in identity investigations. Microsoft’s token-protection guidance says device-bound tokens are meant to reduce replay by making a stolen sign-in token unusable off the original device. (learn.microsoft.com 1) (learn.microsoft.com 2)
Support desks and self-service reset tools are also part of the attack surface. Microsoft said in December 2023 that its responders had seen threat actors socially engineer service-desk staff into changing self-service password reset and MFA details for users. (microsoft.com) (cisa.gov)
OAuth consent misuse is quieter but powerful: a user clicks “accept,” and a malicious cloud app gets delegated access to mail, files, or contacts. Microsoft’s Entra guidance says consent phishing targets users who can grant an app access directly, often through a legitimate Microsoft-hosted consent screen. (learn.microsoft.com 1) (learn.microsoft.com 2)
Service accounts create a different persistence problem because they are non-human identities used by apps, scripts, and automation. Microsoft says these accounts often carry broad permissions across Azure, Microsoft 365, software-as-a-service applications, and databases, which makes lifecycle control and least privilege central to defense. (learn.microsoft.com 1) (learn.microsoft.com 2)
Detection gets sharper when identity alerts carry business and device context, not just a username and an internet address. Microsoft’s service-account and token-theft guidance points analysts toward details like account role, device state, unusual network origin, and recent changes to passwords, MFA methods, or app consent when deciding whether a sign-in is routine or hostile. (learn.microsoft.com) (learn.microsoft.com)
Recent government and vendor guidance points in the same direction: harden the login, harden the session, and harden the recovery path. The attack is still about identity, but the decisive clues now sit in the prompt, the token, the consent screen, and the help-desk ticket. (cisa.gov) (learn.microsoft.com)
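As an added example (not code from the packet, CISA, or Microsoft), the following Python sketch applies the enrichment list from the opening paragraph and the detection context described above to constructed sign-in events: each successful sign-in is tagged with user criticality, device trust state, ASN novelty and whether the password or MFA method changed in the previous 24 hours; a burst of MFA prompts to one user is flagged as candidate push bombing; and a session id presented from more than one origin is flagged as candidate token replay. The event schema, field names, reference tables, weights and thresholds are all assumptions, and the sample events are constructed.

```python
"""Identity-event enrichment and triage rules.

Added example, not code from the cited CISA or Microsoft guidance. The event
schema, field names, reference tables and thresholds are assumptions, and the
sign-in events below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference data (normally pulled from HR, CMDB and the IdP).
USER_CRITICALITY = {"cfo": "high", "jdoe": "low"}
KNOWN_ASNS = {"cfo": {"AS64496"}, "jdoe": {"AS64496"}}
LAST_CREDENTIAL_CHANGE = {"cfo": datetime(2024, 5, 1, 9, 0)}  # MFA method or password

# Constructed sign-in events: timestamp, user, outcome, device trust, ASN, session id.
EVENTS = [
    {"ts": datetime(2024, 5, 1, 10, 0, 0), "user": "jdoe", "outcome": "success",
     "device_trust": "managed", "asn": "AS64496", "session": "s-1"},
    # five push prompts to cfo in under three minutes, then an approval from a new ASN
    *[{"ts": datetime(2024, 5, 1, 10, 30, 0) + timedelta(seconds=40 * i), "user": "cfo",
       "outcome": "mfa_prompt", "device_trust": "unmanaged", "asn": "AS64500", "session": None}
      for i in range(5)],
    {"ts": datetime(2024, 5, 1, 10, 34, 0), "user": "cfo", "outcome": "success",
     "device_trust": "unmanaged", "asn": "AS64500", "session": "s-2"},
    # session s-1 later presented from a different ASN and an unmanaged device
    {"ts": datetime(2024, 5, 1, 11, 0, 0), "user": "jdoe", "outcome": "success",
     "device_trust": "unmanaged", "asn": "AS64501", "session": "s-1"},
]


def enrich(event):
    """Attach the context the packet recommends: criticality, device trust (already
    on the event), ASN novelty, and whether credentials changed shortly before."""
    user = event["user"]
    last_change = LAST_CREDENTIAL_CHANGE.get(user)
    return {
        **event,
        "criticality": USER_CRITICALITY.get(user, "low"),
        "asn_novel": event["asn"] not in KNOWN_ASNS.get(user, set()),
        "recent_cred_change": last_change is not None
        and timedelta(0) <= event["ts"] - last_change <= timedelta(hours=24),
    }


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Users that received at least `threshold` MFA prompts inside one `window`.
    Returns {user: largest prompt count seen in any window}."""
    prompts = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["outcome"] == "mfa_prompt":
            prompts[e["user"]].append(e["ts"])
    hits = {}
    for user, times in prompts.items():  # sliding window over sorted timestamps
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits


def detect_session_reuse(events):
    """Session ids presented from more than one (ASN, device trust) pair: a
    candidate for token replay, since a device-bound token should not roam."""
    seen = defaultdict(set)
    for e in events:
        if e["session"]:
            seen[e["session"]].add((e["asn"], e["device_trust"]))
    return {sid: origins for sid, origins in seen.items() if len(origins) > 1}


def risk_score(enriched):
    """Assumed weights: each signal adds points, high-criticality users double them."""
    score = 0
    if enriched["asn_novel"]:
        score += 2
    if enriched["device_trust"] != "managed":
        score += 2
    if enriched["recent_cred_change"]:
        score += 3
    if enriched["criticality"] == "high":
        score *= 2
    return score


def triage(events=EVENTS):
    """Score successful sign-ins with their context and any rule hits, highest first."""
    bombing = detect_push_bombing(events)
    reuse = detect_session_reuse(events)
    findings = []
    for e in events:
        if e["outcome"] != "success":
            continue
        en = enrich(e)
        reasons = []
        if en["user"] in bombing:
            reasons.append(f"push bombing: {bombing[en['user']]} prompts")
        if en["session"] in reuse:
            reasons.append("session presented from multiple origins")
        score = risk_score(en) + 5 * len(reasons)
        if score:
            findings.append({"user": en["user"], "ts": en["ts"], "score": score,
                             "reasons": reasons,
                             "context": {k: en[k] for k in ("criticality", "device_trust",
                                                            "asn_novel", "recent_cred_change")}})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage():
        print(f["score"], f["user"], f["ts"].isoformat(), f["reasons"], f["context"])
```

The design choice worth noting is that the rules and the context are kept separate: `detect_push_bombing` and `detect_session_reuse` produce raw hits, while `enrich` supplies the criticality, device state, network novelty and recent-change flags that decide how urgently a hit is handled. In the constructed data the approved sign-in for the high-criticality `cfo` account lands at the top because it combines a prompt burst, an unfamiliar ASN, an unmanaged device and a credential change within the last day, whereas the roaming `s-1` session for a low-criticality user is flagged but ranks lower.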