惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

大猫的无限游戏
大猫的无限游戏
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threat Research - Cisco Blogs
A
Arctic Wolf
S
Securelist
O
OpenAI News
T
Threatpost
Forbes - Security
Forbes - Security
N
News and Events Feed by Topic
S
Secure Thoughts
H
Heimdal Security Blog
S
Security Affairs
P
Privacy International News Feed
C
Cisco Blogs
C
CERT Recently Published Vulnerability Notes
Cyberwarzone
Cyberwarzone
N
News and Events Feed by Topic
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Palo Alto Networks Blog
S
Security @ Cisco Blogs
Hacker News - Newest:
Hacker News - Newest: "LLM"
博客园 - 三生石上(FineUI控件)
月光博客
月光博客
T
Tailwind CSS Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Hacker News: Ask HN
Hacker News: Ask HN
T
Troy Hunt's Blog
S
SegmentFault 最新的问题
腾讯CDC
V
Visual Studio Blog
Last Week in AI
Last Week in AI
H
Hacker News: Front Page
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Project Zero
Project Zero
WordPress大学
WordPress大学
NISL@THU
NISL@THU
博客园 - 【当耐特】
博客园 - Franky
Webroot Blog
Webroot Blog
博客园_首页
T
Tenable Blog
雷峰网
雷峰网
Google Online Security Blog
Google Online Security Blog
阮一峰的网络日志
阮一峰的网络日志
V2EX - 技术
V2EX - 技术
Recent Commits to openclaw:main
Recent Commits to openclaw:main
L
Lohrmann on Cybersecurity
The Hacker News
The Hacker News

Arctic Wolf

Home-Field Disadvantage: AiTM, QR-Code Phishing, and Infostealers at the 2026 FIFA World Cup arcticwolf.com arcticwolf.com Celebrating Arctic Wolf’s 2026 Partner of the Year Winners at Global Partner Kickoff Celebrating Arctic Wolf’s 2026 Partner of the Year Winners at Global Partner Kickoff Die Auswahl Einer Vulnerability Management-Lösung The Hidden Economics of the Agentic SOC The Hidden Economics of the Agentic SOC | Arctic Wolf Security Operations in Maschinen-Geschwindigkeit Aurora Mobile Threat Defense — Addressing Your Highest‑Trusted, Least Protected Endpoints - Arctic Wolf Aurora Mobile Threat Defense — Addressing Your Highest‑Trusted, Least Protected Endpoints - Arctic Wolf How Aurora Managed Endpoint Defense Combines Experts and Technology to Simplify Security Aurora Endpoint Sicherheitsportfolioa | Arctic Wolf From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services arcticwolf.com arcticwolf.com Arctic Wolf Product Updates: May 2026 arcticwolf.com Arctic Wolf Product Updates: May 2026 FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch What’s New What’s Next with Arctic Wolf: May 2026 Update Cybersecurity Trends in the Age of AI arcticwolf.com Arctic Wolf、AI搭載のモバイル脅威防御ソリューションを発表、 増加するモバイル端末を標的としたサイバー攻撃から組織を保護 How Arctic Wolf Aurora Mobile Threat Defense Protects the Mobile Attack Surface How AI Is Transforming Detection Engineering 「Aurora Mobile Threat Defense」の提供が開始されました Accelerating Cloud Security Outcomes Together: Why Arctic Wolf and Wiz are Redefining What’s Possible - Arctic Wolf InfoSecurity Europe 2026 OpenAI Daybreak and the Future of Secure Software Development - Arctic Wolf OpenAI Daybreak and the Future of Secure Software Development Turning Security Telemetry Into Actionable Insights | Arctic Wolf Detecting Identity Attacks at Scale with Herd Immunity | Arctic Wolf arcticwolf.com arcticwolf.com PowerShell Security | Arctic Wolf How to Gain Visibility and Reduce Exposure with Aurora Attack Surface Management arcticwolf.com Mini Shai-Hulud: Supply Chain Malware Attack arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com Arctic Wolf Introduces the Next Era of Exposure Management to Help Organizations Outpace AI-Accelerated Vulnerability Discovery Arctic Wolf Launches AI-Powered Mobile Threat Defense to Protect Organizations Against Growing Mobile-based Cyber Threats Aurora Mobile Threat Defense is Now Available Turning Visibility Into Action: Introducing Aurora Exposure Management Protecting Against IOT Security Risks | Arctic Wolf CVE-2026-0300 — Critical Buffer Overflow in PAN-OS User-ID Authentication Portal IoT Security Risks | Arctic Wolf arcticwolf.com Should Your Organization Rely on XDR? | Arctic Wolf 止まらないランサムウェア被害 - Qilinの事案から読み解く、検知、対応と経営判断 arcticwolf.com Why Cybersecurity Still Matters Even If AI Improves Secure Development | Arctic Wolf Aurora® Attack Surface Management For Healthcare arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com CVE-2026-41940: Critical Exploited Authentication Bypass Vulnerability in cPanel & WHM Why Vulnerability Prioritization Requires More Than a Score | Arctic Wolf Token Bingo: Don’t Let Your Code be the Winner EFM Philadelphia IT Symposium MN Bankers Operations and Technology Conference SecureMiami 2025 Cyber Identity Summit – Ottawa MISA Exec Summit – Victoria Arkansas IT Symposium – efmEvents Cybersecurity Summit – Boston Houston Technology Summit – elevateIT Nevada Public Sector Cybersecurity Summit SecureWorld Philadelphia Nick Schneider of Arctic Wolf named Entrepreneur Of The Year® 2026 Heartland finalist by EY US arcticwolf.com arcticwolf.com Introducing Decipio: A Community Tool to Catch Credential Theft in the Act with Defense First AI Arctic Wolf Introduces Decipio, a Community Tool to Catch Credential Theft with Defense‑First AI Proxy Server Endpoint Endpoint Detection and Response AIマルウェアの急増:その挙動、攻撃主体の特定、防御体制の備え arcticwolf.com arcticwolf.com Project Glasswing Marks a Turning Point for Cybersecurity Frontier AI Models Mark a Turning Point for Cybersecurity arcticwolf.com arcticwolf.com Building Cyber Resilience with Arctic Wolf: A Practical Approach for Security Leaders Arctic Wolf、東映デジタルラボ株式会社を Aurora Managed Endpoint Defenseで保護 Arctic Wolf Named a 2026 Gartner® Peer Insights™ Customers’ Choice for Managed Detection and Response arcticwolf.com
Detecting Identity Attacks at Scale with Herd Immunity
Trevor Daher · 2026-05-15 · via Arctic Wolf

Modern identity‑based attacks often rely on shared infrastructure and reusable attack frameworks, rather than bespoke tooling built for a single target. Phishing kits and phishing‑as‑a‑service (PhaaS) platforms are the clearest example of this model — and today they are the most prevalent sources of account compromise across organisations of all sizes. Device code phishing illustrates how quickly this model evolves: First identified in the wild in August 2024, it moved from nation-state tradecraft to mainstream criminal adoption in a matter of months, and was recently accelerated by purpose-built PhaaS platforms like EvilTokens and Kali365 that made the technique accessible at scale.

For defenders tasked with safeguarding identities, the first line of defense is therefore clear: detect anomalous sign‑in activity. This generally means establishing a baseline of normal behavior for each user — typical geographic locations, ASNs, user agents, devices, client applications, target resources — and flagging sign ins that meaningfully deviate from that baseline.

This approach sits at the core of most identity threat detection and response (ITDR) solutions, and it has dramatically improved our ability to surface potential account compromises at the point of initial access. Yet defenders responsible for investigating, responding to, or authoring anomalous sign ‑in detections often reach the same conclusion: sign-in anomalies alone are frequently insufficient, especially in environments with large identity populations.

To illustrate why, consider the difference in operating context. In a small organisation with a dozen employees, a rare anomalous sign in — perhaps caused by personal vacations or business travel — is easy to validate. The defender likely knows the user personally and can quickly confirm whether the activity was legitimate.

Now contrast that with a small security team responsible for thousands of users. In that environment, anomalous sign‑in alerts may arrive multiple times per day, and the overwhelming majority turn out to be benign. The result is alert fatigue, slower response, and a difficult question that quickly becomes central to identity defense:

How do we reliably distinguish benign anomalies from malicious ones?

The Limits of Single‑Tenant Correlation

Many modern extended detection and response (XDR) solutions aim to answer this question by correlating anomalous sign‑in alerts from identity solutions with telemetry from email and endpoint security solutions. If the same user recently interacted with a phishing email, clicked a suspicious link, or connected to known malicious infrastructure, those additional signals should substantially increase confidence that an anomalous sign‑in event is part of a real compromise.

This correlation approach is genuinely powerful. Arctic Wolf actively develops these same cross‑attack surface correlation capabilities because they help defenders make better decisions, faster.

But even this strategy has limits.

What happens when an email security solution doesn’t flag any phishing, and an endpoint security product doesn’t detect any suspicious DNS queries or network connections to phishing infrastructure? In those cases — common in modern identity attacks — the defender is often left exactly where they started: with an anomalous sign‑in alert that might be malicious but could just as easily be another benign anomaly, lacking sufficient corroborating evidence within the organisation’s own environment to support a confident judgement.

A Data Advantage at Scale

This is where the scale and scope of Arctic Wolf® Managed Detection and Response (MDR)  provides a meaningful, data‑driven advantage that most defenders simply do not have access to.

Because we monitor identity activity across a vast number of customer tenants, we observe an enormous volume of anomalous sign‑in events. More importantly, those signals are paired with teams and systems that investigate and resolve these cases every day. We don’t just generate alerts and pass them on to our customers to sort out.

Every day, our teams and systems investigate these anomalies and confirm a large number of true-positive account compromises. The result is an ever-growing, high-fidelity dataset of confirmed malicious identity activity that can be used to refine detections and enrich future investigations.

From this foundation of data emerges a concept that we call “herd immunity.”

Herd Immunity: Confidence Through Correlation at Scale

Herd immunity leverages signals observed across many customer environments to identify malicious infrastructure and attacker behaviors earlier, with higher confidence, and at greater scale than is possible within any single, isolated tenant.

To revisit our earlier scenario: you’re faced with an anomalous sign‑in alert. XDR correlation hasn’t produced any supporting email or endpoint evidence. What next?

Here’s a concrete example of how herd immunity changes that picture. An analyst opens an anomalous sign‑in alert flagged for device code flow authentication — a technique in which the attacker initiates a legitimate Microsoft authentication request and tricks the victim into completing it, delivering a valid OAuth token directly to the attacker without the victim ever exposing their password or having their connection proxied through attacker infrastructure. Within the alert itself, before any investigation has been completed, the alert is already enriched with two additional, high‑impact forms of context.

First, the sign‑in characteristics — IP address, ASN, user agent, client application, and target resource, etc. — are compared against patterns observed in previously confirmed compromises. The degree to which these characteristics are prevalent in our true-positive dataset directly informs our confidence: High prevalence among confirmed malicious activity is a strong signal that this sign‑in is also malicious; low prevalence or absence shifts the calculus in the other direction. Either way, the enrichment moves the investigation forward.

Second, the solution checks whether the same IP has been observed exhibiting the same behavior — namely, device code flow authentication — across other, unrelated customer tenants in the past seven days. This enrichment doesn’t require the presence of a historical, confirmed, true-positive case in our dataset. The cross‑tenant authentication pattern itself is the enrichment layered onto the alert: the same IP, the same authentication method, across multiple unrelated organisations. That convergence is meaningful, regardless of whether any individual case has yet been confirmed as malicious.

Together, these two enrichments can transform an alert. What might otherwise look like an ambiguous anomaly in a single environment can become a high‑confidence indicator of malicious activity when enriched with context drawn from activity across thousands of customer environments, and the evidence collected from thousands of investigations.

What appears ambiguous in isolation can become unmistakable when viewed across the herd. Attackers benefit when their behavior patterns and infrastructure are a first-seen for every victim. The scale of Arctic Wolf MDR is how we take that advantage away.

Herd Immunity in Action

In April 2026, Arctic Wolf identified a large-scale device code phishing campaign impacting organisations across multiple regions and sectors. By the time we published our report on the campaign, we had observed a single IP address authenticate via device code flow against nearly 150 unique identities across more than 110 distinct customer tenants within a single week. Our investigators confirmed that the infrastructure was hosting a newly observed phishing‑as‑a‑service platform known as Kali365 — a multi-tenant PhaaS ecosystem supporting both device code abuse and adversary-in-the-middle session capture.

For a full technical breakdown of the campaign, the Kali365 platform, and a full list of recommended mitigations, see our Token Bingo report.

Conclusion

When dealing with modern identity-based attacks, detecting anomalous sign‑in activity is of paramount importance. Traditional defense solutions may bombard security teams with an overwhelming number of alerts — particularly in environments with large identity populations — leading to alert fatigue, suboptimal response times, and increased risk to the organisation. Herd immunity cuts through the noise at machine speed with enriched intelligence surrounding anomalies, shifting response from reactive to strategic, and providing defenders with scalable, high-fidelity alerts to deliver better security outcomes.

Learn more about Arctic Wolf MDR, or schedule a demo to see it in action.

Additional Arctic Wolf Resources