惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hugging Face - Blog
Hugging Face - Blog
C
Cybersecurity and Infrastructure Security Agency CISA
G
Google Developers Blog
The Cloudflare Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
The GitHub Blog
The GitHub Blog
TaoSecurity Blog
TaoSecurity Blog
V
Visual Studio Blog
D
DataBreaches.Net
人人都是产品经理
人人都是产品经理
博客园 - Franky
S
Security @ Cisco Blogs
Hacker News - Newest:
Hacker News - Newest: "LLM"
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
Cyber Attacks, Cyber Crime and Cyber Security
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
H
Hackread – Cybersecurity News, Data Breaches, AI and More
腾讯CDC
T
Troy Hunt's Blog
B
Blog RSS Feed
A
About on SuperTechFans
IT之家
IT之家
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
J
Java Code Geeks
S
Securelist
T
Threatpost
SecWiki News
SecWiki News
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Y
Y Combinator Blog
Blog — PlanetScale
Blog — PlanetScale
aimingoo的专栏
aimingoo的专栏
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Forbes - Security
Forbes - Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
D
Docker
N
News and Events Feed by Topic
Schneier on Security
Schneier on Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
月光博客
月光博客
C
CXSECURITY Database RSS Feed - CXSecurity.com
罗磊的独立博客
H
Hacker News: Front Page
N
News and Events Feed by Topic
N
Netflix TechBlog - Medium
AWS News Blog
AWS News Blog
P
Privacy International News Feed
Scott Helme
Scott Helme
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
V
Vulnerabilities – Threatpost
The Register - Security
The Register - Security

The Duo Blog

Identity orchestration & cloud-native IAM: Time to rethink | Cisco Duo Active Directory security: how to stop modern threats | Cisco Duo Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer Cisco Secures 125K user identities with Duo while advancing passwordless journey NIST AAL2/3 compliance with Duo Mobile Proximity Verification From protocol to practice: Secure the AI agent ecosystem with Duo How to secure the holidays & prep your 2026 IAM strategy Simplify MSP technician authentication with Duo Delegated Access Standing out in a crowded MSP market Securing for third-party risk with Duo for identity management Thwarting adversary-in-the-middle attacks with Proximity Verification OAuth 2.0's next chapter: Enabling the AI security revolution The dawn of a simpler, helpful policy experience
Token theft, vendor abuse, and the new identity threat surface
Tessa Collinge · 2026-05-27 · via The Duo Blog

Industry News

Identity-based attacks: How attackers bypassed MFA four times in one month

Headshot of Tessa Collinge

7 minute read

This is the first edition of a new monthly identity threat brief for the Cisco Duo blog. Each month, I examine the identity-based attacks shaping the current threat environment, the structural weaknesses they exploit, and the defenses that hold up against them.

Identity-based attacks target authentication systems, credentials, and identity infrastructure rather than application code or encryption. In recent weeks, four incidents made the pattern clear: attackers stole authentication tokens from compromised routers, breached a national identity agency, abused a trusted vendor's notification system to deliver phishing, and compromised messaging-app accounts to read encrypted communications.

None of these attacks broke cryptography. None defeated multi-factor authentication (MFA) head-on. Each one went around the authentication layer instead of through it. These incidents are a clear opening case for this series: identity is now the primary attack surface, and the authentication layer is where attackers concentrate effort.

What changed recently

Across the four incidents, the pattern is consistent. Attackers did not try to defeat the strong cryptographic controls protecting modern systems. They targeted the trust relationships, session artifacts, and infrastructure that surround authentication.

Stolen tokens granted access without credentials. A breached government identity system exposed citizen data at scale. Legitimate vendor infrastructure delivered phishing that passed every standard email authentication check. Compromised endpoints gave attackers plaintext access to encrypted conversations.

The strategic implication for identity teams is direct: controls designed to verify credentials cannot stop attackers who already hold authenticated sessions or who never needed credentials in the first place. The identity attack surface now extends well beyond the login prompt.

The four incidents at a glance

The pattern: attackers go around authentication, not through it

Each incident exploits a different surface, but the underlying logic is the same.

The router campaign stole tokens after MFA succeeded

APT28 did not phish credentials or defeat MFA. The group exploited known vulnerabilities in end-of-life Mikrotik and TP-Link SOHO routers, modified DNS settings to point to attacker-controlled servers, and intercepted OAuth tokens after users had already authenticated successfully.

Because OAuth tokens are issued after MFA verification, the stolen tokens granted fully authenticated sessions. No further credentials or one-time codes were required. Krebs on Security reported the campaign and noted the technique is highly effective at evading malware-focused detection.

This is an MFA bypass in the most practical sense: MFA worked exactly as designed, and the attacker waited for the token it produced.

The ANTS breach exposed identity data at the source

The compromised ANTS data included login credentials and the personal information used to verify identity in administrative procedures. The Record reported the breach as the latest in a series targeting French government identity infrastructure, including a February 2026 breach of France's National Bank Accounts File that exposed information on roughly 1.2 million accounts.

Stolen identity data of this kind feeds downstream attacks: account takeover, fraudulent document applications, and credential reuse against unrelated services.

The Apple notification abuse weaponized legitimate trust

BleepingComputer reported that attackers embedded fraudulent transaction notices and callback phone numbers inside genuine Apple account-change emails. Because the messages originated from Apple's verified sending infrastructure, they passed every email authentication check designed to detect spoofing.

The attack does not exploit a technical vulnerability. It exploits the gap between sender verification and content trust.

The messaging-app compromises bypassed encryption at the endpoint

The CISA and FBI joint advisory stated explicitly: attackers did not break the encryption of the messaging platforms. They compromised individual user accounts through credential phishing, session token theft, SIM swapping, and exploitation of weak authentication.

Once inside an account, attackers had plaintext access to historical messages, real-time conversations, and contact lists they could use to expand the attack.

Why authentication-layer attacks evade traditional controls

MFA, SPF, DKIM, DMARC, and end-to-end encryption are strong controls. They are also narrow controls. Each verifies one specific thing: that a user holds a second factor, that an email originated from an authorized sender, or that a message was encrypted in transit.

None of them verify that the session in use is legitimate, or detect when a trusted platform delivers malicious content. None of them protect a credential database or a token store. The four recent incidents land at exactly these gaps.

What stops authentication-layer attacks

The structural defense against this pattern is to make stolen credentials and stolen tokens harder to use, and to detect identity misuse when it occurs.

Phishing-resistant MFA

Phishing-resistant MFA uses cryptographic protocols such as FIDO2 (Fast Identity Online 2) and WebAuthn that bind authentication to the specific origin a user is signing into. Unlike one-time codes, push notifications, or SMS, phishing-resistant MFA cannot be replayed, intercepted on a fake site, or approved by a confused user.

It addresses the structural weakness behind credential phishing and many forms of session hijacking. For identity teams reviewing their authentication stack, phishing-resistant MFA is the highest-leverage control available today.

Token binding and conditional access

Token binding ties an authentication token to the device that obtained it. A stolen token cannot be replayed from an attacker's infrastructure. Conditional access policies add risk-based checks at session reuse, not just at sign-in. Together, they reduce the value of a stolen OAuth token of the kind APT28 harvested.

Identity threat detection and credential compromise detection

Detection of identity-based attacks depends on observing what authenticated identities do, not just whether they authenticated. Behavioral monitoring, anomalous-session detection, and analysis of token activity surface compromise even when credentials and MFA were not defeated.

Cisco Duo's identity threat detection and response capabilities operate at this layer. They pair with identity security posture management to surface the configuration weaknesses attackers target.

Identity security as a programmatic discipline

None of these controls work in isolation. They sit inside an identity security program that connects authentication, posture management, detection, and response.

What this means for identity leaders

For a Director of Identity reading this brief, the recent incidents translate into four practical actions.

  • Treat the authentication layer as an attack surface, not a control surface. Authentication is no longer just something the identity team configures. It is something attackers actively target. Inventory where authentication tokens live, how long they last, and who can use them.

  • Move toward phishing-resistant authentication. Deprecate SMS and push-only MFA on a defined timeline. Each of the recent incidents demonstrates the limits of authentication factors that can be intercepted, replayed, or socially engineered.

  • Invest in identity-specific detection. Endpoint detection and network detection do not see identity misuse. Detection of session anomalies, token replay, and unusual authentication patterns requires identity-layer telemetry.

  • Treat identity infrastructure breaches as catalysts for downstream attacks. A breach like the ANTS disclosure does not end with the disclosed agency. The exposed data feeds account takeover, credential stuffing, and impersonation across unrelated services.

What to expect from this series

This is the first in a series of recurring monthly briefs. Each edition examines the identity-based attacks shaping the threat environment that month, the structural weaknesses they exploit, and the defenses that hold up against them. Attackers are adapting quickly. I will track how that adaptation unfolds and what identity teams need to know.

Visit the Duo blog to follow the identity threat intelligence series and get each monthly edition as it publishes.