惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
B
Blog RSS Feed
Apple Machine Learning Research
Apple Machine Learning Research
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V2EX - 技术
V2EX - 技术
Security Archives - TechRepublic
Security Archives - TechRepublic
Cisco Talos Blog
Cisco Talos Blog
T
Tor Project blog
博客园 - 司徒正美
T
The Blog of Author Tim Ferriss
J
Java Code Geeks
宝玉的分享
宝玉的分享
小众软件
小众软件
博客园_首页
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Project Zero
Project Zero
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Spread Privacy
Spread Privacy
I
InfoQ
博客园 - 叶小钗
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
M
MIT News - Artificial intelligence
爱范儿
爱范儿
The Cloudflare Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Tenable Blog
S
Securelist
N
News and Events Feed by Topic
Simon Willison's Weblog
Simon Willison's Weblog
Webroot Blog
Webroot Blog
The Hacker News
The Hacker News
O
OpenAI News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Palo Alto Networks Blog
C
CERT Recently Published Vulnerability Notes
PCI Perspectives
PCI Perspectives
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Threat Research - Cisco Blogs
L
LINUX DO - 热门话题
I
Intezer
Scott Helme
Scott Helme
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cybersecurity and Infrastructure Security Agency CISA
Google Online Security Blog
Google Online Security Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Security Affairs
AI
AI
AWS News Blog
AWS News Blog
Security Latest
Security Latest

The Duo Blog

Identity orchestration & cloud-native IAM: Time to rethink | Cisco Duo Active Directory security: how to stop modern threats | Cisco Duo Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer
Token theft, vendor abuse, and the new identity threat surface
Tessa Collinge · 2026-05-27 · via The Duo Blog

Industry News

Identity-based attacks: How attackers bypassed MFA four times in one month

Headshot of Tessa Collinge

7 minute read

This is the first edition of a new monthly identity threat brief for the Cisco Duo blog. Each month, I examine the identity-based attacks shaping the current threat environment, the structural weaknesses they exploit, and the defenses that hold up against them.

Identity-based attacks target authentication systems, credentials, and identity infrastructure rather than application code or encryption. In recent weeks, four incidents made the pattern clear: attackers stole authentication tokens from compromised routers, breached a national identity agency, abused a trusted vendor's notification system to deliver phishing, and compromised messaging-app accounts to read encrypted communications.

None of these attacks broke cryptography. None defeated multi-factor authentication (MFA) head-on. Each one went around the authentication layer instead of through it. These incidents are a clear opening case for this series: identity is now the primary attack surface, and the authentication layer is where attackers concentrate effort.

What changed recently

Across the four incidents, the pattern is consistent. Attackers did not try to defeat the strong cryptographic controls protecting modern systems. They targeted the trust relationships, session artifacts, and infrastructure that surround authentication.

Stolen tokens granted access without credentials. A breached government identity system exposed citizen data at scale. Legitimate vendor infrastructure delivered phishing that passed every standard email authentication check. Compromised endpoints gave attackers plaintext access to encrypted conversations.

The strategic implication for identity teams is direct: controls designed to verify credentials cannot stop attackers who already hold authenticated sessions or who never needed credentials in the first place. The identity attack surface now extends well beyond the login prompt.

The four incidents at a glance

The pattern: attackers go around authentication, not through it

Each incident exploits a different surface, but the underlying logic is the same.

The router campaign stole tokens after MFA succeeded

APT28 did not phish credentials or defeat MFA. The group exploited known vulnerabilities in end-of-life Mikrotik and TP-Link SOHO routers, modified DNS settings to point to attacker-controlled servers, and intercepted OAuth tokens after users had already authenticated successfully.

Because OAuth tokens are issued after MFA verification, the stolen tokens granted fully authenticated sessions. No further credentials or one-time codes were required. Krebs on Security reported the campaign and noted the technique is highly effective at evading malware-focused detection.

This is an MFA bypass in the most practical sense: MFA worked exactly as designed, and the attacker waited for the token it produced.

The ANTS breach exposed identity data at the source

The compromised ANTS data included login credentials and the personal information used to verify identity in administrative procedures. The Record reported the breach as the latest in a series targeting French government identity infrastructure, including a February 2026 breach of France's National Bank Accounts File that exposed information on roughly 1.2 million accounts.

Stolen identity data of this kind feeds downstream attacks: account takeover, fraudulent document applications, and credential reuse against unrelated services.

The Apple notification abuse weaponized legitimate trust

BleepingComputer reported that attackers embedded fraudulent transaction notices and callback phone numbers inside genuine Apple account-change emails. Because the messages originated from Apple's verified sending infrastructure, they passed every email authentication check designed to detect spoofing.

The attack does not exploit a technical vulnerability. It exploits the gap between sender verification and content trust.

The messaging-app compromises bypassed encryption at the endpoint

The CISA and FBI joint advisory stated explicitly: attackers did not break the encryption of the messaging platforms. They compromised individual user accounts through credential phishing, session token theft, SIM swapping, and exploitation of weak authentication.

Once inside an account, attackers had plaintext access to historical messages, real-time conversations, and contact lists they could use to expand the attack.

Why authentication-layer attacks evade traditional controls

MFA, SPF, DKIM, DMARC, and end-to-end encryption are strong controls. They are also narrow controls. Each verifies one specific thing: that a user holds a second factor, that an email originated from an authorized sender, or that a message was encrypted in transit.

None of them verify that the session in use is legitimate, or detect when a trusted platform delivers malicious content. None of them protect a credential database or a token store. The four recent incidents land at exactly these gaps.

What stops authentication-layer attacks

The structural defense against this pattern is to make stolen credentials and stolen tokens harder to use, and to detect identity misuse when it occurs.

Phishing-resistant MFA

Phishing-resistant MFA uses cryptographic protocols such as FIDO2 (Fast Identity Online 2) and WebAuthn that bind authentication to the specific origin a user is signing into. Unlike one-time codes, push notifications, or SMS, phishing-resistant MFA cannot be replayed, intercepted on a fake site, or approved by a confused user.

It addresses the structural weakness behind credential phishing and many forms of session hijacking. For identity teams reviewing their authentication stack, phishing-resistant MFA is the highest-leverage control available today.

Token binding and conditional access

Token binding ties an authentication token to the device that obtained it. A stolen token cannot be replayed from an attacker's infrastructure. Conditional access policies add risk-based checks at session reuse, not just at sign-in. Together, they reduce the value of a stolen OAuth token of the kind APT28 harvested.

Identity threat detection and credential compromise detection

Detection of identity-based attacks depends on observing what authenticated identities do, not just whether they authenticated. Behavioral monitoring, anomalous-session detection, and analysis of token activity surface compromise even when credentials and MFA were not defeated.

Cisco Duo's identity threat detection and response capabilities operate at this layer. They pair with identity security posture management to surface the configuration weaknesses attackers target.

Identity security as a programmatic discipline

None of these controls work in isolation. They sit inside an identity security program that connects authentication, posture management, detection, and response.

What this means for identity leaders

For a Director of Identity reading this brief, the recent incidents translate into four practical actions.

  • Treat the authentication layer as an attack surface, not a control surface. Authentication is no longer just something the identity team configures. It is something attackers actively target. Inventory where authentication tokens live, how long they last, and who can use them.

  • Move toward phishing-resistant authentication. Deprecate SMS and push-only MFA on a defined timeline. Each of the recent incidents demonstrates the limits of authentication factors that can be intercepted, replayed, or socially engineered.

  • Invest in identity-specific detection. Endpoint detection and network detection do not see identity misuse. Detection of session anomalies, token replay, and unusual authentication patterns requires identity-layer telemetry.

  • Treat identity infrastructure breaches as catalysts for downstream attacks. A breach like the ANTS disclosure does not end with the disclosed agency. The exposed data feeds account takeover, credential stuffing, and impersonation across unrelated services.

What to expect from this series

This is the first in a series of recurring monthly briefs. Each edition examines the identity-based attacks shaping the threat environment that month, the structural weaknesses they exploit, and the defenses that hold up against them. Attackers are adapting quickly. I will track how that adaptation unfolds and what identity teams need to know.

Visit the Duo blog to follow the identity threat intelligence series and get each monthly edition as it publishes.