Offensive Security · KeenSafe · May 25, 2026

Modern Identity Attack Chains


KeenSafe Research | Threat Research | Identity Operations Series


Overview

Across the validated attack chains KeenSafe Research has analyzed through the current reporting window, identity-driven entry vectors initiate 78 percent of all chains reaching enterprise crown jewels. Behind that aggregate statistic lies a structural shift in how adversaries operate. The center of gravity of modern enterprise compromise has moved decisively to the identity layer — to credentials, sessions, consents, federated trusts, and the machine identities that increasingly outnumber human ones.

This research article documents the composition of modern identity attack chains. It analyzes the recurring structure adversaries assemble across initial access, discovery, credential acquisition, lateral movement, privilege escalation, and terminal action. It maps each stage to MITRE ATT&CK tactics and techniques. It documents tradecraft observed in current operations and translates the technical findings into enterprise implications.

The intended audience includes detection engineers, threat hunters, security architects, and senior security leaders responsible for identity governance. The article assumes familiarity with Active Directory concepts, modern cloud identity providers (Entra ID, Okta), and the MITRE ATT&CK framework.


1. The Anatomy of a Modern Identity Chain

Modern identity attack chains exhibit consistent structural composition. Across the corpus, the dominant chain shape comprises five operational stages.

Stage 1 — Foothold via Identity

The chain begins with adversary acquisition of authenticated context as an enterprise identity. The dominant techniques observed include:

  • T1566.002 (Spearphishing Link) combined with T1557 (Adversary-in-the-Middle) producing post-MFA session token capture
  • T1078.004 (Valid Accounts: Cloud Accounts) through credentials sourced from infostealer logs or third-party breach reuse
  • T1528 (Steal Application Access Token) through OAuth consent phishing
  • T1110.003 (Password Spraying) against tenants with weak password policy subsets
  • T1556.006 (Modify Authentication Process: Multi-Factor Authentication) through helpdesk social engineering to register adversary-controlled MFA factors

Critically, foothold via identity rarely involves direct authentication failures. The user typically experiences successful authentication; the system records a legitimate session; defensive telemetry records the foothold only as anomaly signals that require interpretation.

Stage 2 — Identity Reconnaissance

Once authenticated, the adversary performs identity-layer reconnaissance:

  • T1087.004 (Account Discovery: Cloud Account) enumeration of users, groups, and roles
  • T1069.003 (Permission Groups Discovery: Cloud Groups) enumeration of group memberships and permission inheritance
  • T1518 (Software Discovery) enumeration of applications and integrations
  • T1526 (Cloud Service Discovery) enumeration of resources and services accessible to the identity

The enumeration overwhelmingly uses legitimate APIs. Microsoft Graph, AWS IAM APIs, and Okta APIs are queried with the compromised identity's permissions. Detection of reconnaissance is one of the most consistent weak points across the corpus — empirical detection efficacy at this stage averages 31 percent.
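As an added illustration of what a behavioral detection for this stage looks like (example code written for this article, not KeenSafe's own tooling), the script below scans a constructed, simplified directory-read log for principals whose densest burst of calls is both high in volume and broad across object types. The record shape and the operation names are assumptions; real Microsoft Graph, AWS IAM and Okta audit records differ, and the thresholds are starting points to tune against a tenant's baseline.

```python
"""Identity-reconnaissance burst detection over directory-read activity.

Added example, not KeenSafe's code. Each input record is a constructed,
simplified audit entry: calling principal, operation name, object type
read, ISO-8601 timestamp. Field and operation names are assumptions for
the example; real Graph, IAM and Okta audit schemas differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Directory-read operations that make up identity reconnaissance, and the
# ATT&CK technique each object type maps to (per the stage description).
RECON_OPERATIONS = {
    "ListUsers", "ListGroups", "ListGroupMembers", "ListDirectoryRoles",
    "ListRoleMembers", "ListApplications", "ListServicePrincipals",
}
TECHNIQUE_BY_OBJECT_TYPE = {
    "user": "T1087.004",            # Account Discovery: Cloud Account
    "group": "T1069.003",           # Permission Groups Discovery: Cloud Groups
    "directoryRole": "T1069.003",
    "application": "T1518",         # Software Discovery
    "servicePrincipal": "T1518",
}

# Constructed sample: a helpdesk user reading two groups twenty minutes apart,
# and one account sweeping users, groups, roles and apps in under two minutes.
SAMPLE_EVENTS = [
    {"principal": "helpdesk@example.test", "operation": "ListGroupMembers",
     "object_type": "group", "time": "2026-05-01T09:00:00Z"},
    {"principal": "helpdesk@example.test", "operation": "ListGroupMembers",
     "object_type": "group", "time": "2026-05-01T09:20:00Z"},
    {"principal": "alice@example.test", "operation": "SendMail",
     "object_type": "message", "time": "2026-05-01T02:13:00Z"},  # not recon, filtered out
    {"principal": "alice@example.test", "operation": "ListUsers",
     "object_type": "user", "time": "2026-05-01T02:14:00Z"},
    {"principal": "alice@example.test", "operation": "ListGroups",
     "object_type": "group", "time": "2026-05-01T02:14:10Z"},
    {"principal": "alice@example.test", "operation": "ListGroupMembers",
     "object_type": "group", "time": "2026-05-01T02:14:30Z"},
    {"principal": "alice@example.test", "operation": "ListDirectoryRoles",
     "object_type": "directoryRole", "time": "2026-05-01T02:15:00Z"},
    {"principal": "alice@example.test", "operation": "ListRoleMembers",
     "object_type": "directoryRole", "time": "2026-05-01T02:15:15Z"},
    {"principal": "alice@example.test", "operation": "ListApplications",
     "object_type": "application", "time": "2026-05-01T02:15:30Z"},
    {"principal": "alice@example.test", "operation": "ListServicePrincipals",
     "object_type": "servicePrincipal", "time": "2026-05-01T02:15:40Z"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_recon_bursts(events, window_minutes=10, min_calls=5, min_object_types=3):
    """Flag principals whose densest window of recon calls is both high in
    volume and broad in object types.

    Volume alone would eventually flag the helpdesk; breadth is the
    discriminating signal, since one identity touching users, groups, roles
    and apps within minutes is the stage-2 pattern described above.
    """
    window = timedelta(minutes=window_minutes)
    per_principal = defaultdict(list)
    for e in events:
        if e["operation"] in RECON_OPERATIONS:
            per_principal[e["principal"]].append(
                (_parse(e["time"]), e["object_type"], e["operation"]))

    findings = []
    for principal, calls in per_principal.items():
        calls.sort()
        best, start = [], 0
        for end in range(len(calls)):
            # Slide the window start forward until it spans at most `window`.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = calls[start:end + 1]
        object_types = {c[1] for c in best}
        if len(best) >= min_calls and len(object_types) >= min_object_types:
            findings.append({
                "principal": principal,
                "window_start": best[0][0].isoformat(),
                "calls": len(best),
                "object_types": sorted(object_types),
                "techniques": sorted({TECHNIQUE_BY_OBJECT_TYPE[t]
                                      for t in object_types
                                      if t in TECHNIQUE_BY_OBJECT_TYPE}),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_recon_bursts(SAMPLE_EVENTS):
        print(finding)
```

The breadth threshold is what keeps this rule from firing on routine administration: the helpdesk account reads only groups and is ignored at the defaults, while the sweeping account is reported once with the ATT&CK techniques its object types map to, which is the shape a triage queue needs.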

Stage 3 — Credential or Privilege Acquisition

The adversary leverages discovered context to acquire additional credentials or privilege:

  • T1552.001 (Credentials in Files) discovery of embedded credentials in collaboration platforms, repositories, or operational documentation
  • T1555.005 (Password Managers) retrieval from accessible password management or secrets stores
  • T1098.001 (Account Manipulation: Additional Cloud Credentials) addition of adversary-controlled credentials to existing accounts where permissions permit
  • T1098.003 (Add Office 365 Global Administrator Role) privilege escalation through role manipulation
  • T1098.002 (Additional Email Delegate Permissions) mailbox delegation for persistence and discovery
  • T1003 (OS Credential Dumping) in scenarios crossing into traditional endpoint compromise

Stage 4 — Lateral Movement and Domain Traversal

Acquired credentials and privileges enable lateral progression:

  • T1550.001 (Use Alternate Authentication Material: Application Access Token) and T1550.004 (Web Session Cookie) for token and cookie replay
  • T1021.002 (SMB/Windows Admin Shares) for traditional Windows lateral movement where on-prem AD is involved
  • T1199 (Trusted Relationship) for federation and consent-mediated traversal
  • T1078 (Valid Accounts) family for continued use of acquired identities

Cross-domain progression is increasingly common: 62 percent of validated chains traverse two or more of the on-premises, cloud, SaaS, and CI/CD surfaces during the lateral movement phase.

Stage 5 — Terminal Action

The chain reaches operational objective:

  • T1213 (Data from Information Repositories) for data-focused operations
  • T1486 (Data Encrypted for Impact) for ransomware-focused operations
  • T1098.001 for persistent access establishment
  • T1485 (Data Destruction) for destructive operations

Figure: Five-Stage Identity Chain Structure with MITRE ATT&CK Overlay. Techniques used in the engagement mapped to MITRE tactics.


2. Recurring TTP Chains Observed in 2026

Four TTP chains recur with sufficient frequency to constitute observable patterns.

Chain Pattern A: AiTM → OAuth → Federation → Data

The most frequently observed chain pattern in the corpus.

Stage  Technique                                    Tactic
1      T1566.002 + T1557 (AiTM phishing)            Initial Access
2      T1539 (Steal Web Session Cookie)             Credential Access
3      T1078.004 (Valid Accounts: Cloud)            Defense Evasion / Persistence
4      T1087.004 + T1069.003 (Discovery)            Discovery
5      T1528 (OAuth Application Persistence)        Persistence
6      T1199 (Federation Traversal)                 Lateral Movement
7      T1213 (Data from Information Repositories)   Collection

This chain pattern is characteristic of operations targeting customer data, intellectual property, and regulated information. Its persistence reflects the maturity of AiTM phishing kits, the prevalence of OAuth consent grants, and the operational complexity of cross-tenant federation policies.

Chain Pattern B: Credential Exposure → Cloud Identity → Lateral → Production

Stage  Technique                                    Tactic
1      T1552.001 (Credentials in Files)             Credential Access
2      T1078.004 (Valid Accounts: Cloud)            Initial Access
3      T1526 (Cloud Service Discovery)              Discovery
4      T1098.001 (Additional Cloud Credentials)     Persistence
5      T1078.004 (Service Principal Use)            Lateral Movement
6      T1486 or T1213 (Impact / Collection)         Impact / Collection

Characteristic of operations exploiting service principal exposure. Initial access frequently originates with an inadvertent commit, a SaaS-hosted documentation exposure, or a third-party leak.

Chain Pattern C: Phished User → On-Prem Pivot → Domain Compromise

Stage  Technique                                    Tactic
1      T1566.001 or .002 (Phishing)                 Initial Access
2      T1078.002 (Valid Accounts: Domain)           Defense Evasion
3      T1087.002 (Account Discovery: Domain)        Discovery
4      T1558.003 (Kerberoasting)                    Credential Access
5      T1550.002 (Pass the Hash)                    Lateral Movement
6      T1003.003 (OS Credential Dumping: NTDS)      Credential Access
7      T1078.002 (Domain Admin Use)                 Persistence / Impact

Characteristic of operations against organizations with substantial on-prem AD presence. Persists in environments where Kerberoasting-resistant service account hygiene has not been institutionalized.

Chain Pattern D: Help Desk Social Engineering → MFA Manipulation → Persistent Access

Stage  Technique                                    Tactic
1      T1656 (Impersonation)                        Initial Access
2      T1556.006 (MFA Modification)                 Defense Evasion
3      T1078.004 (Valid Accounts: Cloud)            Initial Access
4      T1098.001 (Additional Cloud Credentials)     Persistence
5      T1098.005 (Device Registration)              Persistence
6      T1213 (Data from Information Repositories)   Collection

Characteristic of operations where help desk identity verification practices are weak. Operations have grown materially over the reporting window as adversaries have industrialized help desk impersonation through AI-assisted context fabrication.

Figure: Four Recurring TTP Chain Patterns. Linear kill-chain sequence with MITRE ATT&CK tactic tags per stage (initial, exec, persist, esc, impact).


3. Operational Tradecraft Observations

MFA Bypass Has Become Routine

Across the chains analyzed, MFA was bypassed in 64 percent of cases where MFA was nominally enforced. The dominant bypass mechanisms include:

  • AiTM session token capture (T1557, T1539)
  • Help desk-mediated MFA factor manipulation (T1556.006)
  • Session token theft from compromised endpoints (T1539)
  • Exploitation of MFA exception conditions in conditional access policies
  • Legacy authentication protocol gaps

MFA deployment has moved from differentiating control to baseline expectation. MFA bypass mitigation — particularly through session binding, device posture enforcement, and post-MFA behavioral validation — is the more meaningful current defensive frontier.

OAuth Has Become Persistence

OAuth consent grants are increasingly used as a primary persistence mechanism. The properties that make them attractive to adversaries include:

  • Persistence survives password rotation
  • Persistence survives MFA enforcement (the consent is the authentication)
  • Permissions can match plausible business uses, evading reactive review
  • Consent grants are inventoried inconsistently in most enterprises

Living Off the Cloud APIs

Modern identity chains use legitimate cloud APIs almost exclusively. Microsoft Graph, AWS IAM APIs, Entra ID APIs, and SaaS platform APIs are the primary tooling. Detection rules tuned against traditional adversary tooling fingerprints capture little of this activity.

Cross-Domain by Default

The majority of chains traverse cross-domain boundaries. Single-domain telemetry — within Entra ID, within AWS, within a specific SaaS — captures the chain only in fragments. Effective detection requires correlation across the boundaries adversaries traverse.
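As an added example serving both the OAuth persistence point above and the cross-domain correlation point here (example code written for this article, not KeenSafe's own tooling), the script below reviews constructed consent-grant audit records against high-risk delegated scopes and correlates each grant with risky sign-ins for the same user drawn from a second telemetry domain. The two record schemas are simplified assumptions, not the real Entra ID or Okta formats; only the scope names are real Microsoft Graph delegated permissions.

```python
"""OAuth consent-grant review correlated with sign-in risk.

Added example, not KeenSafe's code. Two constructed record sets stand in
for two telemetry domains: identity-provider sign-in events and the
directory audit log of application consent grants. Field names are
simplified assumptions; scope names are Microsoft Graph delegated
permissions.
"""
from datetime import datetime, timedelta

# Delegated scopes whose grant to a third-party app should always be reviewed:
# mailbox and file access. offline_access is tracked separately because it
# yields a refresh token, which is what lets the grant outlive password
# rotation and MFA enforcement.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
}
PERSISTENCE_SCOPE = "offline_access"

# Constructed sign-in telemetry: one clean sign-in and one the IdP flagged as
# coming from an anonymizing proxy, the shape a relayed session often shows.
SIGN_INS = [
    {"user": "bob@example.test", "time": "2026-05-02T08:00:00Z",
     "risk": "none", "ip": "203.0.113.10"},
    {"user": "alice@example.test", "time": "2026-05-02T11:02:00Z",
     "risk": "anonymizedIPAddress", "ip": "198.51.100.7"},
]

# Constructed consent-grant audit records.
CONSENTS = [
    {"user": "bob@example.test", "time": "2026-05-02T08:05:00Z",
     "app": "Corp Expense Portal", "app_verified_publisher": True,
     "scopes": ["User.Read", "offline_access"]},
    {"user": "alice@example.test", "time": "2026-05-02T11:09:00Z",
     "app": "Mail Sync Helper", "app_verified_publisher": False,
     "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access", "User.Read"]},
    {"user": "carol@example.test", "time": "2026-04-20T15:30:00Z",
     "app": "Drive Backup", "app_verified_publisher": False,
     "scopes": ["Files.ReadWrite.All", "offline_access"]},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def review_consents(consents, sign_ins, correlation_window_minutes=60):
    """Score each consent grant and return findings ordered by severity.

    Reasons accumulate per grant:
      high_risk_scope       a data-access scope from HIGH_RISK_SCOPES
      persistent            offline_access present (refresh token issued)
      unverified_publisher  the app has no verified publisher
      after_risky_signin    a risky sign-in by the same user preceded the
                            grant within the correlation window; this is the
                            cross-domain join between sign-in and audit data
    Severity is the reason count, with after_risky_signin weighted double
    because it ties the grant to a foothold rather than to app hygiene.
    """
    window = timedelta(minutes=correlation_window_minutes)
    risky = [(s["user"], _parse(s["time"])) for s in sign_ins if s["risk"] != "none"]
    findings = []
    for c in consents:
        reasons = []
        scopes = set(c["scopes"])
        if scopes & HIGH_RISK_SCOPES:
            reasons.append("high_risk_scope")
        if PERSISTENCE_SCOPE in scopes:
            reasons.append("persistent")
        if not c["app_verified_publisher"]:
            reasons.append("unverified_publisher")
        granted_at = _parse(c["time"])
        if any(u == c["user"] and timedelta(0) <= granted_at - t <= window
               for u, t in risky):
            reasons.append("after_risky_signin")
        if not reasons:
            continue
        severity = len(reasons) + (1 if "after_risky_signin" in reasons else 0)
        findings.append({
            "user": c["user"], "app": c["app"], "reasons": reasons,
            "severity": severity,
            # Revocation, not password reset, is the remediation for a grant.
            "revoke_recommended": severity >= 3,
        })
    findings.sort(key=lambda f: -f["severity"])
    return findings


if __name__ == "__main__":
    for finding in review_consents(CONSENTS, SIGN_INS):
        print(finding)
```

The point of the join is visible in the output: the mailbox-scoped grant that followed a risky sign-in within minutes outranks an otherwise identical stale grant, and neither would be surfaced by a sign-in-only or consent-only review. Running the review on the full grant inventory, rather than on grants made since the last incident, is what catches persistence that predates the reporting window.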

Figure: Tradecraft Distribution Across the Corpus. Bar distribution of counts/shares by category: raw vulns, reachable, exploitable, on crown-jewel path.


4. Enterprise Implications

Detection Engineering Reprioritization

The dominant detection gaps observed across the corpus concentrate at specific chain stages:

  • Identity reconnaissance (T1087, T1069 family): 31 percent average detection efficacy
  • Account manipulation (T1098 family): 38 percent
  • OAuth consent abuse (T1528): 24 percent
  • Token replay (T1550 family): 42 percent

Detection investment in these stages produces high marginal returns. Programs that have prioritized these categories report substantial improvements in chain interruption rates.

Identity Governance as the Highest-Leverage Discipline

Across the corpus, identity governance maturity is the single largest predictor of chain density at crown jewels. Mature programs — those with disciplined practice across permission rationalization, machine identity lifecycle, OAuth consent governance, federation policy review, and conditional access management — exhibit chain densities in single digits. Lagging programs frequently exceed a chain density of forty.

Cross-Domain Validation as Operational Necessity

Single-domain validation tools systematically miss the dominant chain class. Cloud security posture management within a tenant, identity threat detection within an identity provider, and SaaS posture management within a platform each capture chain fragments; none reconstruct the chains adversaries assemble.

Continuous Re-Validation as Architectural Requirement

The cadence of environmental change in modern enterprises exceeds the cadence of periodic validation. Continuous validation — event-driven re-evaluation as conditions change — is the only operating model that maintains current chain visibility.


5. Strategic Insights

Insight 1: The unit of risk is the chain, not the vulnerability. Adversaries operate on chains. Defensive programs that continue to measure success in vulnerability remediation systematically optimize against a model that no longer represents the dominant breach pattern.

Insight 2: Identity governance maturity is the dominant defensibility variable. Across the corpus, the gap between mature and lagging identity governance is larger than any other defensive variable in predicting chain density.

Insight 3: Detection efficacy is materially lower than detection coverage suggests. Theoretical technique coverage and empirical detection efficacy diverge by 24 percentage points on average. Programs that have not empirically measured efficacy substantially overestimate their detection posture.

Insight 4: Cross-domain visibility is becoming a regulatory expectation. Frameworks evolving toward continuous control validation increasingly expect cross-domain evidence. Programs operating with fragmented single-domain validation will face material disadvantages.

Insight 5: Machine identity governance is the laggard discipline. Machine identities outnumber human identities and exhibit weaker governance discipline. The asymmetry is structural and is the source of disproportionate chain participation.

Insight 6: AiTM bypass is now baseline, not advanced. MFA deployment is necessary but no longer sufficient. The defensive frontier has moved to session binding, post-MFA behavioral analysis, and conditional access discipline.

Insight 7: OAuth persistence outlives traditional defensive cycles. Credential rotation, MFA enforcement, and account remediation do not address OAuth-based persistence. Consent inventory and governance are essential.

Figure: Strategic Insight Framework. 2×2 strategic framework / accountability landscape ("act now" quadrant).


Conclusion

Modern identity attack chains are the operational core of contemporary enterprise compromise. The chains are identity-driven, multi-stage, cross-domain, and predominantly executed with legitimate APIs against the controls enterprises have invested most heavily in. Their dominance reflects the structural shift in enterprise infrastructure — identity has become the trust enforcement layer, and adversaries have followed.

Defensive programs aligned with this reality measure their effectiveness in chain state rather than finding counts, invest detection capacity at the stages where chains are most interruptible, mature identity governance across both human and machine surfaces, and validate continuously across cross-domain boundaries. The programs that do not align find their defensive investments systematically diverging from where adversaries actually operate.

KeenSafe Research will continue to publish updated intelligence on identity attack chain evolution. Specific technique deep-dives — AiTM bypass, OAuth abuse, Kerberoasting in hybrid environments, service account abuse, lateral movement patterns — are the subject of companion research in this series.


KeenSafe Research is the threat intelligence and offensive security research arm of KeenSafe, an AI-powered attack path validation platform for continuous offensive security validation across hybrid enterprise infrastructure.

Figure: Identity Chain Research Series headline statistics from the corpus analysis. Sample: 240. Recurrence: 68%. Detection gap: 41%.
