There's a class of attacks I see in incident reports again and again: terabytes of data leave the network, and not a single security tool raises a red flag.
No flashy zero-days. No nation-state tooling. No malware that triggers antivirus.
Just someone who logged in.
That's it.
Not every breach starts with a dramatic zero-day, ransomware, or an alert popping up saying "Data Hacked!!!"
The threat I am talking about is credential abuse: using valid credentials to walk straight in as if you were invited.
Why This Matters More Than Any Vuln
We focus on CVEs, patch cycles, and EDR signatures, but attackers skip all of that. Why struggle with an exploit when you can simply log in?
Your firewall won't care, your EDR won't care, and the SIEM will barely notice; even the SOC analyst will see it as a normal user logging in.
From the defender's side, it looks legitimate.
From the attacker's side, it's perfect camouflage.
In most enterprise breaches, the initial foothold was not malware.
How Credential Abuse Works (Under the Hood)
This is not guessing passwords blindly. It's much smarter.

1) Credential Harvesting
- Phishing kits (evilginx-style reverse proxies)
- Infostealers
- Data breaches from unrelated websites
- Keylogging malware
- Browser password dumps
- OS credential dumping
- Credentials pulled from password stores
- Unhashed or plaintext credentials passing over the network
2) Credential Validation (Password Spraying)
python3 o365spray.py --domain company.com --userlist users.txt --password 'Winter@123'
3) Living Off the Land After Login
- PowerShell
- RDP
- SMB
- Azure portal
- AWS console
No malware required.
Real-Life Case: The Uber Breach (2022)
A contractor working with Uber had their password stolen. Not from Uber. From their own personal machine, earlier, thanks to an infostealer. Those stealer logs were then purchased by a hacker.
He attempted to log in to Uber's VPN, but
MFA pops up!
Instead of bypassing it or using any exploit, the attacker simply kept spamming MFA prompts. The contractor kept denying them, but, worn down, eventually clicked Approve to make them stop, and the play was done.
Instant access.
Where Most Organizations Mess This Up
I’ve seen this pattern so many times it’s almost predictable.
- “We have MFA, so we’re fine.”
- Nobody looks at impossible travel if the login worked
- Password spray attempts get ignored because no one got locked out
- A user adds a new MFA method and no alert is generated
- Mailbox rules get created and nobody ever checks them
All of this comes from one dangerous assumption:
If the login is successful, it must be the real user.
That’s exactly what attackers rely on.
What You (or Your SOC) Should Actually Watch For
Pay attention to things like:
- A successful login from a country the user has never been to
- A new MFA device getting added to an existing account
- Inbox rules being created, especially ones that hide or forward emails
- Large downloads from OneDrive or SharePoint
- Users granting permissions to unfamiliar OAuth apps inside Microsoft 365
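The signals above, and the password-spray pattern from step 2 of "How Credential Abuse Works", are all things a SOC can test for mechanically. The script below is an added example, not code from the original post: it runs three detections over constructed, simplified sign-in and audit records whose field names loosely follow Microsoft Entra ID sign-in logs and Exchange Online audit records (error code 50126, the "User registered security info" activity, and the New-InboxRule operation with its MoveToFolder/ForwardTo parameters are real; the IPs, users, coordinates and thresholds are assumptions).

```python
"""Credential-abuse detections over constructed sign-in and audit records.

Added example (not from the original post). Records below are CONSTRUCTED;
thresholds (5 distinct accounts per 30 min, 900 km/h) are assumptions a SOC
would tune against its own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

ERR_BAD_PASSWORD = "50126"  # Entra ID error code: invalid username or password


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sign-ins: a spray from 203.0.113.7 against seven accounts with one
# success (alice), an "impossible travel" pair for bob, and one harmless typo.
SIGNINS = [
    {"time": f"2024-05-01 09:0{i}", "user": f"user{i}@company.com", "ip": "203.0.113.7",
     "status": "failure", "error": ERR_BAD_PASSWORD, "country": "NL", "lat": 52.37, "lon": 4.90}
    for i in range(1, 8)
] + [
    {"time": "2024-05-01 09:08", "user": "alice@company.com", "ip": "203.0.113.7",
     "status": "success", "error": "0", "country": "NL", "lat": 52.37, "lon": 4.90},
    {"time": "2024-05-01 08:00", "user": "bob@company.com", "ip": "198.51.100.4",
     "status": "success", "error": "0", "country": "US", "lat": 40.71, "lon": -74.01},
    {"time": "2024-05-01 09:30", "user": "bob@company.com", "ip": "203.0.113.9",
     "status": "success", "error": "0", "country": "NL", "lat": 52.37, "lon": 4.90},
    {"time": "2024-05-01 09:40", "user": "carol@company.com", "ip": "198.51.100.9",
     "status": "failure", "error": ERR_BAD_PASSWORD, "country": "US", "lat": 40.71, "lon": -74.01},
]

# Constructed audit records (Exchange Online / Entra audit style).
AUDIT = [
    {"time": "2024-05-01 09:12", "user": "alice@company.com", "operation": "New-InboxRule",
     "params": {"Name": ".", "MoveToFolder": "RSS Subscriptions",
                "SubjectContainsWords": "security alert;password"}},
    {"time": "2024-05-01 09:15", "user": "alice@company.com",
     "operation": "User registered security info", "params": {"method": "Microsoft Authenticator"}},
    {"time": "2024-05-01 10:00", "user": "dave@company.com", "operation": "New-InboxRule",
     "params": {"Name": "Invoices", "MoveToFolder": "Finance"}},
]


def detect_password_spray(signins, window=timedelta(minutes=30), min_users=5):
    """One source IP failing with a bad password against many DISTINCT accounts
    in a short window is a spray, even though nobody gets locked out. Also
    reports which accounts that IP then logged into successfully."""
    by_ip = defaultdict(list)
    for r in signins:
        by_ip[r["ip"]].append(r)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: ts(r["time"]))
        fails = [r for r in recs if r["status"] == "failure" and r["error"] == ERR_BAD_PASSWORD]
        for i, first in enumerate(fails):
            end = ts(first["time"]) + window
            users = {r["user"] for r in fails[i:] if ts(r["time"]) <= end}
            if len(users) >= min_users:
                hits = {r["user"] for r in recs
                        if r["status"] == "success" and ts(first["time"]) <= ts(r["time"]) <= end}
                findings[ip] = {"distinct_users": len(users), "then_succeeded": sorted(hits)}
                break
    return findings


def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(signins, max_speed_kmh=900.0):
    """Two SUCCESSFUL logins by one user whose implied speed beats an airliner.
    Failures are ignored on purpose: the point is that the login worked."""
    per_user = defaultdict(list)
    for r in signins:
        if r["status"] == "success":
            per_user[r["user"]].append(r)
    findings = []
    for user, recs in per_user.items():
        recs.sort(key=lambda r: ts(r["time"]))
        for a, b in zip(recs, recs[1:]):
            hours = (ts(b["time"]) - ts(a["time"])).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if km > 1 and (hours == 0 or km / hours > max_speed_kmh):
                findings.append((user, a["country"], b["country"], round(km)))
    return findings


HIDING_KEYS = {"MoveToFolder", "DeleteMessage", "ForwardTo", "RedirectTo", "MarkAsRead"}
ALERT_WORDS = ("security", "password", "sign-in", "mfa")


def detect_suspicious_audit(events):
    """Flag every new MFA method, and inbox rules that hide or forward mail when
    they target security keywords, forward externally, or have a blank name.
    A rule that merely files vendor invoices is left alone."""
    findings = []
    for e in events:
        p = e["params"]
        if e["operation"] == "User registered security info":
            findings.append(("new_mfa_method", e["user"], p.get("method")))
        elif e["operation"] == "New-InboxRule" and HIDING_KEYS & set(p):
            subject = p.get("SubjectContainsWords", "").lower()
            if (any(w in subject for w in ALERT_WORDS) or not p.get("Name", "").strip(". ")
                    or "ForwardTo" in p or "RedirectTo" in p):
                findings.append(("hiding_inbox_rule", e["user"], p.get("Name")))
    return findings


if __name__ == "__main__":
    print(detect_password_spray(SIGNINS))
    print(detect_impossible_travel(SIGNINS))
    print(detect_suspicious_audit(AUDIT))
```

The spray detector keys on distinct accounts per source, not on lockouts, which is exactly the gap the post describes; the travel detector only looks at successes, because a failed login from a strange country is noise while a successful one is the finding; and the audit check separates a mailbox rule that hides "security" or "password" mail from an ordinary filing rule, so it can alert without drowning in false positives.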
If You Think This Already Happened to You
If you have noticed anything like this:
- You got MFA prompts you didn’t request
- Your mailbox had rules you don’t remember creating
- Security emails were marked as read or moved to folders
- Colleagues said you sent emails you don’t recall writing
- Login history shows locations you’ve never been to
- Your account suddenly asked you to re-authenticate everywhere
- Files in OneDrive or SharePoint show unusual download activity
- An unfamiliar app shows up in your Microsoft 365 app permissions
Then do this:
- Check and delete all mailbox rules
- Review MFA methods and remove anything you don’t recognize
- Force sign-out from all sessions
- Revoke OAuth app permissions you didn’t approve
- Inform your IT/SOC team with the timeline of what you noticed
- Ask for sign-in logs to be reviewed for the past 30–60 days
So stay safe, stay secure.
Thank you for reading!