<!-- curated:true -->
# [HIGH] No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks

**Source:** The Hacker News
**Published:** 2026-04-21
**Article:** https://thehackernews.com/2026/04/no-exploit-needed-how-attackers-walk.html
**Curated:** Analyst-reviewed 2026-04-28

## Threat profile

A general-trend article making a point your SOC already knows but rarely operationalises: **the most reliable initial access in 2026 isn't a 0-day, it's a valid credential.** The attack flow is unchanged for years — credential stuffing, infostealer logs, phishing, MFA fatigue, session-token theft — and the defenders are *still* under-investing in identity-side detection relative to endpoint detection.

Why this is curated rather than skipped: the article is opinion-piece-shaped, but it surfaces a hunt-and-tune backlog every SOC should run. We've upgraded severity to **HIGH** because identity-based intrusion is the **single most prevalent root cause** in 2026 IR engagements (Microsoft, Mandiant, CrowdStrike all agree on this).

The actionable detections aren't tied to one CVE — they're behavioural identity signals that defend against the entire class.

## Indicators of Compromise

- No CVEs / hashes — this is a TTP-and-class story, not a single-incident story.
- Telemetry sources that matter: identity provider logs (Entra/Azure AD, Okta, Ping), VPN auth logs, SaaS-app sign-in logs, password manager audit logs, email gateway, CASB.

## MITRE ATT&CK (analyst-validated)

- **T1078** — Valid Accounts (the canonical technique)
- **T1110.003** — Brute Force: Password Spraying
- **T1110.004** — Brute Force: Credential Stuffing
- **T1539** — Steal Web Session Cookie (post-infostealer)
- **T1556.006** — Modify Authentication Process: Multi-Factor Authentication (MFA fatigue / device-add)
- **T1606.001** — Forge Web Credentials: Web Cookies (token theft)
- **T1621** — Multi-Factor Authentication Request Generation (MFA bombing)

## Recommended SOC actions (priority-ordered)

1. **Audit your impossible-travel rule.** Most are tuned at country level only — too coarse. Tighten to `dcount(country) > 1 in 60min` and review fidelity.
2. **Hunt password-spray attempts.** A single source (one IP, or a small set of IPs) attempting >5 distinct usernames in <60 min, with most attempts failing.
3. **Hunt for new-device-add events** in Entra/Azure AD — this is the MFA-bypass step. Most orgs have these in logs but no detection rule.
4. **Pull last 30 days of risky sign-ins**, group by country/ASN, look for sustained anomalies.
5. **Force-reset credentials for accounts in known infostealer dumps.** Subscribe to a paid feed (Recorded Future, IntelX, KELA) or a free one (HaveIBeenPwned for breach material).
6. **Alert on "consent grant" / new OAuth app**, particularly with `Mail.ReadWrite` / `Files.ReadWrite.All` / `Directory.AccessAsUser.All` scopes.
7. **Token-replay detection**: same refresh token used from two ASNs within 24h.
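The three hunts in actions 1 to 3 reduce to the same pattern: bucket sign-in events by a fixed window and count per key. The Python below is an added example (not from the article or any vendor) that runs that logic over a constructed set of sign-in events, so the thresholds in the SPL and KQL further down can be sanity-checked offline. The event layout, the `bucket` helper and the sample IPs are assumptions for this example; the window sizes and thresholds mirror the queries that follow (10 min spray buckets, 15 min failure-then-success windows, 4 h travel windows).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, user, source IP, country, outcome).
# The layout is an assumption for this example, not any identity provider's schema.
SAMPLE_EVENTS = [
    # Password spray: one source, five users, eight failures inside ten minutes.
    ("2026-04-20T09:00:00", "alice", "198.51.100.23", "NL", "failure"),
    ("2026-04-20T09:00:30", "bob",   "198.51.100.23", "NL", "failure"),
    ("2026-04-20T09:01:00", "carol", "198.51.100.23", "NL", "failure"),
    ("2026-04-20T09:01:30", "dave",  "198.51.100.23", "NL", "failure"),
    ("2026-04-20T09:02:00", "erin",  "198.51.100.23", "NL", "failure"),
    ("2026-04-20T09:03:00", "alice", "198.51.100.23", "NL", "failure"),
    ("2026-04-20T09:04:00", "bob",   "198.51.100.23", "NL", "failure"),
    ("2026-04-20T09:05:00", "carol", "198.51.100.23", "NL", "failure"),
    # Credential stuffing on one account: six failures, then a success.
    ("2026-04-20T10:00:00", "bob", "203.0.113.5", "US", "failure"),
    ("2026-04-20T10:01:00", "bob", "203.0.113.5", "US", "failure"),
    ("2026-04-20T10:02:00", "bob", "203.0.113.5", "US", "failure"),
    ("2026-04-20T10:03:00", "bob", "203.0.113.5", "US", "failure"),
    ("2026-04-20T10:04:00", "bob", "203.0.113.5", "US", "failure"),
    ("2026-04-20T10:05:00", "bob", "203.0.113.5", "US", "failure"),
    ("2026-04-20T10:06:00", "bob", "203.0.113.5", "US", "success"),
    # Impossible travel: one user, two countries, 30 minutes apart.
    ("2026-04-20T11:00:00", "alice", "203.0.113.9", "US", "success"),
    ("2026-04-20T11:30:00", "alice", "192.0.2.44",  "DE", "success"),
    # Benign sign-in that should trip nothing.
    ("2026-04-20T12:00:00", "carol", "203.0.113.9", "US", "success"),
]

EPOCH = datetime(1970, 1, 1)


def parse_events(rows):
    return [{"ts": datetime.fromisoformat(ts), "user": u, "src": s, "country": c, "action": a}
            for ts, u, s, c, a in rows]


def bucket(ts, window):
    """Floor a timestamp to a fixed window, like `span=` in tstats or bin() in KQL."""
    return EPOCH + ((ts - EPOCH) // window) * window


def password_spray(events, window=timedelta(minutes=10), min_users=5, ratio=1.5):
    """One source, many distinct users, mostly failures (the spray rule's thresholds)."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "failure":
            by_key[(e["src"], bucket(e["ts"], window))].append(e["user"])
    hits = []
    for (src, start), users in sorted(by_key.items()):
        distinct = len(set(users))
        if distinct >= min_users and len(users) > distinct * ratio:
            hits.append({"src": src, "window_start": start,
                         "distinct_users": distinct, "attempts": len(users)})
    return hits


def success_after_failures(events, window=timedelta(minutes=15), min_failures=5):
    """Success preceded, inside the window, by more than min_failures failures for one user.
    Only failures *before* the first success are counted: that ordering check is what a
    plain per-bucket count of failures and successes cannot express."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], bucket(e["ts"], window))].append(e)
    hits = []
    for (user, start), evs in sorted(by_key.items()):
        successes = sorted(e["ts"] for e in evs if e["action"] == "success")
        if not successes:
            continue
        preceding = sum(1 for e in evs if e["action"] == "failure" and e["ts"] < successes[0])
        if preceding > min_failures:
            hits.append({"user": user, "window_start": start, "failures_before_success": preceding})
    return hits


def impossible_travel(events, window=timedelta(hours=4), max_minutes=240):
    """Successful sign-ins for one user from more than one country inside the window."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "success":
            by_key[(e["user"], bucket(e["ts"], window))].append(e)
    hits = []
    for (user, start), evs in sorted(by_key.items()):
        countries = sorted({e["country"] for e in evs})
        times = [e["ts"] for e in evs]
        span_minutes = (max(times) - min(times)).total_seconds() / 60
        if len(countries) > 1 and span_minutes < max_minutes:
            hits.append({"user": user, "countries": countries, "span_minutes": span_minutes})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for name, fn in (("password spray", password_spray),
                     ("success after failures", success_after_failures),
                     ("impossible travel", impossible_travel)):
        print(name, fn(evs))
```

Running it flags exactly one hit per hunt: the spraying source, bob's stuffed account, and alice's two-country pair. Country-level travel checks are the coarse version the first action warns about; tightening to city or ASN is a change to the grouping key, not to the algorithm.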

## Splunk SPL — password spray (one source, many usernames, mostly fail)

```spl
| tstats `summariesonly` count
    from datamodel=Authentication.Authentication
    where Authentication.action="failure"
    by Authentication.src, Authentication.user, _time span=10m
| `drop_dm_object_name(Authentication)`
| stats dc(user) AS distinct_users, sum(count) AS attempts, values(user) AS targeted_users by src, _time
| where distinct_users >= 5 AND attempts > distinct_users * 1.5
| sort - distinct_users
```

`sum(count)` is required here: `tstats` already pre-aggregated a `count` per source/user/bucket, and a bare `count` in the second `stats` would only count rows, which equals `distinct_users` and can never exceed `distinct_users * 1.5`.

## Splunk SPL — impossible travel (geo-aware)

```spl
| tstats `summariesonly` count
    from datamodel=Authentication.Authentication
    where Authentication.action="success"
    by Authentication.user, Authentication.src, _time span=5m
| `drop_dm_object_name(Authentication)`
| iplocation src
| eval event_time = _time
| bin _time span=4h
| stats dc(Country) AS countries, dc(City) AS cities, values(Country) AS country_list,
        values(src) AS src_list, min(event_time) AS firstTime, max(event_time) AS lastTime
        by user, _time
| eval window_minutes = (lastTime - firstTime) / 60
| where countries > 1 AND window_minutes < 240
```

The 5m inner span and the 4h outer `bin` are deliberate: grouping on a single `tstats` bucket makes `firstTime` and `lastTime` identical and `window_minutes` always 0. `iplocation` returns country and city only; an ASN-aware variant needs an ASN enrichment lookup on `src`.

## Splunk SPL — successful login after >5 failures

```spl
| tstats `summariesonly` count
    from datamodel=Authentication.Authentication
    by Authentication.user, Authentication.src, Authentication.action, _time span=1m
| `drop_dm_object_name(Authentication)`
| eval event_time = _time
| bin _time span=15m
| stats sum(eval(if(action="failure",count,0))) AS failures,
        sum(eval(if(action="success",count,0))) AS successes,
        min(eval(if(action="failure",event_time,null()))) AS first_failure,
        min(eval(if(action="success",event_time,null()))) AS first_success,
        values(src) AS src_list
        by user, _time
| where failures > 5 AND successes >= 1 AND first_success > first_failure
| sort - _time
```

`stats` rather than `eventstats` keeps one row per user and window, and the `first_success > first_failure` clause checks the ordering the rule name promises: the success has to come after failures, not merely share a bucket with them.

## Defender KQL — password spray on Entra ID

```kql
AADSignInEventsBeta
| where Timestamp > ago(7d)
// 50126 invalid credentials, 50053 account locked, 50057 account disabled, 50058 silent sign-in interrupted
| where ErrorCode in (50053, 50057, 50126, 50058)
| summarize attempts = count(),
            distinctUsers = dcount(AccountUpn),
            users = make_set(AccountUpn, 30)
            by IPAddress, bin(Timestamp, 30m)
| where distinctUsers >= 10
| order by distinctUsers desc
```

## Defender KQL — MFA fatigue / device-add anomaly

```kql
AADSignInEventsBeta
| where Timestamp > ago(30d)
| where AuthenticationRequirement == "multiFactorAuthentication"
| summarize mfaPrompts = count(),
            // 500121: strong-authentication request failed (user denied or prompt timed out)
            deniedOrTimedOut = countif(ErrorCode == 500121),
            uniqueIPs = dcount(IPAddress)
            by AccountUpn, bin(Timestamp, 1h)
| where mfaPrompts > 8
| order by mfaPrompts desc
```

A high `mfaPrompts` count with a high `deniedOrTimedOut` share is the fatigue pattern; a burst of prompts that are all approved from a new IP is the outcome you want to catch before it happens.

## Defender KQL — token replay across ASNs

```kql
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where IsInteractive == false
// The sign-in table carries no ASN column; NetworkLocationDetails and IPAddress are the
// built-in substitutes. Enrich IPAddress with an ASN lookup for true ASN comparison.
| summarize networkLocations = make_set(NetworkLocationDetails, 50),
            ips = make_set(IPAddress, 50),
            countries = make_set(Country, 50),
            sessions = count()
            by AccountUpn, SessionId
| where array_length(networkLocations) > 1
| order by sessions desc
```

## Defender KQL — new OAuth consent with high-privilege scopes

```kql
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == "Consent to application."
// ModifiedProperties is an array; expand it to reach the ConsentAction.Permissions entry
// (KQL has no JSONPath-style [?Name==...] filter)
| mv-expand Prop = RawEventData.ModifiedProperties
| where tostring(Prop.Name) == "ConsentAction.Permissions"
| extend Permissions = tostring(Prop.NewValue)
| where Permissions has_any ("Mail.ReadWrite","Files.ReadWrite.All","Directory.AccessAsUser.All",
                             "Sites.FullControl.All","User.ReadWrite.All")
| project Timestamp, AccountObjectId, AccountDisplayName, AppName = ObjectName, Permissions, IPAddress, RawEventData
| order by Timestamp desc
```
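The consent query hinges on pulling the granted scopes out of a nested `ModifiedProperties` array and matching them as whole tokens (`Mail.Read` must not match `Mail.ReadWrite`). The Python below is an added example, not code from the article or from Microsoft, that does the same extraction over constructed consent events so the matching logic can be tested outside the tenant. The event shape and the `Scope: ...` text inside `ConsentAction.Permissions` are approximations assumed for this example, not captured audit records; the scope list is the one from the query.

```python
import re

# Scopes the briefing flags as high privilege (same list as the KQL query).
HIGH_PRIVILEGE_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.AccessAsUser.All",
                         "Sites.FullControl.All", "User.ReadWrite.All"}

# Constructed consent audit events. The ModifiedProperties shape and the "Scope: ..." text
# are an approximation assumed for this example, not captured records.
SAMPLE_CONSENT_EVENTS = [
    {"ActionType": "Consent to application.", "ObjectName": "Contoso Calendar Sync",
     "AccountDisplayName": "alice", "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[] => [[ConsentType: Principal, Scope: Mail.Read offline_access openid]]"}]},
    {"ActionType": "Consent to application.", "ObjectName": "Mailbox Helper",
     "AccountDisplayName": "bob", "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[] => [[ConsentType: Principal, Scope: Mail.ReadWrite Files.ReadWrite.All offline_access]]"}]},
    # Unrelated action type, must be ignored.
    {"ActionType": "Add user.", "ObjectName": "dave", "AccountDisplayName": "admin",
     "ModifiedProperties": []},
]

# Scope value runs from "Scope:" to the next comma or closing bracket.
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def extract_scopes(event):
    """Return the set of scopes granted in one consent event (empty if none found)."""
    scopes = set()
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") != "ConsentAction.Permissions":
            continue
        for m in SCOPE_RE.finditer(prop.get("NewValue", "")):
            # Whole-token split, so Mail.Read never matches Mail.ReadWrite.
            scopes.update(m.group(1).split())
    return scopes


def find_high_privilege_consents(events):
    """Consent events whose granted scopes intersect the high-privilege list."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != "Consent to application.":
            continue
        granted = extract_scopes(ev) & HIGH_PRIVILEGE_SCOPES
        if granted:
            hits.append({"app": ev["ObjectName"], "by": ev["AccountDisplayName"],
                         "scopes": sorted(granted)})
    return hits


if __name__ == "__main__":
    for hit in find_high_privilege_consents(SAMPLE_CONSENT_EVENTS):
        print(hit)
```

Only the second event is returned: alice's `Mail.Read` grant is read-only and stays below the bar, while bob's `Mail.ReadWrite` plus `Files.ReadWrite.All` is the mailbox-and-files combination the KQL rule alerts on.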

## Why this matters for your SOC

The split of detection-engineering effort is a useful self-test: count your *endpoint detection rules* against your *identity detection rules*. If endpoint outnumbers identity by more than 5:1, your detection investment is misaligned with the actual threat landscape. The detections above are bread-and-butter: none are novel, all are high-fidelity, and most SOCs have *some but not all* of them. Run a self-audit against this list this week. The article's title is right: most adversaries don't need an exploit. They need a working set of credentials and a tolerant detection environment, and we control the second one.
