Credential Theft Techniques Targeting Microsoft Environments
Attackers are increasingly leveraging advanced credential theft techniques to compromise Microsoft-based environments, with a focus on identity-first intrusions and abuse of authentication protocols. Kerberoasting attacks have resurged, exploiting legacy RC4 encryption in Kerberos to crack service account passwords, as seen in the Ascension Health ransomware incident. These attacks are facilitated by weak password policies and the continued use of outdated encryption, allowing threat actors to obtain domain administrator credentials and move laterally within networks. The prevalence of credential-based intrusions is underscored by threat intelligence reports indicating that identity attacks are now the leading entry point for breaches.
Simultaneously, authentication coercion attacks are evolving, enabling adversaries to force Windows systems to authenticate to attacker-controlled infrastructure without user interaction. Techniques such as exploiting rarely monitored RPC interfaces and tools like PetitPotam (CVE-2021-36942) have been observed in real-world incidents, targeting critical assets like Domain Controllers. Additionally, threat actors are abusing OAuth consent, device code flow, and service principal credential manipulation to maintain persistent, stealthy access to cloud and SaaS platforms, often pivoting from on-premises exploits to Microsoft 365 environments. Organizations are advised to implement robust monitoring, enforce strong authentication policies, and phase out legacy protocols to mitigate these threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
AlphaHunt publishes analysis on 'Typhoon by Consent' activity
AlphaHunt published reporting on activity described as 'Typhoon by Consent: Quiet, Durable, Everywhere,' indicating continued public analysis of the Typhoon threat cluster and its persistence methods.
BlackFog documents resurgence of Kerberoasting in 2024–2025
BlackFog published an analysis stating that Kerberoasting had resurged across 2024–2025 due to legacy RC4 encryption, weak service account passwords, and overlooked high-privilege service accounts in Microsoft Active Directory environments.
Researchers highlight continued evolution of authentication coercion attacks
Palo Alto Networks Unit 42 published research describing how authentication coercion techniques continue to evolve, indicating ongoing attacker innovation around coercing systems into authenticating to adversary-controlled endpoints.
IBM reports widespread credential abuse in 2024 intrusions
IBM’s 2025 X-Force Threat Intelligence Index reported that 30% of intrusions in 2024 involved stolen or abused credentials, underscoring the scale of credential-based attack techniques such as Kerberoasting.
Ascension Health ransomware breach involves Kerberoasting technique
In May 2024, attackers in the Ascension Health ransomware incident reportedly exploited RC4-encrypted Kerberos service tickets to compromise privileged accounts, illustrating the real-world impact of Kerberoasting in Active Directory environments.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
You Thought It Was Over? Authentication Coercion Keeps Evolving
unit42.paloaltonetworks.com
Open sourceKerberoasting Attack Explained: Example And Prevention Guide
blackfog.com
Open sourceTyphoon by Consent: Quiet, Durable, Everywhere
blog.alphahunt.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Credential Theft and Identity-Based Intrusions Surge Across Enterprises
**Credential compromise** and identity abuse are increasing as attackers rely more on stolen logins, session artifacts, and phishing rather than noisy exploitation alone. Recorded Future reported a sharp rise in exposed credentials during 2025, including nearly **2 billion** credentials indexed from malware combo lists, with the second half of the year up **50%** over the first and Q4 up **90%** over Q1. The trend is being driven by the industrialization of **infostealer malware**, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, while weak identity governance continues to expand the attack surface. A separate survey of UK organizations found **77%** fail to promptly disable former employees' accounts, **34%** grant overly broad access, and many still use manual processes such as spreadsheets for account validation, creating persistent opportunities for unauthorized access. A targeted phishing attempt against **Outpost24** illustrates how these identity-focused attacks are being operationalized against even security vendors. Attackers used a convincing fake JP Morgan email, valid **DKIM** authentication via Amazon SES infrastructure, and a **seven-stage redirect chain** leveraging trusted brands including Cisco to steer a C-suite executive toward a Microsoft Office credential-harvesting page while evading email defenses. The broader threat environment shows the same shift toward access abuse and stealthier post-compromise tradecraft: Google Threat Intelligence Group found ransomware actors increasingly favor native Windows tools over **Cobalt Strike**, with data theft present in **77%** of incidents and exploitation of VPNs and firewalls still common for initial access. Together, the reporting shows attackers are increasingly **logging in rather than breaking in**, then using legitimate access and built-in tools to deepen compromise and extort victims.
Apr 24, 2026
Recent Surge in Infostealer and Credential Theft Tactics
Threat actors have significantly escalated the use of information-stealing malware and credential theft techniques, leveraging new methods to bypass traditional security controls and exploit human vulnerabilities. Flashpoint reports an 800% increase in infostealer-driven credential theft in 2025, with over 1.8 billion accounts compromised globally. Attackers are neutralizing Windows' Mark of the Web (MotW) protections using drag-and-drop lures, exploiting vulnerabilities, and targeting alternative software to evade detection. The rise of session token theft is also enabling attackers to bypass multi-factor authentication (MFA), as tokens stored in browsers are increasingly targeted and sold on underground markets, often escaping detection by network-focused security tools. The evolving threat landscape is further complicated by the proliferation of infostealer malware, which has become a primary entry point for enterprise breaches. Security experts emphasize the need for organizations to look beyond malware signatures and focus on deceptive initial access vectors, such as malicious scripts, third-party supply chain risks, and user manipulation. Effective defense now requires monitoring browser behavior, treating client-side security as a core responsibility, and understanding the full identity attack surface to counteract these sophisticated evasion tactics.
Mar 21, 2026
Microsoft Reports Surge in Identity-Based Attacks Driven by Infostealers
Microsoft has reported a significant increase in identity-based cyberattacks, with a 32% rise in such incidents during the first half of 2025. The company’s annual threat assessment highlights a shift in attacker tactics, with hackers increasingly using stolen credentials obtained through infostealers or from large-scale data breaches to gain initial access to systems. Malware families such as Lumma Stealer, RedLine, Vidar, Atomic Stealer, and Raccoon Stealer, traditionally used after initial compromise, are now being deployed as first-stage payloads, making credential theft a foundational component of modern cybercrime campaigns. This evolution in attack methodology has led to greater specialization within the cybercrime ecosystem, with distinct roles for initial access brokers, credential sellers, and ransomware operators who leverage stolen credentials for extortion. Microsoft also noted its collaboration with federal authorities to disrupt infostealer infrastructure, such as the Lumma Stealer network, though threat actors have demonstrated resilience by quickly reestablishing operations. The report underscores the growing threat posed by identity compromise and the need for organizations to strengthen credential management and detection capabilities.
Mar 21, 2026