What are identity-based attacks?

By Expel team

Last updated: May 22, 2026

Identity-based attacks are cyberattacks that exploit compromised credentials, stolen tokens, or abused access privileges to infiltrate systems without triggering traditional security controls. Because attackers authenticate with valid credentials, perimeter tools, endpoint detection, and rule-based SIEMs often record the intrusion as a successful login.


Most identity incidents we saw this year (52.3%) were instances where valid credentials were stolen but attackers failed to gain account access. In these cases, the attackers were blocked by existing security controls such as conditional access policies, which restrict user login locations or require company-managed devices to log in. (Source: Expel 2026 Annual Threat Report)

Key takeaways

  • Identity-based attacks exploit valid credentials—not technical vulnerabilities—making them invisible to perimeter tools, EDR, and rule-based SIEMs
  • The seven most common types range from credential stuffing and password spraying to MFA bypass, phishing, pass-the-hash, privilege escalation, and lateral movement
  • These attacks chain together: initial credential compromise leads to MFA bypass, cloud access, lateral movement, and exfiltration in a predictable progression
  • Traditional security tools miss identity attacks because none maintain per-identity behavioral baselines—they see authentication success, not behavioral anomaly
  • ITDR detects these attacks by comparing current behavior against historical norms per account, surfacing deviations that logs alone can’t reveal

Identity-based attacks target credentials, access tokens, and authentication systems. Here are the seven most common types—how they work, how they chain together, and why they evade the tools most organizations already have in place. For the broader context on why identity has become the primary attack surface, see why identity security suddenly matters. For a deep dive on MFA bypass specifically, see how to detect MFA bypass attacks.


What are the most common types of identity-based attacks? 

Identity-based attacks vary in technique, but they share a common characteristic: they exploit authentication systems rather than technical vulnerabilities. Patching doesn’t stop them. Firewalls don’t see them. The seven most common types:

  1. Credential stuffing: Attackers use large datasets of username and password combinations (sourced from prior breaches) to attempt authentication at scale across enterprise applications. Success rate is low per attempt, but volume compensates.
  2. Password spraying: A single commonly used password is tried against many accounts simultaneously. Unlike credential stuffing, spraying avoids account lockouts by staying below per-account attempt thresholds.
  3. MFA bypass: Multifactor authentication (MFA) is circumvented through push notification fatigue, AiTM phishing, SIM swapping, or session hijacking. 
  4. Phishing and spear phishing: Targeted deception campaigns that harvest credentials directly from users. Spear-phishing targets specific individuals—executives, finance staff, IT admins—with personalized lures.
  5. Pass-the-hash/pass-the-ticket: Attackers capture hashed credentials or Kerberos tickets from memory on a compromised endpoint and use them to authenticate to other systems without needing the plaintext password. Particularly effective in Active Directory environments.
  6. Privilege escalation: After gaining initial access with a low-privilege account, attackers exploit misconfigurations, over-permissioned roles, or IAM policy gaps to elevate their access. Common in cloud environments with sprawling IAM permissions.
  7. Lateral movement via identity: Using stolen credentials, tokens, or session cookies, attackers pivot horizontally across the environment—moving from a compromised SaaS account toward cloud infrastructure, or from a workstation to a domain controller.

Diagram showing the seven most common identity-based attack types: credential stuffing, password spraying, MFA bypass, phishing, pass-the-hash, privilege escalation, and lateral movement.
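Credential stuffing and password spraying leave different footprints in failed-login telemetry: spraying spreads attempts thinly across many accounts to stay under the lockout threshold, while stuffing from a breach list tends to concentrate repeated attempts on the same accounts. The detector below is an added example, not Expel's code; the record layout, the correlation window, the lockout threshold and the spray/stuffing split are all assumed heuristics over constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-login records (not real logs): (timestamp, source_ip, account).
FAILED = (
    # one attempt each against ten accounts from one source, seconds apart
    [("2026-05-03T02:00:%02d" % i, "198.51.100.9", "user%02d" % i) for i in range(10)]
    # five attempts each against six accounts from another source
    + [("2026-05-03T02:00:%02d" % i, "203.0.113.4", "user%02d" % (i % 6)) for i in range(30)]
    # two typos by one real user: ordinary noise, should not be flagged
    + [("2026-05-03T02:00:00", "192.0.2.5", "user99"), ("2026-05-03T02:00:05", "192.0.2.5", "user99")]
)
WINDOW = timedelta(minutes=30)   # assumed correlation window per source
MIN_ACCOUNTS = 5                 # assumed: fewer distinct targets is treated as user error
LOCKOUT_THRESHOLD = 5            # assumed per-account lockout policy

def classify_sources(failed, window=WINDOW):
    """Bucket failures by source IP within one window; label the pattern by per-account volume."""
    by_src = defaultdict(list)
    for ts, src, account in failed:
        by_src[src].append((datetime.fromisoformat(ts), account))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        start = rows[0][0]
        per_account = Counter(acct for t, acct in rows if t - start <= window)
        if len(per_account) < MIN_ACCOUNTS:
            continue                       # not broad enough to be either pattern
        peak = max(per_account.values())
        # assumed heuristic: staying under the lockout threshold across many accounts
        # is the spray signature; repeated attempts per account looks like a stuffing list
        pattern = "spray-like" if peak < LOCKOUT_THRESHOLD else "stuffing-like"
        findings[src] = {"accounts": len(per_account), "peak_per_account": peak, "pattern": pattern}
    return findings
```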


How do identity attacks unfold? A real-world anatomy

Understanding attack types in isolation understates how identity attacks actually work—they chain together. A typical identity-based breach follows a predictable progression:

Stage 1: Initial access via credential compromise 

An attacker acquires valid credentials through phishing, credential stuffing from a prior breach dataset, or purchase on a dark web marketplace. They have a username and password for a real account.

Stage 2: MFA bypass or token theft 

If MFA is enabled, the attacker either bombards the user with push approval requests (MFA fatigue) until they accept, or uses AiTM phishing infrastructure to capture the session token after a legitimate MFA event—making the MFA check irrelevant.

Stage 3: Cloud or SaaS access 

With a valid session, the attacker accesses cloud-hosted applications: email, file storage, HR systems, or cloud management consoles. At this stage, all activity produces valid-looking authentication logs.

Stage 4: Lateral movement 

The attacker uses the initial access to pivot—discovering other accounts, escalating privileges, or moving from a SaaS environment toward cloud infrastructure. Service accounts and API keys are common pivot points.

Stage 5: Exfiltration or persistence 

Data is exfiltrated, ransomware is staged, or the attacker establishes persistent access through new accounts, backdoor OAuth applications, or modified MFA configurations—ensuring they can return even if the original credential is reset.

Five-stage identity attack chain diagram showing how credential theft leads to MFA bypass, cloud access, lateral movement, and exfiltration or persistent access.


Why do traditional security tools miss identity attacks?

This is the core problem identity-based attacks exploit: every major security control category has a structural blind spot at the identity layer.

| Tool | What it monitors | What it misses |
| --- | --- | --- |
| Firewall/network security | Network traffic, ports, protocols | Authenticated sessions over legitimate ports (HTTPS, API traffic) |
| EDR | Endpoint process activity, file system, memory | Cloud-only attacks with no endpoint footprint |
| SIEM | Log correlation across the environment | Behavioral baselines per identity—SIEM sees auth success, not behavioral anomaly |
| IAM/IDP | Access policy compliance, provisioning | Runtime abuse of valid, policy-compliant credentials |

When an attacker logs in with a valid credential from a slightly unusual IP at 2am on a Saturday, the firewall sees HTTPS traffic. EDR has nothing to report if the attack is cloud-only. The SIEM logs an authentication success event. The IAM system confirms the account is in policy. Only a tool with behavioral baselines specific to that identity—ITDR—can surface that this access pattern is anomalous for this account.

For a deeper look at how ITDR addresses the gaps in existing tools, see ITDR vs. SIEM: what’s the difference? 


How does ITDR detect identity-based attacks?

ITDR detects identity-based attacks by establishing behavioral baselines per identity and flagging deviations that correlate with known attack patterns. The detection signals vary by attack type, but the underlying approach is consistent: compare current behavior against historical norms for this account, in this environment, at this time.

Key ITDR detection signals:

  • Impossible travel: Authentication from two geographically distant locations within an impossible timeframe
  • New device or ASN enrollment: First-time authentication from an unrecognized device or network block
  • Anomalous access scope: An account accessing resources it has never accessed before, particularly high-sensitivity systems
  • Off-hours authentication: Login activity outside the account’s established patterns, particularly when followed by privilege use
  • MFA anomalies: Multiple MFA push rejections followed by an approval; MFA method changes; new authenticator enrollment
  • Service account deviation: API calls from service accounts at unusual times, volumes, or to unexpected endpoints
  • Rapid privilege changes: Role assignments or group membership changes outside normal change management windows
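Three of these signals (new ASN, impossible travel, and the push-rejections-then-approval pattern) can be computed from a single ordered stream of sign-in events once a per-user baseline is kept. The detector below is an added example, not Expel's ITDR logic; the event layout, the ASN and coordinate fields, the 900 km/h travel ceiling and the three-deny fatigue threshold are assumptions, and the events are constructed.

```python
import math
from collections import defaultdict
from datetime import datetime
# Constructed sample sign-ins for one user (not real telemetry). Field layout is assumed:
# (timestamp, user, asn, lat, lon, mfa_result) with mfa_result in {"approve", "deny", None}.
EVENTS = [
    ("2026-05-02T09:00:00", "alice", "AS64500", 47.6, -122.3, "approve"),  # usual network
    ("2026-05-09T08:55:00", "alice", "AS64500", 47.6, -122.3, "approve"),  # usual network
    ("2026-05-09T09:30:00", "alice", "AS64501", 52.5, 13.4, "deny"),       # unknown ASN, far away
    ("2026-05-09T09:31:00", "alice", "AS64501", 52.5, 13.4, "deny"),
    ("2026-05-09T09:32:00", "alice", "AS64501", 52.5, 13.4, "deny"),
    ("2026-05-09T09:33:00", "alice", "AS64501", 52.5, 13.4, "approve"),    # user finally taps approve
]
MAX_SPEED_KMH = 900   # assumed ceiling for plausible travel between two completed sign-ins
FATIGUE_DENIES = 3    # assumed: this many rejected pushes before an approval is suspicious

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect(events):
    """Replay sign-ins in time order, building a per-user baseline and emitting signals."""
    seen_asn = defaultdict(set)   # network blocks this user has been seen from before
    last_ok = {}                  # last completed sign-in per user: (time, lat, lon)
    deny_streak = defaultdict(int)
    signals = []
    for ts, user, asn, lat, lon, mfa in sorted(events):
        t = datetime.fromisoformat(ts)
        if seen_asn[user] and asn not in seen_asn[user]:   # new ASN, reported once per block
            signals.append((user, ts, "new ASN %s" % asn))
        seen_asn[user].add(asn)
        if mfa == "deny":
            deny_streak[user] += 1
            continue
        if deny_streak[user] >= FATIGUE_DENIES:           # approval after a run of rejections
            signals.append((user, ts, "%d MFA denies then approve" % deny_streak[user]))
        deny_streak[user] = 0
        if user in last_ok:
            t0, lat0, lon0 = last_ok[user]
            hours = (t - t0).total_seconds() / 3600
            km = haversine_km(lat0, lon0, lat, lon)
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                signals.append((user, ts, "impossible travel: %.0f km in %.1f h" % (km, hours)))
        last_ok[user] = (t, lat, lon)
    return signals
```

Each signal on its own is weak evidence; the ordering matters, which is why the replay reports the new ASN first, then the fatigue pattern and the implausible distance on the very sign-in that completed.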

Expel’s identity threat detection operates 24×7 across cloud IAM, SaaS, and on-premises directory telemetry—catching these signals in real time and escalating confirmed identity attacks for analyst-led response.


Expel’s take

The most revealing data point from Expel’s 2026 Annual Threat Report on identity attacks isn’t how many succeeded—it’s how many were stopped: 52.3% of identity incidents we investigated were cases where credentials were stolen but existing controls (conditional access policies, device compliance requirements) blocked the access attempt. That means attackers are acquiring valid credentials at scale and testing them constantly. The organizations that stopped those attempts weren’t more secure because they detected the attack—they were more secure because conditional access made the stolen credential insufficient on its own. Detection catches what those controls miss.


Frequently asked questions

What are identity-based attacks? 

Identity-based attacks exploit compromised credentials, stolen session tokens, or abused access privileges to infiltrate systems while appearing as legitimate users. Because they authenticate with valid credentials, they bypass perimeter controls, endpoint detection, and rule-based monitoring tools.

What are the most common types of identity-based attacks? 

The seven most common types are: credential stuffing, password spraying, MFA bypass (including push bombing and AiTM phishing), phishing and spear phishing, pass-the-hash or pass-the-ticket attacks, privilege escalation, and lateral movement via stolen identity credentials or tokens.

Why do traditional tools miss identity-based attacks? 

Firewalls monitor network traffic; EDR monitors endpoint processes; SIEM correlates logs. None establish per-identity behavioral baselines. When an attacker uses valid credentials, all three tools see expected, policy-compliant activity. Only a tool with behavioral baselines per identity—like ITDR—can detect the anomaly.

How does ITDR detect identity attacks? 

ITDR establishes behavioral baselines per account and flags deviations correlated with attack patterns: impossible travel, new device enrollment, off-hours access, MFA anomalies, anomalous API activity, rapid privilege changes, and access to resources the account has never previously touched.