Introduction: The Credential Attack Lifecycle Has Evolved
Credential attacks have quietly become one of the most effective initial access techniques used against enterprises today, not because attackers are exceptionally sophisticated, but because organizations continue to underestimate how exposed their credentials already are. Traditional credential attacks relied heavily on brute-force attempts and noisy password guessing. Today’s credential operations combine dark web intelligence gathering, credential stuffing, password spraying, session hijacking, MFA fatigue attacks and reverse-proxy phishing, among other techniques.
Across multiple Red Teaming engagements that SISA conducted between late 2024 and early 2026, one pattern consistently emerged: Attackers did not exploit vulnerabilities first. They authenticated first.
These findings reveal a larger reality many organizations still fail to address: The identity perimeter has already expanded beyond the enterprise.
What SISA’s Red Team Found During Credential Attack Simulations
1. MFA Was Missing on Business-Critical Applications
One of the most consistent findings across engagements was the absence of MFA enforcement on critical, externally exposed systems, including VPN portals, HRMS applications, helpdesk platforms, productivity tools and ERP systems. In several cases, weak password hygiene compounded the problem. One employee password identified during testing was simply the company name followed by the current year.
Defensive priorities
- Enforce phishing-resistant MFA such as FIDO2 or passkeys across all externally accessible systems
- Implement conditional access policies tied to managed devices and trusted geolocations
- Detect anomalous login behavior based on user history
- Introduce smart lockout and progressive authentication throttling
2. Password Spraying Continues to Work at Scale
SISA’s Red Team observed organizations using highly predictable password conventions such as CompanyName@2025, CityName@2025 and/or OrganizationName123. Using Kerbrute and custom automation scripts against ADFS, LDAP, and greytHR endpoints, SISA’s Red Team compromised 350+ domain accounts (including 2 Domain Admin accounts) in one engagement, and 1,531 accounts in another environment. In multiple cases, no lockout policy triggered despite repeated authentication attempts.
Defensive priorities
- Block organization-specific password patterns using Azure AD Password Protection or equivalent controls
- Implement smart lockout thresholds across all authentication services
- Detect distributed failed logins across multiple usernames from a single source IP
- Continuously monitor dark web breach sources for exposed organizational credentials
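The first defensive priority above, blocking organization-specific password patterns, can be checked at password-set time before a weak value ever reaches the directory. The following is an added example written for this article, not SISA's tooling and not Azure AD Password Protection itself; it uses a scoring rule of the same spirit (a banned term counts as one point however long it is, so CompanyName@2025 scores as if it were three characters). The banned terms, the leet substitutions and the minimum score of 5 are assumptions chosen for the example.

```python
import re

# Constructed banned-term list for a hypothetical organisation: company name,
# office cities and a few universal weak words. Assumed values, not from the page.
BANNED_TERMS = ["examplecorp", "example", "mumbai", "bengaluru", "password", "welcome"]

# Reverse the substitutions users typically apply, so "Ex@mpleC0rp" normalises to "examplecorp".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e",
                      "$": "s", "5": "s", "4": "a", "7": "t"})

YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def normalize(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(LEET)


def score_password(password: str, banned=BANNED_TERMS):
    """Score a candidate password.

    Each banned term found counts as a single point no matter how long it is,
    each four-digit year counts as a single point, and every other character
    counts as one point. A password built as <company>@<year> therefore scores
    only 2 or 3 points even though it looks long and "complex".
    Returns (score, banned_terms_found, years_found).
    """
    lowered = password.lower()
    # Pull years out before leet-normalising: the "0" -> "o" substitution would otherwise hide "2025".
    years = YEAR_RE.findall(lowered)
    remaining = YEAR_RE.sub(" ", lowered).translate(LEET)
    found = []
    for term in sorted(banned, key=len, reverse=True):  # longest term first so "examplecorp" beats "example"
        if term in remaining:
            found.append(term)
            remaining = remaining.replace(term, " ")
    leftover = remaining.replace(" ", "")
    return len(found) + len(years) + len(leftover), found, years


def is_acceptable(password: str, banned=BANNED_TERMS, min_score: int = 5) -> bool:
    """Reject any password whose score falls below min_score."""
    score, _, _ = score_password(password, banned)
    return score >= min_score


if __name__ == "__main__":
    for candidate in ["ExampleCorp@2025", "Mumbai@2025", "ExampleCorp123", "talc-river!bridge-92"]:
        score, found, years = score_password(candidate)
        verdict = "accept" if is_acceptable(candidate) else "reject"
        print(f"{candidate:<22} score={score:<3} banned={found} years={years} -> {verdict}")
```

The same check belongs in whatever service resets passwords (self-service portal, helpdesk tooling, directory password filter), since a policy that only the SOC knows about does not stop the next CityName@2026.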
3. Reverse-Proxy Phishing Is Rendering Traditional MFA Insufficient
One of the most concerning findings across recent engagements involved reverse-proxy phishing frameworks such as Evilginx. Attackers deployed phishing infrastructure that transparently proxied legitimate O365 and Mattermost authentication sessions. Victims authenticated successfully, including MFA validation. However, the attacker captured credentials, session cookies and authentication tokens, enabling full session hijacking without needing to re-trigger MFA. In one engagement, SISA’s assessment revealed that attackers maintained access for more than 20 days while remaining undetected, which allowed them to access sensitive information such as credit card data, IBAN records, VPN SOP documentation and backup authentication codes.
Defensive priorities
- Adopt phishing-resistant MFA using hardware-bound authentication
- Enforce conditional access tied to compliant devices
- Detect token reuse from unexpected locations or IPs
- Reduce session lifetime persistence
- Implement anomaly-based session revocation
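The last three priorities (token reuse detection, shorter session lifetime, anomaly-based revocation) come together in a session-integrity monitor. The following is an added example for this article, not SISA's or any vendor's code: each session identifier is bound to the country and IP it was first seen from, a replay from another country is revoked outright (this is what a cookie captured by a reverse proxy looks like when it is replayed from attacker infrastructure), an IP change inside the same country only raises an alert, and absolute and idle lifetimes are enforced. The 8-hour and 30-minute limits and the TEST-NET addresses are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SessionEvent:
    session_id: str   # opaque identifier for the cookie/token (never the raw value)
    user: str
    ip: str
    country: str
    ts: datetime


@dataclass
class SessionState:
    user: str
    ip: str
    country: str
    first_seen: datetime
    last_seen: datetime


class SessionIntegrityMonitor:
    """Bind each session to where it was issued and revoke it on signs of replay."""

    def __init__(self, max_lifetime=timedelta(hours=8), idle_timeout=timedelta(minutes=30)):
        self.max_lifetime = max_lifetime    # assumed absolute lifetime
        self.idle_timeout = idle_timeout    # assumed idle limit
        self.sessions: dict[str, SessionState] = {}
        self.revoked: dict[str, str] = {}   # session_id -> reason

    def revoke(self, session_id: str, reason: str) -> str:
        self.sessions.pop(session_id, None)
        self.revoked[session_id] = reason
        return "revoked: " + reason

    def observe(self, ev: SessionEvent) -> str:
        """Evaluate one request carrying a session identifier; return the decision."""
        if ev.session_id in self.revoked:
            return "rejected: " + self.revoked[ev.session_id]
        st = self.sessions.get(ev.session_id)
        if st is None:
            # First sight of this session: record the binding it must keep.
            self.sessions[ev.session_id] = SessionState(ev.user, ev.ip, ev.country, ev.ts, ev.ts)
            return "ok: new session"
        if ev.ts - st.first_seen > self.max_lifetime:
            return self.revoke(ev.session_id, "absolute lifetime exceeded")
        if ev.ts - st.last_seen > self.idle_timeout:
            return self.revoke(ev.session_id, "idle timeout")
        if ev.country != st.country:
            # Same token, different country: treat as replay of a stolen cookie.
            return self.revoke(ev.session_id, f"token reuse from {ev.country} (bound to {st.country})")
        st.last_seen = ev.ts
        if ev.ip != st.ip:
            # Mobile carriers rotate addresses, so an in-country IP change is alerted, not revoked.
            return f"alert: ip changed {st.ip} -> {ev.ip}"
        return "ok"


if __name__ == "__main__":
    # Constructed sequence: a legitimate session, then the same cookie replayed from abroad.
    mon = SessionIntegrityMonitor()
    t0 = datetime(2025, 3, 4, 9, 0, 0)
    for ev in [
        SessionEvent("s1", "alice", "203.0.113.10", "IN", t0),
        SessionEvent("s1", "alice", "203.0.113.10", "IN", t0 + timedelta(minutes=5)),
        SessionEvent("s1", "alice", "198.51.100.7", "DE", t0 + timedelta(minutes=6)),
        SessionEvent("s1", "alice", "198.51.100.7", "DE", t0 + timedelta(minutes=7)),
    ]:
        print(ev.ts.time(), ev.ip, ev.country, "->", mon.observe(ev))
```

In production the country comes from a GeoIP lookup on the request, and the revoke step would also invalidate refresh tokens at the identity provider; the monitor only decides, it does not itself terminate the session.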
4. GitHub and Source Code Repositories Continue to Leak Secrets
Credential exposure is no longer limited to users. Developers increasingly expose secrets directly through source code repositories, CI/CD pipelines, and application responses. These leaks provide direct access into cloud environments without requiring endpoint compromise or credential theft. Across multiple engagements, SISA uncovered exposed secrets in public repositories, including AWS IAM keys, SMTP credentials, database connection strings, JWT signing secrets, MongoDB and PostgreSQL credentials, and embedded API tokens. In one case, an active AWS key was exposed directly inside an HTTP response.
Defensive priorities
- Implement automated secret scanning in CI/CD pipelines
- Use pre-commit hooks to block credential exposure before code pushes
- Centralize secret management through vaulting platforms
- Conduct continuous GitHub and OSINT monitoring for exposed assets
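A minimal version of the first two priorities (secret scanning that can run as a pre-commit hook) looks like the following. This is an added example, not SISA's scanner and not a substitute for a maintained tool; the AWS access key ID and PEM header patterns are the publicly documented formats, the connection-string and assigned-secret rules are heuristics chosen for this example, and the sample file content is constructed (the AKIA value is AWS's own documentation placeholder). Findings are masked so the hook never echoes a secret into CI logs.

```python
import re
import subprocess
import sys

# Detection rules: (name, compiled regex). Capturing group 1, where present, is the secret value.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("db_connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mongodb(?:\+srv)?|mysql|redis|amqp)://[^\s:/]+:[^\s@]+@")),
    ("assigned_secret",
     re.compile(r"(?i)\b[A-Z_]*(?:secret|token|passw(?:or)?d|api[_-]?key)[A-Z_]*\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
]

# Constructed sample file for the demonstration; none of these are real credentials.
SAMPLE_FILE = """# constructed sample, not a real config
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgres://app:hunter2pass@db.internal:5432/prod
JWT_SECRET = "s3cr3t-signing-key-change-me"
mongodb+srv://svc:Pa55word@cluster0.example.net/app
LOG_LEVEL=debug
"""


def mask(value: str) -> str:
    """Keep just enough of the match to locate it, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path: str, text: str):
    """Return one finding per (line, rule) match in the given file content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                secret = m.group(1) if m.groups() and m.group(1) else m.group(0)
                findings.append({"path": path, "line": lineno, "rule": name, "preview": mask(secret)})
    return findings


def scan_staged() -> list:
    """Scan the files staged for commit (assumed to be run from inside a git working tree)."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.split()
    findings = []
    for name in names:
        content = subprocess.run(["git", "show", f":{name}"], capture_output=True, text=True).stdout
        findings.extend(scan_text(name, content))
    return findings


if __name__ == "__main__":
    # With "--staged" act as a pre-commit hook; otherwise scan the constructed sample.
    results = scan_staged() if "--staged" in sys.argv else scan_text("config.env", SAMPLE_FILE)
    for f in results:
        print(f"{f['path']}:{f['line']} {f['rule']} {f['preview']}")
    sys.exit(1 if results else 0)   # a non-zero exit blocks the commit
```

Because a secret removed in a later commit is still recoverable from history, the response step for a confirmed leak is to rotate the credential, not to rewrite the repository; the scanner's job is only to stop the next one from being pushed.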
SOC Playbook: Credential Attack Detection & Response
Credential attacks often appear as legitimate user activity in the early stages, making them difficult to detect through traditional perimeter-focused monitoring alone. The key is identifying subtle identity and authentication anomalies before attackers establish persistence or move laterally across applications and cloud environments.
Based on patterns observed during SISA’s Red Team engagements, security teams should prioritize detection and response actions around credential misuse, session abuse, and abnormal authentication behavior.
Detection Priorities
Security teams should continuously monitor for:
- Successful logins from countries or IPs not associated with a user’s historical behavior
- Distributed failed logins across multiple accounts from a single source
- Kerberos enumeration activity and abnormal AS-REQ patterns
- AWS CloudTrail events originating from unexpected regions
- Unauthorized mailbox forwarding rule creation
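Two of the detections above, distributed failed logins from a single source and successful logins from a country outside a user's history, can be written as a few lines of logic over authentication logs. The following is an added example, not SISA's detection content: the log line format, the per-user country baseline, the 10-minute window and the threshold of 5 distinct usernames are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: one authentication attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+) country=(?P<country>\S+)$"
)

# Constructed sample: six different accounts fail from one address within seconds,
# one user fails then succeeds normally, and a later success for alice comes from a new country.
SAMPLE_LOG = """
2025-03-04T09:00:01Z src=203.0.113.5 user=alice result=FAIL country=IN
2025-03-04T09:00:02Z src=203.0.113.5 user=bob result=FAIL country=IN
2025-03-04T09:00:03Z src=203.0.113.5 user=carol result=FAIL country=IN
2025-03-04T09:00:04Z src=203.0.113.5 user=dave result=FAIL country=IN
2025-03-04T09:00:05Z src=203.0.113.5 user=erin result=FAIL country=IN
2025-03-04T09:00:06Z src=203.0.113.5 user=frank result=FAIL country=IN
2025-03-04T09:05:00Z src=203.0.113.9 user=bob result=FAIL country=IN
2025-03-04T09:06:00Z src=203.0.113.9 user=bob result=SUCCESS country=IN
2025-03-04T10:15:00Z src=198.51.100.7 user=alice result=SUCCESS country=DE
"""

# Constructed per-user baseline of countries seen in historical successful logins.
BASELINE = {"alice": {"IN"}, "bob": {"IN"}}


def parse(lines):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Alert on a source IP whose failures span >= min_users distinct usernames inside one window.

    Per-account lockout never fires on a spray because each account sees one attempt,
    which is why the count is of distinct users per source, not attempts per user.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(fails):
            start = ev["ts"] - window
            users = {f["user"] for f in fails[: i + 1] if f["ts"] >= start}
            if len(users) >= min_users:
                alerts.append({"type": "password_spray", "src": src,
                               "distinct_users": len(users), "at": ev["ts"]})
                break  # one alert per source is enough
    return alerts


def detect_new_country(events, baseline):
    """Alert on a successful login from a country absent from the user's baseline."""
    return [
        {"type": "new_country_login", "user": ev["user"], "src": ev["src"],
         "country": ev["country"], "at": ev["ts"]}
        for ev in events
        if ev["result"] == "SUCCESS" and ev["country"] not in baseline.get(ev["user"], set())
    ]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.strip().splitlines())
    for alert in detect_spray(evs) + detect_new_country(evs, BASELINE):
        print(alert)
```

The spray rule deliberately counts distinct usernames per source rather than failures per account, which is exactly the blind spot that lets a low-and-slow spray stay under per-account lockout thresholds; in a SIEM the same logic is a count-distinct over a time bucket grouped by source address.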
Response Priorities
When credential compromise is suspected:
- Immediately revoke active sessions and force MFA re-enrollment
- Initiate a dark web credential check for the compromised domain and rotate all matching passwords
- Preserve forensic evidence before resetting credentials: export sign-in logs and mail access history
- Block source IP, notify user, and review activity logs for the previous 30 days
- Investigate mailbox access history and forwarding rules
- For GitHub leaks, immediately rotate all exposed keys/tokens and check git history for deleted secrets
Final Perspective
Credential attacks are no longer low-sophistication threats. They are operationally mature, highly scalable, and increasingly difficult to distinguish from legitimate user activity. The findings from SISA’s Red Teaming engagements reinforce a critical reality: Organizations still defend infrastructure as if the perimeter is the network, but attackers now target identities, sessions, SaaS ecosystems, APIs, and exposed secrets instead.
This changes how enterprises must think about security operations. Organizations must move toward continuous identity exposure management that combines dark web monitoring, behavioural authentication analytics, phishing-resistant identity systems, session integrity monitoring and proactive threat hunting. Because in modern enterprise environments, identity has become the new perimeter.
