hack3rs.ca network-security
/threats/phishing-and-credential-theft :: AV-01

analyst@hack3rs:~/threats$ open phishing-and-credential-theft

AV-01 · Phishing and credential theft

Email phishing, credential harvesting, MFA fatigue, and session theft remain common entry paths into networks because they target people and identity workflows, not just software flaws.

$ action: Use MFA, phishing-resistant sign-in where possible, conditional access, and fast account lock / reset playbooks.

1. Why This Attack Vector Persists

Phishing and credential theft remain effective because they target the identity layer of security. Even in well-patched environments, users still need to authenticate, approve prompts, click links, and recover accounts. Attackers take advantage of that normal behavior.

This category includes more than classic phishing emails. It also includes credential harvesting pages, MFA fatigue attacks, token/session theft, and social engineering designed to push users into approving malicious access.

Defenders should treat identity workflows as critical infrastructure. A strong firewall or endpoint tool does not fully protect an organization if identity controls, user awareness, and account recovery workflows are weak.

2. What Defenders Should Monitor

Look for unusual authentication patterns: impossible travel, repeated failed sign-ins followed by success, new device sign-ins, abnormal MFA prompt volumes, unusual IP ranges, and suspicious session creation or token reuse.

Email and web telemetry also matter. Track suspicious login pages, redirects to lookalike domains, and user reports of prompts they did not initiate. Fast user reporting often gives defenders the earliest signal.

Correlate identity provider logs, email security logs, VPN/SSO logs, and endpoint/browser telemetry. A single signal may be ambiguous, but combined evidence often reveals a clear credential theft attempt.

3. Defensive Response and Prevention

Prioritize phishing-resistant authentication where possible (for example, strong MFA methods resistant to push fatigue and phishing). Add conditional access controls that evaluate device posture, location, and risk signals before granting access.

Build fast account lock, session revocation, password reset, and user communication playbooks. Speed matters: a credential theft event often becomes a larger incident only because defenders respond too slowly.

Teach users what real prompts, login pages, and recovery flows look like. Security awareness is stronger when it is tied to real systems and workflows people actually use every day.

detection-signals

  • $Unusual sign-in attempts followed by a successful login from a new IP, ASN, or geography.
  • $Repeated MFA prompts or rapid MFA denials/approvals (MFA fatigue pattern).
  • $New device registration or session creation shortly after suspicious email clicks.
  • $Login to high-value apps from unmanaged devices or unusual user agents.
  • $User reports of prompts they did not initiate or lookalike login pages.
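The first two signals above (failures followed by a success from a new IP, and an MFA push burst) as an added example that is not part of the original page: it runs over constructed sign-in log lines in an assumed `user= ip= event=` key-value format, and the window and threshold values are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log in an assumed format (not any real product's):
#   "<ISO time> user=<u> ip=<ip> event=<login_fail|login_ok|mfa_push>"
# bob: three failures then a success from an IP never seen for him; alice: five pushes in two minutes.
SAMPLE_LOG = """
2024-05-01T09:00:00 user=bob ip=203.0.113.7 event=login_fail
2024-05-01T09:00:20 user=bob ip=203.0.113.7 event=login_fail
2024-05-01T09:00:45 user=bob ip=203.0.113.7 event=login_fail
2024-05-01T09:01:10 user=bob ip=203.0.113.7 event=login_ok
2024-05-01T09:30:00 user=alice ip=203.0.113.9 event=mfa_push
2024-05-01T09:30:30 user=alice ip=203.0.113.9 event=mfa_push
2024-05-01T09:31:00 user=alice ip=203.0.113.9 event=mfa_push
2024-05-01T09:31:30 user=alice ip=203.0.113.9 event=mfa_push
2024-05-01T09:32:00 user=alice ip=203.0.113.9 event=mfa_push
"""

def parse(text):
    # One dict per line, sorted by time so the detectors see events in order.
    events = []
    for line in text.strip().splitlines():
        ts, *kv = line.split()
        events.append({**dict(p.split("=", 1) for p in kv), "time": datetime.fromisoformat(ts)})
    return sorted(events, key=lambda e: e["time"])

def fail_then_success(events, window=timedelta(minutes=10), min_fails=3):
    # Alert when a success follows >= min_fails failures in the window; last field = success IP new for user?
    known_ips, fails, alerts = defaultdict(set), defaultdict(list), []
    for e in events:
        u = e["user"]
        if e["event"] == "login_fail":
            fails[u].append(e["time"])
        elif e["event"] == "login_ok":
            recent = [t for t in fails[u] if e["time"] - t <= window]
            if len(recent) >= min_fails:
                alerts.append((u, e["ip"], len(recent), e["ip"] not in known_ips[u]))
            known_ips[u].add(e["ip"])
            fails[u].clear()  # failures before a success should not count again
    return alerts

def mfa_fatigue(events, window=timedelta(minutes=5), threshold=5):
    # Sliding window: flag a user once >= threshold pushes land inside the window.
    pushes, flagged = defaultdict(list), set()
    for e in (x for x in events if x["event"] == "mfa_push"):
        u = e["user"]
        pushes[u] = [t for t in pushes[u] if e["time"] - t <= window] + [e["time"]]
        if len(pushes[u]) >= threshold:
            flagged.add(u)
    return sorted(flagged)
```

The `new IP` flag is what turns an ambiguous failure burst into the combined evidence described above; a success from an already-known IP with the same burst is still worth a look but ranks lower.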

telemetry-sources

  • $Identity provider / SSO sign-in logs (success/failure, MFA events, device trust, risk scoring).
  • $Email security gateway logs and user-reported phishing messages.
  • $Web proxy / DNS logs for lookalike domains and suspicious redirects.
  • $Endpoint/browser telemetry for suspicious sign-in pages and token/session artifacts.
  • $VPN / remote access logs to correlate post-authentication behavior.

recommended-tools-and-guides

lab-safe-detection-workflows

These commands are for learning, validation, and defensive triage in your own lab or authorized environment. Adapt to your tooling and log locations.

Quick DNS / URL triage (lab or approved proxy logs)

grep -Ei "login|signin|mfa" /var/log/proxy/access.log | tail -n 50 || true
tshark -r sample-phish.pcap -Y dns -T fields -e frame.time -e ip.src -e dns.qry.name
tshark -r sample-phish.pcap -Y http.request -T fields -e ip.src -e http.host -e http.request.uri

$ why: Use packet/proxy evidence to validate where a user was sent and which domains or hosts were contacted.
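Added example (not part of the original page) that extends the DNS triage above to the lookalike-domain check named under telemetry-sources: it scores the `dns.qry.name` column against a constructed list of protected domains, flagging a brand name carried under another registrable domain and confusable or typo variants of its label. The protected list, sample lines and registrable-domain split are assumptions, the last one a simplification noted in the code.

```python
# Constructed list of domains the organization wants to protect (substitute your own).
PROTECTED = ["example-sso.com", "corp-mail.example"]
# Constructed DNS triage lines in the column layout of the tshark command above
# (frame.time, ip.src, dns.qry.name), tab-separated; not real captures.
SAMPLE_DNS = """\
May  1, 2024 09:01:02\t10.0.0.5\texample-sso.com
May  1, 2024 09:01:03\t10.0.0.5\tcdn.example-sso.com
May  1, 2024 09:04:10\t10.0.0.7\texamp1e-sso.com
May  1, 2024 09:04:11\t10.0.0.7\texample-sso.com.login-verify.net
May  1, 2024 09:05:00\t10.0.0.9\texarnple-sso.com
"""

def normalize(label):
    # Fold common visual confusables so "examp1e" and "exarnple" compare as "example".
    for old, new in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")):
        label = label.replace(old, new)
    return label.lower()

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Simplification: last two labels. Real eTLD+1 needs the public suffix list.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify(host):
    # legit = protected domain itself (any subdomain); lookalike = brand name carried
    # by another registrable domain, or a confusable/typo variant of its label.
    reg, labels = registrable(host), host.lower().split(".")
    if reg in PROTECTED:
        return ("legit", reg, None)
    for brand in PROTECTED:
        sld = brand.split(".")[0]
        if brand in host.lower() or sld in labels:
            return ("lookalike", brand, "brand-in-other-domain")
        if levenshtein(normalize(reg.split(".")[0]), normalize(sld)) <= 1:
            return ("lookalike", brand, "confusable-or-typo")
    return ("unrelated", None, None)

def triage(text):
    # One (src, qname, brand, reason) tuple per lookalike query, in log order.
    rows = [line.split("\t") for line in text.strip().splitlines()]
    return [(src, q) + classify(q)[1:] for _, src, q in rows if classify(q)[0] == "lookalike"]
```

Pair each hit with the matching `http.request` line from the second tshark command to confirm whether the user actually reached a login page on that host.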

Authentication log review workflow (generic Linux/forwarded logs)

journalctl --since "-2h" | grep -Ei "auth|login|mfa|sso|token" | tail -n 100
grep -Ei "failed|success|mfa|token" /var/log/auth.log | tail -n 80 || true
printf "user,time,ip,event,confidence,next_action\n" > auth-triage.csv

$ why: Build a short evidence table before escalating so your conclusions are tied to timestamps and sources.

triage-questions

  • ?Was the suspicious login preceded by phishing email delivery, a link click, or a browser redirect?
  • ?Did the user report unexpected MFA prompts or approve a prompt they did not initiate?
  • ?Was a new session/token created from an unusual device, IP, or user agent?
  • ?What high-value apps or admin paths were accessed after the suspicious sign-in?
  • ?Have sessions been revoked and accounts reset/locked where needed?

defender-actions.checklist

  • $Enable phishing-resistant MFA where supported.
  • $Deploy conditional access policies for risky sign-ins and unmanaged devices.
  • $Monitor MFA fatigue patterns and unusual push approval bursts.
  • $Prepare an account lock / reset / session revocation playbook and practice it.
  • $Train users to report suspicious login prompts and credential pages quickly.

study-workflow

  1. Learn what normal behavior looks like for this area (auth, exposure, config, or internal traffic).
  2. Identify the logs and telemetry that should show the behavior.
  3. Practice one safe validation in a lab or authorized environment.
  4. Write a short playbook for detection, triage, and response.
  5. Review the related tool guides under /learning/tools.