Most organizations secure the perimeter and assume the inside is safe. Attackers learned years ago that identity is the inside. These are the techniques active in production environments right now, verified against current threat intelligence.
SIG-001
Password Spray
Low-and-slow authentication attempts across many accounts using common passwords. Designed to stay under lockout thresholds. Particularly effective against legacy auth protocols like SMTP, IMAP, and POP3 that cannot enforce MFA and bypass Conditional Access entirely. Blocking legacy authentication in Entra ID is one of the highest single-value controls available.
High Frequency
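As an added illustration (not part of the original page), the following Python flags the low-and-slow pattern described above in sign-in records: one source address, many accounts, very few attempts per account, with a note when the failures arrived over a legacy protocol. The record keys, the client-app names and the sample rows are constructed for this script, not a product's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Client apps that cannot carry an MFA claim (legacy authentication).
LEGACY_CLIENT_APPS = {"SMTP", "IMAP4", "POP3", "Authenticated SMTP"}

# Constructed sample: one IP fails exactly once against 25 accounts over IMAP,
# plus one user who mistypes a password once and then signs in normally.
SAMPLE_SIGNINS = [
    {"ts": f"2025-03-01T02:{i:02d}:00", "user": f"user{i:02d}@example.test",
     "ip": "203.0.113.10", "app": "IMAP4", "result": "failure"}
    for i in range(25)
] + [
    {"ts": "2025-03-01T02:05:00", "user": "user01@example.test",
     "ip": "198.51.100.5", "app": "Browser", "result": "failure"},
    {"ts": "2025-03-01T02:06:00", "user": "user01@example.test",
     "ip": "198.51.100.5", "app": "Browser", "result": "success"},
]


def detect_spray(records, window=timedelta(hours=1), min_accounts=10,
                 max_per_account=3):
    """Return {ip: summary} for source IPs whose failed sign-ins inside `window`
    touch at least `min_accounts` distinct accounts with no account tried more
    than `max_per_account` times: many targets, few guesses each, under lockout."""
    by_ip = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            by_ip[r["ip"]].append(r)
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: datetime.fromisoformat(r["ts"]))
        times = [datetime.fromisoformat(r["ts"]) for r in rows]
        # Sliding window over this IP's failures, oldest first.
        for i, t0 in enumerate(times):
            in_win = [rows[j] for j in range(i, len(rows)) if times[j] - t0 <= window]
            per_user = defaultdict(int)
            for r in in_win:
                per_user[r["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[ip] = {
                    "accounts": len(per_user),
                    "attempts": len(in_win),
                    "legacy_auth": any(r["app"] in LEGACY_CLIENT_APPS for r in in_win),
                }
                break
    return findings
```

Per-account lockout counters never trip on this pattern, which is why the grouping has to be by source rather than by account.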
SIG-002
Adversary-in-the-Middle
Reverse proxy kits sit between the victim and the real login page, capturing session tokens after MFA completes. Bypasses MFA entirely — the user authenticates legitimately and the attacker receives the post-auth session. Active kits in 2025/2026 include Evilginx, Tycoon 2FA, EvilProxy, Sneaky 2FA, and Mamba 2FA. AiTM attacks surged 46% in 2025 as Phishing-as-a-Service industrialized the technique. Phishing-resistant MFA (FIDO2/passkeys) is the only control that fully mitigates this.
MFA Bypass
SIG-003
Consent Phishing
Malicious OAuth applications request delegated permissions from a legitimate user. The user authenticates with MFA successfully and clicks Accept — handing the attacker access to mail, files, and calendars via delegated token. Access persists after password resets. Token-based access survives credential rotation. Revoking the consent grant on the app registration is required for full remediation.
OAuth Abuse
SIG-004
Token Theft and Replay
Refresh and access tokens stolen from compromised endpoints or memory via tools like Mimikatz or TokenSmith. Replayed from attacker infrastructure against Microsoft Graph and other cloud APIs. Conditional Access evaluates at token issuance, not per-request — a token that satisfied CA policy on a compliant device can be replayed from any machine until it expires or is revoked via CAE. CAE revocation requires a critical event trigger and a CAE-capable client.
Post-Auth
SIG-005
Device Code Flow Abuse
The attacker generates a device code, social-engineers the victim into entering it at microsoft.com/devicelogin, and receives the resulting access and refresh tokens. The victim authenticates legitimately — the attacker gets the token. Used at scale by Storm-2372 (Russia-nexus APT) throughout 2025 against governments, NGOs, and critical infrastructure. PhaaS kit EvilTokens (2026) automated and scaled the technique further. Tokens remain valid even after password resets. Block via Conditional Access authentication flow policies.
Active Campaign
SIG-006
Privilege Escalation via Roles and Permissions
Lateral movement through misconfigured Entra ID role assignments and high-privilege API permissions. Application Administrator can add credentials to any app registration including those with RoleManagement.ReadWrite.All. AppRoleAssignment.ReadWrite.All combined with Application.ReadWrite.All is a tenant takeover primitive — it can grant any principal Global Administrator without touching the role assignment directly. PIM activation abuse and stale privileged accounts compound the exposure.
Privilege Escalation
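An added audit script (not the page's or Microsoft's code) that walks a tenant snapshot for the two escalation paths named above: service principals holding the AppRoleAssignment.ReadWrite.All plus Application.ReadWrite.All combination or RoleManagement.ReadWrite.All, and Application Administrator holders who can add credentials to those principals. The snapshot shape and the sample principals are constructed; the permission and role names are the ones the text cites.

```python
# Graph application permissions the text identifies as escalation primitives.
TENANT_TAKEOVER_COMBO = {"AppRoleAssignment.ReadWrite.All", "Application.ReadWrite.All"}
ROLE_MANAGEMENT = "RoleManagement.ReadWrite.All"
CREDENTIAL_ADDING_ROLES = {"Application Administrator"}

# Constructed snapshot: service principals with their granted application
# permissions, and directory role assignments to users.
SAMPLE_SPS = [
    {"sp": "hr-sync", "perms": {"User.Read.All"}},
    {"sp": "provisioner", "perms": {"AppRoleAssignment.ReadWrite.All",
                                    "Application.ReadWrite.All"}},
    {"sp": "role-bot", "perms": {"RoleManagement.ReadWrite.All"}},
]
SAMPLE_ROLES = [
    {"user": "alice@example.test", "role": "Application Administrator"},
    {"user": "bob@example.test", "role": "Global Reader"},
]


def find_escalation_paths(sps, roles):
    """Return (principal, reason) pairs: first the service principals whose
    permissions reach Global Administrator, then every role holder who can add
    a credential to one of them and so inherit that reach."""
    findings = []
    for s in sps:
        if TENANT_TAKEOVER_COMBO <= s["perms"]:
            findings.append((s["sp"], "can grant any principal Global Administrator "
                                      "via app role assignment"))
        if ROLE_MANAGEMENT in s["perms"]:
            findings.append((s["sp"], "can write directory role assignments"))
    # Application Administrator adds credentials to any app registration, so
    # each privileged principal above is reachable from every holder of that role.
    privileged = sorted({name for name, _ in findings})
    for r in roles:
        if r["role"] in CREDENTIAL_ADDING_ROLES and privileged:
            findings.append((r["user"], f"{r['role']} can add credentials to "
                                        f"{', '.join(privileged)}"))
    return findings
```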
SIG-007
Kerberoasting
Any authenticated domain user can request a Kerberos TGS ticket for any Service Principal Name (SPN). The ticket is encrypted with the service account's password hash. The attacker takes it offline and cracks it — no interaction with the target service, minimal log noise. RC4 encryption makes cracking significantly faster than AES. Most service accounts have non-expiring passwords set years ago. Used in the 2024 Ascension Health breach, leading to U.S. Senator Ron Wyden pressing the FTC to investigate Microsoft's RC4 defaults in September 2025. In hybrid environments, a cracked service account is typically the first step toward cloud pivot.
Credential Access
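Added detection logic (not from the page) for the two signals a defender has on the domain controller side of the technique above: service tickets issued with RC4 (Windows Security event 4769, TicketEncryptionType 0x17) and one account requesting tickets for many distinct services in a short window. The sample events are constructed; the field names follow the 4769 event data names, and `ts` is this script's own key.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # 4769 TicketEncryptionType value for RC4; AES256 is 0x12

# Constructed: one user pulls RC4 tickets for 12 services within 12 seconds,
# plus ordinary AES traffic from another user.
SAMPLE_4769 = [
    {"ts": f"2025-03-01T09:00:{i:02d}", "TargetUserName": "jdoe@CORP.TEST",
     "ServiceName": f"svc{i}", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"}
    for i in range(12)
] + [
    {"ts": "2025-03-01T09:00:30", "TargetUserName": "asmith@CORP.TEST",
     "ServiceName": "FILESERVER01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.40"},
]


def detect_kerberoast(events, window=timedelta(minutes=10), spn_threshold=5):
    """Return {user: summary} for accounts whose RC4 service-ticket requests
    cover at least `spn_threshold` distinct services inside `window`."""
    rc4 = defaultdict(list)
    for e in events:
        # Computer accounts (ServiceName ending in $) are skipped to cut noise;
        # the crackable targets are user accounts carrying an SPN.
        if e["TicketEncryptionType"].lower() == RC4_HMAC and not e["ServiceName"].endswith("$"):
            rc4[e["TargetUserName"]].append(e)
    findings = {}
    for user, rows in rc4.items():
        rows.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        times = [datetime.fromisoformat(e["ts"]) for e in rows]
        # Sliding window: count distinct services requested from each start point.
        for i, t0 in enumerate(times):
            spns = {rows[j]["ServiceName"] for j in range(i, len(rows))
                    if times[j] - t0 <= window}
            if len(spns) >= spn_threshold:
                findings[user] = {"spns": len(spns),
                                  "sources": sorted({e["IpAddress"] for e in rows})}
                break
    return findings
```

A single RC4 ticket is not by itself suspicious on a domain that still allows RC4; the burst of distinct SPNs from one account is the stronger signal, and moving service accounts to AES removes the first one entirely.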
SIG-008
Pass-the-Hash
NTLM authentication in Windows does not require the plaintext password — only the hash. An attacker with local admin on a compromised machine extracts NTLM hashes from LSASS memory using tools like Mimikatz, then authenticates laterally to other systems using the hash directly, without cracking it. The hash is valid until the account password changes. In hybrid environments, Pass-the-Hash against on-prem systems is typically a stepping stone toward harvesting credentials that have access to cloud resources. LAPS randomizes local admin passwords per machine — its absence makes PtH trivial at scale.
Lateral Movement
SIG-009
Pass-the-PRT
The cloud equivalent of Pass-the-Hash. A Primary Refresh Token (PRT) is issued to Entra-joined or hybrid-joined Windows devices and provides SSO to Azure and Microsoft 365 without re-authentication. Stored in LSASS, it can be extracted using tools like Mimikatz with the cloudapkd module. An attacker with a valid PRT and session key can forge PRT cookies and access cloud resources — bypassing Conditional Access MFA requirements because the PRT already satisfied them. A PRT is valid for 14 days. Storm-2372 extended this further by using device code flow tokens to register attacker-controlled devices and obtain PRTs for long-term cloud persistence.
Cloud Pivot
SIG-010
AD Connect Abuse
Microsoft Entra Connect (formerly AD Connect) synchronizes on-premises Active Directory to Entra ID. The sync account requires highly privileged access to both environments. IBM X-Force IR engagements throughout 2025 confirmed attackers gained on-premises access and pivoted directly into cloud infrastructure by exploiting AD Connect misconfigurations — enabling privilege escalation within Entra ID and access to cloud assets. Compromise of the AD Connect server or its service account effectively bridges the on-prem and cloud trust boundary. Tier-0 asset. Treat accordingly.
Hybrid Pivot
SIG-011
Cloud Enumeration via AzureHound
AzureHound is the BloodHound equivalent for Entra ID — it maps identities, role assignments, group memberships, app role assignments, and privilege relationships across the tenant. State actors including Storm-0501, Void Blizzard, and Curious Serpens have used AzureHound in post-compromise discovery phases targeting Azure tenants through August 2025. The output feeds directly into lateral movement and privilege escalation planning. In cloud-only environments it replaces the on-prem BloodHound workflow entirely. Every RBAC misconfiguration and over-privileged assignment becomes a node in the attack graph.
Discovery
SIG-012
Federated Identity Credential Persistence
Workload identity federation allows external OIDC tokens to be exchanged for Azure tokens. An attacker who can add a federated identity credential to a managed identity or service principal creates a secretless authentication path from infrastructure they control — no client secret to rotate, no certificate to audit, no expiry to track. Used increasingly in supply chain attacks and post-compromise persistence. Adding the credential and then removing it covers the track in audit logs. Survives client secret rotation, certificate audits, and password resets entirely. Invisible to secret scanning tools.
Persistence
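As an added example (not the page's code), the script below reviews audit records for federated identity credentials: it pairs each add with its later remove on the same principal, flags credentials that lived only briefly, and flags issuers outside an allowlist. The operation names, the allowlist and the sample records are constructed for this script and must be mapped to your log source's real activity names.

```python
from datetime import datetime, timedelta

ADD_OP = "AddFederatedIdentityCredential"        # constructed operation name
REMOVE_OP = "RemoveFederatedIdentityCredential"  # constructed operation name
# Issuers your own pipelines legitimately exchange tokens from (constructed).
TRUSTED_ISSUERS = {"https://token.actions.githubusercontent.com"}

# Constructed audit records: one legitimate CI credential, and one added from
# an unknown issuer and removed four minutes later.
SAMPLE_AUDIT = [
    {"ts": "2025-03-01T10:00:00", "op": ADD_OP, "target": "sp-deploy",
     "actor": "ci-admin@example.test",
     "issuer": "https://token.actions.githubusercontent.com",
     "subject": "repo:org/app:ref:refs/heads/main"},
    {"ts": "2025-03-01T11:00:00", "op": ADD_OP, "target": "sp-billing",
     "actor": "helpdesk@example.test",
     "issuer": "https://idp.unknown.example", "subject": "anything"},
    {"ts": "2025-03-01T11:04:00", "op": REMOVE_OP, "target": "sp-billing",
     "actor": "helpdesk@example.test",
     "issuer": "https://idp.unknown.example", "subject": "anything"},
]


def review_fic_events(events, short_lived=timedelta(hours=1)):
    """Return (principal, finding, detail) tuples for untrusted issuers and for
    credentials removed within `short_lived` of being added."""
    findings = []
    opened = {}  # (principal, issuer, subject) -> the add record
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        key = (e["target"], e["issuer"], e["subject"])
        if e["op"] == ADD_OP:
            opened[key] = e
            if e["issuer"] not in TRUSTED_ISSUERS:
                findings.append((e["target"], "untrusted issuer", e["issuer"]))
        elif e["op"] == REMOVE_OP and key in opened:
            added = opened.pop(key)
            lifetime = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(added["ts"])
            if lifetime <= short_lived:
                findings.append((e["target"], "add/remove within window",
                                 f"{lifetime} by {e['actor']}"))
    return findings
```

Credentials still open in `opened` when the loop ends are the ones secret rotation will never touch; they are worth listing against an inventory of expected issuer/subject pairs.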
The human attack surface.
Technical controls mean nothing if your helpdesk resets MFA on a phone call. Attackers know this. They spend more time researching your people than your firewall rules.