Anatomy of an Identity Breach: The 7 Steps Attackers Repeat (With Real Examples)

Feb 9, 2026

Linx Team

TL;DR

  • Attackers typically follow seven steps to carry out an identity attack, and there are ways to protect yourself at each stage of the kill chain.

  • Always check if your credentials have appeared in data leaks and change them, implement phishing-resistant MFA, take advantage of JIT for admin accounts, and use the principle of least privilege.

  • Preventing attacks is just one piece of the puzzle; you should also take measures that limit the blast radius, ensure you can detect issues if they pass your prevention mechanisms, and leverage automated workflows that respond to issues.

Why Do Attackers Prefer Identity-Based Attacks?

Identity is now the fastest route to critical systems: Humans, non-human identities (like service accounts, workloads, and API keys), SaaS apps, cloud control planes, and AI agents all operate through permissions and tokens that can give attackers a dangerous foothold.

Raising the stakes, identity attacks are more likely to succeed than other attacks, and they’re also harder to detect. When a threat actor uses one of your credentials, they blend in with legitimate traffic, and most security tools miss the subtle signs that point to a compromise.

While it’s impossible to build perfect prevention against all of these attacks, you can build strong, layered defenses. With a defense-in-depth strategy in place, when one layer is compromised, another layer blocks the attack, whether it stems from phishing, credential stuffing, token harvesting, or another identity attack vector.

In this article, we’ll explore the practical steps attackers take to compromise identities and provide hands-on advice for thwarting them at each stage of the identity kill chain.

What Are the 7 Steps Attackers Use for an Identity Breach?

Attackers typically follow these steps to carry out an identity attack:

  1. Initial access

  2. MFA or “friction” bypass

  3. Privilege gain

  4. Lateral movement via identity

  5. Persistence

  6. Taking action on objectives (data access, fraud, ransomware enablement)

  7. Evasion and reentry

Each step links together, enabling the next step in the chain. As a result, a minor compromise can lead to widespread breaches because of privilege escalation, lateral movement, and persistent actions.

Let’s take a look at each step in detail.

Step 1: Initial Access (Credentials or Foothold)

An attacker can obtain credentials through phishing campaigns, reused passwords, secrets accidentally exposed in version control systems or CI/CD pipelines, or by purchasing compromised accounts on the dark web.

Reused passwords are especially problematic. Despite security training programs, many employees continue to use the same passwords across personal and professional accounts. This practice creates a domino effect: Compromised access to one service compromises access to many others.

What’s a Real-World Example?

In 2021, attackers gained access to Colonial Pipeline’s systems by using a compromised password for a VPN account that didn’t have MFA enabled. This account actually belonged to a former employee, but it was never disabled after their termination. The threat actors used this foothold for a ransomware attack against the company, which provides fuel for about half of the East Coast. System outages cascaded into fuel shortages, and a state of emergency was declared in 17 states and Washington, D.C. Restoring operations took a $4.4 million ransom payment.

How Can Organizations Keep Systems Safe?

  • Prevent: Identify and disable all inactive accounts, since a forgotten account can be compromised without anyone noticing. Ensure MFA is enabled for all your users.

  • Limit the Blast Radius: Reduce the number of externally accessible services, and require additional passwords and MFA for anything important.

  • Detect: Monitor for unusual activity, like authentication attempts from unfamiliar locations or devices or numerous failed login attempts that signal credential stuffing.

  • Respond: Leverage automated workflows to immediately disable compromised accounts.

Step 2: MFA or “Friction” Bypass

MFA is just the first line of defense, and it’s not a silver bullet. When attackers encounter MFA, they can employ tactics to get around it. For example, fatigue attacks involve sending a flood of MFA approval requests to your users until they accept.

Social engineering isn’t the only risk, though. Phone-based MFA is vulnerable to SIM swap attacks, which could allow attackers to intercept your SMS codes.

What’s a Real-World Example?

In 2022, Uber experienced a data breach that began when a hacker purchased an employee’s credentials on the dark web. After encountering MFA, the attacker impersonated a security employee, initiated a fatigue attack, and asked the compromised user to accept the MFA requests he sent. Once the fatigue attack proved successful, the attacker gained access to Uber’s VPN; from there, he moved laterally, ultimately gaining full admin privileges.

How Can Organizations Keep Systems Safe?

  • Prevent: Use strong MFA mechanisms (authenticator apps, hardware keys, or passkeys) for all accounts if possible, otherwise at least for privileged ones. Implement phishing-resistant MFA, and establish strict proof-of-identity requirements for help desk employees.

  • Limit the Blast Radius: Require multiple approvals for high-privilege account resets; require additional passwords for sensitive services.

  • Detect: Implement MFA monitoring that automatically denies a flood of requests, and require human approval (with identity verification) before users can add a new authentication device.

  • Respond: Whenever you detect suspicious MFA activity, temporarily restrict access for your user until verification is complete.
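
The Detect items for Steps 1 and 2 both come down to spotting a burst of authentication events. The following added example (not code from the original post or from Linx) applies one sliding-window check to constructed sample events to flag both patterns: one source IP failing against many different accounts (credential stuffing) and one user receiving a flood of MFA push prompts (fatigue). The thresholds and windows are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not real logs): (timestamp, event, user, source IP).
SAMPLE_EVENTS = [
    ("2026-02-09T10:00:01", "login_fail", "alice", "203.0.113.7"),   # one IP spraying
    ("2026-02-09T10:00:02", "login_fail", "bob",   "203.0.113.7"),   # many accounts
    ("2026-02-09T10:00:03", "login_fail", "carol", "203.0.113.7"),
    ("2026-02-09T10:00:04", "login_fail", "dave",  "203.0.113.7"),
    ("2026-02-09T10:00:05", "login_fail", "erin",  "203.0.113.7"),
    ("2026-02-09T10:05:00", "mfa_push",   "bob",   "203.0.113.7"),   # push flood
    ("2026-02-09T10:05:20", "mfa_push",   "bob",   "203.0.113.7"),
    ("2026-02-09T10:05:40", "mfa_push",   "bob",   "203.0.113.7"),
    ("2026-02-09T10:06:00", "mfa_push",   "bob",   "203.0.113.7"),
    ("2026-02-09T10:30:00", "mfa_push",   "carol", "198.51.100.21"), # one normal prompt
]

def _parse(events):
    return [(datetime.fromisoformat(ts), kind, user, ip) for ts, kind, user, ip in events]

def _burst(timestamps, window, threshold):
    """True if at least `threshold` timestamps fall inside some span of length `window`."""
    ts, start = sorted(timestamps), 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:   # slide the window start forward
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

def detect_credential_stuffing(events, window=timedelta(minutes=5), threshold=5):
    """Source IPs that failed against `threshold` distinct accounts within one window."""
    fails = defaultdict(list)
    for ts, kind, user, ip in _parse(events):
        if kind == "login_fail":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, items in fails.items():
        users = {u for _, u in items}
        if len(users) >= threshold and _burst([t for t, _ in items], window, threshold):
            flagged[ip] = sorted(users)
    return flagged

def detect_mfa_fatigue(events, window=timedelta(minutes=2), threshold=4):
    """Users who received `threshold` push prompts within one window: auto-deny and verify."""
    pushes = defaultdict(list)
    for ts, kind, user, _ in _parse(events):
        if kind == "mfa_push":
            pushes[user].append(ts)
    return sorted(u for u, ts in pushes.items() if _burst(ts, window, threshold))
```

A flagged IP is a candidate for blocking and a forced reset of the affected accounts; a flagged user is the one whose pending prompts should be auto-denied and whose access should be restricted until verification.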

Step 3: Privilege Escalation

Accounts with permanent administrative rights are exactly what malicious actors are looking for. Instead of standing privileges, a better move is to grant temporary admin privileges through a mechanism like just-in-time access. 

Another problem to look out for? Inconsistent secrets hygiene. When secrets like API keys are stored in version control systems or wikis, they offer simple opportunities for privilege escalation.

What’s a Real-World Example?

In October 2023, Okta experienced a breach after an attacker compromised a customer support engineer’s account. This account had administrative rights, allowing the attacker to view HTTP Archive (HAR) files containing cookies and session tokens uploaded by customers during support troubleshooting sessions. By stealing session tokens, the attacker was able to impersonate legitimate users across different organizations.

How Can Organizations Keep Systems Safe?

  • Prevent: Implement just-in-time (JIT) access for administrative accounts.

  • Limit the Blast Radius: Ensure admin accounts are specific to a single service and don’t have cross-service privileges.

  • Detect: Implement alerts for role changes or permission modifications.

  • Respond: Build in automation that responds to a suspicious account by revoking elevated access and reviewing recent actions.

Step 4: Lateral Movement via Identity (SSO, SaaS, Cloud Control Plane)

It goes without saying: When attackers gain elevated privileges, what they’re really gaining is the ability to move laterally through your connected systems. For example, a compromised SSO can unlock access to dozens of applications, and cloud control planes can be easily accessed from anywhere if you have valid tokens.

What’s a Real-World Example?

In 2023, an attacker known as Storm-0558 leveraged forged Microsoft authentication tokens to access enterprise email accounts. The mechanism of attack? Lateral movement from MSA (consumer Microsoft account) signing keys to the Azure AD enterprise system. The breach affected approximately 25 organizations, primarily government agencies, including U.S. State Department email accounts.

How Can Organizations Keep Systems Safe?

  • Prevent: Avoid creating “super admin” accounts that can access all your systems.

  • Limit the Blast Radius: Remove unnecessary permissions that might offer access to systems your users don’t actually need access to.

  • Detect: Implement monitoring for unusual access patterns, especially accounts accessing systems they’ve never accessed before.

  • Respond: When you detect lateral movement, isolate the compromised identity and review access logs.

Step 5: Persistence (Tokens, OAuth Apps, Service Principals, Backdoor Identities)

As soon as an attacker gains access to your systems, they’ll look for ways to maintain it even if the original entry point is detected and blocked. Persistence techniques include the creation of OAuth applications, service principals, and API keys. These mechanisms are highly effective because they are often mistaken for legitimate administrative objects and can even survive password resets.

What’s a Real-World Example?

In 2025, Salesforce warned customers that a group called ShinyHunters was using vishing (voice phishing) to trick help desk staff into resetting MFA on privileged accounts. Once they got a foothold in a Salesforce instance, the attackers created malicious OAuth applications that allowed them to maintain persistent access.

How Can Organizations Keep Systems Safe?

  • Prevent: Control who can create OAuth applications, and establish lifecycle governance for service principals to ensure they have expiration dates.

  • Limit the Blast Radius: Restrict the permissions that can be granted to OAuth applications (for example, in AWS, use permission boundaries or service control policies to limit what IAM roles your OAuth apps can assume); ensure your service principals respect the principle of least privilege (PoLP).

  • Detect: Alert on the creation of new applications that require extensive permissions.

  • Respond: Maintain an inventory of authorized OAuth apps and service principals, and remove any new apps that are created outside of your process.
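
To make the Step 5 Detect and Respond items concrete, here is an added example (not Linx’s code or any vendor’s API) that compares a tenant’s currently registered OAuth apps against the approved inventory and classifies each deviation. The app IDs, the Graph-style scope names and the high-risk scope list are constructed assumptions.

```python
# Constructed sample data (not from any real tenant). Scope names follow the
# Microsoft Graph permission naming style purely for illustration.
APPROVED_APPS = {  # the authorized inventory maintained through your process
    "app-0001": {"name": "HR Sync", "scopes": {"User.Read", "Directory.Read.All"}},
    "app-0002": {"name": "Ticket Bot", "scopes": {"User.Read"}},
}
# Scopes that must never be granted without explicit review (this example's policy list).
HIGH_RISK_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite",
                    "RoleManagement.ReadWrite.Directory", "Application.ReadWrite.All"}
# What the tenant currently reports: one app gained a scope, one was added outside the process.
CURRENT_APPS = [
    {"id": "app-0001", "name": "HR Sync", "scopes": {"User.Read", "Directory.Read.All"}},
    {"id": "app-0002", "name": "Ticket Bot", "scopes": {"User.Read", "Mail.ReadWrite"}},
    {"id": "app-0099", "name": "Backup Helper", "scopes": {"Directory.ReadWrite.All", "User.Read"}},
]

def review_oauth_apps(current, approved, high_risk):
    """Compare the tenant's apps against the approved inventory.

    Returns {app_id: (action, scopes)} where action is:
      remove        - app not in the inventory (created outside the process)
      revoke_scopes - approved app that gained a high-risk scope it was never granted
      review        - approved app that gained only low-risk scopes
    """
    findings = {}
    for app in current:
        baseline = approved.get(app["id"])
        if baseline is None:
            findings[app["id"]] = ("remove", sorted(app["scopes"]))
            continue
        drift = app["scopes"] - baseline["scopes"]   # scopes added since approval
        if not drift:
            continue
        risky = drift & high_risk
        if risky:
            findings[app["id"]] = ("revoke_scopes", sorted(risky))
        else:
            findings[app["id"]] = ("review", sorted(drift))
    return findings

def needs_alert(findings):
    """True when any app requires immediate action (removal or scope revocation)."""
    return any(action in ("remove", "revoke_scopes") for action, _ in findings.values())
```

Run this on a schedule against the tenant's app list and treat any `remove` or `revoke_scopes` finding as a persistence indicator, not a housekeeping task.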

Step 6: Action on Objectives (Data Access, Fraud, Ransomware Enablement)

Identity compromise is rarely the final objective for an attacker. Usually, it’s only a stepping stone on the way to accessing data, committing fraud, or enabling ransomware.

What’s a Real-World Example?

In September 2023, MGM Resorts experienced a devastating ransomware attack that led to more than a week of operational problems across 30 resorts, such as shut-down slot machines, offline ATMs, and locked-out guests (the downside of digital hotel keys). Attackers gained access by researching employees on LinkedIn, then calling the help desk to request a password reset in their names.

How Can Organizations Keep Systems Safe?

  • Prevent: Implement PoLP on both the infrastructure and data layer; require additional verifications before a user can perform sensitive actions (e.g., ask users to reauthenticate with MFA or ask them for a manager’s approval).

  • Limit the Blast Radius: Prevent the creation of “super admins.” If any exist in your systems, downgrade their privileges. 

  • Detect: Alert on mass downloads or unusual queries against sensitive databases.

  • Respond: Implement automation that can quickly restrict access when suspicious data access is detected.

Step 7: Cover, Repeat, Expand (Defense Evasion + Re-Entry)

Sophisticated attackers try to reduce their visibility as much as possible by altering audit logs and disabling security tools. They also create multiple re-entry points, which often go unnoticed: in the wake of a breach, organizations can get tunnel vision and focus only on the initial entry point.

What’s a Real-World Example?

In 2023, a threat group called LockBit demonstrated impressive defense-evasion techniques, accounting for $91 million in ransomware payments in the U.S. alone. The secret to their success? They played the long game. When they gained access to their victims’ systems, they didn’t deploy ransomware right away; they first covered their tracks and expanded their foothold. Malware deployment and ransom demands came weeks or months later.

How Can Organizations Keep Systems Safe?

  • Prevent: Implement audit logging, and forward logs to immutable storage.

  • Limit the Blast Radius: Ensure that no one can disable security monitoring, not even for testing purposes.

  • Detect: Alert on log-retention policy changes and treat them as high-priority security incidents.

  • Respond: Implement automation that can quickly revoke access for a compromised identity across all systems.
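
The Step 7 Detect and Respond items, as an added example that is not part of the original post: it scans constructed CloudTrail-style records for API calls that stop logging or shorten retention and lists the identities to contain. The event sources and API names are real AWS names; which ones to alert on, and the sample records, are this example’s assumptions.

```python
import json

# CloudTrail API calls that can blind or shorten audit logging. The API names are
# real; the decision to alert on exactly these is this example's policy choice.
LOG_TAMPER_ACTIONS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "logs.amazonaws.com": {"DeleteLogGroup", "PutRetentionPolicy", "DeleteRetentionPolicy"},
    "s3.amazonaws.com": {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"},
}

# Constructed CloudTrail-style records, one JSON object per line as a log export
# would look (sample data; 111122223333 is AWS's documentation example account).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2026-02-09T01:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"}},
    {"eventTime": "2026-02-09T01:12:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/support-eng"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2026-02-09T01:13:05Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutRetentionPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/support-eng"},
     "requestParameters": {"logGroupName": "/aws/sso/audit", "retentionInDays": 1}},
])

def detect_log_tampering(log_text):
    """Return one alert per record whose API call weakens audit logging or retention."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("eventName") not in LOG_TAMPER_ACTIONS.get(rec.get("eventSource"), set()):
            continue
        params = rec.get("requestParameters") or {}
        alerts.append({
            "time": rec["eventTime"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "action": rec["eventName"],
            "target": params.get("name") or params.get("logGroupName") or params.get("bucketName"),
            "severity": "high",  # any logging/retention change is a high-priority incident
        })
    return alerts

def actors_to_contain(alerts):
    """Identities whose access should be revoked across all systems pending investigation."""
    return sorted({a["actor"] for a in alerts})
```

Because the actor that stops logging is usually the compromised identity itself, feeding `actors_to_contain` into the cross-system revocation workflow closes the loop between the Detect and Respond items.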

What Are Best Practices for Reducing Identity Breaches?

Follow this checklist to cut your identity risk:

  • Start by Gaining Visibility: You can’t protect what you don’t see, so inventory your identity sprawl and identify password-only external access.

  • Review Admin Privileges: Determine who has admin rights, and analyze if they actually need all those permissions.

  • Test How Fast You Respond to Issues: Identify how much time it takes to revoke all access for a specific identity. Use this test result as a baseline for improvement.

  • Deploy Phishing-Resistant MFA: Phishing-resistant MFA needs to be implemented everywhere, as attackers often compromise lower-priority systems first and then move laterally.

  • Eliminate Exposed Credentials and Leaked Secrets: Scan your code repositories, wikis, and shared documents for exposed credentials. Implement automated scanning in your CI/CD pipelines to prevent secret leaks.

  • Protect Audit Logs: Audit logs should be stored in immutable storage to ensure they cannot be altered after creation.

  • Create Alerts: Alert on role changes, app consents, unusual MFA behavior, and federation changes.

  • Implement JIT Elevation: You don’t need persistent admin permissions. Administrative access should be granted on demand for a specific time period.

Conclusion

Identity breaches are the easiest way in for attackers, and they usually follow a predictable pattern.

To disrupt this pattern, shifting left with stronger prevention is a start, but it’s not enough. You’ll also need to build powerful detection capabilities and automate quick responses to threats. Your motto should be, “Make it harder to get in, harder to escalate, harder to persist, easier to detect, and faster to contain.”

At Linx Security, we help organizations build robust identity security that addresses each stage of the attack chain. Book a demo with one of our engineers to learn more about how we can keep your systems safe from identity breaches.

Linx Security Inc.
500 7th Ave
New York, NY 10018

© 2025 Linx Security. All rights reserved
