Background and context
Cyber intrusions are increasingly starting with valid credentials rather than software exploits. The pattern behind the headline “logging in, not breaking in” is straightforward: attackers steal usernames, passwords, browser cookies, session tokens, and device data, then access services as if they were legitimate users. That approach is often cheaper, quieter, and faster than burning a zero-day or brute-forcing a hardened network edge. Dark Reading highlighted this shift in the second half of 2025, tying it to the growth of infostealer malware and AI-assisted social engineering [Dark Reading].
This trend has been building for years. Government and industry reporting has repeatedly shown that identity systems now sit at the center of many incidents. Microsoft’s Digital Defense Report has described a sustained rise in password attacks and identity-focused intrusion activity, while CISA has warned organizations to move toward phishing-resistant multifactor authentication because passwords and weaker MFA methods are routinely bypassed [Microsoft Digital Defense Report; CISA]. Mandiant and other incident responders have also documented how initial access brokers and ransomware crews increasingly rely on stolen credentials, session cookies, and social engineering rather than direct exploitation alone [Google Cloud Mandiant; CrowdStrike].
The economics explain why. Infostealer malware has become industrialized: operators distribute malware through phishing, fake software, cracked applications, malvertising, and social platforms; logs are harvested automatically; and stolen access is repackaged for sale on underground markets. Instead of buying a bare username and password, criminals can now purchase a bundle that may include browser-stored passwords, authenticated cookies, autofill data, crypto wallet information, and device fingerprints. In many cases, that is enough to step directly into a cloud account, email inbox, or SaaS tenant [Proofpoint; Cisco Talos; Trend Micro].
Technical details
At the center of the problem is infostealer malware. Families such as RedLine, Vidar, Raccoon, Lumma, and similar stealers are designed to extract data from browsers and local applications. They commonly target saved credentials, cookies, session tokens, password manager artifacts, messaging apps, FTP clients, and cryptocurrency wallets. Because modern browsers often act as the user’s identity hub, a compromised endpoint can expose not just passwords but live authenticated sessions [Microsoft; Trend Micro; Palo Alto Unit 42].
That matters because MFA does not always stop session theft. If an attacker steals a valid session cookie or refresh token, they may be able to replay that session without entering the password or second factor again. This is one reason adversary-in-the-middle phishing kits have become so effective. In an AiTM setup, the victim visits a fake site that proxies the real login page. The attacker captures the username, password, MFA code, and resulting session cookie in real time. Once the victim completes login, the attacker can often hijack the authenticated session [Microsoft; Okta; CISA].
There is also a support-process angle. Several high-profile breaches have shown that help desks and identity recovery workflows can be manipulated through social engineering. Attackers impersonate employees, pressure support staff to reset passwords or enroll a new MFA device, and then use that foothold to move laterally. The 2023 MGM incident became a widely cited example of how social engineering against identity processes can have outsized consequences [CISA; public reporting on MGM].
AI is amplifying this environment, though not by replacing attackers with magic automation. Its practical value is more mundane and more dangerous: it helps criminals write cleaner phishing emails, localize lures into multiple languages, summarize public information about targets, generate convincing chat scripts, and in some cases support voice impersonation. That lowers the cost of tailoring attacks and raises the baseline quality of social engineering. Proofpoint and other defenders have warned that AI-assisted phishing is making lures more persuasive, especially against finance, HR, and executive targets [Proofpoint; FBI IC3].
Credential theft also overlaps with vulnerabilities that expose sessions or remote access infrastructure. Citrix Bleed (CVE-2023-4966), for example, became notorious because it allowed session token theft from NetScaler appliances, enabling account hijacking without knowing a user’s password [CISA; Citrix advisories]. Other perimeter flaws, such as PAN-OS GlobalProtect command injection (CVE-2024-3400), show that edge devices remain relevant; but even when exploitation is involved, the end goal is often still identity access and session control rather than smash-and-grab malware deployment [CISA; Palo Alto Networks].
Impact assessment
The impact is broad because credentials are universal. Enterprises using Microsoft 365, Google Workspace, Salesforce, VPN portals, developer platforms, payroll systems, and cloud consoles are all exposed if a user’s endpoint or login flow is compromised. Individuals face account takeover, financial theft, surveillance of email and cloud storage, and fraud tied to saved payment or crypto wallet data. For businesses, the consequences can escalate from mailbox compromise to wire fraud, data theft, regulatory exposure, ransomware, and supply-chain compromise through trusted accounts [FBI IC3; Microsoft; Mandiant].
Some groups face higher risk than others. Executives, finance teams, HR staff, IT administrators, help-desk workers, recruiters, and remote employees are prime targets because their accounts either hold sensitive data or can authorize changes. Managed service providers, law firms, healthcare organizations, retailers, schools, and SaaS firms are especially attractive because one compromised identity can unlock many downstream systems [CrowdStrike; Google Cloud Mandiant].
Severity is high not because every stolen password leads to catastrophe, but because identity compromise blends into normal operations. A valid login from a familiar cloud service is harder to spot than malware beaconing from a known bad IP. Security teams that focus mainly on patching and perimeter alerts can miss the quieter signs: impossible-travel logins, unusual device fingerprints, suspicious OAuth consent grants, inbox forwarding rules, or token reuse from residential proxies [Microsoft; Okta]. That stealth gives attackers time to establish persistence and monetize access.
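The session-replay and sign-in anomalies described in the two passages above (a stolen cookie reused from a second device, impossible-travel logins, external inbox forwarding rules) can be caught with fairly simple correlation over identity telemetry. The following is an added example, not code from the article or any vendor product: the event schema, field names, the 900 km/h travel threshold and the sample records are all constructed assumptions chosen to illustrate the checks.

```python
# Added example (not from the article): three identity-telemetry checks run over
# constructed sign-in and mailbox-rule records. The schema, thresholds and sample
# values below are assumptions for illustration, not any vendor's log format.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float          # approximate geolocation of the source IP
    lon: float
    device_fp: str      # browser/device fingerprint reported at sign-in
    session_id: str     # server-side session identifier bound to the cookie


MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than a commercial flight is "impossible travel"
MIN_DISTANCE_KM = 50.0      # ignore geolocation jitter within the same metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events):
    """Return (user, from_ip, to_ip, km_per_hour) for consecutive sign-ins of the
    same user that would require an implausible travel speed."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (b.ts - a.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append((user, a.ip, b.ip, round(speed)))
    return alerts


def session_reuse(events):
    """Map session_id -> sorted (ip, device_fp) pairs for sessions observed from more
    than one IP/device combination: the footprint of a replayed cookie or token."""
    seen = defaultdict(set)
    for e in events:
        seen[e.session_id].add((e.ip, e.device_fp))
    return {sid: sorted(pairs) for sid, pairs in seen.items() if len(pairs) > 1}


def external_forwarding_rules(rules, internal_domain):
    """Flag mailbox rules that forward mail to an address outside internal_domain."""
    suffix = "@" + internal_domain.lower()
    return [r for r in rules
            if r["forward_to"] and not r["forward_to"].lower().endswith(suffix)]


def _t(hour, minute=0):
    return datetime(2025, 11, 3, hour, minute, tzinfo=timezone.utc)


# Constructed sample data (RFC 5737 documentation IPs, fictitious users).
SAMPLE_EVENTS = [
    # alice: interactive sign-in from New York; twenty minutes later the same
    # session id is presented from a different IP and device fingerprint in London.
    SignIn("alice", _t(9, 0),  "203.0.113.10", 40.7128, -74.0060, "fp-a1", "sess-alice-1"),
    SignIn("alice", _t(9, 20), "198.51.100.7", 51.5074,  -0.1278, "fp-x9", "sess-alice-1"),
    # bob: San Francisco at 09:00 and New York at 15:00 on the same device; plausible.
    SignIn("bob",   _t(9, 0),  "203.0.113.44", 37.7749, -122.4194, "fp-b1", "sess-bob-1"),
    SignIn("bob",   _t(15, 0), "203.0.113.45", 40.7128,  -74.0060, "fp-b1", "sess-bob-2"),
]

SAMPLE_RULES = [
    {"user": "alice", "name": "Invoices",    "forward_to": "billing-archive@example.com"},
    {"user": "alice", "name": ".",           "forward_to": "a1ice.finance@mail.example.net"},
    {"user": "bob",   "name": "Newsletters", "forward_to": ""},
]


def run_checks(events=SAMPLE_EVENTS, rules=SAMPLE_RULES, internal_domain="example.com"):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "impossible_travel": impossible_travel(events),
        "session_reuse": session_reuse(events),
        "external_forwarding": external_forwarding_rules(rules, internal_domain),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

Against the sample data the checks flag alice twice (one impossible-travel pair and one session id seen from two IP/device combinations) and one forwarding rule with a single-character name pointing at an external domain, while bob's cross-country sign-ins pass. In production the geolocation and fingerprint fields come from the identity provider's sign-in logs, and the session-reuse check is the one most worth tuning, since a cookie legitimately follows a user across a VPN reconnect but not across a change of device fingerprint.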
How to protect yourself
Defending against “log in” attacks requires a mix of identity controls, endpoint security, and process discipline.
Use phishing-resistant MFA. Security keys and passkeys based on FIDO2/WebAuthn are far harder to phish than SMS codes or push notifications. CISA has repeatedly recommended phishing-resistant MFA for organizations that want to reduce account takeover risk [CISA].
Assume passwords alone are not enough. Disable browser password storage where appropriate, enforce unique passwords, and monitor for credential exposure. If an infostealer hits a device, saved browser secrets are often among the first items taken [Microsoft; Trend Micro].
Harden endpoints. Keep operating systems and browsers patched, use reputable endpoint detection tools, restrict local admin rights, and watch for suspicious browser extension activity, script-based downloaders, and malware in user profile directories. Infostealers usually begin on the endpoint, not in the data center [Cisco Talos; Palo Alto Unit 42].
Revoke sessions, not just passwords. During incident response, reset passwords, force logout across services, revoke refresh tokens, and review OAuth app grants. If the attacker has a live session cookie, a password reset by itself may not remove them [Microsoft; Okta].
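Why a password reset by itself does not evict an attacker holding a live session, and what "revoke sessions" looks like server-side, is easiest to see in a small model. The following is an added example written for this article, not code from any of the cited vendors: it assumes a server-side session store where each user carries a "generation" counter that is embedded in every issued token, so that bumping the counter invalidates every outstanding token at once. Class and method names are invented for the illustration.

```python
# Added example (not from the article): a minimal session store that shows the
# difference between resetting a password and revoking sessions. Names and the
# token layout are assumptions for illustration only.
import hashlib
import hmac
import os
import secrets


class SessionStore:
    """Server-side view of accounts and the session tokens issued to them."""

    def __init__(self, server_key: bytes):
        self.key = server_key
        self.users = {}  # username -> {"salt", "pw_hash", "generation"}

    @staticmethod
    def _hash_pw(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw_hash": self._hash_pw(password, salt),
                            "generation": 0}

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_session(self, user: str) -> str:
        """Mint a cookie value bound to the user's current session generation."""
        gen = self.users[user]["generation"]
        payload = f"{user}:{gen}:{secrets.token_hex(8)}"
        return payload + "." + self._sign(payload)

    def validate(self, token: str):
        """Return the username if the token is authentic and not revoked, else None."""
        try:
            payload, sig = token.rsplit(".", 1)
            user, gen, _nonce = payload.rsplit(":", 2)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None  # forged or tampered token
        account = self.users.get(user)
        if account is None or int(gen) != account["generation"]:
            return None  # revoked: the generation moved on since this token was minted
        return user

    def reset_password_only(self, user: str, new_password: str) -> None:
        """The incomplete response: the password changes, but every token already
        issued still carries the current generation and keeps validating."""
        acct = self.users[user]
        acct["salt"] = os.urandom(16)
        acct["pw_hash"] = self._hash_pw(new_password, acct["salt"])

    def revoke_all_sessions(self, user: str) -> None:
        """Bump the generation; every outstanding token for this user is now rejected."""
        self.users[user]["generation"] += 1


def demo():
    """Walk through an incident: a captured cookie survives a password reset but
    not a session revocation, and the user's next login still works."""
    store = SessionStore(server_key=secrets.token_bytes(32))
    store.register("alice", "correct horse battery staple")
    captured_cookie = store.issue_session("alice")  # what an infostealer or AiTM kit would hold

    store.reset_password_only("alice", "new-password-after-incident")
    valid_after_reset = store.validate(captured_cookie) == "alice"

    store.revoke_all_sessions("alice")
    valid_after_revoke = store.validate(captured_cookie) == "alice"

    fresh = store.issue_session("alice")  # alice signs in again with the new password
    return valid_after_reset, valid_after_revoke, store.validate(fresh) == "alice"


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The same idea applies to refresh tokens and OAuth grants: anything that validates only on signature and expiry keeps working until the server stops honouring the generation it was issued under, which is why the response checklist above pairs the password reset with a forced logout and token revocation.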
Lock down help-desk workflows. Require stronger identity verification for password resets and MFA re-enrollment. Train support staff to recognize urgency tactics and impersonation attempts. Several major incidents have turned on weak recovery procedures rather than weak passwords [CISA; FBI IC3].
Use conditional access and device trust. Restrict sensitive apps to managed devices, known locations, and compliant systems where possible. Device posture checks can stop a stolen password from being enough on its own [Microsoft].
Be careful with links, attachments, and “urgent” requests. AI-generated phishing is often polished and context-aware. Verify requests for credential resets, invoices, document shares, or payroll changes through a second channel.
Protect traffic on untrusted networks. Public Wi-Fi and hostile local networks can increase exposure to interception and phishing infrastructure. VPN companies like hide.me offer encrypted tunnels that reduce local network snooping risk, though a VPN does not stop infostealers or token theft on a compromised device. It should be treated as one layer, not a fix-all.
What this means for defenders
The broader lesson is that identity telemetry now matters as much as vulnerability telemetry. Organizations need visibility into session creation, token use, device fingerprints, impossible travel, and risky sign-ins. The old mental model of “keep attackers out of the network” is incomplete when the attacker arrives through a legitimate cloud login. Security teams that can correlate endpoint infection with identity anomalies will be in a far better position to catch these intrusions early [Microsoft; CrowdStrike; Mandiant].
Attackers are following the path of least resistance. Right now, that path often runs through browsers, support desks, and cloud login pages.