Identity-based attacks: How attackers bypassed MFA four times in one month
This is the first edition of a new monthly identity threat brief for the Cisco Duo blog. Each month, I examine the identity-based attacks shaping the current threat environment, the structural weaknesses they exploit, and the defenses that hold up against them.
Identity-based attacks target authentication systems, credentials, and identity infrastructure rather than application code or encryption. In recent weeks, four incidents made the pattern clear: attackers stole authentication tokens from compromised routers, breached a national identity agency, abused a trusted vendor's notification system to deliver phishing, and compromised messaging-app accounts to read encrypted communications.
None of these attacks broke cryptography. None defeated multi-factor authentication (MFA) head-on. Each one went around the authentication layer instead of through it. These incidents are a clear opening case for this series: identity is now the primary attack surface, and the authentication layer is where attackers concentrate effort.
What changed recently
Across the four incidents, the pattern is consistent. Attackers did not try to defeat the strong cryptographic controls protecting modern systems. They targeted the trust relationships, session artifacts, and infrastructure that surround authentication.
Stolen tokens granted access without credentials. A breached government identity system exposed citizen data at scale. Legitimate vendor infrastructure delivered phishing that passed every standard email authentication check. Compromised endpoints gave attackers plaintext access to encrypted conversations.
The strategic implication for identity teams is direct: controls designed to verify credentials cannot stop attackers who already hold authenticated sessions or who never needed credentials in the first place. The identity attack surface now extends well beyond the login prompt.
The four incidents at a glance
Router DNS hijacking to harvest Microsoft Office tokens. Russian military intelligence group APT28 (also tracked as Fancy Bear and Forest Blizzard) compromised more than 18,000 routers to intercept OAuth authentication tokens for Microsoft Outlook on the web. The campaign affected more than 200 organizations and 5,000 consumer devices at peak. (Krebs on Security reported the campaign in detail.)
https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/
Breach of France's National Agency for Secure Documents (ANTS). On April 15, 2026, ANTS disclosed a breach exposing login credentials, names, dates of birth, addresses, and account identifiers for an undisclosed number of French citizens.
https://therecord.media/france-cyberattack-agency-passports
Phishing through Apple's legitimate account notification system. Attackers embedded callback-phishing lures inside genuine Apple security notifications sent from appleid@id.apple.com. The messages passed SPF, DKIM, and DMARC checks. (BleepingComputer reported the technique.)
https://www.bleepingcomputer.com/news/security/apple-account-change-alerts-abused-to-send-phishing-emails/
Compromise of commercial messaging-app accounts. A joint CISA and FBI advisory warned that Russian intelligence services compromised thousands of individual messaging-app accounts to access encrypted communications without breaking the underlying encryption.
https://www.cisa.gov/resources-tools/resources/russian-intelligence-services-target-commercial-messaging-application-accounts
The pattern: attackers go around authentication, not through it
Each incident exploits a different surface, but the underlying logic is the same.
The router campaign stole tokens after MFA succeeded
APT28 did not phish credentials or defeat MFA. The group exploited known vulnerabilities in end-of-life Mikrotik and TP-Link SOHO routers, modified DNS settings to point to attacker-controlled servers, and intercepted OAuth tokens after users had already authenticated successfully.
Because OAuth tokens are issued after MFA verification, the stolen tokens granted fully authenticated sessions. No further credentials or one-time codes were required. Krebs on Security reported the campaign and noted the technique is highly effective at evading malware-focused detection.
This is an MFA bypass in the most practical sense: MFA worked exactly as designed, and the attacker waited for the token it produced.
The ANTS breach exposed identity data at the source
The compromised ANTS data included login credentials and the personal information used to verify identity in administrative procedures. The Record reported the breach as the latest in a series targeting French government identity infrastructure, including a February 2026 breach of France's National Bank Accounts File that exposed information on roughly 1.2 million accounts.
Stolen identity data of this kind feeds downstream attacks: account takeover, fraudulent document applications, and credential reuse against unrelated services.
The Apple notification abuse weaponized legitimate trust
BleepingComputer reported that attackers embedded fraudulent transaction notices and callback phone numbers inside genuine Apple account-change emails. Because the messages originated from Apple's verified sending infrastructure, they passed every email authentication check designed to detect spoofing.
The attack does not exploit a technical vulnerability. It exploits the gap between sender verification and content trust.
The messaging-app compromises bypassed encryption at the endpoint
The CISA and FBI joint advisory stated explicitly: attackers did not break the encryption of the messaging platforms. They compromised individual user accounts through credential phishing, session token theft, SIM swapping, and exploitation of weak authentication.
Once inside an account, attackers had plaintext access to historical messages, real-time conversations, and contact lists they could use to expand the attack.
Why authentication-layer attacks evade traditional controls
MFA, SPF, DKIM, DMARC, and end-to-end encryption are strong controls. They are also narrow controls. Each verifies one specific thing: that a user holds a second factor, that an email originated from an authorized sender, or that a message was encrypted in transit.
None of them verify that the session in use is legitimate, or detect when a trusted platform delivers malicious content. None of them protect a credential database or a token store. The four recent incidents land at exactly these gaps.
What stops authentication-layer attacks
The structural defense against this pattern is to make stolen credentials and stolen tokens harder to use, and to detect identity misuse when it occurs.
Phishing-resistant MFA
Phishing-resistant MFA uses cryptographic protocols such as FIDO2 (Fast Identity Online 2) and WebAuthn that bind authentication to the specific origin a user is signing into. Unlike one-time codes, push notifications, or SMS, phishing-resistant MFA cannot be replayed, intercepted on a fake site, or approved by a confused user.
It addresses the structural weakness behind credential phishing and many forms of session hijacking. For identity teams reviewing their authentication stack, phishing-resistant MFA is the highest-leverage control available today.
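As an added illustration of what "binds authentication to the specific origin" means on the server side (written for this brief, not Duo's code and not from any FIDO library), here are the relying-party checks on a WebAuthn assertion. The relying-party ID, expected origin, lookalike phishing origin and challenge are all assumed or constructed; the authenticator's signature over authenticatorData and the hash of clientDataJSON, which is what makes the origin field tamper-evident, is not verified here.

```python
import base64
import hashlib
import json
from typing import Tuple

# Assumed relying party; both values are the ones a server configures.
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON, as the browser (not the web page) builds it:
    the browser fills in the origin it is actually on, so a lookalike site
    cannot claim the relying party's origin."""
    doc = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return b64url(json.dumps(doc).encode())

def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId) | flags (UP|UV) | 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")

def verify_origin_binding(client_data_b64: str, auth_data: bytes, challenge: bytes) -> Tuple[bool, str]:
    """The relying-party checks that make a FIDO2/WebAuthn assertion phishing-resistant.
    The authenticator's signature covers auth_data plus SHA-256(clientDataJSON), so
    none of these fields can be altered in transit; that signature check is omitted."""
    cd = json.loads(unb64url(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if unb64url(cd.get("challenge", "")) != challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    if cd.get("origin") != EXPECTED_ORIGIN:
        # A one-time code typed into a lookalike site still works; this does not.
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```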
Token binding and conditional access
Token binding ties an authentication token to the device that obtained it. A stolen token cannot be replayed from an attacker's infrastructure. Conditional access policies add risk-based checks at session reuse, not just at sign-in. Together, they reduce the value of a stolen OAuth token of the kind APT28 harvested.
Identity threat detection and credential compromise detection
Detection of identity-based attacks depends on observing what authenticated identities do, not just whether they authenticated. Behavioral monitoring, anomalous-session detection, and analysis of token activity surface compromise even when credentials and MFA were not defeated.
Cisco Duo's identity threat detection and response capabilities operate at this layer. They pair with identity security posture management to surface the configuration weaknesses attackers target.
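An added example of the telemetry-level check this section describes, written for this brief and not Duo's detection logic: it walks constructed token-issuance and token-use events and flags a token that reappears from a different network or client than the one that completed MFA, which is the footprint of the router campaign above. The log format, field names, token IDs and ASN values are all assumed.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real data): a token is ISSUEd once MFA
# succeeds, then USEd on each API call. Network is recorded as an ASN.
SAMPLE_LOG = """\
2026-04-02T09:00:01Z ISSUE token=tok_a1 user=alice net=AS64500 ua=Outlook/16
2026-04-02T09:00:05Z USE   token=tok_a1 user=alice net=AS64500 ua=Outlook/16
2026-04-02T09:12:40Z USE   token=tok_a1 user=alice net=AS64501 ua=python-requests/2.31
2026-04-02T09:30:00Z ISSUE token=tok_b7 user=bob   net=AS64500 ua=Outlook/16
2026-04-02T10:05:00Z USE   token=tok_b7 user=bob   net=AS64500 ua=Outlook/16
2026-04-02T10:07:00Z USE   token=tok_zz user=carol net=AS64502 ua=Outlook/16
"""

def parse_event(line: str) -> Dict[str, str]:
    """One log line to a dict: timestamp and event type are positional, the rest key=value."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    fields["event"] = event
    return fields

def minutes_between(earlier: str, later: str) -> float:
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return (parse(later) - parse(earlier)).total_seconds() / 60

def find_token_misuse(log_text: str) -> List[Tuple[str, str]]:
    """Flag bearer tokens that reappear from a network or client other than the one
    that completed MFA, or that this IdP never issued. Returns (token, reason) pairs.
    In both cases the sign-in itself looked normal, so login-time controls saw nothing."""
    issued: Dict[str, Dict[str, str]] = {}
    alerts: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        e = parse_event(line)
        if e["event"] == "ISSUE":
            issued[e["token"]] = e
            continue
        origin = issued.get(e["token"])
        if origin is None:
            alerts.append((e["token"], "token used but never issued here"))
            continue
        reasons = []
        if e["net"] != origin["net"]:
            reasons.append(f"network {origin['net']} -> {e['net']}")
        if e["ua"] != origin["ua"]:
            reasons.append(f"client {origin['ua']} -> {e['ua']}")
        if reasons:
            age = minutes_between(origin["ts"], e["ts"])
            alerts.append((e["token"], f"{'; '.join(reasons)} ({age:.0f} min after MFA)"))
    return alerts
```

In production the same comparison would run against the issuing sign-in's device and network context rather than a flat log, and a hit is a candidate for session revocation rather than just an alert.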
Identity security as a programmatic discipline
None of these controls work in isolation. They sit inside an identity security program that connects authentication, posture management, detection, and response.
What this means for identity leaders
For a Director of Identity reading this brief, the recent incidents translate into four practical actions.
Treat the authentication layer as an attack surface, not a control surface. Authentication is no longer just something the identity team configures. It is something attackers actively target. Inventory where authentication tokens live, how long they last, and who can use them.
Move toward phishing-resistant authentication. Deprecate SMS and push-only MFA on a defined timeline. Each of the recent incidents demonstrates the limits of authentication factors that can be intercepted, replayed, or socially engineered.
Invest in identity-specific detection. Endpoint detection and network detection do not see identity misuse. Detection of session anomalies, token replay, and unusual authentication patterns requires identity-layer telemetry.
Treat identity infrastructure breaches as catalysts for downstream attacks. A breach like the ANTS disclosure does not end with the disclosed agency. The exposed data feeds account takeover, credential stuffing, and impersonation across unrelated services.
What to expect from this series
This is the first in a series of recurring monthly briefs. Each edition examines the identity-based attacks shaping the threat environment that month, the structural weaknesses they exploit, and the defenses that hold up against them. Attackers are adapting quickly. I will track how that adaptation unfolds and what identity teams need to know.
Visit the Duo blog to follow the identity threat intelligence series and get each monthly edition as it publishes.