Mallory

Identity-Driven Intrusions Fueled by Infostealer Credentials and MFA-Aware Phishing

Tags: credential-access-method, phishing-campaign-intelligence, credential-stealer-activity, initial-access-method, identity-authentication-vulnerability
Updated March 25, 2026 at 03:04 PM · 4 sources


Threat actors are increasingly achieving initial access through identity compromise rather than software exploitation, with infostealer malware and phishing infrastructure supplying large volumes of valid credentials for automated login attempts against enterprise authentication front doors. Defused Cyber reported a large-scale credential-stuffing campaign targeting F5 BIG-IP and other SSO-adjacent services (including ADFS, STS, and OWA), where honeypots observed high-confidence corporate email/password pairs being submitted at scale from 219.75.254.166 (OPTAGE Inc., Japan). Correlation against Hudson Rock’s infostealer telemetry indicated the majority of observed credentials were harvested from infostealer-infected employee endpoints, suggesting a pipeline from endpoint infection to external SSO gateway intrusion attempts impacting major enterprises and public-sector entities.
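The campaign above is easy to miss with a failure-rate detector, because credentials harvested by infostealers are frequently valid. The following added example (not code from the page or from any vendor it cites) instead flags a source IP that tries many distinct identities against SSO front doors within a sliding window; the log format and user names are assumed and constructed.

```python
# Added example: flag a source IP that tries many distinct identities against
# SSO front doors. Infostealer-sourced credentials are often valid, so keying
# only on failed logins can miss this; count distinct users per source instead.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "ts src_ip service user result"
# format. The first IP is the one named in the report; users are invented.
SAMPLE_LOG = """\
2026-02-23T10:00:01 219.75.254.166 bigip alice@example.com success
2026-02-23T10:00:03 219.75.254.166 bigip bob@example.com failure
2026-02-23T10:00:04 219.75.254.166 adfs carol@example.com success
2026-02-23T10:00:06 219.75.254.166 owa dave@example.com success
2026-02-23T10:00:08 219.75.254.166 sts erin@example.com success
2026-02-23T10:01:00 198.51.100.7 bigip alice@example.com failure
"""
SSO_SERVICES = {"bigip", "adfs", "sts", "owa"}


def parse(log_text):
    """Parse the assumed format; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, svc, user, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "service": svc,
                       "user": user.lower(), "ok": result == "success"})
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Alert on a source trying >= min_users distinct identities per window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["service"] in SSO_SERVICES:
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) >= min_users:
                alerts[src] = {"distinct_users": len(users),
                               "successes": sum(e["ok"] for e in span),
                               "services": sorted({e["service"] for e in span})}
    return alerts
```

The success count in each alert is the part worth escalating: a high-volume source with successful logins indicates valid credentials in play, not a blind brute-force.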

In parallel, Datadog Security Labs documented the evolution of the 1Phish kit into an operationally mature, MFA-aware phishing framework targeting 1Password users, shifting from simple credential capture to multi-stage workflows that explicitly collect 2FA codes—consistent with real-time authentication attempts even without confirmed reverse-proxy session hijacking. Broader incident-response telemetry in Sophos’ Active Adversary Report reinforces the same trend: identity-related techniques (compromised credentials, brute force, phishing) accounted for a majority of observed root causes, and attackers often pivot quickly to Active Directory after initial access. A separate finance-sector “2026” threat landscape post is largely high-level and does not add specific, verifiable details to the infostealer/SSO or 1Phish activity described elsewhere.

Timeline

  1. Mar 24, 2026

    Whiteintel maps infostealer-to-dark-web credential exposure pipeline

    On 2026-03-24, Whiteintel’s Intelligence Division published research finding that infostealer infections can lead to stolen corporate credentials being exposed or sold on dark web markets in less than 48 hours. The report highlighted unmanaged-device infections as a major enterprise blind spot, linked infostealer activity to credential-based intrusions used by ransomware operators, and noted continued activity from strains including Lumma, StealC, and RedLine.

  2. Feb 27, 2026

    Sophos publishes Active Adversary Report 2026 findings

    On 2026-02-27, Sophos' Active Adversary Report 2026 was published, summarizing trends from 661 cases across 70 countries. It highlighted identity compromise as the leading initial access vector and found generative AI was mainly increasing the speed and scale of phishing and social engineering rather than creating fundamentally new attack methods.

  3. Feb 27, 2026

    1Password says it is monitoring the phishing campaign and pursuing takedowns

    As of Datadog's 2026-02-27 report, 1Password said it was aware of the phishing campaign, had been monitoring it, and was pursuing takedowns of lookalike sites. The company also advised users to avoid unsolicited email links and only enter credentials on verified 1Password domains.

  4. Feb 27, 2026

    Datadog details four 1Phish versions and infrastructure reuse

    On 2026-02-27, Datadog Security Labs published a technical deep dive identifying four distinct 1Phish kit versions, culminating in a REST API-driven build with session management, internationalization, enterprise targeting, and recovery-code harvesting. The report concluded the activity reflects an actively maintained phishing kit with shared artifacts and reused infrastructure across multiple domains.

  5. Feb 27, 2026

    Researchers link SSO brute-forcing credentials to infostealer logs

    Subsequent analysis published on 2026-02-27 tied 54 of 70 observed email-password pairs from the SSO brute-forcing campaign to Hudson Rock infostealer infection records. The same credentials were also used against ADFS, STS, and OWA, and the attack infrastructure was linked to a compromised Fortinet FortiGate-60E device.

  6. Feb 23, 2026

    Defused Cyber flags credential-stuffing against corporate SSO gateways

    On 2026-02-23, Defused Cyber publicly reported large-scale login attempts against corporate SSO edge infrastructure, especially F5 BIG-IP interfaces, from IP address 219.75.254.166. Their honeypots showed the campaign was using apparently valid corporate usernames and passwords rather than exploiting software flaws.

  7. Feb 1, 2026

    1Phish evolves into MFA-aware multi-stage phishing framework

    By February 2026, analysis showed 1Phish had evolved through multiple versions into a more advanced phishing kit with browser and device fingerprinting, bot filtering, staged workflows, and explicit collection of one-time passcodes. The changes indicated an actively maintained framework designed to support real-time authentication abuse rather than simple credential theft alone.

  8. Oct 31, 2025

    Sophos observes identity abuse dominating initial access in incident cases

    From 2024-11-01 to 2025-10-31, Sophos analyzed 661 incident response and MDR cases and found identity-related techniques such as compromised credentials, brute force, and phishing accounted for 67% of identified initial access root causes. The report also found attackers reached Active Directory in a median of 3.4 hours and that ransomware encryption and exfiltration often occurred outside business hours.

  9. Oct 1, 2025

    Malwarebytes reports breach-themed 1Password phishing activity

    In October 2025, Malwarebytes publicly reported phishing activity impersonating 1Password, describing breach-themed email lures and typosquatted domains used to steal credentials. This reflects early public documentation of the 1Phish campaign.

  10. Sep 1, 2025

    1Phish campaign begins with fake 1Password login pages

    In September 2025, the 1Phish phishing kit was operating as a relatively simple credential-harvesting campaign using fake 1Password login pages. The activity targeted 1Password users via lookalike infrastructure and early-stage phishing workflows.


Related Stories

Credential Theft and Identity-Based Intrusions Surge Across Enterprises

**Credential compromise** and identity abuse are increasing as attackers rely more on stolen logins, session artifacts, and phishing rather than noisy exploitation alone. Recorded Future reported a sharp rise in exposed credentials during 2025, including nearly **2 billion** credentials indexed from malware combo lists, with the second half of the year up **50%** over the first and Q4 up **90%** over Q1. The trend is being driven by the industrialization of **infostealer malware**, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, while weak identity governance continues to expand the attack surface. A separate survey of UK organizations found **77%** fail to promptly disable former employees' accounts, **34%** grant overly broad access, and many still use manual processes such as spreadsheets for account validation, creating persistent opportunities for unauthorized access. A targeted phishing attempt against **Outpost24** illustrates how these identity-focused attacks are being operationalized against even security vendors. Attackers used a convincing fake JP Morgan email, valid **DKIM** authentication via Amazon SES infrastructure, and a **seven-stage redirect chain** leveraging trusted brands including Cisco to steer a C-suite executive toward a Microsoft Office credential-harvesting page while evading email defenses. The broader threat environment shows the same shift toward access abuse and stealthier post-compromise tradecraft: Google Threat Intelligence Group found ransomware actors increasingly favor native Windows tools over **Cobalt Strike**, with data theft present in **77%** of incidents and exploitation of VPNs and firewalls still common for initial access. Together, the reporting shows attackers are increasingly **logging in rather than breaking in**, then using legitimate access and built-in tools to deepen compromise and extort victims.

1 week ago

Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials

Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands like **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity. This is **not fluff** because the relevant items contain substantive threat intelligence on active attack methods, delivery infrastructure, and attacker tradecraft.

1 month ago

Credential Theft and Evasion Techniques Across Phishing, Webmail Exploitation, and Commodity Malware

Threat actors are continuing to prioritize **credential theft** while using defensive and trusted services to evade detection. DomainTools reported a Microsoft 365 phishing operation that **weaponizes Cloudflare protections** (including *Turnstile* human verification) to block automated analysis and security crawlers, then selectively serves a credential-harvesting flow only to “clean” visitors. The infrastructure used additional gatekeeping such as IP reputation checks (including lookups via `api.ipify.org`), hardcoded blocks for security-vendor and cloud-provider ranges, and user-agent filtering that returns a fake `404` page to bots, with the theft logic hidden behind heavy obfuscation. Separately, Hunt.io documented **Operation Roundish**, assessed with medium-high confidence as aligned to **APT28 (Fancy Bear)**, after discovering an exposed open directory hosting a Roundcube exploitation toolkit used against Ukrainian targets (including `mail.dmsu.gov.ua`). The toolkit included XSS payloads, a Flask-based C2, and modules for credential harvesting, mail forwarding persistence, bulk email exfiltration, address book theft, and 2FA secret extraction, plus a Go-based Linux implant (`httd`) found on a compromised Ukrainian web application. In parallel reporting on credential-access tradecraft, Flashpoint analysis highlighted the low-cost **DarkCloud infostealer** (sold for about **$30**) that steals browser logins/cookies and other data and exfiltrates via common channels (email/FTP/Telegram/HTTP), while Aryaka Threat Labs described the **BlackSanta** campaign using steganographic lures and **BYOVD** techniques to disable EDR and enable stealthy data theft over HTTPS—underscoring that credential access and defense evasion remain common precursors to broader enterprise compromise.

1 month ago