Hacking

New Tools for Identity Compromise

Published  ·  4 min read

Attackers are no longer trying to break systems first.
They are trying to become users.
Once identity is compromised, most defenses step aside.
No exploit chains are required.
Access looks legitimate.
In 2026, identity compromise is usually quieter, faster, and more scalable than malware deployment.

What “New Tools” Really Means
Most tools are not new in concept.
What is new is how they are combined, automated, and aimed directly at identity infrastructure.
Current tooling focuses on:
1. Token abuse
2. Session hijacking
3. OAuth misbinding
4. MFA fatigue and bypass
5. Passwordless flow abuse

Tool Category 1: Token and Session Theft
Modern identity attacks often skip passwords entirely.
Tools Seen in the Wild
1. Evilginx
2. Modlishka
3. Open-source reverse proxies
4. Custom cloud-hosted phishing kits
These tools steal session cookies and tokens, not credentials.

Example: Evilginx Session Capture
Once a victim completes MFA, the session cookie is captured.
From the attacker side:
evilginx -p phishing_phishlet.yaml
The stolen cookie allows direct access to cloud services without reauthentication.
No malware.
No alerts.
No brute force.

Tool Category 2: OAuth and Consent Abuse
OAuth has become a favorite entry point.
Common Attack Pattern
1. User consents to a malicious app
2. App receives long-lived tokens
3. Access persists even after password reset

Tools Used
1. Postman
2. Custom OAuth clients
3. Browser dev tools

Example: Token Inspection
jwt_tool eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9

You are looking for the following:
1. Broadly scoped tokens
2. Tokens with "offline access"
3. Tokens that have a long expiration time
It is important to remember that typically the life of these tokens extends beyond the incident response time frame.

Tool Category 3: MFA Fatigue and Push Abuse
MFA is not bypassed.
It is worn down.
Tools and Techniques
1. Automated Push Request Generation Tools
2. Custom Scripts that Attempt to Authenticate using MFA.
3. Timing Attacks at Working Hours.

Example: Push Flood Script 
while True:
    send_mfa_push(user_id)
    time.sleep(5)
Eventually, someone clicks “Approve” just to stop the noise.
This remains disturbingly effective.

Tool Category 4: Cloud Identity Enumeration
Before compromise, attackers map identity posture.
Tools Commonly Used
1. AzureADInternals
2. BloodHound (Azure / Entra)
3. Roadtools

Example: Azure Identity Recon
roadrecon auth --username [email protected]
roadrecon gather

Results reveal:
1. Conditional access gaps
2. Legacy protocols
3. Overprivileged service accounts
Identity weaknesses become obvious quickly.

Tool Category 5: Service Account Abuse
Service accounts are still among the easiest targets of attack.
Common Problems:
1. No MFA
2. Long-lived Keys
3. Over-permissioned

The Methodology
1. Cloud CLI Tools
2. Secrets Scanner Tools

Example of Leaked Cloud Credentials:
aws sts get-caller-identity
If this command returns a successful response, then the identity has already been compromised, and no exploits are needed.

Example Incident: Non-Malware Identity Access
Investigated incident timeline:
1. Phishing Page proxy for Cloud login
2. Session cookie was obtained after MFA completion
3. Email and File access
4. Added OAuth App for Persistence
5. Password reset performed by Defenders
6. Access for Attacker continues regardless
At no time was malware deployed.

Why Detection Is Still Hard
Identity compromise blends into normal behavior.
Reasons include:
1. Legitimate IP ranges
2. Valid tokens
3. Normal user agents
4. Approved login flows
Traditional indicators fail.

Successful Detection
Timely detection of attacks is based on the following factors:
1. App registration for new OAuth applications
2. Token lifetime anomalies
3. Multi-Factor Authentication (MFA) push notification frequency
4. Unusual activity in regard to consent
5. Unusual behavior by service accounts

An example of the Agent App Review would be:
Get-AzureADServicePrincipal | Where-Object {$_.ReplyUrls.Count -gt 0} 
to identify persistence.

Defensive Improvements That Matter
Based on real incidents:
1. Shorten token lifetimes
2. Restrict OAuth scopes aggressively
3. Alert on new consent grants
4. Protect service accounts like admins
5. Treat identity logs as primary telemetry
Identity is now the perimeter.

Key Takeaways
1. Identity compromise rarely needs malware
2. Tokens matter more than passwords
3. OAuth is a major persistence vector
4. MFA can be abused without bypassing it
5. Legitimate access is the hardest to detect
If access looks normal, verify it anyway.

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067