In our upcoming 2025 Talos Year in Review, attacks on identity emerged as the dominant theme across multiple vectors. Attackers are not so much trying to batter down doors with noisy exploits; increasingly, they’re looking to be invited in as a recognized user. And once inside, their goal is to operate as if they own the place.
Most organizations have boundaries—segmentation and authentication—but when consent is manipulated (e.g., through social engineering), the system can authorize the intrusion itself.
One of the most common techniques we see involves attackers persuading victims to read out their multi-factor authentication request code in real time, often over the phone, posing as IT support or a trusted vendor. In other cases, adversary-in-the-middle phishing kits proxy the legitimate login page and capture the one-time code as it’s entered.
The code is valid, the authentication succeeds, and the session is issued.
In 2025, nearly a third of MFA spray attacks targeted identity access management (IAM) applications. Add to that a 178% surge in fraudulent device registration events, and the trend is clear: attackers are targeting the mechanisms that issue invitations first.
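Because a relayed or proxied code produces a sign-in that looks fully valid, MFA success by itself is not a useful signal; one defensive angle is to correlate it with what happens next. The sketch below is an added example, not Talos code: it flags a device registration that follows, within a short window, an MFA-satisfied sign-in from an IP address never seen before for that user. The event schema, field names, 10-minute window and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from any real tenant); the schema is an assumption.
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "user": "alice", "type": "signin", "ip": "198.51.100.10", "mfa": True},
    {"ts": "2025-03-02T09:05:00", "user": "alice", "type": "signin", "ip": "198.51.100.10", "mfa": True},
    # MFA succeeds from an address alice has never used ...
    {"ts": "2025-03-03T14:00:00", "user": "alice", "type": "signin", "ip": "203.0.113.77", "mfa": True},
    # ... and a new authenticator is enrolled four minutes later from the same address.
    {"ts": "2025-03-03T14:04:00", "user": "alice", "type": "device_registered", "ip": "203.0.113.77", "device": "authenticator-2"},
    # bob enrolls a device from his usual address: expected to stay quiet.
    {"ts": "2025-03-04T10:00:00", "user": "bob", "type": "signin", "ip": "192.0.2.5", "mfa": True},
    {"ts": "2025-03-05T10:00:00", "user": "bob", "type": "signin", "ip": "192.0.2.5", "mfa": True},
    {"ts": "2025-03-05T10:02:00", "user": "bob", "type": "device_registered", "ip": "192.0.2.5", "device": "phone-2"},
]

def suspicious_registrations(events, window=timedelta(minutes=10)):
    """Return (user, device, ip, ts) for registrations that closely follow
    an MFA-satisfied sign-in from a first-seen IP for that user."""
    known_ips = {}    # user -> IPs seen on earlier MFA sign-ins
    last_new_ip = {}  # user -> (time, ip) of latest MFA sign-in from a first-seen IP
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["type"] == "signin" and e.get("mfa"):
            seen = known_ips.setdefault(user, set())
            # The very first sign-in only establishes the baseline.
            if seen and e["ip"] not in seen:
                last_new_ip[user] = (t, e["ip"])
            seen.add(e["ip"])
        elif e["type"] == "device_registered":
            hit = last_new_ip.get(user)
            if hit and timedelta(0) <= t - hit[0] <= window and e["ip"] == hit[1]:
                alerts.append((user, e["device"], e["ip"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in suspicious_registrations(EVENTS):
        print("review device registration:", alert)
```

In practice the baseline would key on more than the IP address (ASN, device fingerprint, geography), since users legitimately change networks.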