
Why Credential Attacks Increase During Geopolitical Tensions

23 March, 2026


When geopolitical tensions escalate, so does the volume and tempo of cyber activity. Organizations across critical sectors (infrastructure operators, financial institutions, public agencies) see intrusion attempts spike, often within hours of a developing situation. The methods vary by actor and objective, but the entry point is consistent: identity.

Credential-based attacks remain a dominant initial access vector precisely because they are fast, scalable, and difficult to distinguish from legitimate activity. During periods of heightened tension, those properties become more valuable to attackers operating under time pressure and resource constraints.

How credentials are stolen: the attack methods

In most campaigns, identity is where the attack begins. Credentials are cheap to steal, hard to attribute cleanly, and highly scalable. Attackers do not need zero-days when a valid account opens the same doors. MITRE ATT&CK classifies Valid Accounts (T1078) as a technique that serves initial access, persistence, privilege escalation, and defense evasion at once, which makes credential theft one of the most versatile tools in an attacker's arsenal.

The methods used to obtain them are well established and continuously evolving.

  1. Spearphishing remains the most targeted approach. Carefully crafted emails impersonate trusted entities such as government agencies, cloud providers, HR systems, and financial platforms, directing recipients to convincing fake login pages designed to harvest credentials in real time. During periods of geopolitical tension, lure content adapts rapidly to the news cycle, exploiting urgency and context to increase the likelihood of engagement.
  2. Smishing and vishing extend the same principle to mobile channels. SMS-based lures impersonating government services, banks, or emergency notifications direct targets to credential harvesting pages or socially engineer them into revealing access information directly. Voice-based impersonation, increasingly augmented by AI-generated audio, is used against high-value individuals where a phone call carries more perceived legitimacy than an email.
  3. Password spraying takes a different approach. Rather than targeting specific individuals, it tries a small number of common passwords against a large number of accounts, keeping the per-account attempt count below lockout thresholds so that no account-level control fires; spotting it requires correlating failures by source rather than by account. MITRE (T1110.003) notes the technique is specifically designed to keep the attacker quiet, which makes it attractive for espionage actors with long-term dwell objectives. Past incidents show how effective it can be: one documented intrusion began with a password spray against a legacy non-production test tenant, which provided a foothold that was then used to reach corporate email accounts belonging to senior leadership and security staff. No exploit was required. A weakly protected, overlooked account with a path into a high-value environment was sufficient.
  4. Adversary-in-the-middle frameworks go further by proxying the authentication flow in real time. The attacker's site sits between the user and the legitimate service, relays the password and the one-time code or push approval to the real login, and captures the session cookie the service issues once MFA has completed. Organizations that have deployed that kind of MFA therefore remain exposed: the second factor is relayed just like the password, and the resulting session token is a bearer credential that works equally well from the attacker's machine.
  5. MFA manipulation represents a further escalation. Past incidents have shown attackers brute-forcing an account and then enrolling or modifying its MFA registrations to keep persistent access. The objective is not just stealing a password but turning identity infrastructure itself into a persistence mechanism. Once an attacker controls MFA enrollment, they can survive password resets and hold the account indefinitely, so a reset is not a containment step unless the registered factors are reviewed and re-enrolled at the same time.
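The spray pattern in item 3 is detectable for the same reason it evades lockouts: it is wide across accounts and shallow on each one, so the signal only appears when failures are grouped by source. The following is an added example, not code from the original post or from any product it describes. It parses a constructed sign-in log (the `src=`/`user=`/`result=` format, the IP addresses, the account names and the thresholds are all assumptions for the example) and flags sources that failed against many distinct accounts while never exceeding a small number of failures on any one of them, along with any account that later accepted a login from the same source.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SampleLog is a constructed sign-in log in a simplified key=value form.
// 203.0.113.7 tries one guess per account across many accounts and hits on
// frank; 198.51.100.5 is one user mistyping their own password four times.
var SampleLog = []string{
	"2026-03-23T08:00:01Z src=203.0.113.7 user=alice result=failure",
	"2026-03-23T08:00:02Z src=203.0.113.7 user=bob result=failure",
	"2026-03-23T08:00:03Z src=203.0.113.7 user=carol result=failure",
	"2026-03-23T08:00:04Z src=203.0.113.7 user=dave result=failure",
	"2026-03-23T08:00:05Z src=203.0.113.7 user=erin result=failure",
	"2026-03-23T08:00:06Z src=203.0.113.7 user=frank result=success",
	"2026-03-23T08:31:00Z src=203.0.113.7 user=alice result=failure",
	"2026-03-23T08:31:01Z src=203.0.113.7 user=bob result=failure",
	"2026-03-23T08:05:10Z src=198.51.100.5 user=bob result=failure",
	"2026-03-23T08:05:20Z src=198.51.100.5 user=bob result=failure",
	"2026-03-23T08:05:31Z src=198.51.100.5 user=bob result=failure",
	"2026-03-23T08:05:45Z src=198.51.100.5 user=bob result=failure",
	"2026-03-23T08:06:02Z src=198.51.100.5 user=bob result=success",
	"2026-03-23T09:12:40Z src=192.0.2.9 user=carol result=failure",
}

// AuthEvent is one parsed sign-in record.
type AuthEvent struct {
	SourceIP string
	User     string
	Success  bool
}

// ParseEvents reads lines shaped like "<ts> src=<ip> user=<name> result=<success|failure>"
// and skips anything that does not carry all three fields.
func ParseEvents(lines []string) []AuthEvent {
	var events []AuthEvent
	for _, line := range lines {
		ev, seen := AuthEvent{}, 0
		for _, f := range strings.Fields(line) {
			if k, v, ok := strings.Cut(f, "="); ok {
				switch k {
				case "src":
					ev.SourceIP, seen = v, seen+1
				case "user":
					ev.User, seen = v, seen+1
				case "result":
					ev.Success, seen = v == "success", seen+1
				}
			}
		}
		if seen == 3 {
			events = append(events, ev)
		}
	}
	return events
}

// SprayFinding describes one source whose failure pattern has the spray shape.
type SprayFinding struct {
	SourceIP      string
	DistinctUsers int      // breadth: how many accounts were tried
	MaxPerUser    int      // depth: failures against the single most-tried account
	Successes     []string // accounts that accepted a login from the same source
}

// DetectSprays flags sources that failed against at least minUsers distinct accounts
// while never exceeding maxPerUser failures on any one of them. That wide-and-shallow
// shape is the spray signature: no per-account lockout counter ever trips, so the
// detection has to be keyed on the source, not on the account.
func DetectSprays(events []AuthEvent, minUsers, maxPerUser int) []SprayFinding {
	failures := map[string]map[string]int{}
	successes := map[string][]string{}
	for _, ev := range events {
		if ev.Success {
			successes[ev.SourceIP] = append(successes[ev.SourceIP], ev.User)
			continue
		}
		if failures[ev.SourceIP] == nil {
			failures[ev.SourceIP] = map[string]int{}
		}
		failures[ev.SourceIP][ev.User]++
	}
	var out []SprayFinding
	for ip, perUser := range failures {
		maxSeen := 0
		for _, n := range perUser {
			if n > maxSeen {
				maxSeen = n
			}
		}
		if len(perUser) >= minUsers && maxSeen <= maxPerUser {
			out = append(out, SprayFinding{ip, len(perUser), maxSeen, successes[ip]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].SourceIP < out[j].SourceIP })
	return out
}

func main() {
	for _, f := range DetectSprays(ParseEvents(SampleLog), 5, 3) {
		fmt.Printf("spray from %s: %d accounts, at most %d failures each, successes: %v\n",
			f.SourceIP, f.DistinctUsers, f.MaxPerUser, f.Successes)
	}
}
```

On the sample log this flags only 203.0.113.7 (five accounts, at most two failures each, one later success on frank); the user who mistypes their own password four times is deep on one account rather than wide and is left alone. In production the source key should be broader than a single IP, since spray tooling rotates through residential proxies: group by ASN, user agent or tenant-wide distinct-user failure rate over a window, and treat any success from a flagged group as an incident rather than a log line.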

In the context of state-linked operations, the stakes are considerably higher. Stolen credentials can open email systems, VPNs, cloud management consoles, SaaS applications, remote administration tools, supplier portals, and identity platforms that connect entire government or critical infrastructure environments. The entry point is a single account. The potential reach is the entire organization and, through it, connected supply chain partners.

Why passwords fail predictably

The persistence of this pattern is structural. Passwords remain the default authentication mechanism because they are operationally convenient and compatible with legacy systems. But they fail in consistent, exploitable ways.

Users reuse credentials across personal and professional accounts, so a breach of a low-value consumer service can yield a working login to enterprise systems. Legacy and service accounts accumulate over time with weak hygiene and no active owner to notice anomalous behavior. MFA deployments in most organizations layer a second factor on top of the same transferable-secret model rather than replacing it. Remote access infrastructure (VPN appliances, RDP endpoints, and cloud management consoles) creates externally reachable authentication points that are actively enumerated during elevated threat periods. Several widely deployed VPN products have had critical vulnerabilities exploited within days of disclosure during recent escalation periods, with credentials extracted from compromised appliances used to pivot deeper into target environments.

Once an attacker has a valid account, they operate as a legitimate user. Activity blends into normal usage patterns. Detection shifts from signature-based controls to behavioral anomaly detection, a capability that requires a level of visibility most organizations have not yet achieved.

Credentials are not the end goal. They are the operating system of the campaign.

Understanding why credential theft matters requires looking past the initial access event to what follows. A stolen account is not the objective. It is the platform from which everything else is executed.

  1. Espionage. With access to email, cloud storage, collaboration tools, and document repositories, an attacker can conduct sustained intelligence collection with no malware, no exploits, and no network anomalies that would trigger conventional detection. Communications between executives, operational plans, contract details, personnel records, and policy deliberations are all accessible through a single compromised account with the right permissions.
  2. Disruption and sabotage. Credentials provide the access required to interact with operational systems, modify configurations, delete data, or deploy destructive payloads. Wiper malware deployments, which do not exfiltrate data but permanently destroy it, have been executed using legitimate administrative credentials and device management infrastructure, requiring no exploitation of technical vulnerabilities. The credential is the weapon delivery mechanism.
  3. Influence and information operations. Compromised accounts belonging to public figures, journalists, officials, or institutions can be used to spread disinformation, leak selectively edited material, or impersonate trusted voices at critical moments. Past incidents during conflict periods have included the use of compromised government email accounts to conduct further phishing against connected organizations, using the trust associated with a legitimate sender to extend the campaign's reach.

The through-line across all three is the same. The credential provides legitimacy. Legitimacy provides access. Access enables the operation. Addressing credential exposure is therefore not a narrow technical concern. It is foundational to the organization's ability to resist espionage, maintain operational integrity, and protect the people and systems it is responsible for.

What a more resilient identity model looks like

Reducing exposure requires moving away from the transferable secret model rather than adding layers on top of it.

The core problem is not just that passwords are weak. It is that passwords are stored, and anything stored can be stolen, replicated, or harvested at scale. A more resilient model removes stored credentials from the equation entirely, delivering a passwordless experience to the user while ensuring there is no static secret sitting in a database or travelling across a network for an attacker to intercept. This is particularly important for organizations running legacy infrastructure, where systems were built around password-dependent authentication and cannot simply be replaced. The right approach meets those environments where they are and removes the credential risk without requiring a full infrastructure overhaul.

Phishing-resistant authentication, specifically FIDO2/WebAuthn credentials including passkeys, replaces the shared secret with a cryptographic key pair. The private key stays on the authenticator and the credential is scoped to the relying party's domain; what crosses the network is a signature over a server-issued challenge and the origin the browser observed, which cannot be replayed against a different challenge or presented from a different site. There is no credential to harvest because nothing transferable is exchanged. This directly defeats the adversary-in-the-middle techniques that bypass traditional MFA and removes the risk from fake login pages, since the browser will not use the credential on a spoofed domain and the service rejects an assertion signed for any origin but its own.
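To make concrete why the proxy described under adversary-in-the-middle above gets nothing from an origin-bound credential, here is an added example in Go; it is not code from the original post or from any product it describes. It models a toy authenticator (one P-256 key pair), a user agent that enforces the RP ID rule before it will sign anything, and a relying party that checks the challenge, the origin and the signature. The relying party name `login.example.com`, the look-alike attacker host and the simplified `authData` are assumptions for illustration; the signature counter, attestation and user-verification flags of a real WebAuthn assertion are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// The legitimate relying party; both names are assumptions for this example.
const rpID, rpOrigin = "login.example.com", "https://login.example.com"
type clientData struct { // the CollectedClientData fields that matter here
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() returns to the calling page.
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// Authenticator is a toy device-bound credential registered to rpID: one P-256
// key pair whose private half never leaves this struct.
type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{key: k}, err
}

func signedMessage(authData, clientDataJSON []byte) []byte { // authData || sha256(clientDataJSON)
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return digest[:]
}

// sign builds an assertion for whatever origin it is handed; only BrowserGet should call it.
func (a *Authenticator) sign(origin, challenge string) (*Assertion, error) {
	cdj, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // rpIdHash || flags (bit 0: user present)
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, cdj))
	return &Assertion{ClientDataJSON: cdj, AuthData: authData, Signature: sig}, err
}

// BrowserGet models the user agent: it records the origin of the requesting page (script
// cannot choose it) and refuses a credential whose RP ID is not that host or a suffix of it.
func (a *Authenticator) BrowserGet(pageOrigin, challenge string) (*Assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("credential scoped to %q is not usable from %q", rpID, pageOrigin)
	}
	return a.sign(pageOrigin, challenge)
}

// VerifyAssertion is the relying party's check; the origin comparison defeats a proxy
// even if some client produced an assertion for the wrong site.
func VerifyAssertion(pub *ecdsa.PublicKey, issuedChallenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Challenge != issuedChallenge:
		return fmt.Errorf("challenge mismatch: not the nonce we issued")
	case cd.Origin != rpOrigin:
		return fmt.Errorf("origin mismatch: assertion was signed for %s", cd.Origin)
	case !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Login runs one ceremony from a page at pageOrigin; an AiTM kit relays the RP's genuine
// challenge unchanged. strictClient=false models a client that skips the RP ID check.
func Login(a *Authenticator, pageOrigin string, strictClient bool) error {
	nonce := make([]byte, 32) // fresh per ceremony; never reused
	rand.Read(nonce)
	ch := fmt.Sprintf("%x", nonce)
	get := a.BrowserGet
	if !strictClient {
		get = a.sign
	}
	as, err := get(pageOrigin, ch)
	if err != nil {
		return err
	}
	return VerifyAssertion(&a.key.PublicKey, ch, as)
}

func main() {
	a, _ := NewAuthenticator()
	evil := "https://login.example.com.evil.example"
	fmt.Println("real site:", Login(a, rpOrigin, true))
	fmt.Println("proxy, browser enforces RP ID:", Login(a, evil, true))
	fmt.Println("proxy, defective client:", Login(a, evil, false))
}
```

The proxy loses twice: the browser will not exercise a credential registered to `login.example.com` from a page on the attacker's host, and even an assertion produced by a client that ignored that rule names the attacker's origin inside the signed `clientDataJSON`, which the relying party rejects. Contrast this with the OTP and push flows in the attack list, where nothing in the second factor is bound to the site the user is actually looking at. A production relying party additionally keeps an explicit list of accepted origins and checks the signature counter for cloned authenticators.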

Not all passwordless implementations take the same approach to where, and whether, a credential is stored. Most replace the password with a credential stored on the device: a passkey, a hardware token, or a certificate. The risk shifts rather than disappears, and how far it shifts depends on whether the private key is held in hardware that will not export it or is synced between devices through a cloud account with its own recovery path. A more complete approach uses confidential computing protocols to derive credentials at the moment of authentication rather than storing anything at all. There is no vault, no device-bound secret, and no recovery key that can be extracted. The credential is generated, used, and gone. For organizations running legacy infrastructure, this approach integrates directly with existing enterprise identity and corporate services without requiring infrastructure replacement.

The broader point

Credential attacks will remain prevalent for as long as access depends on information that can be transferred. The goal is not to eliminate that risk entirely but to reduce the opportunities for it to succeed and limit what an attacker can accomplish when it does.

During periods of geopolitical instability, the pace of attack increases and the objectives behind those attacks broaden. Organizations that have reduced reliance on static credentials are meaningfully better positioned than those still operating on the assumption that a username, password, and OTP are sufficient.

Identity is no longer one layer among many. It is the perimeter.

If this is a challenge your organization is working through, we would be glad to walk you through how others in similar environments are approaching it. Request a private briefing to see what a passwordless experience looks like in practice.
