Beyond MFA: Identity Abuse Through Token Interception and Consent Manipulation

Published On : 2026-01-08

EXECUTIVE SUMMARY

Multi-Factor Authentication (MFA) has long been positioned as a definitive control against credential-based attacks. However, recent phishing campaigns demonstrate a fundamental change in how adversaries compromise user accounts. Rather than targeting passwords or bypassing MFA, attackers increasingly exploit identity trust mechanisms, such as session tokens and OAuth authorization flows.

This report analyses two emerging identity abuse patterns:

  • Session interception via adversary-in-the-middle phishing
  • Authorization abuse via user-assisted consent manipulation

Both techniques achieve persistent account access without defeating MFA or capturing credentials. These attacks operate entirely within legitimate authentication and authorization workflows, making them difficult to detect using traditional security controls.

Threat Landscape Shift: From Credentials to Identity Artifacts

Phishing attacks have historically relied on credential theft, where the primary focus was on authentication data, such as usernames and passwords. In this model, the possession of credentials alone was sufficient to assume a user’s identity, making credential harvesting a highly effective attack vector.

The adoption of defensive enhancements such as MFA sharply reduced the effectiveness of this model: an attacker holding only the password could no longer progress past the secondary verification step.

In response, adversaries shifted their focus from authentication secrets to post-authentication trust artifacts: data elements generated after successful authentication that represent an already verified identity, including session cookies, access tokens, OAuth authorization grants, and delegated API permissions.

Possession of these artifacts allows an attacker to inherit the victim’s authenticated state without defeating MFA or re-authenticating; from the perspective of dependent applications, the attacker’s activity is indistinguishable from that of the legitimate user. This reflects a broader change in attack philosophy: rather than attempting to break authentication controls, attackers exploit how identity systems are designed to share trust across services.

Modern identity architecture prioritizes seamless access and interoperability, which creates opportunities for abuse when trust artifacts are exposed or misused. Phishing therefore increasingly targets these authentication artifacts rather than raw credentials.

Identity Interception via Adversary-in-the-Middle Phishing

Technique Overview

In this attack model, the adversary deploys a controlled intermediary infrastructure that transparently relays authentication traffic between the victim and a legitimate identity service. The victim is presented with an authentic login experience, while the attacker passively observes and manipulates the authentication exchange in real time.

Instead of attempting to bypass authentication controls, the attacker leverages the legitimate authentication flow: credentials and MFA challenges are forwarded to the legitimate service, and upon successful authentication, the resulting session artifacts are intercepted by the adversary. These artifacts represent a valid authenticated session state and can be replayed by the attacker without additional user involvement.

The attack vector does not rely on deception at the authentication layer but abuses the implicit trust placed in session tokens once authentication has been completed, effectively inheriting the victim’s identity rather than impersonating it.

Key Characteristics

  • MFA is successfully completed by the victim
  • No brute force or credential guessing occurs
  • Session tokens are valid and signed
  • Login telemetry appears legitimate

Post-Compromise Activity Patterns

Following the establishment of session control, attacker activity transitions quickly from access acquisition to operational execution, with patterns consistent with automated, pre-staged workflows.

Observed attacker behaviour following session acquisition includes:

  • Rapid creation of inbox or message filtering rules
  • Immediate outbound messaging activity
  • Access to cloud-hosted resources inconsistent with user history
  • Minimal dwell time between login and action

The consistency and speed of post-compromise actions indicate automated tooling designed to exploit session-level access before detection. These behaviors reflect a deliberate strategy to maximize impact while minimizing exposure time.

Consent Manipulation: A New Authorization Abuse Pattern

Technique Overview

This methodology showcases an evolution in identity abuse, targeting authorization workflows rather than authentication processes. Instead of intercepting login traffic or stealing credentials, the attacker exploits legitimate OAuth authorization mechanisms that are designed to enable secure, user-approved access between applications.

Here, the attacker persuades the victim to initiate a valid authorization flow with a trusted identity provider. Once the victim successfully authenticates and grants consent, the victim is manipulated into transferring authorization-related data (such as an authorization code or a redirect URL containing one) to attacker-controlled infrastructure.

The attacker then reuses the legitimately issued authorization data to obtain access tokens on their own system; these tokens grant authenticated, API-level access to the victim’s account, often with broad or persistent permissions. The attack does not rely on a software flaw: it abuses the user’s trusted role within the authorization workflow.

Why This Technique Is Effective

  • No credentials are stolen
  • MFA is not challenged
  • Authorization appears user-approved
  • Tokens may remain valid long-term

The above represents authorization abuse rather than authentication compromise: the attacker does not impersonate the user; they operate as a trusted delegate within the identity ecosystem.

Strategic Implications

This technique highlights a critical blind spot in modern identity security: authorization events are rarely monitored with the same rigor as authentication events. Consent manipulation attacks demonstrate that user approval alone is no longer a reliable indicator of benign intent, particularly when authorization workflows are repurposed through deception.

Converging Attack Logic: Different Paths, Same Outcome

Session interception and consent manipulation differ in execution, but they are driven by the same underlying attacker objective: unauthorized acquisition of trusted identity artifacts that confer legitimate access.

Rather than exploiting software vulnerabilities in authentication systems, these techniques operate within established identity frameworks, completing their normal flows to obtain artifacts that downstream services trust.

Aspect                 Session Interception          Consent Manipulation
Primary target         Authenticated session token   OAuth access token
MFA interaction        Completed legitimately        Completed legitimately
User suspicion         Low                           Very low
Detection difficulty   High                          Very high

These techniques demonstrate a clear convergence in adversary tradecraft toward authorization-centric abuse. Both artifacts serve as proof of identity, granting an attacker the same effective privileges, trust relationships, and access scope as the legitimate user.

This convergence reflects a broader strategic shift:

  • From breaking security controls to exploiting trust assumptions
  • From credential compromise to identity state theft
  • From noisy intrusion techniques to protocol-compliant misuse

MITRE ATT&CK Mapping

ATT&CK Tactic                    Technique ID   Technique Name
Initial Access                   T1566          Phishing
Credential Access                T1528          Steal Application Access Token
Persistence                      T1098          Account Manipulation
Defense Evasion                  T1562          Impair Defenses
Lateral Movement (Conditional)   T1021          Remote Services

Detection Methodologies

Identity-based attacks that abuse session and authorization artifacts significantly reduce traditional detection signals, but they are not entirely silent. Detection is still possible when analysis shifts away from static indicators and toward behavioral deviations within the identity lifecycle.

  • Identity Behavior Anomalies: configuration or account setting changes occurring moments after successful authentication; high-frequency or bulk operations executed shortly after login.
  • Messaging and Communication Abuse: rapid creation of filtering, forwarding, or suppression rules designed to evade detection; sudden spikes in outbound messages that exceed historical baselines; repetitive or templated content distributed at scale.
  • Authorization and Token Misuse Signals: consent grants that do not align with the user’s typical application usage; permission scopes that exceed the functional requirements of the user’s role.
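One way to implement these signals over identity audit logs, as an added example that is not part of the original report; the events, the per-role scope baseline, the five-minute dwell threshold and the outbound-volume baseline are all constructed assumptions:

```python
from datetime import datetime, timedelta

# Constructed audit events (not real telemetry). alice: sign-in followed within
# seconds by an inbox rule and a bulk send; bob: a rule created hours later;
# carol: a consent grant whose scopes exceed her role baseline.
EVENTS = [
    {"ts": "2026-01-08T09:00:00", "user": "alice", "type": "SignIn", "mfa": True},
    {"ts": "2026-01-08T09:00:41", "user": "alice", "type": "New-InboxRule",
     "detail": "MoveToFolder=RSS Feeds"},
    {"ts": "2026-01-08T09:01:10", "user": "alice", "type": "Send", "count": 250},
    {"ts": "2026-01-08T10:15:00", "user": "bob", "type": "SignIn", "mfa": True},
    {"ts": "2026-01-08T14:30:00", "user": "bob", "type": "New-InboxRule",
     "detail": "MoveToFolder=Receipts"},
    {"ts": "2026-01-08T11:00:00", "user": "carol", "type": "ConsentGrant",
     "app": "Notes Helper",
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]},
]

# Hypothetical per-role scope baseline; a real deployment derives this from
# the user's role and the application's functional requirements.
ROLE_SCOPES = {"alice": {"User.Read"}, "carol": {"User.Read", "Files.Read"}}

DWELL_LIMIT = timedelta(minutes=5)  # "minimal dwell time between login and action"
SEND_BASELINE = 40                  # constructed per-user outbound baseline


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events, role_scopes, dwell_limit=DWELL_LIMIT, send_baseline=SEND_BASELINE):
    """Return (user, finding) tuples for the behavioural signals in the report."""
    findings = []
    last_signin = {}
    for e in sorted(events, key=_ts):
        user, kind = e["user"], e["type"]
        if kind == "SignIn":
            # A successful (MFA-backed) sign-in is the anchor, not a signal on its own.
            last_signin[user] = _ts(e)
        elif kind in ("New-InboxRule", "Send"):
            since = _ts(e) - last_signin.get(user, datetime.min)
            if since <= dwell_limit:
                findings.append((user, f"{kind} {int(since.total_seconds())}s after sign-in"))
            if kind == "Send" and e.get("count", 0) > send_baseline:
                findings.append((user, f"outbound volume {e['count']} exceeds baseline"))
        elif kind == "ConsentGrant":
            # Scopes the user's role does not require: a consent-abuse signal.
            extra = sorted(set(e["scopes"]) - role_scopes.get(user, set()))
            if extra:
                findings.append((user, f"consent to {e['app']} exceeds role: {extra}"))
    return findings
```

Sign-in events never produce a finding by themselves; bob's rule, created hours after login, is correctly ignored, while alice's rapid rule creation and bulk send and carol's over-broad grant are each flagged.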

Strategic Implications

These attack techniques demonstrate that successful authentication can no longer be treated as a definitive indicator of legitimacy. Identity systems increasingly function as distributed trust brokers, and attackers are actively exploiting this trust propagation.

Organizations that continue to model identity as a static control point, validated once at login, will struggle to detect abuse that occurs entirely within legitimate workflows. Effective defence requires continuous identity validation, incorporating context, behaviour, and intent throughout the session lifecycle.

Recommendations

  • Treat identity artifacts (session tokens, access tokens, authorization grants) as high-value security assets and apply monitoring and controls equivalent to credentials.
  • Implement continuous identity validation by analysing post-authentication behaviour rather than relying solely on successful login events.
  • Reduce session and token lifetimes to limit the replay window available to attackers operating with stolen or misused identity artifacts.
  • Enforce strict authorization governance, including least-privilege permission scopes and regular review of delegated access grants.
  • Monitor authorization lifecycle events, such as consent grants, token refreshes, and API access, independently from authentication telemetry.
  • Correlate login events with immediate post-authentication activity, including configuration changes, messaging behaviour, and service access patterns.
  • Automate response actions for high-risk identity behaviour, such as token revocation, session termination, or step-up authentication.
  • Limit user-initiated authorization where possible and require administrative approval for high-impact permission grants.
  • Expand security awareness training to include authorization abuse, emphasizing the risks of sharing URLs, authorization data, or access artifacts.
  • Develop identity-focused incident response playbooks that address token theft, authorization misuse, and delegated access compromise.
  • Incorporate identity abuse scenarios into threat modelling and detection validation exercises to ensure readiness against authorization-centric attacks.

Conclusion

The attacks examined in this report demonstrate that modern phishing no longer seeks to defeat security controls—it exploits them. By abusing trusted identity and authorization workflows, adversaries obtain legitimate access without triggering traditional detection mechanisms.

Session tokens and authorization grants now represent the primary targets, allowing attackers to operate within normal identity contexts while minimizing forensic visibility. As a result, successful authentication and user-approved access can no longer be treated as indicators of benign activity.

Defending against this threat requires a shift from credential-focused security to continuous identity behaviour analysis, where access is evaluated based on usage, context, and intent. Organizations that fail to adapt will remain exposed as identity systems continue to prioritize trust propagation over verification.