Stolen credentials are the #1 way attackers get in. A walk through the three threats every identity threat detection program has to handle: nation-state and cybercrime APTs, the initial access broker market, and AiTM phishing kits.
Identity is the attack surface now.
Verizon's 2025 DBIR puts stolen credentials as the top initial access vector at 22% of confirmed breaches. Microsoft's 2024 Digital Defense Report logs 600 million identity attacks per day, of which more than 99% are password attacks. CrowdStrike's 2025 Global Threat Report counted 4,486 access broker advertisements in 2024, up 50% year over year, and noted that 79% of intrusions were malware-free. Mandiant's M-Trends 2025 ranks stolen credentials as the #2 initial infection vector at 16%, second only to exploits, having overtaken phishing for the first time in the report's history.
That is what CISO conversations actually sound like in 2025. The hard part is no longer building a wall around the network. The hard part is that anyone holding a valid session token walks in as the user.
This post is about three flavors of that problem: APTs running identity playbooks, an initial access broker market that is commoditizing the door, and "simple" phishing that still bypasses MFA at industrial scale. Then how identity threat detection and response (ITDR) actually has to work to keep up.
The most prolific intrusion sets of the last two years did not exploit a CVE on the way in. They logged in.
Scattered Spider (also tracked as UNC3944, Octo Tempest, Muddled Libra) is the canonical example: native English speakers, financially motivated, with operators primarily in the US and UK. Their 2023 hits on MGM Resorts and Caesars Entertainment shared a playbook: identify employees on LinkedIn, call the IT help desk impersonating them, request a password and MFA reset, then log into the SSO portal as that user. MGM filed an 8-K on September 12, 2023, within days of initial access, and later put the business impact at roughly $100M. Caesars paid roughly $15M to make the extortion go away. CISA's joint advisory AA23-320A (updated November 2024) catalogs an expanded TTP set including SIM swapping, MFA fatigue, and impersonation of Okta, Azure AD, and VPN providers. According to Flashpoint's tracking, eight in ten domains attributed to the group impersonate technology vendors.
The novel part is not the technique. The novel part is how cheap and effective it remains.
Midnight Blizzard (APT29, Cozy Bear) is the other shape of the same thing: nation-state, slower, more patient, equally identity-driven. The Microsoft corporate breach disclosed in January 2024 started with a password spray against a legacy non-production test tenant that did not have MFA. From there the attacker compromised a legacy test OAuth application that held elevated access, created further OAuth applications and granted them mailbox access, and read email belonging to senior leadership, security, and legal staff. Microsoft reported as much as a 10x increase in password spray volume in February 2024 as the campaign continued. The same actor had access to HPE's Office 365 mailboxes starting May 2023, which HPE disclosed in a January 2024 8-K.
Lapsus$, before the 2022 arrests of several members, ran the same playbook: SIM swaps, MFA fatigue, paying insiders, social engineering. The Okta incident from January 2022 is still cited in security questionnaires today. A support engineer at Sitel (an Okta support contractor) was compromised; Okta initially put up to 366 customer tenants in scope, and its final investigation concluded that two were actually accessed. The members were teenagers and young adults. The cost of admission to "nation-state grade access" was roughly the cost of patience and a SIM swap.
The pattern across all three: the attack surface is the identity, not the endpoint. A clean laptop logged into Okta with a hijacked session token is, from the platform's perspective, the user.
If APTs are running identity playbooks themselves, initial access brokers (IABs) are turning identity into a wholesale market.
CrowdStrike's 2025 Global Threat Report counted 4,486 access broker advertisements in 2024, a 50% YoY increase. SOCRadar's 2024 IAB tracking reported 58% of listings priced under $1,000 and 86% under $3,000. Typical corporate access lands in the $500 to $3,000 range. High-value targets clear $10,000.
What's being sold is not zero-days. It's:
IBM's X-Force 2024 Threat Intelligence Index put valid-account abuse at 30% of incidents, a 71% YoY increase, and tracked a 266% YoY rise in infostealer activity. The infostealer-to-IAB-to-ransomware pipeline is now a reliable supply chain, where each layer specializes.
For defenders, this changes the math. You are not defending against one attacker. You are defending against a market that is continuously testing your perimeter and reselling whatever it gets.
The Snowflake breach is the case study. Mandiant attributed roughly 165 customer-instance compromises to UNC5537 using credentials harvested by infostealers (Lumma, Vidar, Raccoon), some up to four years old, on tenants without MFA enforced and without network allowlists. Victims included Ticketmaster, AT&T, Santander, LendingTree, Advance Auto Parts, Neiman Marcus. Snowflake's own infrastructure was not breached. The credentials were old, the IAB market kept them in circulation, and the tenants stayed exploitable until somebody bought the right list.
The third leg is the part security teams have been working on for fifteen years and still cannot fully solve.
The 2025 DBIR put phishing at 16% of initial access, and noted the median time from email open to click is 21 seconds, with another 28 seconds to enter credentials. The window for prevention is roughly the time it takes to read this paragraph.
The 2024 to 2025 evolution of phishing is built around bypassing MFA, not breaking it.
Adversary-in-the-Middle (AiTM) toolkits are now phishing-as-a-service. The kit runs as a reverse proxy in front of the real login page, relays the victim's password and MFA response to the real service, and captures the session cookie the service issues in return; the attacker then replays that cookie from their own infrastructure. MFA is satisfied because the user genuinely completed the prompt; the kit simply inherits the result. The most active kits in late 2024 and into 2025:
Microsoft's 2024 Digital Defense Report logged a 146% YoY increase in AiTM phishing.
Help-desk vishing is the other half, and it was Scattered Spider's primary access pattern in 2024. The 2025 update is volume: CrowdStrike tracked a 442% increase in vishing between the first and second halves of 2024. The cost of running a phone call against a help desk is a rounding error compared to the value of the resulting access.
QR code phishing (quishing) is the least technical of the bunch. Microsoft's Defender team published detection improvements specifically for it through 2024. The appeal to attackers is simple: the QR code moves the victim from a managed mailbox to a personal phone, which generally sits outside the corporate email security stack and its URL inspection.
The thread connecting all of these is that they are not exotic. They are operationally cheap, reliably effective, and they bypass the layer of controls most enterprises spent the last decade building.
Identity threat detection and response is a category, not a product. To move the needle, an ITDR program needs to cover six things.
Identity inventory. Every human and non-human identity, every privileged role, every OAuth grant, every service account, every legacy auth path. The Midnight Blizzard intrusion at Microsoft landed through a legacy test tenant that had no MFA and had evidently fallen outside the controls applied to production. You cannot defend what you cannot enumerate.
Session-layer detection. At the moment of authentication a stolen-credential login is indistinguishable from the real user: correct password, MFA satisfied, IdP happy. The signal is in the session that follows: impossible travel, anomalous device fingerprints, anomalous OAuth scope grants, a session token reused from a new ASN. ITDR tooling that pulls SSO and IdP audit logs and cross-correlates them with EDR, network, and SaaS audit data is doing the actual work.
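A minimal version of that correlation, as an added example that is not code from the page or from Zaun: three detections run over constructed IdP audit events in a generic JSON-lines shape. The field names, session IDs, ASNs, device fingerprints and coordinates are all assumptions made up for the example, not any vendor's schema or real telemetry.

```python
import json
import math
from datetime import datetime

# Constructed sample events in a generic IdP audit shape (not any vendor's real schema).
# Session "sess-7f3a" is issued to Alice's laptop in Berlin and, minutes later, used from a
# different ASN and device fingerprint, then granted mailbox scopes: the AiTM cookie-replay
# pattern. Carol "logs in" from Berlin and Sydney thirty minutes apart. Bob is normal.
SAMPLE_EVENTS = """\
{"ts":"2025-03-04T08:02:11Z","user":"alice@example.com","event":"login.success","session":"sess-7f3a","ip":"203.0.113.10","asn":3320,"device":"fp-laptop-a1","lat":52.52,"lon":13.40,"scopes":[]}
{"ts":"2025-03-04T08:05:40Z","user":"alice@example.com","event":"token.use","session":"sess-7f3a","ip":"198.51.100.7","asn":14061,"device":"fp-headless-9c","lat":40.71,"lon":-74.00,"scopes":[]}
{"ts":"2025-03-04T08:06:02Z","user":"alice@example.com","event":"oauth.grant","session":"sess-7f3a","ip":"198.51.100.7","asn":14061,"device":"fp-headless-9c","lat":40.71,"lon":-74.00,"scopes":["Mail.ReadWrite","offline_access"]}
{"ts":"2025-03-04T09:15:00Z","user":"bob@example.com","event":"login.success","session":"sess-11c0","ip":"192.0.2.44","asn":3320,"device":"fp-laptop-b7","lat":48.85,"lon":2.35,"scopes":[]}
{"ts":"2025-03-04T09:40:00Z","user":"bob@example.com","event":"token.use","session":"sess-11c0","ip":"192.0.2.44","asn":3320,"device":"fp-laptop-b7","lat":48.85,"lon":2.35,"scopes":[]}
{"ts":"2025-03-04T10:00:00Z","user":"carol@example.com","event":"login.success","session":"sess-2ab4","ip":"203.0.113.77","asn":3320,"device":"fp-laptop-c2","lat":52.52,"lon":13.40,"scopes":[]}
{"ts":"2025-03-04T10:30:00Z","user":"carol@example.com","event":"login.success","session":"sess-2ab5","ip":"198.51.100.200","asn":16509,"device":"fp-laptop-c2","lat":-33.87,"lon":151.21,"scopes":[]}
"""

# Scopes whose grant warrants a look on its own (assumed list; tune to your tenant).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app", "Directory.ReadWrite.All"}
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; faster than this between logins is "impossible"
MIN_TRAVEL_KM = 50.0       # ignore geo-IP jitter inside one metro area

def parse_events(text: str) -> list:
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect(events_text: str) -> list:
    """Three session-layer detections over IdP audit events:
    session_replay    - a session used from an ASN/device other than the one it was issued to
    impossible_travel - consecutive logins by one user too far apart for the elapsed time
    risky_oauth_grant - a grant of high-risk scopes, escalated when the session is already replayed
    """
    alerts, issued, replayed, last_login = [], {}, set(), {}
    for e in parse_events(events_text):
        sid, user = e["session"], e["user"]
        if e["event"] == "login.success":
            issued[sid] = (e["asn"], e["device"])  # the ASN/device the IdP minted this session for
            prev = last_login.get(user)
            if prev is not None:
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                if km > MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                    alerts.append({"kind": "impossible_travel", "user": user, "session": sid,
                                   "km": round(km), "hours": round(hours, 2), "severity": "high"})
            last_login[user] = e
            continue
        origin = issued.get(sid)
        if origin is not None and (e["asn"], e["device"]) != origin and sid not in replayed:
            replayed.add(sid)
            alerts.append({"kind": "session_replay", "user": user, "session": sid,
                           "issued_to": origin, "used_from": (e["asn"], e["device"]), "severity": "high"})
        if e["event"] == "oauth.grant":
            risky = sorted(set(e["scopes"]) & HIGH_RISK_SCOPES)
            if risky:
                alerts.append({"kind": "risky_oauth_grant", "user": user, "session": sid, "scopes": risky,
                               "severity": "critical" if sid in replayed else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two design points worth carrying into a real deployment. The replay rule fires on a change of ASN or device fingerprint; in practice a laptop roaming from office wifi to a phone hotspot changes ASN legitimately, so the fingerprint change is the stronger of the two signals and the ASN change should add weight rather than decide on its own. And the OAuth rule is deliberately stateful: the same Mail.ReadWrite grant is a medium-severity item from the session's original device and a critical one from a session already seen replayed, which is the Midnight Blizzard shape (foothold first, mailbox-scoped OAuth application second).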
Help-desk hardening. Verification flows that do not rely on knowledge factors (employee ID, manager name, hire date) the attacker has already scraped from LinkedIn. Out-of-band confirmation for privileged resets. Recording every reset and replaying high-risk ones.
Phishing-resistant MFA in privileged paths. AiTM kits proxy passwords, TOTP codes, and push approvals because none of those carry any information about where the user typed or approved them. They cannot proxy WebAuthn or FIDO2: the browser records the origin it is actually on in the signed client data, the authenticator binds the assertion to the RP ID, and the private key never leaves the device, so an assertion produced on a phishing domain does not verify at the real IdP. Anywhere your IdP touches admin scopes, FIDO2 is the answer.
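Why that asymmetry holds, as an added example that is not code from the page or the product: a TOTP code typed into a proxy page is relayed unchanged and verifies at the real service, while a WebAuthn assertion carries the browser's real origin and the RP ID hash and fails at the real IdP. login.example.com and login.example-sso.net are hypothetical names, and an HMAC key shared with the relying party stands in for the authenticator's ECDSA key pair so the block runs on the standard library alone; that substitution is stated in the code.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

# --- TOTP (RFC 6238): a typed code says nothing about where it was typed, so a proxy relays it ---

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_verify(secret: bytes, code: str, t: int, skew: int = 1) -> bool:
    return any(hmac.compare_digest(totp(secret, t + 30 * i), code) for i in range(-skew, skew + 1))

def relay_totp_through_proxy(secret: bytes, now: int) -> bool:
    # Victim types a fresh code into the phishing page; the proxy forwards it 5 s later. Accepted.
    return totp_verify(secret, totp(secret, now), now + 5)

# --- WebAuthn: the assertion is bound to origin and RP ID, so a proxied login does not verify ---

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class DeviceAuthenticator:
    """Model of an authenticator. Real devices sign with a per-RP-ID ECDSA private key; an HMAC key
    shared with the RP stands in here. This models what gets signed, not the asymmetric crypto."""
    def __init__(self):
        self.keys = {}  # rp_id -> key: a credential is scoped to exactly one RP ID

    def register(self, rp_id: str) -> bytes:
        self.keys[rp_id] = os.urandom(32)
        return self.keys[rp_id]

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        key = self.keys.get(rp_id)
        if key is None:
            return None  # no credential for this RP ID: the device has nothing to sign with
        # authenticatorData = rpIdHash (32 bytes) || flags (UP) || signCount (4 bytes)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()
        return {"authenticatorData": b64url(auth_data), "clientDataJSON": b64url(client_data_json),
                "signature": b64url(sig)}

def browser_get(dev: DeviceAuthenticator, page_origin: str, rp_id: str, challenge: bytes):
    # The browser, not the page, writes clientDataJSON, and it records the origin the page is really
    # served from. It also refuses an rpId that is not the page host or a registrable suffix of it.
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("SecurityError: rpId is not valid for this origin")
    cdj = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    return dev.get_assertion(rp_id, json.dumps(cdj, separators=(",", ":")).encode())

def rp_verify(assertion: dict, key: bytes, rp_id: str, expected_origin: str, challenge: bytes):
    # Relying-party checks, in the order the WebAuthn assertion-verification procedure lists them.
    cdj_raw = b64url_dec(assertion["clientDataJSON"])
    cd = json.loads(cdj_raw)
    auth_data = b64url_dec(assertion["authenticatorData"])
    expected_sig = hmac.new(key, auth_data + hashlib.sha256(cdj_raw).digest(), hashlib.sha256).digest()
    checks = [(cd.get("type") == "webauthn.get", "wrong ceremony type"),
              (cd.get("challenge") == b64url(challenge), "challenge mismatch"),
              (cd.get("origin") == expected_origin, f"origin mismatch: {cd.get('origin')}"),
              (auth_data[:32] == hashlib.sha256(rp_id.encode()).digest(), "rpIdHash mismatch"),
              (hmac.compare_digest(expected_sig, b64url_dec(assertion["signature"])), "bad signature")]
    for ok, why in checks:
        if not ok:
            return False, why
    return True, "ok"

# Hypothetical names: the real IdP, and an AiTM proxy domain registered to resemble it.
REAL_ORIGIN, REAL_RP_ID = "https://login.example.com", "login.example.com"
PHISH_ORIGIN, PHISH_RP_ID = "https://login.example-sso.net", "login.example-sso.net"

def demo() -> dict:
    dev = DeviceAuthenticator()
    key = dev.register(REAL_RP_ID)
    challenge = os.urandom(32)  # issued by the real IdP; the proxy relays it verbatim
    legit_ok, _ = rp_verify(browser_get(dev, REAL_ORIGIN, REAL_RP_ID, challenge),
                            key, REAL_RP_ID, REAL_ORIGIN, challenge)
    try:  # proxy page asks for the real rpId: the browser refuses before the device is touched
        browser_get(dev, PHISH_ORIGIN, REAL_RP_ID, challenge)
        refused = False
    except ValueError:
        refused = True
    # proxy page asks for its own rpId: the device holds no credential scoped to it
    no_cred = browser_get(dev, PHISH_ORIGIN, PHISH_RP_ID, challenge) is None
    # most favourable case for the attacker: give the device a credential for the proxy domain too;
    # the assertion it signs still names the phishing origin, so the real IdP rejects it
    dev.register(PHISH_RP_ID)
    phished_ok, why = rp_verify(browser_get(dev, PHISH_ORIGIN, PHISH_RP_ID, challenge),
                                key, REAL_RP_ID, REAL_ORIGIN, challenge)
    return {"legit_accepted": legit_ok, "browser_refused_real_rpid": refused,
            "no_credential_for_proxy_rpid": no_cred, "phished_accepted": phished_ok, "phished_why": why}
```

Run `demo()` and `relay_totp_through_proxy(b"12345678901234567890", 59)` side by side: the relayed TOTP is accepted, the legitimate WebAuthn login is accepted, and every proxied WebAuthn path fails, at the browser, at the device, or at the relying party's origin check. The practical consequence for the help-desk and admin paths above is that it is the origin binding, not the second factor as such, that has to be present in the flow; a FIDO2 key enrolled but left as one option beside push or TOTP still leaves the proxied path open.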
Continuous response. Detection without enforcement is a dashboard. The control plane needs to revoke tokens, rotate credentials, force step-up authentication, and quarantine sessions automatically when a signal crosses its threshold.
Cross-source investigation. Identity intrusions do not live in one log source. The story is in the SSO log, the endpoint log, the SaaS audit log, the email log, and the network log, stitched together. Mandiant's M-Trends 2025 puts global median dwell time at 11 days. Stitching those sources together by hand is where investigation hours go, and whatever shortens investigation shortens the attacker's window.
We built Zaun to operate on this exact problem. The platform pulls identity telemetry across IdPs, SSO, SaaS, endpoint, and network into a single correlated graph and runs investigation autonomously. When the signal crosses a threshold, we contain, then explain.
For teams that want a 24/7 layer on top, our MDR offering plugs into the same platform. Same telemetry, same playbooks, same investigations.
If your identity attack surface keeps growing past what your team can staff against, come talk to us.