Live · Fri, Jun 5, 2026 · 14:06 UTC Block 843,917 Fees 14 sat/vB Fear & Greed 72 · Greed
ITop Field News.
Cybersecurity desk

Identity-based attacks in Australia: how they work and how to stop them

Identity-based attacks are now the most common path into Australian organisations, yet many IT teams are still defending against the tactics of five years ago. Here is how these attacks actually work and what effective defences look like.

Photo by Dan Nelson on Unsplash

Identity-based attacks have quietly overtaken malware-laden email attachments as the primary entry point for breaches in Australian organisations. Adversaries no longer need to break in; they log in. Using stolen credentials, hijacked sessions, or bypassed multi-factor authentication, attackers can move through an environment for days or weeks before triggering any alert. The result is not just data theft but operational disruption, regulatory exposure, and, increasingly, ransom demands backed by the threat of public disclosure.

Understanding how these attacks actually unfold is the first step toward stopping them. The techniques have grown more sophisticated since the credential-stuffing waves of the early 2020s, and the defences need to keep pace.

The main types of identity-based attacks

Credential stuffing is still the highest-volume threat. Attackers buy or scrape lists of username-and-password pairs from previous breaches, then automate login attempts across banking portals, government services, and corporate SaaS platforms. Because password reuse remains widespread, even well-publicised breach lists from years ago still yield live accounts. The Notifiable Data Breaches scheme has documented hundreds of incidents where compromised credentials from one organisation enabled downstream intrusions elsewhere.

Phishing-as-a-service has lowered the skill floor dramatically. Kits sold on criminal forums now ship ready-made adversary-in-the-middle (AiTM) reverse proxies that sit between the victim and the legitimate login page, relaying the password and the time-based one-time password (TOTP) or SMS code to the real site while silently capturing the session cookie it issues. The one-time code is not cracked; it is simply forwarded within its validity window, which is why these factors offer little protection against this attack. The technique has been used against Australian financial institutions and government contractors in recent years.

Password spraying is designed to evade account lockout policies. Instead of hammering one account with many passwords, attackers try a single common password across thousands of accounts, so no individual account ever crosses the lockout threshold. It is slow, patient, and effective, particularly against Microsoft 365 and Microsoft Entra ID (formerly Azure Active Directory) tenancies, which dominate Australian enterprise environments. Combined with a list of valid usernames harvested from LinkedIn or a company directory (corporate usernames usually follow a predictable firstname.lastname pattern), the success rate climbs significantly.

Business email compromise (BEC) often begins with identity theft but ends as a financial crime. Once an attacker has access to an executive's email account, they use conversation hijacking, invoice fraud, or payment redirection to extract money. Australian businesses lost hundreds of millions of dollars to BEC in recent years, and the Australian Federal Police has linked many incidents to organised groups operating out of West Africa and Eastern Europe.

Why MFA alone is not enough

The widespread rollout of multi-factor authentication across Australian organisations was a genuine step forward, but it has not ended identity-based attacks. It has redirected them. Attackers have adapted with three main techniques.

MFA fatigue, also called prompt bombing, involves sending repeated push notification requests to a target's authenticator app until the user approves one out of frustration or confusion. High-profile incidents overseas have demonstrated this technique against organisations with mature security teams. Australian enterprises using push-based MFA without number matching or additional context prompts remain exposed.

SIM swapping exploits the telco layer. By convincing a mobile carrier to transfer a victim's phone number to an attacker-controlled SIM, the attacker intercepts SMS one-time codes. Australia's telecommunications industry has strengthened porting rules following regulatory pressure, but the technique has not disappeared entirely.

Token theft, enabled by AiTM phishing or by infostealer malware on the endpoint, sidesteps MFA entirely by lifting authenticated session material (browser cookies, or the OAuth access and refresh tokens cached by desktop clients) from a browser profile or credential store. The token is replayed from the attacker's machine and inherits a fully authenticated session without a credential or code ever being entered; unless the identity provider binds tokens to the device that obtained them, it cannot distinguish the replay from the original session.

What effective defences actually look like

Moving to phishing-resistant MFA is the single highest-return defensive action for most Australian organisations right now. FIDO2 passkeys and hardware security keys resist AiTM relay because the authenticator signs the server's challenge together with the origin the browser is actually connected to; a proxy on a look-alike domain can relay the challenge, but the assertion it gets back names the wrong origin and the real site rejects it. Two caveats matter in practice: passkeys stop the credential from being phished but do not protect a session token stolen after login, so token theft defences still matter; and a passkey rollout is only as strong as its fallback, so legacy factors should be removed from accounts once they have been migrated. Microsoft and Google both support passkeys natively in their identity platforms, and the Essential Eight maturity model now treats phishing-resistant MFA as a baseline expectation at Maturity Level 2 and above.
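The difference between a relayable factor and an origin-bound one is easiest to see in code. The simulation below is an added example, not code from the article or from any vendor: a relying party that accepts either password plus TOTP or a WebAuthn-style assertion, a victim browser, and an AiTM proxy on a look-alike domain. The origins, the victim password and the credential are constructed for the demo, and WebAuthn's asymmetric signature is stood in for by an HMAC over a per-credential secret, so that the block runs with only the standard library; the origin check in `login_webauthn` is the point, not the signature scheme.

```python
"""AiTM phishing versus TOTP and versus FIDO2/WebAuthn, as a self-contained
simulation. Added example, not code from the article. WebAuthn's asymmetric
signature is stood in for by HMAC over a per-credential secret shared between
authenticator and relying party; the origin-binding check is the point."""
import hashlib
import hmac
import json
import secrets
import struct
import time

REAL_ORIGIN = "https://login.example.com.au"    # assumed legitimate site
PHISH_ORIGIN = "https://login.example-com.au"   # assumed look-alike proxy domain
VICTIM_PASSWORD = "Winter2026!"                  # constructed demo credential


class RelyingParty:
    """The real identity provider: issues a session cookie on a good login."""

    def __init__(self):
        self.totp_secret = secrets.token_bytes(20)
        self.cred_key = secrets.token_bytes(32)   # stands in for the credential's public key
        self.sessions = set()
        self.challenges = set()

    def totp(self, at=None):
        """RFC 6238 TOTP: HMAC-SHA1, 30 s step, 6 digits."""
        counter = int((time.time() if at is None else at) // 30)
        mac = hmac.new(self.totp_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        off = mac[-1] & 0x0F
        code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
        return f"{code:06d}"

    def login_totp(self, password, code, at=None):
        """Password + TOTP: the server cannot tell who typed the code or where."""
        if password == VICTIM_PASSWORD and hmac.compare_digest(code, self.totp(at)):
            cookie = secrets.token_hex(16)
            self.sessions.add(cookie)   # no device binding: whoever holds the cookie is logged in
            return cookie
        return None

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, assertion):
        """Accept only a signature over client data naming OUR origin and a live challenge."""
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data["origin"] != REAL_ORIGIN or client_data["challenge"] not in self.challenges:
            return None
        expected = hmac.new(self.cred_key, assertion["clientDataJSON"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        self.challenges.discard(client_data["challenge"])   # challenges are one-time
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie


def authenticator_sign(rp, challenge, browser_origin):
    """Browser plus authenticator. The browser writes the origin it is ACTUALLY
    connected to into clientDataJSON; neither the user nor the page can change it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": browser_origin})
    signature = hmac.new(rp.cred_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": signature}


def aitm_totp(rp):
    """Proxy relays password and TOTP to the real site in real time and keeps the cookie."""
    now = time.time()
    code = rp.totp(now)                                  # victim reads it off their phone
    return rp.login_totp(VICTIM_PASSWORD, code, now)     # proxy forwards it; the cookie is the prize


def aitm_webauthn(rp):
    """Proxy relays the real challenge, but the victim's browser signs PHISH_ORIGIN."""
    challenge = rp.new_challenge()                       # fetched from the real site by the proxy
    assertion = authenticator_sign(rp, challenge, PHISH_ORIGIN)
    return rp.login_webauthn(assertion)                  # rejected: origin mismatch


def legit_webauthn(rp):
    challenge = rp.new_challenge()
    return rp.login_webauthn(authenticator_sign(rp, challenge, REAL_ORIGIN))


if __name__ == "__main__":
    rp = RelyingParty()
    stolen = aitm_totp(rp)
    print("AiTM vs TOTP  : attacker holds a valid session?", stolen in rp.sessions)
    print("AiTM vs FIDO2 : attacker holds a valid session?", aitm_webauthn(rp) is not None)
    print("Legit FIDO2   : user signed in?", legit_webauthn(rp) is not None)
```

The TOTP path succeeds because the server only ever sees a correct password and a correct code; the proxy is indistinguishable from the user. The WebAuthn path fails before any signature is checked, because the browser filled in the phishing domain as the origin. Note what the first case also shows: the cookie the proxy captured is accepted from any machine, which is the token-theft problem that phishing-resistant MFA does not, on its own, address.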

Conditional access policies add another layer by restricting which devices, locations, and network conditions can authenticate to sensitive applications. An account login from an unfamiliar country at 3 AM should not be silently permitted, even with valid credentials and a passed MFA challenge. Modern identity platforms from Microsoft, Okta, and similar vendors allow fine-grained conditional access rules that can block or step up authentication for anomalous sessions.

Identity threat detection and response (ITDR) is an emerging category that applies behavioural analytics to identity events specifically. Traditional SIEM tools often struggle to surface subtle identity abuse patterns such as an account querying an unusual volume of SharePoint files or exporting contact lists at off-hours. ITDR tools focus on those signals and integrate with identity providers to automate containment responses like session revocation or account suspension.
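The signals described above for password spraying, MFA fatigue, conditional access and ITDR all come from the same place, the identity provider's sign-in log, and none of them is visible from a single account's point of view. The block below is an added example, not code from the article or from any ITDR product: three detections run over a constructed log. The `ts|user|src_ip|country|result` layout and the result values are an assumed schema, and the thresholds are starting points to tune, not recommendations from the page.

```python
"""Three ITDR-style detections over identity sign-in events. Added example, not
code from the article or from any vendor product. The log lines are constructed
and the field layout (ts|user|src_ip|country|result) is an assumed schema."""
from collections import defaultdict
from datetime import datetime, timedelta

CONSTRUCTED_LOG = """\
2026-06-05T01:00:05Z|a.nguyen|203.0.113.9|AU|failure
2026-06-05T01:02:40Z|b.smith|203.0.113.9|AU|failure
2026-06-05T01:05:12Z|c.lee|203.0.113.9|AU|failure
2026-06-05T01:07:58Z|d.ho|203.0.113.9|AU|failure
2026-06-05T01:10:03Z|e.patel|203.0.113.9|AU|failure
2026-06-05T01:12:47Z|f.wong|203.0.113.9|AU|failure
2026-06-05T01:15:00Z|f.wong|198.51.100.50|AU|failure
2026-06-05T01:15:30Z|f.wong|198.51.100.50|AU|success
2026-06-05T02:10:00Z|c.lee|198.51.100.4|AU|mfa_denied
2026-06-05T02:11:30Z|c.lee|198.51.100.4|AU|mfa_timeout
2026-06-05T02:13:00Z|c.lee|198.51.100.4|AU|mfa_denied
2026-06-05T02:14:30Z|c.lee|198.51.100.4|AU|mfa_denied
2026-06-05T02:16:00Z|c.lee|198.51.100.4|AU|mfa_timeout
2026-06-05T02:17:10Z|c.lee|198.51.100.4|AU|success
2026-06-05T03:00:00Z|d.ho|192.0.2.10|AU|success
2026-06-05T03:20:00Z|d.ho|198.51.100.77|RU|success
"""


def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, country, result = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """One source, many accounts, one or two failures each. Per-account lockout
    never trips because no account exceeds max_per_user; only a view across
    accounts, keyed by source, reveals the pattern."""
    hits = []
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    for ip, fails in by_ip.items():
        for i, start in enumerate(fails):            # sliding window over this source's failures
            per_user = defaultdict(int)
            for f in fails[i:]:
                if f["ts"] - start["ts"] <= window:
                    per_user[f["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits.append((ip, sorted(per_user)))
                break
    return hits


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """Repeated push challenges denied or left to expire within minutes is prompt
    bombing. Returns (user, prompt count, whether a success followed in the window)."""
    hits = []
    by_user = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["result"] in ("mfa_denied", "mfa_timeout"):
            by_user[e["user"]].append(e)
        elif e["result"] == "success":
            successes[e["user"]].append(e["ts"])
    for user, prompts in by_user.items():
        for i, start in enumerate(prompts):
            n = sum(1 for p in prompts[i:] if p["ts"] - start["ts"] <= window)
            if n >= min_prompts:
                approved = any(start["ts"] < t <= start["ts"] + window for t in successes[user])
                hits.append((user, n, approved))
                break
    return hits


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Two successful sign-ins for one account from different countries within an
    hour: a risk signal a conditional access policy should block or step up on."""
    hits = []
    last = {}
    for e in events:
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            hits.append((e["user"], prev["country"], e["country"]))
        last[e["user"]] = e
    return hits


if __name__ == "__main__":
    ev = parse(CONSTRUCTED_LOG)
    print("password spray   :", detect_password_spray(ev))
    print("mfa fatigue      :", detect_mfa_fatigue(ev))
    print("impossible travel:", detect_impossible_travel(ev))
```

On the constructed log, the spray detector flags 203.0.113.9 (six accounts, one failure each, all below any lockout threshold) and ignores f.wong's own mistyped password; the fatigue detector flags c.lee with five prompts and a success inside the window, which is the worst case and warrants immediate session revocation; the travel detector flags d.ho's AU-to-RU hop. Each of these is a candidate for the automated containment the paragraph describes, with the usual caveat that corporate VPN egress and shared NAT addresses need to be allow-listed before the spray and travel rules go live.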

Privileged access management (PAM) limits the blast radius when an identity is compromised. If every administrative account requires just-in-time elevation through a controlled workflow, a stolen standard-user credential cannot pivot directly to domain administrator. Australian organisations that have implemented PAM alongside zero trust network segmentation report significantly shorter attacker dwell times before detection. The zero trust security model treats every identity, device, and network path as untrusted by default, which maps neatly onto the identity-first threat landscape.

The human layer still matters

Technology controls are necessary but not sufficient. Attackers increasingly target help desk staff with social engineering rather than technical exploitation. By impersonating an employee and requesting a password reset or MFA re-enrolment, they sidestep every technical control, because a re-enrolment hands the attacker the very factor those controls depend on. Robust identity verification for self-service and help desk processes, including out-of-band callbacks to pre-registered numbers and a stricter path (such as manager or in-person approval) for MFA resets, closes this gap.

Security awareness training has a mixed reputation, but targeted simulations focused specifically on MFA fatigue prompts and credential phishing pages do measurably reduce click and approval rates when run regularly. The key is moving beyond annual checkbox compliance toward short, frequent, and realistic exercises tied to current attack campaigns.

For Australian IT and security teams, the practical takeaway is straightforward: assume credentials will be compromised, design defences that make compromised credentials less useful, and monitor identity behaviour continuously rather than at the perimeter. The attackers have already shifted their model. Defenders who do the same will find themselves significantly better placed when the next campaign arrives.
