Identity Is the New Perimeter: What ShinyHunters and APT28 Just Taught Us About Identity Exploits
Proactive security operations in an agentic world start at the identity layer. See how recent attack campaigns abused identities to achieve their objectives, and how browser-level boundary defenses can help mitigate the resulting business risk.
Executive Summary
In early 2026, two major attack campaigns exposed the fundamental shift in enterprise security: ShinyHunters compromised Panera, Match Group, Bumble, and Crunchbase through Microsoft Entra SSO exploitation using vishing and adversary-in-the-middle (AiTM) techniques, while APT28 leveraged a Microsoft Office zero-day (CVE-2026-21509) to deploy MiniDoor and Covenant Grunt implants. Despite different tradecraft, both attacks share a critical lesson for security teams: identity is now the perimeter. Traditional boundary defenses fail when attackers operate through trusted identities. This analysis examines why MSPs and security providers must evolve Security-as-a-Service offerings to treat identity fabrics as the primary control plane, incorporating Identity Threat Detection and Response (ITDR), browser-first defenses, and identity-aware incident response. For security leaders building modern defense strategies, understanding the shift from perimeter-based to identity-centric security is no longer optional; it's existential.
Key Takeaways:
Identity compromise is the common attack path: Despite different initial access methods (ShinyHunters used vishing and AiTM proxies, APT28 used Office zero-day exploits), both campaigns converged on identity theft and abuse to achieve their objectives, demonstrating that identity infrastructure is now the primary attack surface.
Traditional perimeter defenses failed because attackers operated through trusted identity paths: MFA was bypassed via real-time token theft, network security saw legitimate authentication traffic, and federated trust relationships allowed lateral movement across dozens of applications without additional authentication challenges.
Browser-first defense is critical to stop AiTM attacks at the source: Solutions like DefensX that use AI-driven analysis to detect pixel-perfect login clones and block session hijacking at the browser layer provide protection before credentials ever reach identity providers, neutralizing adversary-in-the-middle attacks at the human interface.
Modern Security-as-a-Service requires identity-centric capabilities: MSPs and security providers must evolve beyond "SSO plus MFA" to include Identity Threat Detection and Response (ITDR) as a core service, continuous identity posture management, identity-aware incident response, and business continuity plans that prioritize identity reconstitution and emergency token revocation.
Attack Analysis: TTPs Used by ShinyHunters and APT28
Understanding the specific tactics, techniques, and procedures (TTPs) employed in these attacks reveals why traditional perimeter defenses failed and what modern security architectures must address.
ShinyHunters Campaign: Identity Fabric Exploitation
Primary Attack Vector: Social engineering combined with technical manipulation of the authentication layer
MITRE ATT&CK Mapping: T1566 (Phishing), T1557 (Adversary-in-the-Middle), T1539 (Steal Web Session Cookie), T1078 (Valid Accounts)
Key Techniques:
Vishing (Voice Phishing): Attackers impersonated IT support or trusted vendors on phone calls and talked users into starting an authentication flow with their legitimate credentials, which gave the attackers their initial access.
Adversary-in-the-Middle (AiTM) Proxy: Deployed transparent proxy infrastructure that sat between victims and legitimate Microsoft Entra ID authentication endpoints, capturing credentials and MFA tokens in real-time.
Near Pixel-Perfect Login Page Cloning: Created visually identical replicas of Microsoft 365 sign-in pages, including dynamic elements like organization branding, to defeat cursory visual inspection by users.
Session Token Theft and Replay: Harvested authentication cookies and session tokens during the AiTM attack, then replayed them against legitimate Microsoft Entra endpoints to establish authenticated sessions that impersonated the real users.
SSO Federation Abuse: Once authenticated to Microsoft Entra, they leveraged federated trust relationships to access connected SaaS applications (Panera systems, Match Group services, Bumble infrastructure, Crunchbase) without any further authentication challenge to the compromised user.
Token Lifetime Exploitation: Maintained persistence by refreshing stolen tokens before they expired, which allowed extended access even after victims changed passwords: a password change does not invalidate access tokens that have already been issued, so stolen sessions survive until they are explicitly revoked.
Why Traditional Defenses Failed:
MFA was bypassed because AiTM proxies captured passwords and time-based one-time passwords (TOTP), and relayed push approvals, in real time; only origin-bound, phishing-resistant methods such as FIDO2 passkeys resist this relay
Network security controls saw legitimate Microsoft IP addresses and valid TLS certificates
Endpoint detection tools observed normal browser behavior connecting to authentic Microsoft domains
Identity providers authenticated requests with valid tokens and couldn't distinguish replayed sessions from legitimate user activity
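The one signal an identity provider does have when a stolen session is replayed is the session identifier showing up from a second network location shortly after the interactive, MFA-satisfied sign-in. The following Python script is an added example (not code from the article or from any vendor it mentions) that runs that check over a handful of constructed sign-in records. The records imitate Microsoft Entra sign-in log fields, but the exact field names and the one-hour replay window are assumptions made for illustration.

```python
"""Flag AiTM-style session replay in sign-in logs.

Added example, not from the original article. Records are constructed to
resemble Microsoft Entra sign-in log fields (sessionId, ipAddress, userAgent,
authenticationRequirement, createdDateTime); the schema and the replay window
are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REPLAY_WINDOW = timedelta(hours=1)  # assumption: replay usually follows the phish quickly

# Constructed sample log. Alice completes MFA from the office, then the same
# session ID appears four minutes later from an unrelated IP and browser:
# the AiTM operator replaying her cookies. Bob's two events share one IP.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "sessionId": "S-1",
     "ipAddress": "203.0.113.10", "userAgent": "Edge/122.0",
     "authenticationRequirement": "multiFactorAuthentication",
     "createdDateTime": "2026-02-03T09:00:00Z"},
    {"userPrincipalName": "alice@example.com", "sessionId": "S-1",
     "ipAddress": "198.51.100.77", "userAgent": "Chrome/121.0",
     "authenticationRequirement": "singleFactorAuthentication",
     "createdDateTime": "2026-02-03T09:04:00Z"},
    {"userPrincipalName": "bob@example.com", "sessionId": "S-2",
     "ipAddress": "203.0.113.11", "userAgent": "Edge/122.0",
     "authenticationRequirement": "multiFactorAuthentication",
     "createdDateTime": "2026-02-03T09:10:00Z"},
    {"userPrincipalName": "bob@example.com", "sessionId": "S-2",
     "ipAddress": "203.0.113.11", "userAgent": "Edge/122.0",
     "authenticationRequirement": "singleFactorAuthentication",
     "createdDateTime": "2026-02-03T09:30:00Z"},
]


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_session_replay(events, window=REPLAY_WINDOW):
    """Return one finding per (user, session) whose events come from more than
    one IP address within `window` of the session's first event.

    A replayed cookie already carries the MFA claim, so the IdP records the
    attacker's request as single-factor satisfied by the existing session.
    The IP change is the tell; a user-agent change raises the severity.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["userPrincipalName"], e["sessionId"])].append(e)

    findings = []
    for (upn, sid), evs in by_session.items():
        evs.sort(key=lambda e: _ts(e["createdDateTime"]))
        origin = evs[0]
        for later in evs[1:]:
            gap = _ts(later["createdDateTime"]) - _ts(origin["createdDateTime"])
            if later["ipAddress"] != origin["ipAddress"] and gap <= window:
                findings.append({
                    "userPrincipalName": upn,
                    "sessionId": sid,
                    "originIp": origin["ipAddress"],
                    "replayIp": later["ipAddress"],
                    "minutesAfterOrigin": int(gap.total_seconds() // 60),
                    "severity": "high" if later["userAgent"] != origin["userAgent"] else "medium",
                })
                break  # one finding per session is enough to open a case
    return findings


if __name__ == "__main__":
    for f in find_session_replay(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['userPrincipalName']} session {f['sessionId']}: "
              f"{f['originIp']} -> {f['replayIp']} after {f['minutesAfterOrigin']} min")
```

On real data the same logic needs enrichment before it is alert-worthy: corporate NAT, VPN egress changes and mobile carrier churn all change the IP mid-session, so compare ASN or known egress ranges rather than raw addresses, and treat an IP change combined with a user-agent change and a subsequent consent grant or mailbox rule as the high-confidence case.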
APT28 Campaign: Zero-Day to Identity Abuse Pipeline
Primary Attack Vector: Document-based exploitation leading to credential theft and persistent access
MITRE ATT&CK Mapping: T1566.001 (Spearphishing Attachment), T1203 (Exploitation for Client Execution), T1059 (Command and Scripting Interpreter), T1078 (Valid Accounts), T1543 (Create or Modify System Process)
Key Techniques:
CVE-2026-21509 Zero-Day Exploitation: Leveraged a previously unknown remote code execution vulnerability in Microsoft Office's RTF (Rich Text Format) parsing engine that allowed arbitrary code execution when victims opened malicious documents.
Weaponized RTF Documents: Crafted malicious RTF files disguised as legitimate business documents (contracts, reports, invoices) and delivered via spearphishing emails targeting specific organizations and individuals.
Multi-Stage Payload Delivery: Initial exploit downloaded lightweight loaders that retrieved additional malware components from attacker infrastructure, evading signature-based detection.
MiniDoor Backdoor Deployment: Installed a custom, lightweight backdoor providing remote command execution, file system access, and credential harvesting capabilities while maintaining a minimal forensic footprint.
Covenant Grunt C2 Framework: Deployed the open-source Covenant command and control framework (specifically the Grunt implant) to establish redundant access channels and facilitate lateral movement within compromised networks.
Credential Harvesting and Abuse: Once established, implants extracted cached credentials from Windows systems, harvested tokens from browser stores, and dumped LSASS memory to obtain plaintext passwords and NTLM hashes.
Identity-Based Lateral Movement: Used stolen credentials and tokens to authenticate to additional systems, cloud resources, and identity providers, moving laterally through networks by impersonating legitimate users rather than exploiting additional vulnerabilities.
Persistence via Scheduled Tasks and Services: Established persistence mechanisms using Windows scheduled tasks and system services that executed with stolen administrative credentials, ensuring access survived system reboots and basic remediation attempts.
Why Traditional Defenses Failed:
Zero-day exploit meant signature-based antivirus and endpoint detection had no prior knowledge
RTF documents appeared as legitimate business files and passed email security gateways
Post-exploitation activity used valid credentials, making network traffic appear legitimate
Lightweight implants used living-off-the-land techniques and legitimate administrative tools, blending with normal IT operations
Lateral movement through identity abuse bypassed network segmentation that relied on IP-based access controls
The Common Thread: Identity as the Attack Surface
Despite different initial access methods, both campaigns converged on the same objective: compromise and abuse identity infrastructure. ShinyHunters went directly for the identity provider, while APT28 used a zero-day to establish a foothold before pivoting to identity theft. Both demonstrate that in 2026, identity is no longer just an authentication mechanism; it's the primary attack surface and the critical control plane for all access decisions.
This convergence on identity-based tradecraft isn't coincidental. It reflects attackers' recognition that modern enterprises have shifted critical resources to cloud services and SaaS applications where traditional network perimeters no longer exist. The identity fabric, your authentication and authorization infrastructure, has become the de facto perimeter.
The New Reality: Data Is Currency, Identity Is the Vault Door
ShinyHunters' 2026 campaign wasn't a traditional application breach. It was an identity breach at scale: compromise of Microsoft Entra SSO credentials through sophisticated social engineering (AI-assisted vishing) combined with browser-based adversary-in-the-middle attacks. All they needed was to hijack a single trusted identity session; from there, attackers gained cascading access to everything federated behind that identity.
Similarly, APT28's exploitation of CVE-2026-21509 demonstrates that even zero-day vulnerabilities are ultimately about identity abuse. The Office RCE vulnerability wasn't just about remote code execution; it was a direct pathway to credential theft, persistence, and identity manipulation through backdoors like MiniDoor and Covenant Grunt.
This pattern is clear: When data is currency in the modern economy, your identity fabric (spanning human users, service accounts, APIs, device identities, and Agentic AI) is simultaneously the vault door, the teller, and the audit trail. Compromise one, and attackers inherit the trust relationships of your entire environment that identity can touch.
Why Perimeter-Only Thinking Fails in 2026
Traditional security models built rigid perimeter defenses: firewalls, VPNs, web application firewalls (WAFs). These technologies assume a clear division: attackers are "outside," protected resources are "inside."
Both ShinyHunters and APT28 obliterated this mental model by riding trusted identity paths:
ShinyHunters exploited SSO authentication flows, where a single compromised Entra session provided legitimate-looking access tokens
APT28 leveraged trusted Office documents, which authenticated users open without hesitation because they appear to come from known sources
Once a single SSO session is hijacked or a signed Office document drops an implant, the "perimeter" is now inside your network: embedded in your Entra tokens, OAuth grants, service principals, Microsoft 365 identities.
Once an attacker holds a trusted session, they can also turn the organization's agentic AI assistants against it, using the emerging TTPs that target AI and LLM tooling now commonplace in the workforce.
The Business Continuity Blind Spot
Here's what most perimeter-focused strategies miss: business continuity must be part of identity architecture design. Your identity fabric needs:
Tested backup and recovery procedures for identity stores and authentication systems
Ransomware playbooks that include identity lockdown and emergency re-issuance protocols
Tabletop exercises focused on identity compromise scenarios (not just data exfiltration or other well-known attack vectors)
Identity-centric failover capabilities: can you safely re-issue, revoke, and rotate identities under active attack? Do you have a secondary IdP that can be failed over to (as part of DRaaS) while the primary IdP is remediated?
When ShinyHunters compromised Microsoft Entra credentials, many victim organizations discovered they had no rehearsed procedure for emergency token revocation across federated SaaS applications. That's not a technology problem; it's an identity fabric problem.
Vendor Spotlight
Adversary-in-the-Middle Needs a Browser-First Defense
ShinyHunters' campaign succeeded because they controlled the browser experience. They proxied and cloned Microsoft's legitimate sign-in UX, harvested credentials and session cookies in real time, and then replayed them upstream against the actual identity provider. This is the attack class that traditional network security and even some MFA implementations fail to stop, including passwordless methods that are not bound to the site origin: a relayed push approval or number match still works for the attacker, whereas a FIDO2 passkey does not, because the credential is bound to the legitimate origin.
This is exactly where browser-layer security becomes critical, and why solutions like DefensX are emerging as essential components of adversary defense. 85% of the work we do every day happens wholly within the browser. Enterprise browsers can reduce the blast radius of these attacks, but why not meet users in the browser they already use? DefensX’s approach is to turn any browser into a secure browser, not just reducing the blast radius but removing the attack from play in the first place.
How Browser-First Defense Stops AiTM Attacks
DefensX's secure browser and Remote Browser Isolation (RBI) run web sessions in a secure cloud environment and apply AI-driven analysis to every login page users encounter. By operating at the browser layer, DefensX can:
Assess domain credibility and page similarity in real time, using AI-based image processing to spot lookalike sign-in portals and fake login flows, even when they visually mirror legitimate login portals down to the pixel.
Block or isolate suspicious login pages (including AiTM phishing sites) and prevent users from entering credentials or MFA tokens into them. In many cases, DefensX renders suspicious pages in read-only mode, completely preventing data entry.
Automatically detect and block session and token hijacking attempts, making it significantly harder for attackers to harvest or replay session cookies, even if users click malicious links.
The MSP Advantage
Identity fabrics start at the browser now. If your users can't distinguish between a legitimate Microsoft sign-in page and a pixel-perfect clone, your security stack must do it for them.
For MSPs delivering Security-as-a-Service, DefensX's "Phish Eye" capabilities offer a way to transform any browser into a Secure browser: shutting down adversary-in-the-middle attacks at the human interface layer, not just at the IdP level. This becomes your first line of defense before credentials and the breach ever reach your identity infrastructure.
In the ShinyHunters scenario, if victims' browser traffic had been mediated by DefensX, most of those fake SSO and phishing pages would have been blocked or neutered at render time, before identities and tokens were ever exposed to the attacker.
Identity Fabrics as the Control Plane for Security-as-a-Service
For MSPs and security providers, this is the strategic inflection point: a modern identity fabric must be your control plane, not an afterthought.
A complete identity fabric spans:
Workforce identities (human users)
Service accounts and workload identities (non-human identities: APIs, automation, CI/CD pipelines, agentic AI)
SaaS identities (per-application, per-tenant identities)
Device identities (endpoints, servers, OT/IoT devices)
Security-as-a-Service offerings that treat identity as "just SSO plus MFA" are fundamentally fragile. ShinyHunters proved that SSO compromise cascades across dozens of federated SaaS applications simultaneously, because each app inherited trust from the compromised identity provider's access token.
What Mature Security-as-a-Service Must Include in 2026
A robust Security-as-a-Service stack must incorporate:
Identity Threat Detection and Response (ITDR) as a first-class capability
Not as an add-on, but as a core detection and response function. ITDR monitors identity-specific attack indicators: abnormal token issuance patterns, suspicious privilege escalations, service account abuse, and OAuth grant anomalies.
Continuous posture management of identities and entitlements
Real-time visibility into who has access to what, which permissions are over-provisioned, which service accounts haven't rotated credentials in 90+ days, and which SaaS applications have standing admin access.
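Two of those posture questions, which service-account credentials have gone unrotated past a threshold and which principals hold standing privileged roles, can be answered mechanically from a directory export. The Python below is an added example, not code from the article or from any product it mentions. The inventory is constructed to mirror the shape Microsoft Graph returns for service principals (passwordCredentials and keyCredentials, each with a startDateTime) plus a simplified per-principal list of directory roles; the 90-day threshold and the set of roles treated as privileged are assumptions.

```python
"""Identity posture check: stale service-principal credentials and standing admin roles.

Added example, not from the original article. The inventory is constructed to
mirror the Microsoft Graph servicePrincipal shape (passwordCredentials and
keyCredentials with startDateTime) plus a simplified directoryRoles list; the
90-day threshold and the privileged-role set are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

MAX_CREDENTIAL_AGE = timedelta(days=90)          # assumption: rotation policy
PRIVILEGED_ROLES = frozenset({                    # assumption: roles counted as standing admin
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
})
NOW = datetime(2026, 2, 3, tzinfo=timezone.utc)   # fixed "today" so results are reproducible

# Constructed inventory: ci-deployer has an old client secret, backup-agent has a
# fresh secret but an old certificate and a standing Global Administrator role,
# hr-sync is clean (recent secret, non-privileged role).
SAMPLE_INVENTORY = [
    {"displayName": "ci-deployer",
     "passwordCredentials": [{"keyId": "p1", "startDateTime": "2025-08-01T00:00:00Z"}],
     "keyCredentials": [],
     "directoryRoles": []},
    {"displayName": "backup-agent",
     "passwordCredentials": [{"keyId": "p2", "startDateTime": "2026-01-20T00:00:00Z"}],
     "keyCredentials": [{"keyId": "k1", "startDateTime": "2025-01-15T00:00:00Z"}],
     "directoryRoles": ["Global Administrator"]},
    {"displayName": "hr-sync",
     "passwordCredentials": [{"keyId": "p3", "startDateTime": "2026-01-25T00:00:00Z"}],
     "keyCredentials": [],
     "directoryRoles": ["Directory Readers"]},
]


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps Graph emits into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def assess_posture(inventory, now=NOW, max_age=MAX_CREDENTIAL_AGE, privileged=PRIVILEGED_ROLES):
    """Return findings for credentials older than `max_age` (secrets and
    certificates alike) and for principals holding a privileged role as a
    standing assignment."""
    findings = []
    for sp in inventory:
        name = sp["displayName"]
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in sp.get(kind, []):
                age = now - _ts(cred["startDateTime"])
                if age > max_age:
                    findings.append({"principal": name, "finding": "stale_credential",
                                     "credential": f"{kind}/{cred['keyId']}",
                                     "ageDays": age.days})
        standing = sorted(set(sp.get("directoryRoles", [])) & privileged)
        if standing:
            findings.append({"principal": name, "finding": "standing_privileged_role",
                             "roles": standing})
    return findings


if __name__ == "__main__":
    for f in assess_posture(SAMPLE_INVENTORY):
        print(f)
```

In a live tenant the inventory comes from `GET /servicePrincipals?$select=displayName,passwordCredentials,keyCredentials` and role assignments from `/roleManagement/directory/roleAssignments`; the same check should separate PIM-eligible assignments (acceptable) from permanently active ones (the finding above).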
Identity-aware network segmentation and micro-perimeters
Zero Trust Network Access (ZTNA) that makes access decisions based on identity posture, device health, and context, not just network location or IP address.
Backup and continuity plans that prioritize identity recovery
Emergency procedures for token revocation, credential re-issuance, session invalidation, and identity store recovery. When attackers compromise your identity fabric, you need a tested playbook for identity reconstitution.
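A containment sequence that is rehearsed is one that can be run under pressure. The Python below is an added example, not code from the article or from any product it mentions, of the first minutes of identity reconstitution for one compromised Entra ID user over Microsoft Graph. The endpoints are real Graph v1.0 actions (PATCH /users/{id}, POST /users/{id}/revokeSignInSessions, GET /users/{id}/oauth2PermissionGrants, DELETE /oauth2PermissionGrants/{id}); the step ordering, the GRAPH_TOKEN environment variable and the injectable `send` transport that lets the playbook be rehearsed offline are assumptions.

```python
"""Emergency identity containment for a compromised Entra ID user over Microsoft Graph.

Added example, not from the original article. The Graph v1.0 endpoints used are
real; the ordering, the GRAPH_TOKEN environment variable and the injectable
transport (so the playbook can be exercised in a tabletop without a tenant) are
assumptions for illustration.
"""
import json
import os
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def graph_send(method, path, body=None):
    """Live transport. Expects GRAPH_TOKEN (assumed env var) to hold a token with
    User.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH_BASE + path, data=data, method=method,
        headers={"Authorization": "Bearer " + os.environ["GRAPH_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def contain_user(user_id, send=graph_send):
    """Run the containment sequence and return the executed steps in order.

    Order matters: disable first so no new tokens can be minted while the rest
    runs, then revoke. revokeSignInSessions invalidates refresh tokens and
    browser session cookies; access tokens already issued stay valid until they
    expire (Continuous Access Evaluation capable apps are the exception), so
    this is containment, not an instant lockout.
    """
    steps = []
    send("PATCH", f"/users/{user_id}", {"accountEnabled": False})
    steps.append("account_disabled")
    send("POST", f"/users/{user_id}/revokeSignInSessions")
    steps.append("sessions_revoked")
    # Delegated OAuth grants the attacker consented to survive password resets
    # and session revocation, so enumerate and remove them explicitly.
    grants = send("GET", f"/users/{user_id}/oauth2PermissionGrants").get("value", [])
    for grant in grants:
        send("DELETE", f"/oauth2PermissionGrants/{grant['id']}")
    steps.append(f"oauth_grants_removed:{len(grants)}")
    return steps


def rehearsal_transport(log, grants):
    """Offline stand-in for graph_send: records every call and returns the
    supplied (constructed) grant list for the enumeration step."""
    def send(method, path, body=None):
        log.append((method, path, body))
        if method == "GET" and path.endswith("/oauth2PermissionGrants"):
            return {"value": grants}
        return {}
    return send


if __name__ == "__main__":
    calls = []
    fake = rehearsal_transport(calls, [{"id": "grant-1", "scope": "Mail.Read"}])
    print(contain_user("alice-object-id", send=fake))
    for call in calls:
        print(call)
```

Re-enabling the account belongs to a separate, later step: reset the password, re-register MFA on a verified channel, and review mailbox rules and registered devices first. Application-only tokens held by service principals the attacker touched are not covered by this user-scoped sequence and need their own credential rotation.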
From Incident Response to Identity Response
Both ShinyHunters and APT28 demonstrate that incident response without identity context is just log collection.
Traditional IR workflows focus on:
Which systems were compromised?
What malware was deployed?
Which files were exfiltrated?
The "new IR" is identity-first:
Which identities were used? (human and non-human)
Which tokens, sessions, or keys were minted or stolen?
Which non-human identities did attackers pivot through? (API keys, service accounts, CI/CD roles, managed identities, agentic AI agents)
What lateral movement occurred through federated trust relationships?
Which OAuth applications or service principals were weaponized?
This is where Zero Trust Identity Administration (ZTIA) becomes operational doctrine. ZTIA operationalizes the principle that every control, every workflow, and every SaaS onboarding step starts from continuous identity posture and least privilege, not merely from network reachability or a successful sign-in.
When your IR team can answer identity-centric questions within the first hour of an incident, you're not just responding faster; you're responding to the actual attack surface that matters in 2026.
The Path Forward: Building Identity-Centric Security
ShinyHunters and APT28 aren't outliers; they're blueprints for modern attack campaigns. As security practitioners and service providers, we face a clear choice:
Continue investing in perimeter-based defenses that assume attackers are "outside" and hope they never compromise a single identity...
Or acknowledge that identity is the new perimeter and build security architectures accordingly.
For MSPs, this means:
Integrating browser-first defenses like DefensX to stop AiTM attacks before they reach your IdP
Deploying ITDR capabilities as core services, not premium add-ons
Designing incident response playbooks around identity compromise scenarios
Building business continuity plans that include identity reconstitution procedures
For enterprise security leaders, this means:
Auditing your identity fabric across workforce, workload, SaaS, and device identities
Implementing continuous posture management for identities and entitlements
Testing your emergency token revocation and credential re-issuance procedures
Training your SOC to investigate identity-centric attack indicators
What's Next: Passwordless Isn't Enough
In a world where attackers can bypass passwords and phish MFA in real time, the conversation can't stop at "go passwordless." The next layer is how we orchestrate MFA, passkeys, and identity policies in a way that still functions when attackers target the Identity Fabric itself.
In my next article, I'll unpack why the Identity Fabric as a whole is more fundamental to your security operations than just "set up MFA" or the push to "go passwordless". Authentication gates are great, but nothing beats a fabric that is interwoven into a seamless experience for the end user and requires minimal daily operational oversight from you once it is set up. The Identity Fabric supports your vision of client trust and growth so you can focus on the business functions that win the day rather than fighting for your life.
The shift from perimeter to identity isn't a future trend; it's the current battlefield. The question is whether your security operations have caught up.
Forward Unto Dawn,
Michael Carter II
About the Author
Michael W. Carter II is a Sr. Solutions Engineer at Pax8. He specializes in identity, network, and endpoint security for managed service providers and enterprises. Carter helps MSPs and enterprises design identity-centric security programs and Zero Trust architectures through his work at Pax8 and through his own Colorado based firm, Nomaden. Carter's path to cybersecurity began with operational leadership roles which include managing 1,200+ employees and 180 daily flights at Denver International Airport, followed by standing up a 24/7 Communications Command Center as Operations Director for a university campus police department.
Driven by an unwavering mission to "Secure All of Our Futures, Together," Carter shares insights on identity security, threat intelligence, and defensive strategies through his cybersecurity blog and social channels.