Strategies to Mitigate the Surge in Credential Theft and AI-Enabled Infostealers

Introduction

The cybersecurity landscape is undergoing a fundamental shift. Traditionally, defenders focused on keeping attackers out by patching vulnerabilities in the perimeter. However, recent data indicates that attackers are increasingly bypassing the technical "breaking in" phase entirely. Instead, they are simply "logging in" using valid credentials stolen through highly industrialized methods.

According to recent reports, credential theft soared in the second half of 2025. This surge is driven by the commoditization of infostealer malware and the integration of AI into social engineering attacks. For IT and security teams, this means the identity perimeter has become the new frontline. If an attacker possesses valid credentials, traditional firewalls and network defenses are often rendered blind. This post analyzes the mechanics of this threat and provides actionable defensive strategies.

Technical Analysis

The current rise in successful breaches is not attributed to a single CVE or software flaw, but rather to the industrialization of identity-based attacks.

• The Threat Vector: Attackers are deploying "Infostealers"—malware designed to siphon authentication tokens, cookies, and passwords from browser sessions. Unlike traditional brute-force attacks, infostealers allow attackers to bypass Multi-Factor Authentication (MFA) by stealing active session cookies (Pass-the-Cookie attacks).
• AI Acceleration: Generative AI is being used to craft sophisticated phishing campaigns (business email compromise) that are nearly indistinguishable from legitimate communications, increasing the success rate of initial malware delivery.
• Affected Systems: While endpoints (Windows and macOS) are the primary target for infostealer execution, the ultimate impact is felt on Identity Providers (IdP) like Microsoft Entra ID (formerly Azure AD), Okta, and Ping Identity.
• Severity: High. Valid credentials allow for privilege escalation, data exfiltration, and ransomware deployment without triggering typical exploit-based alarms.

Executive Takeaways

• MFA is No Longer Silver Bullet: While essential, MFA can be bypassed if session cookies are stolen. Organizations must move toward "Phishing-Resistant" MFA (FIDO2).
• Endpoint Health = Identity Security: The security of user identities is directly tied to the hygiene of the devices they use. An infected endpoint leads to a compromised identity.
• Detection Requires Context: Identifying a login is easy; identifying a malicious login requires correlating user behavior, device health, and geographic anomalies.

Defensive Monitoring

Defenders must move beyond simple login alerts and hunt for anomalies indicative of infostealer activity or session hijacking. The following KQL queries for Microsoft Sentinel can help detect potential credential theft and impossible travel scenarios.

1. Detecting Impossible Travel (Sign-in Anomalies)

This query identifies sign-ins from the same user occurring in geographically distant locations within a time frame that makes physical travel impossible.

let timeframe = 1h;
SigninLogs
| where TimeGenerated >= ago(timeframe)
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, IPAddress, LocationDetails, AppDisplayName, DeviceDetail
| summarize Locations = make_set(IPAddress), TimeSeen = make_set(TimeGenerated) by UserPrincipalName
| extend NumberOfLocations = array_length(Locations)
| where NumberOfLocations > 1
| join kind=inner (
    SigninLogs
    | where ResultType == 0
    | project TimeGenerated, UserPrincipalName, IPAddress, LocationDetails, City = LocationDetails['city'], State = LocationDetails['state']
) on UserPrincipalName
| evaluate GeoDistance(TimeGenerated, IPAddress, TimeSeen, Locations)
| where DistanceBetweenLocations > 1000 // Distance in kilometers
| project TimeGenerated, UserPrincipalName, IPAddress, City, State, DistanceBetweenLocations

2. Detecting Potential Infostealer Activity (PowerShell)

Infostealers often target specific browser directories or process memory. While EDR is the best defense, this PowerShell script can be used in an audit mode to check for the presence of common infostealer artifacts or known suspicious directories in user profiles.

# Audit Script: Check for common Infostealer persistence or loot directories
# Run as Administrator

$SuspectPaths = @(
    "$env:APPDATA\Opera Software\Opera Stable\Local Storage",
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:APPDATA\Mozilla\Firefox\Profiles"
)

Write-Host "Auditing browser data locations for unauthorized access patterns..." -ForegroundColor Cyan

foreach ($Path in $SuspectPaths) {
    if (Test-Path $Path) {
        # Get recent modification events on sensitive files (cookies, local storage)
        $recentEvents = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
                        Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) } |
                        Select-Object FullName, LastWriteTime
                        
        if ($recentEvents) {
            Write-Host "WARNING: Recent activity detected in $Path" -ForegroundColor Red
            $recentEvents | Format-Table -AutoSize
        }
    }
}

Remediation

To defend against attackers who "log in" rather than "break in," organizations must adopt a Zero Trust approach to identity.

1. Implement Phishing-Resistant MFA: Move beyond SMS and TOTP codes. Implement FIDO2/WebAuthn security keys or certificate-based authentication. These methods bind the authentication attempt to a specific hardware device, preventing attackers from using stolen credentials on their own machines.

2. Enforce Conditional Access Policies: Configure policies in your IdP (e.g., Microsoft Entra ID) that require:

   • Compliant Devices: Only allow logins from devices managed by your organization that meet health standards.
   • Trusted Locations: Require MFA or block access entirely when logging in from anonymous IP addresses or unfamiliar countries.

3. Disable Legacy Authentication Protocols: Attackers often use older protocols (like SMTP Auth or IMAP) which do not support MFA. Disable these protocols where possible or enforce strict restrictions.

4. Continuous Access Evaluation (CAE): Enable CAE to critically evaluate session validity in real-time. If a user's risk score changes (e.g., their device is flagged for malware), their existing sessions should be revoked immediately.

5. Browser Isolation and Hygiene: Educate users on the risks of unauthorized browser extensions. Consider using enterprise browser management policies to prevent users from syncing corporate credentials to personal browsers.

Related Resources

Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub