Threat reports from the big vendors are full of buzzwords. This isn't one of those reports. These are the five techniques our analysts actually saw in customer environments last quarter — what attackers tried, what worked, and what stopped them.

1. AiTM phishing for session token theft

Adversary-in-the-Middle phishing kits like Evilginx and Tycoon proxy the real Microsoft login page and quietly capture the session cookie post-MFA. Number-matching MFA helps but does not stop this attack — the attacker has the legitimate token. We've seen 3 attempts against customers in Q1 alone.

What stopped it: conditional access policies requiring a compliant device, combined with sign-in risk policies that flagged impossible travel within minutes of the stolen token being replayed.

2. SSO IdP-to-SaaS lateral movement

Once an attacker compromises an identity, they don't stop at email. They walk into every SaaS app federated to that IdP — HR, finance, file shares, internal wikis. Lateral movement no longer requires kernel exploits; it requires a session cookie.

What stopped it: consolidated identity-centric monitoring (Blue Shield) catching the same identity hitting six different SaaS audit logs from a new IP within minutes.
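As an added example (not Blue Shield's code or anything from the original post), here is a small Python sketch of the identity-centric correlation described above, run over constructed audit events: it flags an identity that, from an IP outside its baseline, reaches several distinct SaaS apps within a short window. The event schema, app names, IP addresses and the known-IP baseline are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, normalised from several SaaS audit logs into one
# schema (UTC timestamp, identity, app, source IP). Not real data.
EVENTS = [
    {"ts": "2024-03-04T09:00:00Z", "user": "alice@example.com", "app": "Exchange", "ip": "198.51.100.5"},
    {"ts": "2024-03-04T09:01:00Z", "user": "alice@example.com", "app": "Workday", "ip": "198.51.100.5"},
    # Same identity, new IP, four different SaaS apps inside four minutes.
    {"ts": "2024-03-04T13:00:00Z", "user": "alice@example.com", "app": "Exchange", "ip": "203.0.113.10"},
    {"ts": "2024-03-04T13:01:30Z", "user": "alice@example.com", "app": "Workday", "ip": "203.0.113.10"},
    {"ts": "2024-03-04T13:02:45Z", "user": "alice@example.com", "app": "Confluence", "ip": "203.0.113.10"},
    {"ts": "2024-03-04T13:04:00Z", "user": "alice@example.com", "app": "Box", "ip": "203.0.113.10"},
    # Baseline IP touching several apps: normal, must not alert.
    {"ts": "2024-03-04T10:00:00Z", "user": "bob@example.com", "app": "Exchange", "ip": "198.51.100.7"},
    {"ts": "2024-03-04T10:00:30Z", "user": "bob@example.com", "app": "Confluence", "ip": "198.51.100.7"},
    {"ts": "2024-03-04T10:01:00Z", "user": "bob@example.com", "app": "Box", "ip": "198.51.100.7"},
    # New IP but a single app: below the threshold on its own.
    {"ts": "2024-03-04T11:00:00Z", "user": "carol@example.com", "app": "Exchange", "ip": "203.0.113.77"},
]

# IPs each identity has used before (constructed; in practice built from history).
KNOWN_IPS = {
    "alice@example.com": {"198.51.100.5"},
    "bob@example.com": {"198.51.100.7"},
    "carol@example.com": {"198.51.100.9"},
}

def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")

def detect_saas_sprawl(events, known_ips, window=timedelta(minutes=10), min_apps=3):
    """One alert per (user, IP) when an identity, from an IP outside its baseline,
    reaches at least `min_apps` distinct SaaS apps within `window`."""
    novel_by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["ip"] not in known_ips.get(e["user"], set()):
            novel_by_user[e["user"]].append(e)  # keep only novel-IP activity
    alerts = []
    for user, novel in novel_by_user.items():
        alerted_ips = set()
        for i, first in enumerate(novel):  # sliding window from each novel event
            if first["ip"] in alerted_ips:
                continue
            apps = {e["app"] for e in novel[i:]
                    if e["ip"] == first["ip"] and _ts(e) - _ts(first) <= window}
            if len(apps) >= min_apps:
                alerts.append({"user": user, "ip": first["ip"],
                               "apps": sorted(apps), "first_seen": first["ts"]})
                alerted_ips.add(first["ip"])
    return alerts
```

The baseline set is the part that matters operationally: without per-identity history, a normal user who legitimately uses six apps every morning looks identical to a replayed session.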

3. OAuth consent phishing

Instead of stealing passwords, attackers register a malicious app and trick users into granting it Mail.Read or Files.ReadWrite permissions. The user "logs in" and never realizes they just gave a third-party app long-lived API access to their mailbox.

What stopped it: blocking user-initiated app consent in tenant settings (Microsoft published this guidance two years ago; most orgs still haven't implemented it), plus monitoring for newly created application service principals.

4. Edge device exploitation

Firewalls and VPN concentrators continue to be a top entry point. Fortinet FortiOS, Citrix NetScaler, and SonicWall all had actively-exploited zero-days in Q1. Once the edge is owned, attackers have a foothold inside the network with full network reachability.

What stopped it: Red Shield's external scans flagging the vulnerable versions before a public PoC was widely available, plus aggressive isolation rules in Blue Shield triggering when edge devices started initiating outbound connections to unfamiliar destinations.

5. Living-off-the-cloud

The new "living off the land." Instead of dropping malware, attackers abuse legitimate cloud features — AWS Lambda functions, Azure Runbooks, Google Cloud Functions — to run their tooling. There's no binary to detect, no process to flag.

What stopped it: behavioral analytics on cloud control-plane API calls (CloudTrail, Activity Log). Detection had to shift from "is this binary malicious?" to "is this identity behaving normally?"

The pattern across all five

Notice what every one of these has in common: identity is the front door and cloud is the playground. Endpoint EDR is still essential, but the modern attack chain rarely touches an endpoint until late in the kill chain — if at all.

If your detection program is still focused 80% on endpoints, you're defending last decade's attacks.

The defense priorities to invest in today: identity threat detection and response, SaaS posture monitoring, edge device hardening, and cloud control-plane visibility. None of it is a product. All of it is operational discipline — which is exactly what an agentic SOC is built to deliver.
