Credential Stuffing
Replay username/password pairs taken from third-party breach dumps against the target login, relying on users having reused the same password.
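The shape a defender sees when this technique runs is one source trying many distinct usernames, each once, with a low success rate and a high share of "no such user" failures (breach-dump identities that do not exist at the target). The detector below, an added example that is not part of the original registry entry, parses a constructed auth log in an assumed key=value format and flags sources matching that shape; the log lines, field names and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample auth log (assumed format, not from any real system).
# 203.0.113.7 tries eight different usernames once each, mostly failing, and
# gets one hit: the credential-stuffing shape. 198.51.100.9 is a normal user
# who mistyped a password once and then logged in.
SAMPLE_LOG = """\
2024-05-03T02:14:01Z auth src=203.0.113.7 user=alice@example.com result=FAIL reason=bad_password
2024-05-03T02:14:02Z auth src=203.0.113.7 user=bob@example.com result=FAIL reason=bad_password
2024-05-03T02:14:02Z auth src=203.0.113.7 user=carol@example.com result=FAIL reason=no_such_user
2024-05-03T02:14:03Z auth src=203.0.113.7 user=dave@example.com result=OK
2024-05-03T02:14:04Z auth src=203.0.113.7 user=erin@example.com result=FAIL reason=no_such_user
2024-05-03T02:14:05Z auth src=203.0.113.7 user=frank@example.com result=FAIL reason=bad_password
2024-05-03T02:14:05Z auth src=203.0.113.7 user=grace@example.com result=FAIL reason=no_such_user
2024-05-03T02:14:06Z auth src=203.0.113.7 user=heidi@example.com result=FAIL reason=bad_password
2024-05-03T02:14:20Z auth src=198.51.100.9 user=ivan@example.com result=FAIL reason=bad_password
2024-05-03T02:14:31Z auth src=198.51.100.9 user=ivan@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)"
    r"(?: reason=(?P<reason>\S+))?$"
)


def parse_log(text):
    """Parse log lines into dicts with a UTC timestamp; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()  # 'reason' is None on OK lines
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def detect_stuffing(events, window_seconds=60, min_distinct_users=5, max_success_rate=0.2):
    """Return {src_ip: stats} for sources that, inside one sliding window, try at
    least min_distinct_users different usernames with a success rate at or below
    max_success_rate. Thresholds are assumed values; tune them to the login volume."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, end in enumerate(evs):
            # Window of events ending at evs[i] and no older than window_seconds.
            window = [e for e in evs[: i + 1]
                      if (end["ts"] - e["ts"]).total_seconds() <= window_seconds]
            users = {e["user"] for e in window}
            if len(users) < min_distinct_users:
                continue
            successes = [e["user"] for e in window if e["result"] == "OK"]
            success_rate = len(successes) / len(window)
            if success_rate > max_success_rate:
                continue
            # Keep the widest qualifying window so the stats cover the whole burst.
            if best is None or len(window) > best["attempts"]:
                unknown = sum(1 for e in window if e["reason"] == "no_such_user")
                best = {
                    "attempts": len(window),
                    "distinct_users": len(users),
                    "success_rate": round(success_rate, 3),
                    "unknown_user_rate": round(unknown / len(window), 3),
                    # Accounts the attacker actually got into: the ones to reset first.
                    "compromised_users": sorted(successes),
                }
        if best is not None:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, stats)
```

The distinct-user count is what separates stuffing from a password spray against a few accounts or from one user fumbling a login; the `no_such_user` share is the give-away that the list came from someone else's breach, and `compromised_users` is the list to force-reset and hunt on. Real deployments should key on more than the source address, since stuffing tooling rotates through proxies.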
§ Where this technique fits
W-AUTH-STUFFING is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 2.3 of the chain on average.
§ Dossiers chaining this technique
- step 1 / 6
Leaked legacy VPN credential → ransomware (Colonial-class)
A dormant VPN account whose password appeared in a third-party breach is still active and has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
- step 1 / 6
MFA fatigue / prompt-bombing → M365 admin compromise
Attacker has the password (from a breach or a spray) but not the MFA factor. Spam push approvals at 2 AM until the user taps yes out of habit; used in the Uber and 0ktapus breaches.
- step 5 / 5
Evil twin + captive portal → credential harvest
Spoof the corporate SSID with a stronger signal and a captive portal that looks like the company AD login. Auto-connecting clients submit creds to the attacker page.
§ What commonly comes next
- 01 Leaked Legacy VPN Credential (Colonial-class) · seen 1× · APT-VPN-LEAKED-CRED · Initial Access
- 02 MFA Fatigue / Prompt Bombing · seen 1× · PH-MFA-FATIGUE · Initial Access