hi. let’s kill the myth once and for all: hackers don’t break in. they log in.
they don’t chase encrypted vaults or fight with multi-layered firewalls. they go for people. because people are the weakest, squishiest, most exploitable part of any system.
Daniëlle Haneveer hit the nail on the head in her recent post: attackers no longer waste time brute-forcing passwords when they can manipulate humans who already have access.
the modern threat: identity over infrastructure
instead of smashing down digital doors, attackers walk in wearing digital badges that look totally legit. why? because identity has become the new perimeter. and the methods are terrifyingly simple:
- phishing for credentials that work
- stealing session tokens from memory
- replaying MFA prompts until you click “approve”
- hijacking browser cookies
this isn’t high-tech espionage. this is exploiting trust, not breaking crypto.
let’s be precise. in a system using OAuth 2.0 with token-based auth, session hijacking can occur if the attacker obtains a valid bearer token. mathematically, if where is the valid token set, and the identity mapping , then access is granted regardless of the origin of . cryptography doesn’t fail — policy enforcement does.
social engineering: the payload is language
human attacks don’t need malware. they need context.
- a fake Teams invite with just enough detail
- an email from “CFO” asking for a wire transfer
- a fake support call saying “click here to validate device access”
these tricks work because they bypass all tech defenses and hit the one thing that’s always vulnerable: the human mind.
most social engineering exploits follow an S.T.E.A.L. model:
- Set up trust (spoofed identity, urgency)
- Trigger fear or reward (compliance, panic)
- Elicit action (click, download, transfer)
- Abuse access (token use, login session)
- Leave no trace (clean logs, legit sessions)
phishing emails today use generative AI to simulate writing style, timing, and phrasing that match real contacts. with LLMs, attackers generate thousands of custom payloads with contextual hooks in minutes.
why traditional IAM isn’t enough
identity systems were built for compliance, not active defense. just-in-time access? least privilege? conditional logic? all great — until a real user gets phished.
attackers abuse valid credentials and session states. and once they’re inside, it’s hard to tell who’s who. is that Alex from HR? or a session replay from Brazil running with the same cookie?
the average session hijack incident involves zero malware. instead, threat actors use cookie replay attacks. if is a session cookie and where is a valid active session and is the auth hash function, access is granted.
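to make the point about bearer tokens and cookie replay concrete, here is an added example (not code from the original post): a toy resource-server check that accepts any holder of a valid token, beside a hardened check that binds the session to the client that created it. the server key, tokens, user agents and the `tls_client_id` value are all constructed; `tls_client_id` stands in for whatever client-held binding material a deployment actually uses (a DPoP proof key or a device-bound credential), which is an assumption of this example.

```python
"""Added example, not from the original post: unbound vs. client-bound
bearer-token checks. All secrets and identifiers below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# constructed placeholder, not a real deployment secret
SERVER_KEY = b"constructed-server-secret"


def session_id(token: str) -> str:
    """Derive an opaque session id from the bearer token (keyed HMAC, so a
    leaked session table does not reveal usable tokens)."""
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()


def client_fingerprint(user_agent: str, tls_client_id: str) -> str:
    """Binding material: a stolen cookie or token carries none of this by itself.
    tls_client_id is assumed to be something only the legitimate client can
    present (e.g. a device-held key), not a header the client types in."""
    return hashlib.sha256(f"{user_agent}|{tls_client_id}".encode()).hexdigest()


@dataclass
class SessionStore:
    # session_id -> fingerprint of the client that logged in
    active: dict = field(default_factory=dict)

    def login(self, user_agent: str, tls_client_id: str) -> str:
        """Issue a fresh bearer token and remember who it was issued to."""
        token = secrets.token_urlsafe(32)
        self.active[session_id(token)] = client_fingerprint(user_agent, tls_client_id)
        return token

    def authorize_unbound(self, token: str) -> bool:
        """Weak check: if the token is in the valid set, access is granted,
        regardless of where the request came from. This is exactly what a
        replayed cookie or token stolen from memory exploits."""
        return session_id(token) in self.active

    def authorize_bound(self, token: str, user_agent: str, tls_client_id: str) -> bool:
        """Hardened check: the token must be valid AND presented by the client
        it was bound to at login."""
        bound = self.active.get(session_id(token))
        if bound is None:
            return False
        return hmac.compare_digest(bound, client_fingerprint(user_agent, tls_client_id))


def demo() -> dict:
    """Walk through a login followed by a replay from a different client."""
    store = SessionStore()
    token = store.login("ua-victim", "tls-key-victim")
    return {
        "victim_unbound": store.authorize_unbound(token),
        "replay_unbound": store.authorize_unbound(token),            # same token, different client: still True
        "victim_bound": store.authorize_bound(token, "ua-victim", "tls-key-victim"),
        "replay_bound": store.authorize_bound(token, "ua-other", "tls-key-other"),  # False
        "bogus_bound": store.authorize_bound("not-a-token", "ua-victim", "tls-key-victim"),
    }


if __name__ == "__main__":
    print(demo())
```

the design point: the unbound path is correct cryptographically (the token is genuine) and still wrong as policy, because it never asks who is presenting it. the bound path only helps if the binding material is something the attacker cannot copy along with the cookie; a User-Agent string alone is trivially replayed, which is why the fingerprint above also includes a client-held key.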
according to Verizon DBIR 2024, over 80% of breaches involved a human element. phishing was in the top 3 attack vectors globally. the average time to click on a phishing link? 42 seconds. median time to first credential submission? under 4 minutes.
how to defend people (not just passwords)
- MFA? Yes. But smarter. Use phishing-resistant methods: FIDO2, certificate-based auth, Entra ID protection.
- Real-time detection. Monitor session anomalies: location, device posture, impossible travel.
- Educate constantly. Not once a year. Every quarter. Real-world phishing simulations. Targeted campaigns. Micro-trainings.
- Kill legacy auth. No more basic auth, IMAP, POP3, or unmonitored endpoints.
- Zero trust isn’t a slogan. Enforce it. Assume breach. Validate everything. Always.
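the “impossible travel” check in the real-time detection bullet, as an added example that is not part of the original post: it runs over a few constructed sign-in log lines (user, session, IP, approximate coordinates) and flags consecutive sign-ins for the same user that would require moving faster than an assumed 900 km/h ceiling. the log format, the coordinates and the speed threshold are all assumptions of this example.

```python
"""Added example, not from the original post: impossible-travel detection
over constructed sign-in records."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed

# constructed sample log: timestamp,user,session_id,source_ip,lat,lon
# alex: Amsterdam, then Sao Paulo 42 minutes later (replayed session)
# bea:  Paris, then Brussels 85 minutes later (ordinary train ride)
SAMPLE_LOG = """\
2024-05-01T09:00:00Z,alex,s1,203.0.113.10,52.37,4.90
2024-05-01T09:42:00Z,alex,s1,198.51.100.7,-23.55,-46.63
2024-05-01T10:05:00Z,bea,s2,192.0.2.44,48.85,2.35
2024-05-01T11:30:00Z,bea,s2,192.0.2.45,50.85,4.35
"""


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_log(text: str) -> list:
    """Turn CSV lines into dicts with a parsed UTC timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, session, ip, lat, lon = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "session": session,
            "ip": ip,
            "lat": float(lat),
            "lon": float(lon),
        })
    return events


def detect_impossible_travel(events: list, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Compare each user's consecutive sign-ins; flag pairs whose implied
    speed exceeds max_kmh. Returns one finding per flagged pair."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # zero elapsed time with a location change is treated as infinite speed
            speed = float("inf") if hours == 0 and distance > 0 else (distance / hours if hours else 0.0)
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "session": cur["session"],
                    "from_ip": prev["ip"],
                    "to_ip": cur["ip"],
                    "distance_km": round(distance, 1),
                    "elapsed_h": round(hours, 2),
                    "speed_kmh": round(speed, 1),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_impossible_travel(parse_log(SAMPLE_LOG)):
        print(finding)
```

one caveat a practitioner will hit immediately: geolocation of an IP is coarse and VPN egress points move, so this check is a signal to feed into session risk scoring (step-up auth, or revoke the session), not a standalone verdict. note that the alex finding is the same session id on both lines; that is the cookie-replay shape the post describes, and pairing this check with session binding is what turns the signal into enforcement.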
TL;DR
Hackers want humans. Not firewalls. Not passwords. Not ports. People.
If your security model doesn’t put human behavior at the center, it’s already broken.
update your mindset. secure the person, not just the credential.
’cause they’re already inside. and they’re smiling like your boss.
Stay safe.
rgds,
Alex