TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

#ShadyHacks with Kyle Hanslovan

2025-11-26

ATT&CK techniques detected

13 predictions
T1078.004 Cloud Accounts · 92%
"# shadyhacks with kyle hanslovan hackers don’t need elite exploits to break in anymore. instead, they shop on the dark web for stolen identities and abuse the built-in functionality of the legitimate tools and platforms you rely on every day, like microsoft 365. by stringing …"

T1564.008 Email Hiding Rules · 76%
"actions we see attackers take in our customers’ and partners’ environments. creating malicious inbox rules one of the first things hackers do is set up inbox rules to maintain control and hide in the noise. they often create rules with inconspicuous names, like a single period …"

T1111 Multi-Factor Authentication Interception · 64%
", which is important for attackers, as security products are getting smarter at detecting and invalidating previously compromised passwords. step two: bypassing multi-factor authentication (mfa) with a valid username and password, the first roadblock attackers usually encoun…"

T1539 Steal Web Session Cookie · 63%
"an infostealer script that steals all active session cookies from his browser and sends them to the attacker. step four: session hijacking and gaining access with the stolen session tokens, kyle uses a free browser extension called cookie editor to import them into his browser. …"

T1566.002 Spearphishing Link · 58%
"they can impersonate you without needing your password or mfa device. step three: stealing session tokens with clickfix when grady clicks the link in the phishing email, he’s taken to a fake login page and prompted with a captcha challenge instead of his password. we’ve all …"

T1556.006 Multi-Factor Authentication · 58%
", which is important for attackers, as security products are getting smarter at detecting and invalidating previously compromised passwords. step two: bypassing multi-factor authentication (mfa) with a valid username and password, the first roadblock attackers usually encoun…"

T1204.004 Malicious Copy and Paste · 48%
"they can impersonate you without needing your password or mfa device. step three: stealing session tokens with clickfix when grady clicks the link in the phishing email, he’s taken to a fake login page and prompted with a captcha challenge instead of his password. we’ve all …"

T1098 Account Manipulation · 48%
"resetting passwords for other applications many critical business applications don't support single sign-on (sso). instead, they rely on email-based password resets. so an attacker with inbox access can simply request a password reset for things like your payroll software…"

T1111 Multi-Factor Authentication Interception · 43%
"an infostealer script that steals all active session cookies from his browser and sends them to the attacker. step four: session hijacking and gaining access with the stolen session tokens, kyle uses a free browser extension called cookie editor to import them into his browser. …"

T1137.005 Outlook Rules · 38%
"actions we see attackers take in our customers’ and partners’ environments. creating malicious inbox rules one of the first things hackers do is set up inbox rules to maintain control and hide in the noise. they often create rules with inconspicuous names, like a single period …"

T1566.002 Spearphishing Link · 36%
", which is important for attackers, as security products are getting smarter at detecting and invalidating previously compromised passwords. step two: bypassing multi-factor authentication (mfa) with a valid username and password, the first roadblock attackers usually encoun…"

T1114.003 Email Forwarding Rule · 34%
"actions we see attackers take in our customers’ and partners’ environments. creating malicious inbox rules one of the first things hackers do is set up inbox rules to maintain control and hide in the noise. they often create rules with inconspicuous names, like a single period …"

T1566 Phishing · 33%
"they can impersonate you without needing your password or mfa device. step three: stealing session tokens with clickfix when grady clicks the link in the phishing email, he’s taken to a fake login page and prompted with a captcha challenge instead of his password. we’ve all …"

Summary

Huntress CEO Kyle Hanslovan's live hack demo: modern hacker playbook, with stolen credentials, MFA bypass, and M365 token hijacking. Get defense tips, stay protected.