Account Attacks and IAM Monitoring

Key Takeaways

Credential attacks include password spraying, credential stuffing, brute force, phishing, and MFA fatigue.
IAM monitoring looks for unusual login patterns, risky token use, impossible travel, and privilege changes.
Password spraying uses a few common passwords against many accounts to avoid lockouts.
Credential stuffing uses known username and password pairs from another breach.
Account attack response often includes session revocation, password reset, MFA reset review, and access audit.

Last updated: April 2026

Account Attacks and IAM Monitoring

Many security incidents start with identity. A valid username and password can make attacker activity look like normal access unless monitoring considers context: source, time, device, token, geolocation, MFA behavior, and privilege changes.

Common Account Attacks

Attack	Pattern	Detection clue
Brute force	Many guesses against one account	High failures for one username
Password spraying	One or a few passwords against many accounts	Same password attempt pattern across many users
Credential stuffing	Known leaked username and password pairs	Successes from unusual sources after automated attempts
Phishing	User tricked into revealing credentials or approving access	New device, suspicious link, unexpected MFA
MFA fatigue	Repeated push requests until user approves	Many MFA prompts followed by success
Token theft	Attacker reuses session or refresh token	Login without normal MFA path or from unusual device

Realistic Log Snippets

Password spraying pattern:

2026-04-29T09:10:02Z auth result=fail user=amiller source_ip=203.0.113.44 reason=bad_password
2026-04-29T09:10:03Z auth result=fail user=bchen source_ip=203.0.113.44 reason=bad_password
2026-04-29T09:10:04Z auth result=fail user=ckhan source_ip=203.0.113.44 reason=bad_password
2026-04-29T09:10:05Z auth result=fail user=dross source_ip=203.0.113.44 reason=bad_password

MFA fatigue pattern:

2026-04-29T22:41:11Z mfa user=jprice method=push result=denied source_ip=198.51.100.88
2026-04-29T22:41:50Z mfa user=jprice method=push result=denied source_ip=198.51.100.88
2026-04-29T22:42:31Z mfa user=jprice method=push result=denied source_ip=198.51.100.88
2026-04-29T22:43:04Z mfa user=jprice method=push result=approved source_ip=198.51.100.88

Privilege change after suspicious login:

2026-04-29T22:45:19Z directory action=add_member actor=jprice target_group=Cloud-Admins target_user=jprice result=success

The last event changes the priority. A suspicious login is important; suspicious login followed by privilege escalation is urgent.

Monitoring Signals

Good IAM monitoring combines authentication logs, MFA logs, directory audit logs, endpoint posture, cloud control plane activity, and privileged access events. Useful detections include:

Many failed logins across many users from one IP address.
Successful login after repeated failures.
New privileged group membership.
Impossible travel or unusual country for the user.
Sign-in from a device that is not managed.
MFA reset followed by successful login.
Service account login from an unusual host.
OAuth consent grant for a suspicious application.

Response Walkthrough

An analyst sees repeated MFA prompts for one user and a later successful login from an unfamiliar source. The best immediate response is to contain the identity risk: revoke active sessions, disable or reset the account as policy allows, verify MFA methods, inspect recent privilege changes, and review activity performed after the successful login. Long-term actions such as user awareness training are useful, but they do not contain the active threat.

Common Traps

Treating a successful MFA event as automatically safe.
Focusing only on failed logins while ignoring privilege changes after success.
Resetting a password but leaving active sessions and refresh tokens valid.
Ignoring service accounts because they do not have mailboxes.
Blocking one IP address without checking whether credentials were used elsewhere.

Test Your Knowledge

Many accounts show one failed login from the same source IP using a common password. Which attack is most likely?

Password spraying

Bluejacking

ARP poisoning

DNSSEC validation

Test Your Knowledge

A user denies five MFA push requests and then approves one from the same unfamiliar source. What should the analyst suspect?

MFA fatigue or push bombing

Normal certificate renewal

Successful network segmentation

A routine access review

Test Your KnowledgeMulti-Select

After a suspected account takeover, which actions help contain identity risk? Select three.

Select all that apply

Revoke active sessions

Review recent privileged group changes

Reset credentials and verify MFA methods

Ignore successful logins because the password was correct

Delete all logs to protect privacy

Up Next

Log Sources and Telemetry

Logging, Monitoring, and Detection

CompTIA Security+

1Introduction & Exam Overview

2Domain 1: General Security Concepts (12%)

3Domain 1: Identity, Trust, and Cryptography Basics

4Domain 2: Threat Actors, Vectors, and Social Engineering

5Domain 2: Threats, Vulnerabilities, and Mitigations - Attacks

6Domain 2: Threats, Vulnerabilities, and Mitigations - Vulnerabilities

7Domain 3: Security Architecture - Secure Architecture Models

8Domain 3: Security Architecture - Network Security Architecture

9Domain 3 Part C: Data Protection and Resilience

10Domain 4 Part A: Secure Operations for Hosts, Cloud, Mobile, and IoT

11IAM Operations and Access Control

12Logging, Monitoring, and Detection

13Incident Response

14Digital Forensics and Investigation

15Vulnerability, Patch, Asset, and Automation Operations

16Governance, Policies, and Risk Management

17Third-Party Risk, Compliance, and Privacy

18Audits, Penetration Testing, and Awareness

19Final Review and PBQ Labs

Account Attacks and IAM Monitoring

Key Takeaways

Account Attacks and IAM Monitoring

Common Account Attacks

Realistic Log Snippets

Monitoring Signals

Response Walkthrough

Common Traps