Executive Summary
Cyber security strategies often prioritise protection against sophisticated technical exploits. However, investigations conducted by MTI’s 24/7/365 UK-based Security Operations Centre (SOC) show that many real-world intrusions begin with far simpler techniques.
Analysis of incidents investigated between December 2025 and March 2026 shows attackers consistently leveraging phishing, credential harvesting malware, browser extensions, and compromised credentials to gain access to organisational environments.
Rather than exploiting technical vulnerabilities, attackers increasingly rely on user interaction and identity compromise to establish access.
This shift means that effective detection now depends less on traditional perimeter defence and more on visibility across identity activity, endpoints, and network behaviour.
For organisations, the implication is clear: security strategies must evolve to include continuous monitoring, behavioural analysis, and rapid incident response capabilities.
MTI SOC Activity Snapshot
Period: 01 December 2025 – 01 March 2026
Incidents Investigated – 1,638
High-Severity Incidents – 195
Most Common MITRE ATT&CK Techniques Observed
- Credential Phishing – Phishing (T1566)
- Malicious Downloads Delivering Credential Harvesting Malware – Credentials from Password Stores (T1555)
- Browser Hijacking / Malicious Extensions – Browser Extensions (T1176)
- Credential Abuse Using Valid Accounts (T1078)
While the volume of alerts analysed by the SOC is significantly higher, these investigations represent incidents that required deeper analyst review – highlighting the challenge of distinguishing real threats from security noise.
Across these investigations, SOC analysts observed a recurring attack sequence involving phishing, credential harvesting, and identity-based access attempts.
All observations in this report are derived from aggregated investigations conducted by MTI’s Security Operations Centre and do not disclose information relating to any individual customer environment.
Key Findings from SOC Investigations
Analysis of SOC investigations this quarter revealed several consistent attacker behaviours.
1. Identity-based attacks dominate modern intrusions
Attackers increasingly target credentials and authentication tokens rather than exploiting software vulnerabilities.
2. Phishing remains the most common initial access vector
Many incidents began with phishing emails designed to trick users into downloading files or visiting malicious links.
3. Infostealer malware accelerates credential compromise
Infostealers allow attackers to quickly collect browser credentials, authentication tokens, and stored passwords.
4. Browser extensions introduce unmanaged risk
Malicious extensions installed through unverified download sites can redirect traffic, inject advertising scripts, and communicate with attacker infrastructure.
5. Legitimate credentials are frequently used to bypass security controls
Once attackers obtain valid credentials, they can often authenticate directly to cloud services and operate within environments without triggering traditional intrusion alerts.
Attack Pattern Observed Across Investigations
Across multiple incidents investigated this quarter, MTI SOC analysts observed a recurring attack pattern involving three common stages.
Stage 1 – Credential Phishing Leading to Infostealer Malware
What we observed
Several investigations began with phishing emails encouraging users to download files or access external links.
These emails commonly impersonated legitimate communications such as:
- legal notifications
- document sharing requests
- delivery alerts
- administrative communications
In one investigation, a user clicked a link expecting to download a PDF document. Instead, the download delivered an executable disguised as a document.
Endpoint protection controls detected the activity and identified the file as an infostealer malware variant.
Infostealers are designed to harvest sensitive information such as:
- browser credentials
- authentication tokens
- saved passwords
- session cookies
The collected data is typically transmitted to attacker-controlled infrastructure shortly after execution.
Why this matters
Infostealers allow attackers to obtain authentication data rapidly, enabling account compromise without exploiting technical vulnerabilities.
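The "executable disguised as a document" in the investigation above is a masquerade that can be caught before the user runs it by comparing what a download claims to be with what its bytes actually are. The following Python is an added example written for this page, not MTI tooling or code from any investigation: it checks a downloaded file's extension against the leading bytes that format should have, recognises a PE image by its MZ header and PE signature, and flags the double-extension and right-to-left-override tricks used to make an executable look like a document. The sample byte strings and filenames are constructed.

```python
import struct

# Constructed sample inputs (not real malware): a genuine PDF header, and a minimal
# PE image consisting of a DOS header whose e_lfanew field points at a PE signature.
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"


def _build_minimal_pe() -> bytes:
    dos_header = bytearray(b"MZ" + b"\x00" * 62)    # 64-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x80)  # e_lfanew -> PE header at offset 0x80
    padding = b"\x00" * (0x80 - len(dos_header))
    return bytes(dos_header) + padding + b"PE\x00\x00" + b"\x00" * 20  # signature + empty COFF header


SAMPLE_PE = _build_minimal_pe()

# Leading bytes a file with each document extension should start with.
DOCUMENT_MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04",       # OOXML documents are ZIP containers
    "xlsx": b"PK\x03\x04",
    "pptx": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0",  # legacy OLE2 compound documents
    "xls": b"\xd0\xcf\x11\xe0",
}

# Extensions Windows executes directly when the user opens the file.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "jse",
                   "vbs", "vbe", "hta", "lnk", "ps1"}

RTLO = "\u202e"  # Unicode right-to-left override: visually reverses the rest of a filename


def is_pe(data: bytes) -> bool:
    """True if data carries a DOS MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def assess_download(filename: str, data: bytes) -> list:
    """Return the masquerade indicators found for a download (empty list = nothing suspicious)."""
    findings = []
    if RTLO in filename:
        findings.append("rtlo_override")        # "Invoice<RTLO>fdp.exe" is displayed as "Invoiceexe.pdf"
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and parts[-2] in DOCUMENT_MAGIC and ext in EXECUTABLE_EXTS:
        findings.append("double_extension")     # "Invoice.pdf.exe" shows as "Invoice.pdf" when extensions are hidden
    if ext in DOCUMENT_MAGIC:
        if is_pe(data):
            findings.append("pe_masquerading_as_document")
        elif not data.startswith(DOCUMENT_MAGIC[ext]):
            findings.append("magic_mismatch")   # claims to be a document but does not start like one
    elif ext in EXECUTABLE_EXTS or is_pe(data):
        findings.append("executable_download")  # honest executable; still subject to download policy
    return findings


def verdict(filename: str, data: bytes) -> str:
    return "block" if assess_download(filename, data) else "allow"


if __name__ == "__main__":
    for name, blob in [("Invoice_2026.pdf", SAMPLE_PE), ("Invoice_2026.pdf", SAMPLE_PDF),
                       ("Invoice.pdf.exe", SAMPLE_PE), ("Invoice" + RTLO + "fdp.exe", SAMPLE_PE)]:
        print(f"{name!r}: {verdict(name, blob)} {assess_download(name, blob)}")
```

The content check is the one that matters: a file named `Invoice_2026.pdf` whose first two bytes are `MZ` is an executable whatever its icon says, and a web proxy or endpoint control that inspects the body rather than trusting the name or the Content-Type header is what stops the download described above.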
Stage 2 – Malicious Browser Extensions and Download Sites
What we observed
The SOC investigated endpoints generating repeated network traffic to suspicious advertising and media domains.
Although network security controls blocked most of the connections, investigation revealed that the activity originated from browser extensions installed on affected devices.
These extensions were typically introduced when users installed free software from unverified websites or added browser extensions outside official marketplaces.
Once installed, the extensions attempted to:
- redirect search queries
- inject advertising traffic
- communicate with external domains associated with suspicious infrastructure
Why this matters
Browser extensions often require extensive permissions within the browser environment.
Malicious or poorly controlled extensions can therefore:
- harvest browsing data
- redirect users to malicious websites
- deliver additional malware
- persist within the environment for extended periods
Without appropriate governance, browser extensions represent a significant and often overlooked attack surface.
Stage 3 – Initial Access Using Compromised Credentials
What we observed
Following credential theft, attackers attempted to authenticate to cloud services using harvested credentials or authentication tokens.
SOC investigations identified suspicious sign-in behaviour including:
- logins from unfamiliar geographic locations
- authentication attempts from previously unseen IP addresses
- login attempts shortly after malware execution on the affected endpoint
Because attackers were using legitimate credentials, these activities often resembled normal user behaviour.
Why this matters
Credential-based attacks remain one of the most effective methods for gaining access to organisational environments.
By using valid credentials or session tokens, attackers can bypass many traditional security controls and access services in the same way as legitimate users.
Detecting this activity requires strong monitoring of identity and behavioural signals.
SOC Analyst Perspective
From an operational standpoint, one of the most consistent observations across SOC investigations is that attackers increasingly rely on simple techniques executed at scale.
Phishing campaigns, credential harvesting malware, and credential abuse enable attackers to operate within environments without relying on complex exploitation.
For SOC teams, detecting this activity requires correlating signals across multiple telemetry sources including endpoint activity, authentication logs, and network behaviour.
Security teams that rely solely on signature-based detection often struggle to identify these attacks early.
Emerging Threat Trends to Watch
Based on patterns emerging across recent investigations, our SOC analysts are closely monitoring several developments likely to influence the threat landscape in the coming months.
1. Growth in identity-based attacks
Credential abuse continues to increase as attackers focus on harvesting authentication tokens and session data.
2. Expansion of infostealer malware ecosystems
Infostealer malware is increasingly distributed through “malware-as-a-service” platforms, making credential harvesting accessible to a wider range of threat actors.
3. Greater reliance on legitimate tools
Attackers continue to use legitimate administrative tools and system utilities to avoid triggering traditional malware detection.
4. Increasing attack surface from unmanaged applications
Browser extensions, SaaS integrations, and unapproved applications introduce additional opportunities for compromise when not properly governed.
Security Recommendations
Based on patterns observed across SOC investigations, organisations should prioritise the following defensive measures.
Strengthen phishing and download protection
- Implement advanced email filtering to reduce the delivery of malicious links and attachments.
- Restrict downloads from untrusted websites using web filtering and endpoint controls to prevent users from executing unverified software.
Invest in User Awareness and Behavioural Risk Reduction
Organisations should implement regular, targeted security awareness training focused on:
- identifying phishing attempts
- recognising suspicious downloads and links
- understanding the risks of installing unapproved software
Training should be continuous and supported by simulated phishing exercises to reinforce behaviour over time.
Enforce Browser and Application Control
Organisations should implement centralised browser management, such as Chrome Enterprise or Microsoft Edge management deployed via Intune, to control:
- which extensions can be installed (allow-listing)
- browser configurations and security settings
- user ability to install unapproved add-ons
Controls should also prevent the installation of alternative browsers that could bypass security policies.
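The permission point raised in Stage 2 and the allow-listing recommendation above come together in an inventory audit: for each installed extension, is it on the approved list, did it come from the official store, and what can it do? The following Python is an added example for this page, not MTI tooling or any vendor's code. It reads extension manifests (the `manifest.json` each Chrome or Edge extension ships) and flags extensions that are not allow-listed, that lack the Chrome Web Store `update_url` (a sign of sideloading from a download site), or that declare permissions letting them observe or rewrite every page and request. The allow-list, extension IDs and manifests are constructed for illustration.

```python
import re

# Update endpoint carried by every extension installed from the Chrome Web Store. Extensions
# sideloaded from download sites or loaded unpacked usually have a different update_url or none.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# API permissions that let an extension read or rewrite pages, requests, cookies or proxy settings.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "proxy", "cookies", "tabs", "scripting", "nativeMessaging", "debugger",
}
# Host patterns whose host part is a bare wildcard grant access to every site.
BROAD_HOST_PATTERN = re.compile(r"^(\*|https?|file)://\*/")

# Constructed allow-list: a hypothetical approved extension ID (32 chars a-p, like real Chrome IDs).
ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop"}

# Constructed inventory: two installed extensions with the contents of their manifest.json.
SAMPLE_INVENTORY = [
    {"id": "abcdefghijklmnopabcdefghijklmnop",
     "manifest": {"name": "Corporate Password Manager", "manifest_version": 3,
                  "update_url": WEBSTORE_UPDATE_URL,
                  "permissions": ["storage"],
                  "host_permissions": ["https://vault.example.com/*"]}},
    {"id": "ponmlkjihgfedcbaponmlkjihgfedcba",
     # no update_url: bundled with a "free software" installer rather than installed from the store
     "manifest": {"name": "Free Video Downloader", "manifest_version": 2,
                  "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"]}},
]


def risky_permissions(manifest: dict) -> list:
    """Sorted high-risk API permissions and broad host patterns declared by a manifest.
    Manifest V2 lists host patterns under "permissions"; V3 moves them to "host_permissions"."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return sorted(p for p in declared if p in HIGH_RISK_PERMISSIONS or BROAD_HOST_PATTERN.match(p))


def audit_extension(ext_id: str, manifest: dict, allowlist: set) -> dict:
    return {
        "name": manifest.get("name", ext_id),
        "allowlisted": ext_id in allowlist,
        "webstore_update_url": manifest.get("update_url") == WEBSTORE_UPDATE_URL,
        "risky_permissions": risky_permissions(manifest),
    }


def needs_action(result: dict) -> bool:
    """Removal or review is warranted if the extension is unapproved, sideloaded, or over-privileged."""
    return (not result["allowlisted"]) or (not result["webstore_update_url"]) or bool(result["risky_permissions"])


def audit_inventory(inventory: list, allowlist: set = ALLOWLIST) -> dict:
    return {e["id"]: audit_extension(e["id"], e["manifest"], allowlist) for e in inventory}


if __name__ == "__main__":
    for ext_id, result in audit_inventory(SAMPLE_INVENTORY).items():
        flag = "REVIEW" if needs_action(result) else "ok"
        print(f"{flag:6} {ext_id} {result['name']}: {result}")
```

In practice the manifests come from the Extensions folder of each user's browser profile (one subfolder per extension ID), and the allow-list used here should be the same set pushed to managed browsers through the ExtensionInstallAllowlist policy, with ExtensionInstallBlocklist set to `*` so that anything not on the list cannot be installed at all.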
Monitor and Respond to Suspicious Identity Activity
- Enable alerts for suspicious authentication behaviour, including:
  - impossible travel events
  - unfamiliar sign-in locations
  - high-risk authentication activity
- Use automated response actions, such as revoking active sessions, to reduce the time attackers have access to compromised accounts.
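The sign-in signals listed in Stage 3 (unfamiliar locations, previously unseen IP addresses, and logins shortly after malware executed on the endpoint) and the alert types recommended here can be correlated once endpoint and identity telemetry sit side by side. The following Python is an added example for this page, not MTI detection logic. The EDR detection event, the sign-in records (loosely modelled on Entra ID sign-in log fields, which is an assumption about the reader's log source), the per-user baseline of known IPs and countries, and the thresholds (a two-hour post-detection window and a 900 km/h impossible-travel speed) are all constructed for illustration.

```python
import json
import math
from datetime import datetime, timedelta, timezone

# Constructed EDR detection: the infostealer ran on the user's endpoint at 09:02 UTC.
EDR_EVENTS = [
    {"user": "jsmith@example.com", "host": "LAPTOP-01", "time": "2026-01-14T09:02:10Z", "verdict": "infostealer"},
]

# Constructed sign-in records, loosely modelled on Entra ID sign-in log fields (an assumption about the
# log source). IP addresses come from the RFC 5737 documentation ranges.
SIGNIN_LOG = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "jsmith@example.com", "createdDateTime": "2026-01-14T08:15:00Z",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB", "geoCoordinates": {"latitude": 51.5, "longitude": -0.12}}},
    {"userPrincipalName": "jsmith@example.com", "createdDateTime": "2026-01-14T09:20:00Z",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 40.7, "longitude": -74.0}}},
    {"userPrincipalName": "alee@example.com", "createdDateTime": "2026-01-14T10:00:00Z",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB", "geoCoordinates": {"latitude": 53.48, "longitude": -2.24}}},
])

# Constructed per-user baseline of IPs and countries seen over the preceding weeks.
BASELINE = {
    "jsmith@example.com": {"ips": {"203.0.113.10"}, "countries": {"GB"}},
    "alee@example.com": {"ips": {"203.0.113.22"}, "countries": {"GB"}},
}


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def analyse_signins(log_text, edr_events, baseline, window_minutes=120, max_speed_kmh=900) -> list:
    """Flag successful sign-ins that come from an unseen IP or country, fall within window_minutes after a
    malware detection for the same user, or imply travel faster than max_speed_kmh since the previous sign-in."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    records = sorted((r for r in records if r["status"]["errorCode"] == 0), key=lambda r: r["createdDateTime"])
    detections = {}
    for event in edr_events:
        detections.setdefault(event["user"], []).append(parse_time(event["time"]))
    last_seen = {}  # user -> (time, lat, lon) of that user's previous successful sign-in
    alerts = []
    for r in records:
        user, ip = r["userPrincipalName"], r["ipAddress"]
        when = parse_time(r["createdDateTime"])
        loc = r["location"]
        lat, lon = loc["geoCoordinates"]["latitude"], loc["geoCoordinates"]["longitude"]
        known = baseline.get(user, {"ips": set(), "countries": set()})
        reasons = []
        if ip not in known["ips"]:
            reasons.append("unseen_ip")
        if loc["countryOrRegion"] not in known["countries"]:
            reasons.append("unseen_country")
        if any(timedelta(0) <= when - d <= timedelta(minutes=window_minutes) for d in detections.get(user, [])):
            reasons.append("post_malware_window")
        if user in last_seen:
            prev_time, prev_lat, prev_lon = last_seen[user]
            hours = (when - prev_time).total_seconds() / 3600
            # comparing distance with speed*time also covers a zero interval without dividing by zero
            if haversine_km(prev_lat, prev_lon, lat, lon) > max_speed_kmh * hours:
                reasons.append("impossible_travel")
        last_seen[user] = (when, lat, lon)
        if reasons:
            alerts.append({"user": user, "time": r["createdDateTime"], "ip": ip, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print(json.dumps(analyse_signins(SIGNIN_LOG, EDR_EVENTS, BASELINE), indent=2))
```

Identity platforms already ship unfamiliar-location and impossible-travel risk detections; what they cannot see is the endpoint side. The `post_malware_window` join is the cross-telemetry signal that turns a sign-in that "resembled normal user behaviour" into a high-confidence alert, and it is the one that should drive the automated session revocation recommended above.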
The Value of SOC Visibility
Operating a mature Security Operations Centre provides organisations with far more than alert monitoring – it provides continuous visibility into how attacks develop across real environments.
Through its 24/7 UK-based SOC, MTI investigates thousands of alerts and hundreds of incidents each quarter across organisations in regulated and commercial sectors. This broad operational visibility allows analysts to identify emerging attacker techniques earlier and continuously refine detection logic.
MTI analysts take full ownership of incidents from investigation through containment, reducing Mean Time to Detect and Mean Time to Respond, with 95% of incidents contained without customer action.
Each customer is supported by a named Technical Lead and Technical Delivery Manager, ensuring direct access to the engineers investigating incidents and maintaining alignment between day-to-day operations and longer-term security improvement.
The result is not simply faster incident response, but clearer security visibility, improved detection maturity, and stronger operational resilience over time.
Conclusion
The incidents investigated by MTI’s SOC this quarter highlight a consistent trend across modern cyber threats.
Rather than relying on complex exploits, attackers increasingly focus on credential theft, user interaction, and identity compromise.
For organisations, effective cyber defence therefore depends on:
- strong identity protection
- controlled endpoint environments
- continuous threat monitoring
- rapid investigation and response capabilities
Organisations that combine these capabilities with the visibility provided by a mature Security Operations Centre are significantly better positioned to detect suspicious activity early and reduce the potential impact of compromise.
About The Author
Josh King is a cyber security leader at MTI with more than twelve years’ experience across managed services, security operations, and cyber defence. As head of MTI’s UK Security Operations Centre (SOC), he leads teams responsible for protecting organisations against an increasingly complex threat landscape. Combining deep technical expertise with hands-on leadership, Josh helps organisations strengthen their cyber resilience through proactive threat detection, incident response, and security best practices.