What Is Initial Access in Red Team Operations?
Initial access is the phase where an attacker gains a foothold in the target environment. In Mandiant’s M-Trends 2025 data, exploits account for 33% of initial access, stolen credentials for 16%, and email phishing for 14%.
For red teams, initial access is the hardest phase. Until you have a foothold, nothing else happens. The technique you choose also sets the operational tempo. A noisy entry alerts the SOC and compresses your operating window. A stealthy approach preserves OPSEC for everything that follows. Across 500+ RedTeam Partners engagements, initial access success rates correlate directly with the quality and duration of reconnaissance.
MITRE ATT&CK catalogs 11 primary initial access techniques under TA0001, each with multiple sub-techniques. The 2025 Verizon Data Breach Investigations Report (DBIR) analyzed over 12,000 confirmed breaches and found that initial access vectors have diversified significantly over the past five years, with credential-based access (T1078) rising from 14% to 22% of initial compromises between 2022 and 2025. This diversification means red teams must maintain proficiency across multiple initial access methods to realistically emulate modern adversaries.
“Initial access is where preparation meets opportunity. The red teams that invest the most time in reconnaissance and weaponization achieve initial access faster and with less detection. There are no shortcuts.” — Joe Slowik, Threat Intelligence Manager, Dragos, speaking at SANS CTI Summit 2025.
How Do Red Teams Use Phishing for Initial Access (T1566)?
Phishing remains the dominant initial access technique for both real-world adversaries and red teams. MITRE ATT&CK categorizes phishing under T1566 with four sub-techniques: Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), Spearphishing via Service (T1566.003), and Spearphishing Voice (T1566.004). Each sub-technique presents distinct operational considerations, detection profiles, and success rates.
Spearphishing Attachment (T1566.001)
Spearphishing attachment involves sending a targeted email with a malicious file attached. The attachment typically contains a payload that executes when the recipient opens it: commonly a macro-enabled Office document, a weaponized PDF, an HTML application (HTA) file, or an ISO/IMG container. Containers were chosen because files extracted from a mounted image historically did not inherit Mark-of-the-Web (MOTW) and so escaped Protected View and SmartScreen; since late 2022 Windows propagates MOTW into mounted images, so that bypass now depends on unpatched hosts.
Red Team Methodology:
- Pretext Development: Based on reconnaissance, the red team crafts a pretext that will compel the target to open the attachment. Common pretexts include invoices, HR documents, project deliverables, or industry-specific lures. According to CrowdStrike’s 2025 research, pretexts that reference internal company events or processes achieve a 4.2x higher open rate than generic lures.
- Payload Engineering: The payload must bypass the target’s email gateway, sandbox analysis, and endpoint protection. Modern red teams use techniques such as VBA stomping (removing or replacing the VBA source text while leaving the compiled p-code that Office actually executes, so source-based scanners see benign or empty code; this only works when the victim’s Office build matches the one that compiled the p-code, otherwise Office recompiles from the stomped source and the payload is lost), encrypted containers, and signed executables to evade detection. The payload typically establishes a lightweight callback to the C2 infrastructure rather than deploying a full implant immediately.
- Infrastructure Setup: Sending domains must be aged, categorized, and configured with valid SPF, DKIM, and DMARC records so the mail passes authentication at the receiving gateway. Red teams often purchase expired domains that carry existing reputation. Domain fronting and redirectors through legitimate cloud services belong to the callback (C2) side of the infrastructure, not to mail delivery.
- Delivery and Monitoring: The email is sent during business hours when the target is most likely to be actively processing email. The red team monitors for callback activity to confirm successful execution.
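The infrastructure step above has a mirror image on the target side: the target domain’s own SPF and DMARC records decide whether a red team can put the target’s real domain in the From: header or has to fall back to a lookalike, and the same check tells a defender how exposed they are. The script below rates that posture from the two TXT records. It is an added example, not code from the page’s authors; the record strings in SAMPLES are constructed, and fetching the real records (dig example.com TXT and dig _dmarc.example.com TXT) is left to the caller.

```python
"""Rate a domain's exposure to direct From:-spoofing from its SPF and DMARC
TXT records. Added example; the records in SAMPLES are constructed, not real."""
import re


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if txt is not a DMARC record."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(txt):
    """Qualifier on the SPF 'all' mechanism: '+', '-', '~', '?' or None when
    there is no SPF record or no 'all' term (implicit neutral)."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if match:
            return match.group(1) or "+"      # a bare 'all' means '+all'
    return None


def assess(spf_txt, dmarc_txt):
    """Return (rating, findings). Rating is one of
    'open', 'monitor-only', 'partial', 'enforced'; findings explain it."""
    findings = []
    qualifier = spf_all_qualifier(spf_txt)
    if qualifier is None:
        findings.append("SPF: no record or no 'all' term, unknown senders are neutral")
    elif qualifier == "+":
        findings.append("SPF: '+all' authorizes every host on the internet")
    elif qualifier in ("~", "?"):
        findings.append(f"SPF: '{qualifier}all' only soft-fails unknown senders")

    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("DMARC: no record, receivers apply no policy to failures")
        return "open", findings

    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, nobody receives aggregate reports")
    if policy == "none":
        findings.append("DMARC: p=none, failing mail is delivered anyway")
        return "monitor-only", findings
    if pct < 100:
        findings.append(f"DMARC: pct={pct}, only that share of failures gets the policy")
        return "partial", findings
    if policy == "quarantine":
        findings.append("DMARC: p=quarantine, spoofed mail lands in junk, not rejected")
        return "partial", findings
    return "enforced", findings


# Constructed records standing in for the dig TXT answers.
SAMPLES = {
    "hardened.example": ("v=spf1 include:_spf.mail.example -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"),
    "monitor.example":  ("v=spf1 ip4:203.0.113.0/24 ~all",
                         "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"),
    "partial.example":  ("v=spf1 ip4:203.0.113.0/24 -all",
                         "v=DMARC1; p=reject; pct=20; rua=mailto:d@partial.example"),
    "open.example":     ("v=spf1 +all", None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        rating, findings = assess(spf, dmarc)
        print(f"{domain:18} {rating:13} {'; '.join(findings) or 'no issues'}")
```

Only the enforced case blocks direct spoofing at receivers that honour DMARC; p=none is the common real-world state and is why aged lookalike domains are often unnecessary. The subdomain policy (sp=) defaults to p, so a reject at the apex also covers unregistered subdomains unless the owner loosened it.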
Success Rates and Statistics: According to the 2025 SANS Phishing Benchmark study, the average click rate for well-crafted spearphishing attachments in red team engagements is 17.8%, with organisations in the financial sector showing the lowest click rates (11.2%) and manufacturing showing the highest (24.6%). Even a single successful click can provide the foothold needed for the entire engagement.
Spearphishing Link (T1566.002)
Spearphishing link involves sending an email containing a malicious URL rather than an attachment. The link typically directs the target to a credential harvesting page, a drive-by download site, or a legitimate application OAuth consent page configured to grant the attacker access.
Red Team Methodology:
The link-based approach has grown in popularity among red teams because it often generates fewer email gateway alerts than attachments. Modern implementations include:
- Credential Harvesting: Cloned login pages for corporate SSO portals, Microsoft 365, or VPN gateways. Tools like Evilginx2 and Modlishka proxy the legitimate login flow in real time and capture the post-MFA session cookie, which defeats OTP- and push-based MFA. Phishing-resistant methods (FIDO2/WebAuthn, certificate-based authentication) do not fall to this, because the assertion is bound to the origin the browser actually loaded rather than to a code the user can retype.
- OAuth Consent Phishing: Abusing legitimate OAuth flows to trick users into granting application permissions to attacker-controlled apps. This technique is particularly effective against Microsoft 365 environments and does not require any malware.
- Browser-in-the-Browser (BitB) Attacks: Creating fake browser popup windows that simulate legitimate SSO login prompts, complete with fake URL bars showing the expected domain.
According to Mandiant’s 2025 data, credential harvesting via spearphishing links accounted for 19% of all initial access events they investigated, making it the second most common phishing sub-technique after attachment-based phishing.
Spearphishing via Service (T1566.003) and Spearphishing Voice (T1566.004)
Spearphishing via Service covers phishing delivered through third-party services rather than corporate email: LinkedIn, Slack, Microsoft Teams, personal webmail, or SMS (smishing). Voice-based phishing (vishing) has its own sub-technique, Spearphishing Voice (T1566.004). As organisations have hardened their email security, adversaries and red teams have increasingly shifted to these alternative channels.
Red Team Application: Vishing has emerged as one of the most effective initial access techniques in red team engagements. CrowdStrike’s 2025 Global Threat Report documented a 442% increase in vishing-based initial access between the first and second half of 2024. Red teams conduct vishing by calling target employees, impersonating IT helpdesk staff, and persuading them to install remote access tools, navigate to credential harvesting pages, or read back one-time passcodes.
| Phishing Sub-Technique | MITRE ID | Success Rate (2025 avg) | Detection Difficulty | Best Against |
|---|---|---|---|---|
| Spearphishing Attachment | T1566.001 | 17.8% click rate | Medium | Organizations with weak email filtering |
| Spearphishing Link | T1566.002 | 14.3% click rate | Medium-High | Organizations using cloud SSO |
| Spearphishing via Service | T1566.003 | 22.1% success rate | High | Organizations with strong email but weak voice/SMS security |
| Spearphishing Voice (vishing) | T1566.004 | 31.4% success rate | Very High | Organizations without vishing awareness training |
How Do Red Teams Exploit Public-Facing Applications (T1190)?
Exploiting public-facing applications (T1190) is the leading initial access vector, with exploits accounting for 33% of initial access according to Mandiant’s M-Trends 2025 report. This technique involves targeting vulnerabilities in internet-accessible systems such as web applications, VPN gateways, email servers, and API endpoints.
Common Target Categories
Web Applications: Custom web applications remain a rich target for initial access. Common vulnerability classes include SQL injection, server-side request forgery (SSRF), insecure deserialization, and authentication bypass. The 2025 Verizon DBIR found that web application attacks were involved in 43% of all breaches, with SSRF showing the largest year-over-year increase at 67%.
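To make the SSRF entry in that list concrete, here is the fetch-a-URL-for-the-user pattern as it is usually found, next to a version that resolves the host first and refuses anything that lands on loopback, RFC 1918, link-local (which includes the 169.254.169.254 cloud metadata endpoint) or IPv4-mapped IPv6 space. This is an added example, not from the page or any named project; the FAKE_DNS table is a constructed stand-in for DNS so the checks run offline.

```python
"""SSRF: the usual vulnerable fetch next to a validating one. Added example;
FAKE_DNS is a constructed stand-in for DNS so the checks run offline."""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse


def fetch_vulnerable(url):
    """What the bug looks like: a user-supplied URL fetched from the server's
    network position. http://169.254.169.254/, http://127.0.0.1:2375/ and
    file:///etc/passwd are all reachable this way."""
    return urllib.request.urlopen(url, timeout=5).read()


ALLOWED_SCHEMES = {"http", "https"}


def host_to_ip(host, resolver):
    """Map a URL host to an address. Numeric hosts go through inet_aton first so
    the spellings the network stack accepts (2130706433, 0177.0.0.1, 0x7f.1)
    are read the way it will read them; then IPv6 literals; then DNS."""
    try:
        return ipaddress.ip_address(socket.inet_aton(host))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    return ipaddress.ip_address(resolver(host))


def is_blocked(ip):
    """Addresses a server must never fetch on a user's behalf."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url, resolver=socket.gethostbyname):
    """Return (ok, detail). ok=False should become an HTTP 400 to the caller."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    try:
        ip = host_to_ip(parts.hostname, resolver)
    except (ValueError, OSError) as exc:
        return False, f"cannot resolve {parts.hostname}: {exc}"
    if is_blocked(ip):
        return False, f"{parts.hostname} resolves to {ip}, not fetchable"
    return True, str(ip)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # a 3xx pointing at http://127.0.0.1/ must not be followed


def fetch_hardened(url, resolver=socket.gethostbyname):
    ok, detail = validate_target(url, resolver)
    if not ok:
        raise ValueError(detail)
    # Remaining gap: urllib resolves the name again when it connects, so a
    # rebinding DNS server can still swap answers between check and use. Pin
    # the socket to `detail` (the validated IP) in production instead.
    return urllib.request.build_opener(NoRedirect).open(url, timeout=5).read()


# Constructed name table; a name the attacker controls can point anywhere.
FAKE_DNS = {
    "reports.example.com": "93.184.216.34",
    "metadata.internal": "10.0.0.5",
    "attacker-owned.example": "127.0.0.1",
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN {host}")


if __name__ == "__main__":
    for url in ["https://reports.example.com/q1.pdf",
                "http://169.254.169.254/latest/meta-data/",
                "http://2130706433/", "http://0177.0.0.1/",
                "http://[::ffff:127.0.0.1]/", "http://attacker-owned.example/",
                "http://metadata.internal/", "file:///etc/passwd"]:
        print(f"{url:44} -> {validate_target(url, fake_resolver)}")
```

The two things red teams test for, and this version closes, are scheme smuggling (file://, gopher://) and the alternate address spellings that a naive "does it start with 127." check misses. The redirect and DNS-rebinding notes in fetch_hardened are the two gaps that remain after a denylist on the resolved address, which is why an allowlist of permitted destinations is the stronger design where the application can tolerate one.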
VPN and Remote Access Gateways: VPN appliances from vendors like Fortinet, Pulse Secure (Ivanti), Citrix, and Palo Alto Networks have been prolific sources of critical vulnerabilities. Red teams routinely scan for unpatched VPN gateways as a high-value initial access target. Mandiant’s 2025 data shows that VPN exploitation was the single fastest-growing initial access vector, increasing 89% year-over-year.
Email Servers: Microsoft Exchange and other mail servers remain attractive targets due to their internet exposure and the high-privilege access they provide. Exploitation of Exchange vulnerabilities like ProxyShell, ProxyLogon, and their successors continues to be observed in both real-world attacks and red team engagements.
Cloud Services and APIs: Misconfigured cloud services — exposed S3 buckets, unauthenticated APIs, overly permissive serverless functions — provide initial access without requiring a traditional exploit. According to CrowdStrike’s 2025 Cloud Threat Report, cloud service misconfiguration was the initial access vector in 34% of cloud-specific incidents.
Red Team Methodology for Application Exploitation
- Asset Discovery: Identify all public-facing assets using tools like Shodan, Censys, and custom port scanning. Map the technology stack for each asset.
- Vulnerability Assessment: Probe each asset for known vulnerabilities (using tools like Nuclei, Nessus, and manual testing) and unknown vulnerabilities (through fuzzing and code review if source code is available).
- Exploit Development or Adaptation: Develop or adapt exploits for identified vulnerabilities. Red teams often need to modify public proof-of-concept exploits to work reliably against the specific target version and configuration, and should test them against a matching lab build first: a failed exploit that crashes a production service is both noisy and destructive.
- Exploitation and Foothold: Execute the exploit to gain code execution or authenticated access, then establish a persistent foothold for subsequent operations.
“The explosion of internet-facing attack surface — VPNs, cloud consoles, SaaS APIs — has made T1190 the technique most likely to provide silent, credential-free initial access in modern environments.” — Kevin Mandia, Founder of Mandiant, M-Trends 2025 report foreword.
Defense Against Application Exploitation
- Maintain aggressive patch management for all internet-facing systems, prioritizing CVEs with known exploitation
- Deploy web application firewalls (WAFs) with virtual patching capability
- Implement network segmentation so compromise of a public-facing system does not grant direct access to internal networks
- Conduct regular vulnerability assessments and penetration tests of public-facing assets
- Reduce the public attack surface by removing unnecessary internet-facing services
How Do Attackers Leverage Valid Accounts for Initial Access (T1078)?
Valid Accounts (T1078) — gaining initial access using legitimate credentials rather than exploiting a vulnerability — has emerged as one of the fastest-growing initial access techniques. The 2025 Verizon DBIR reports that credential-based initial access now accounts for 22% of all breaches, up from 14% in 2022. This technique is particularly challenging to detect because the attacker’s actions initially appear identical to legitimate user activity.
Sub-Techniques of Valid Accounts
Default Accounts (T1078.001): Exploiting factory-default credentials on systems, devices, and applications. Despite decades of awareness, default credentials remain prevalent, particularly on IoT devices, network equipment, and internally deployed applications.
Domain Accounts (T1078.002): Using stolen or compromised Active Directory credentials to access systems. Credentials may be obtained through credential stuffing (using credentials from previous data breaches), password spraying (trying common passwords against many accounts), or purchasing credentials from initial access brokers on dark web marketplaces.
Local Accounts (T1078.003): Using compromised local system credentials, often obtained through password reuse, brute force, or credential dumps from compromised systems.
Cloud Accounts (T1078.004): Accessing cloud environments using stolen or compromised cloud credentials. This sub-technique has grown dramatically with the adoption of cloud services. According to CrowdStrike’s 2025 data, cloud account compromise grew 75% year-over-year, driven by the proliferation of cloud identity stores and the frequent absence of MFA on service accounts.
Red Team Credential Acquisition Methods
Red teams acquire valid credentials for initial access through several methods:
Password Spraying: Testing a small number of commonly used passwords against a large number of accounts, with the attempt rate per account kept below the lockout threshold for its observation window. The bet is that across a large user base some accounts use a seasonal or otherwise predictable password, so spreading a few guesses over many accounts succeeds where many guesses against one account would trigger lockout. Red teams typically spray against Microsoft 365, VPN portals, and other externally accessible authentication endpoints.
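The defender’s view of the paragraph above follows from its own description: a spray is many accounts, few failures per account, from one source, which is exactly the shape a per-account lockout counter cannot see. The detector below runs that test over constructed sign-in events shaped like an exported sign-in log (time, user, source IP, result). It is an added example, not tooling from the page; the thresholds are assumptions to tune per environment, and build_sample_log() is constructed data, not real telemetry.

```python
"""Password-spray detection over sign-in events. Added example; the events are
constructed in build_sample_log(), not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta


def detect_spray(events, window=timedelta(minutes=30), min_users=8, max_per_user=3):
    """One alert per source IP whose failures, inside any `window`, touch at
    least `min_users` distinct accounts with no account failing more than
    `max_per_user` times. That shape stays under per-account lockout (which
    is the point of spraying) and is the inverse of single-account brute force.
    Each alert lists accounts that later signed in successfully from the IP."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["src_ip"]].append(e)

    alerts = []
    for ip, ip_events in by_ip.items():
        fails = [e for e in ip_events if e["result"] == "fail"]
        counts = defaultdict(int)          # per-user failures inside the window
        best, start = None, 0
        for end, e in enumerate(fails):
            counts[e["user"]] += 1
            while e["time"] - fails[start]["time"] > window:   # slide the left edge
                old = fails[start]["user"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                if best is None or len(counts) > best["users_attempted"]:
                    best = {"src_ip": ip, "users_attempted": len(counts),
                            "window_start": fails[start]["time"],
                            "window_end": e["time"]}
        if best is not None:
            best["compromised"] = sorted({e["user"] for e in ip_events
                                          if e["result"] == "success"
                                          and e["time"] >= best["window_start"]})
            alerts.append(best)
    return alerts


def build_sample_log():
    """Constructed sign-in events: one spraying IP that lands a hit, one IP
    brute-forcing a single service account, one user who mistyped twice."""
    t0 = datetime(2025, 3, 4, 9, 0, 0)
    rows = []
    sprayed = ["a.adams", "b.baker", "c.clark", "d.davis", "e.evans", "f.fox",
               "g.green", "h.hill", "i.irwin", "j.jones", "k.king", "m.miller"]
    for i, user in enumerate(sprayed):                 # one guess per account
        rows.append((t0 + timedelta(seconds=40 * i), user, "198.51.100.7", "fail"))
    rows.append((t0 + timedelta(minutes=9), "m.miller", "198.51.100.7", "success"))
    for i in range(10):                                # brute force, one account
        rows.append((t0 + timedelta(seconds=15 * i), "svc_backup", "203.0.113.9", "fail"))
    rows += [(t0 + timedelta(minutes=1), "j.jones", "192.0.2.5", "fail"),
             (t0 + timedelta(minutes=1, seconds=20), "j.jones", "192.0.2.5", "fail"),
             (t0 + timedelta(minutes=2), "j.jones", "192.0.2.5", "success")]
    return [{"time": t, "user": u, "src_ip": ip, "result": r}
            for t, u, ip, r in sorted(rows)]


if __name__ == "__main__":
    for alert in detect_spray(build_sample_log()):
        print(alert)
```

Keying on source IP is the weak point: sprays run through residential proxy pools rotate the address per attempt, so the same logic should also be run with the source dimension replaced by user agent, ASN, or simply the whole tenant (many distinct accounts failing once each inside a few minutes, regardless of origin). The "compromised" list is the item that matters operationally; a spray with an empty list is a warning, one with a name in it is an incident.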
Credential Stuffing: Using username/password combinations from previous data breaches (obtained from breach databases like those indexed by Have I Been Pwned) against the target organization’s login portals. According to Mandiant’s 2025 data, 62% of organisations have at least one employee whose credentials appear in a known breach database.
Initial Access Brokers: In real-world attacks, initial access is frequently purchased from specialized criminal groups that compromise organisations and sell access. While red teams do not purchase criminal access, they emulate this scenario by using credentials discovered through OSINT and password spraying to simulate the same entry point.
MFA Bypass Techniques: Modern red teams increasingly encounter MFA on initial access points. Bypass techniques include MFA fatigue attacks (bombarding the user with push notifications until one is approved), real-time phishing proxies (Evilginx2-style tools that capture the session token after MFA completes), and weak MFA enrollment (registering an attacker-controlled authenticator on an account whose password is known but which has no authenticator yet). Number matching on push prompts and phishing-resistant authenticators (FIDO2/WebAuthn) close the first two paths respectively; enrollment has to be gated separately, for example by requiring a trusted device or location to register a new factor.
| Credential Access Method | Success Rate | Detection Difficulty | Common Targets |
|---|---|---|---|
| Password Spraying | 12-18% (per campaign) | Medium | Microsoft 365, VPN, OWA |
| Credential Stuffing | 0.5-2% (per credential) | Low-Medium | Any login portal |
| MFA Fatigue | 8-15% | Medium-High | Push-based MFA users |
| Real-Time Phishing Proxy | 65-80% (of phished users) | High | SSO/OAuth portals |
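The real-time phishing proxies named under Spearphishing Link and again in the MFA Bypass Techniques paragraph relay anything the user types, but a FIDO2 assertion is signed over the origin the browser actually loaded and an rpIdHash the page cannot choose, which is why the "Real-Time Phishing Proxy" row above does not apply to it. The model below shows both sides. It is an added example, not code from the page or from Evilginx2/Modlishka: the origins are constructed, and an HMAC stands in for the authenticator’s ECDSA signature, since only the binding matters here, not the signature algorithm. The contrasting one-time-code check is included because it carries no origin and so relays cleanly.

```python
"""Why an Evilginx-style reverse proxy relays TOTP/push but not FIDO2/WebAuthn.
Added example. Origins are constructed; the HMAC stands in for the
authenticator's ECDSA signature over authenticatorData || SHA-256(clientDataJSON),
which is the part that binds the assertion to the origin."""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-com.net"   # lookalike the victim really visits


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def host_of(origin):
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


class Authenticator:
    """Stand-in for a security key: it signs what the browser hands it, but the
    signed blob includes the rpIdHash and the hash of the browser-built clientData."""
    def __init__(self):
        self.key = os.urandom(32)       # stands in for the credential private key
        self.counter = 0

    def sign(self, rp_id, client_data_json):
        self.counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x01" + self.counter.to_bytes(4, "big"))
        message = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.key, message, "sha256").digest()


def browser_get_assertion(authenticator, page_origin, challenge):
    """The browser, not the page, writes `origin` (where the user actually is)
    and derives the rpId from it. A page cannot request someone else's rpId."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    auth_data, sig = authenticator.sign(host_of(page_origin), client_data)
    return client_data, auth_data, sig


def rp_verify(cred_key, challenge, client_data, auth_data, sig):
    """Relying-party checks in the order WebAuthn section 7.2 lists them."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if c.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replayed assertion)"
    if c.get("origin") != RP_ORIGIN:
        return False, f"origin {c.get('origin')} is not {RP_ORIGIN}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature does not cover this clientData"
    return True, "ok"


def proxy_attempt(authenticator, challenge, rewrite_origin=False):
    """The relay: the proxy passes the RP's real challenge to the victim sitting
    on PROXY_ORIGIN and forwards the result. With rewrite_origin it also edits
    clientDataJSON to claim the real origin, which no longer matches what was signed."""
    client_data, auth_data, sig = browser_get_assertion(authenticator, PROXY_ORIGIN, challenge)
    if rewrite_origin:
        c = json.loads(client_data)
        c["origin"] = RP_ORIGIN
        client_data = json.dumps(c).encode()
    return rp_verify(authenticator.key, challenge, client_data, auth_data, sig)


def legacy_otp_verify(submitted, expected):
    """A TOTP code or push approval says nothing about where the user typed it,
    so the same proxy relays it unchanged and the RP cannot tell."""
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    key, ch = Authenticator(), os.urandom(32)
    print("direct:          ", rp_verify(key.key, ch, *browser_get_assertion(key, RP_ORIGIN, ch)))
    print("proxied:         ", proxy_attempt(key, ch))
    print("proxied+rewrite: ", proxy_attempt(key, ch, rewrite_origin=True))
    print("proxied TOTP:    ", legacy_otp_verify("492817", "492817"))
```

The proxy still captures the password in the FIDO2 case; what it cannot obtain is the session, because the only assertion the victim’s browser will produce names the lookalike origin and carries the lookalike’s rpIdHash under the signature. In the engagement report, this is the distinction between "MFA was bypassed" and "MFA was phishing-resistant".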
For organisations looking to assess their resilience against credential-based initial access techniques, RedTeamPartner.com provides specialized credential assessment and phishing simulation services that test the full spectrum of authentication controls.
What Other Initial Access Techniques Do Red Teams Employ?
Beyond phishing, application exploitation, and credential abuse, several additional initial access techniques play important roles in red team engagements, particularly when primary vectors are well-defended.
Supply Chain Compromise (T1195)
Supply chain compromise involves targeting the software, hardware, or services that the target organization depends on. This technique has gained enormous attention following high-profile incidents like SolarWinds (2020), Kaseya (2021), and the 3CX compromise (2023).
Sub-Techniques:
- Compromise Software Dependencies and Development Tools (T1195.001): Injecting malicious code into libraries, build tools, or updates that the target organization consumes
- Compromise Software Supply Chain (T1195.002): Compromising the build or distribution infrastructure of a software vendor
- Compromise Hardware Supply Chain (T1195.003): Modifying hardware components before they reach the target
Red Team Application: Full supply chain compromise is rarely within scope for standard red team engagements due to the legal and ethical complexities of targeting third parties. However, red teams simulate supply chain scenarios by compromising internal development pipelines, injecting payloads through package managers (in controlled environments), or demonstrating how trust relationships with vendors could be abused. According to MITRE’s 2025 data, supply chain techniques were tested in 14% of advanced red team engagements, typically for organisations in the technology and defense sectors.
External Remote Services (T1133)
External remote services involve exploiting legitimate remote access mechanisms — VPN, RDP, Citrix, SSH — that are exposed to the internet. Unlike T1190 (which involves exploiting vulnerabilities), T1133 typically involves authenticating to these services using valid credentials obtained through other means.
Red Team Application: Red teams frequently chain T1078 (Valid Accounts) with T1133 (External Remote Services) to gain initial access. After obtaining credentials through password spraying or phishing, the team authenticates to VPN or remote desktop services to establish their foothold. The 2025 Verizon DBIR found that 38% of breaches involving valid credentials used those credentials against remote access services.
Trusted Relationship (T1199)
Trusted relationship exploitation involves exploiting the access that third parties — vendors, partners, managed service providers — have to the target environment. This technique exploits the trust relationships between organisations rather than attacking the target directly.
Red Team Application: In engagements where third-party risk assessment is in scope, red teams may target vendor VPN connections, managed service provider access portals, or partner API integrations. Mandiant’s 2025 M-Trends report found that trusted relationship compromise was the initial access vector in 8% of investigated incidents, with a disproportionately high impact due to the elevated privileges typically granted to trusted partners.
Drive-by Compromise (T1189)
Drive-by compromise involves compromising a website that target users are likely to visit (a watering hole) and using that website to deliver an exploit or credential harvesting payload to visitors. This technique is particularly effective when the target organization has strong email security but less robust web browsing controls.
Red Team Application: Red teams implement watering hole attacks by identifying websites frequented by target employees (through reconnaissance), compromising or cloning those sites, and adding malicious content. In controlled environments, red teams may host their own watering hole sites and use social engineering to direct targets to them.
Physical Access and Hardware-Based Techniques
Physical access methods do not map to a single ATT&CK technique, though parts of them do: rogue devices fall under Hardware Additions (T1200) and USB drops under Replication Through Removable Media (T1091). Together they represent an important initial access category for red team engagements:
- USB Drop Attacks: Placing weaponized USB devices in parking lots, lobbies, or common areas, relying on employee curiosity to plug them in
- Rogue Devices: Planting network implants (like a Raspberry Pi or LAN Turtle) in accessible network ports during physical infiltration
- Tailgating/Social Engineering: Gaining physical access to buildings through social engineering and then directly accessing systems
- Evil Twin WiFi: Setting up rogue wireless access points that mimic legitimate corporate networks to capture credentials
According to a 2025 SANS Physical Security survey, 67% of organisations that permitted physical access testing found that red teams could gain physical access to sensitive areas within 4 hours, and 43% could plant a rogue network device without detection.
How Should Organizations Prioritize Initial Access Defenses?
Given the diversity of initial access techniques, organisations must prioritize their defensive investments based on their specific threat landscape, technology environment, and risk tolerance.
Risk-Based Prioritization Framework
| Priority | Technique | Rationale | Key Defensive Controls |
|---|---|---|---|
| 1 | Phishing (T1566) | Highest volume, proven effectiveness | Email security gateway, security awareness training, MFA |
| 2 | Exploit Public-Facing App (T1190) | High impact, increasing frequency | Patch management, WAF, vulnerability scanning |
| 3 | Valid Accounts (T1078) | Fastest growing, hardest to detect | MFA enforcement, credential monitoring, password policies |
| 4 | External Remote Services (T1133) | Common chaining target | MFA on all remote access, network monitoring, access controls |
| 5 | Supply Chain (T1195) | Low frequency but catastrophic impact | Vendor assessment, software integrity verification, SBOMs |
Defense-in-Depth for Initial Access
Effective initial access defense requires multiple layers:
Prevention Layer: Block attacks before they reach users — email filtering, web proxy, firewall rules, patch management, and MFA enforcement.
Detection Layer: Identify attacks that bypass prevention — endpoint detection, behavioral analytics, network monitoring, and SIEM correlation rules.
Response Layer: Contain and remediate successful initial access quickly — incident response procedures, automated containment playbooks, and threat hunting capabilities.
Validation Layer: Continuously test defenses through red team engagements, phishing simulations, and vulnerability assessments to verify that controls function as expected.
The 2025 Verizon DBIR found that organisations implementing controls across all four layers reduced their median breach dwell time from 56 days to 9 days, demonstrating the compounding value of layered defense.
For detailed guidance on building initial access defenses aligned with Swiss regulatory requirements and industry best practices, CybersecuritySwitzerland.ch offers detailed resources for organisations operating in the Swiss cybersecurity landscape.
What Are Emerging Trends in Initial Access Techniques?
The initial access landscape continues to evolve as both attackers and defenders develop new capabilities. Several trends are shaping the future of initial access in red team engagements and real-world attacks.
AI-Enhanced Social Engineering
Generative AI has dramatically lowered the barrier to creating convincing phishing content. Red teams are using large language models to generate context-specific pretexts, clone writing styles of known contacts, and create personalized lures at scale. CrowdStrike’s 2025 report documented a 238% increase in AI-generated phishing content over the previous year. Deepfake audio and video are also being used in vishing attacks, making voice-based social engineering more convincing.
Identity-Based Initial Access
The shift from network-centric to identity-centric architectures (driven by zero trust adoption) has made identity systems themselves primary targets. Attacks against identity providers such as Okta, Microsoft Entra ID (formerly Azure AD) and Ping Identity, against SSO configurations, and against authentication flows are increasingly common. Red teams are dedicating more resources to identity-based initial access, including OAuth abuse, SAML manipulation, and identity federation exploitation.
API-First Attack Surfaces
As organisations expose more functionality through APIs, API endpoints have become a growing initial access vector. API security weaknesses — broken authentication, excessive data exposure, insufficient rate limiting — provide attack surface that traditional network security controls do not protect. According to the 2025 Salt Labs API Security Report, API-based attacks increased 117% year-over-year.
Edge Device Exploitation
Network edge devices — routers, firewalls, VPN concentrators, load balancers — have emerged as high-value initial access targets due to their internet exposure, privileged network position, and often limited security monitoring. Mandiant’s 2025 data showed a 52% increase in edge device exploitation for initial access, with Chinese state-sponsored groups being the most prolific users of this technique.
Initial Access as a Service
The criminal ecosystem has professionalized around initial access, with specialized groups (initial access brokers) selling authenticated access to compromised networks. While red teams do not purchase criminal access, they must understand and emulate these access patterns. The average price of corporate network access on criminal forums in 2025 ranges from $500 to $50,000, depending on the target’s size, industry, and the level of access provided.
Frequently Asked Questions About Initial Access Techniques
What is the most effective initial access technique for red teams?
There is no single “most effective” technique; the optimal choice depends on the target’s defensive posture, technology environment, and the engagement scope. However, phishing (T1566) consistently provides the highest overall success rate across diverse environments. In well-defended environments with strong email security, exploiting public-facing applications (T1190) or vishing (T1566.004) may be more effective.
How long does initial access typically take in a red team engagement?
According to the 2025 SANS Red Team survey, the median time to achieve initial access in a full-scope engagement is 3.7 days, with a range from under 1 hour (for environments with critical exposed vulnerabilities) to over 3 weeks (for highly mature organisations). The reconnaissance phase preceding initial access typically requires an additional 1-2 weeks.
Can MFA prevent all initial access techniques?
No. While MFA significantly reduces the risk of credential-based initial access (T1078), it does not protect against application exploitation (T1190), supply chain compromise (T1195), or social engineering techniques that bypass MFA (such as real-time phishing proxies or MFA fatigue attacks). MFA is a critical control but must be part of a layered defensive strategy.
How do red teams handle initial access failures?
Professional red teams plan multiple initial access vectors and expect some to fail. A typical engagement plan includes a primary, secondary, and tertiary initial access approach. If external initial access is not achieved within the agreed timeframe, many engagements include an “assumed breach” clause where the red team is given a foothold equivalent (such as a workstation image or VPN credentials) to continue testing post-compromise phases.
What is the difference between initial access and initial compromise?
Initial access refers specifically to the technique used to gain entry to the target environment. Initial compromise is a broader term that encompasses initial access plus the immediate post-access activities (establishing a foothold, achieving execution, and implementing basic persistence). In MITRE ATT&CK terminology, initial access is a single tactic (TA0001), while initial compromise spans multiple tactics (TA0001 through TA0003).
Sources
- Mandiant M-Trends 2025 — confirms exploits at 33%, stolen credentials at 16%, and email phishing at 14% of initial access
- MITRE ATT&CK TA0001 — confirms 11 techniques under Initial Access
- Verizon 2025 DBIR — confirms credential-based access at 22% of breaches; analysed ~12,195 confirmed breaches
- CrowdStrike 2025 Global Threat Report — confirms 442% increase in vishing between the first and second half of 2024