Quarterly threat report: Q4 2024 — credential stuffing against vendor portals
What we saw in customer telemetry across Q4 2024, what's working defensively, and what to watch in Q1.
Every quarter we publish what our telemetry is actually showing. Not what threat intelligence vendors are selling as the seasonal narrative — what we observed in the traffic and authentication events flowing through SEND-SECURELY.COM infrastructure and what our customers’ security teams reported back. Q4 2024 had a clear theme: credential stuffing against vendor-facing portals, increasingly paired with OAuth abuse to persist access after the initial foothold.
The Q4 pattern
Starting in late October and accelerating through December, we tracked a sustained campaign pattern targeting the external-facing file-transfer portals that procurement teams, healthcare clearinghouses, and financial services firms expose to third-party vendors. The campaign wasn’t novel in technique — MITRE ATT&CK catalogues this under T1110.004 (credential stuffing) — but it was notable for its operational sophistication and its targeting precision.
The attackers weren’t spraying random credentials. They were working from breach-compilation datasets that appeared specifically curated for B2B portal access: corporate email addresses, not consumer handles. The combos showed evidence of deduplication and email-domain filtering — someone had done the work of pulling business-domain accounts out of the underlying breach data. That’s more operational investment than typical credential-stuffing infrastructure and signals either a financially motivated actor with a specific target profile or initial-access-broker behavior where the portal access is being acquired for downstream sale.
The authentication failure rates we saw were 3.1× the Q3 2024 baseline across customer workspaces with externally accessible recipient portals. For customers with MFA enforced at the portal entry point, the conversion rate — failed attempts that resulted in a successful authentication — was effectively zero. For customers using password-only authentication on the recipient side, the story was worse.
Why vendor portals are attractive targets
The obvious question is: why portals specifically, as opposed to internal file-transfer infrastructure or cloud storage directly?
Vendor portals sit at an intersection of three properties that make them high-value targets. First, they’re externally accessible by design. Unlike internal collaboration platforms that live behind VPN or SSO, vendor portals exist to be reachable from the public internet by third parties who don’t have domain accounts. That’s the point of them. Attackers don’t need to break through a network perimeter.
Second, the accounts that access them are often undertended. A procurement manager at a mid-size manufacturer might have dozens of vendor portal accounts across suppliers, logistics partners, and service providers. Password hygiene on those accounts is unlikely to match the hygiene enforced on the primary corporate identity. Credential stuffing exploits the weakest link in a distributed web of B2B relationships, and vendor portals are frequently that weakest link.
Third, the value on the other side is high. A vendor portal for a healthcare organization contains payment routing information, contract documents, and in some workflows actual PHI. A financial services vendor portal may contain transaction files, settlement data, or regulatory filings. The attacker isn’t after the portal itself — they’re after what flows through it.
OAuth token theft (MITRE T1078) adds a second dimension. In workflows where the vendor portal authenticates via OAuth to a customer’s identity provider, a successful stuffing attempt that produces a valid OAuth token gives the attacker something that can be reused laterally. We saw multiple instances in Q4 where an initial portal login was followed within minutes by token reuse attempts against other OAuth-connected services in the same organization’s footprint.
Defensive baseline
The controls that showed measurable impact in Q4 telemetry, in rough order of effectiveness:
MFA on the recipient path. This is the highest-leverage control. Phishing-resistant MFA (FIDO2/passkeys) is preferable, but even TOTP meaningfully disrupts stuffing campaigns that depend on automated credential replay. The implementation challenge is friction: third-party vendors are less tolerant of authentication friction than internal employees, and portal operators sometimes disable or weaken MFA to reduce support burden. That trade-off is no longer defensible given Q4 traffic patterns.
Velocity limits with behavioral fingerprinting. Rate limiting alone is insufficient — sophisticated stuffing tools rotate IP addresses and use residential proxy networks to flatten the velocity signal. What works better is behavioral fingerprinting: login events that have the right velocity but wrong behavioral context (new device, unexpected geography, no session history) should trigger step-up authentication or temporary lockout. We tuned this signal in Q4 and it caught campaign traffic that velocity limits alone would have missed.
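To make the velocity-versus-context distinction concrete, here is an added example (not SEND-SECURELY.COM code) that runs a plain per-IP rate limiter and a per-account behavioral check side by side over a constructed sequence of login events; the account name, IPs, device identifiers, thresholds and the step-up/lockout policy are all assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not real telemetry). A buyer's account logs in
# from its usual device; weeks later a stuffing burst arrives from rotating IPs
# and a new device in an unexpected country; then the real user returns.
U = "buyer@vendor.example"
EVENTS = [
    {"ts": "2024-11-12T09:00:00", "user": U, "ip": "203.0.113.10", "device": "dev-A", "country": "US", "ok": True},
    {"ts": "2024-12-03T02:10:00", "user": U, "ip": "198.51.100.1", "device": "dev-Z", "country": "NL", "ok": False},
    {"ts": "2024-12-03T02:10:03", "user": U, "ip": "198.51.100.2", "device": "dev-Z", "country": "NL", "ok": False},
    {"ts": "2024-12-03T02:10:06", "user": U, "ip": "198.51.100.3", "device": "dev-Z", "country": "NL", "ok": False},
    {"ts": "2024-12-03T02:10:09", "user": U, "ip": "198.51.100.4", "device": "dev-Z", "country": "NL", "ok": True},
    {"ts": "2024-12-04T15:00:00", "user": U, "ip": "203.0.113.10", "device": "dev-A", "country": "US", "ok": True},
]

WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_IP = 3   # assumed threshold of a plain per-IP rate limiter

def evaluate(events):
    """Return ({ts of each success: 'allow'|'step_up'|'lockout'}, failures the IP rate limiter caught)."""
    fails_by_ip = defaultdict(deque)                      # plain velocity signal, keyed by source IP
    known_devices, known_countries = defaultdict(set), defaultdict(set)   # behavioral context per account
    decisions, rate_limited = {}, 0
    for ev in events:
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        q = fails_by_ip[ev["ip"]]
        while q and ts - q[0] > WINDOW:                   # age out failures beyond the window
            q.popleft()
        if not ev["ok"]:
            q.append(ts)
            rate_limited += len(q) >= MAX_FAILS_PER_IP     # never fires while the IP rotates per attempt
            continue
        unfamiliar = [n for n, new in (("device", ev["device"] not in known_devices[user]),
                                       ("country", ev["country"] not in known_countries[user])) if new]
        if not known_devices[user]:                       # no session history at all: enrol via step-up
            decision = "step_up"
        elif len(unfamiliar) >= 2 or len(q) >= MAX_FAILS_PER_IP:
            decision = "lockout"                          # velocity looked fine, context is wrong
        elif unfamiliar:
            decision = "step_up"
        else:
            decision = "allow"
        decisions[ev["ts"]] = decision
        if decision != "lockout":                         # assume step-up completes; learn this context
            known_devices[user].add(ev["device"])
            known_countries[user].add(ev["country"])
    return decisions, rate_limited
```

With one failure per source IP the rate limiter never fires, yet the December success is locked out because both the device and the country are unfamiliar for that account.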
OAuth token lifetime caps. For workflows where portal access generates OAuth tokens, short token lifetimes combined with rotation requirements prevent harvested tokens from remaining useful. RFC 9700 (OAuth 2.1 best current practices) recommends access token lifetimes under 15 minutes for high-value resource servers. Many implementations we’ve audited use multi-hour or multi-day access token lifetimes that turn a brief credential compromise into extended access.
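An added audit check (not SEND-SECURELY.COM code) for the lifetime point above: it reads the iat and exp claims from JWT-format access tokens you hold for your own portals and flags any whose lifetime exceeds the 15-minute ceiling. The token values, labels and issue time are constructed for the example; real portals may issue opaque tokens whose lifetime you must read from the provider's configuration instead.

```python
import base64
import json

MAX_LIFETIME_S = 15 * 60   # the 15-minute ceiling cited above

def _b64url_decode(part):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def token_lifetime(jwt):
    """Lifetime in seconds from the iat/exp claims (reading claims needs no signature check)."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    return int(payload["exp"]) - int(payload["iat"])

def audit(tokens):
    """Return {label: lifetime_s} for every token whose lifetime exceeds the cap."""
    over = {}
    for label, tok in tokens.items():
        life = token_lifetime(tok)
        if life > MAX_LIFETIME_S:
            over[label] = life
    return over

def make_sample(lifetime_s):
    """Constructed stand-in for a token copied from a portal session; the signature is a placeholder."""
    iat = 1733191809   # constructed issue time (2024-12-03T02:10:09Z)
    header = _b64url_encode({"alg": "HS256", "typ": "JWT"})
    claims = _b64url_encode({"iat": iat, "exp": iat + lifetime_s})
    return f"{header}.{claims}.placeholder-signature"

# Three constructed portal tokens: one inside the cap, two with the multi-hour and
# multi-day lifetimes the audits keep turning up.
SAMPLES = {
    "portal-a": make_sample(10 * 60),
    "portal-b": make_sample(8 * 3600),
    "portal-c": make_sample(7 * 86400),
}
```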
Audit log review for anomalous download volume. Successful authentication followed by bulk download activity is the signature of a credential-stuffing success that cleared authentication controls. Teams that weren’t watching download-volume anomalies in their audit logs missed detections that were visible in hindsight. This is detective rather than preventive, but it matters for containment timing.
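The detection described above, as an added example that is not part of the original report: it parses constructed key=value audit log lines, builds each user's median daily download volume from the days before a login, and alerts when the downloads in the window right after that login dwarf the baseline. The log format, user, file names, window length and multipliers are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed audit log lines (not real telemetry): a few ordinary downloads in
# November, then a burst of large downloads minutes after a December login.
LOG = """\
2024-11-12T09:05:00 user=buyer@vendor.example event=download file=po-1101.pdf bytes=180000
2024-11-13T10:15:00 user=buyer@vendor.example event=download file=po-1102.pdf bytes=210000
2024-11-14T11:30:00 user=buyer@vendor.example event=download file=inv-2211.pdf bytes=95000
2024-12-03T02:10:09 user=buyer@vendor.example event=login result=success ip=198.51.100.4
2024-12-03T02:11:00 user=buyer@vendor.example event=download file=contracts-2024.zip bytes=48000000
2024-12-03T02:11:30 user=buyer@vendor.example event=download file=payment-routing.xlsx bytes=300000
2024-12-03T02:12:10 user=buyer@vendor.example event=download file=vendor-master.csv bytes=12000000
2024-12-03T02:13:40 user=buyer@vendor.example event=download file=w9-scans.zip bytes=9000000
"""

POST_LOGIN_WINDOW = timedelta(minutes=15)
BASELINE_MULTIPLIER = 10   # assumed: alert when a window moves >10x the user's median daily volume
MIN_FILES = 3              # assumed: and at least this many files, to ignore one big legitimate pull

def parse(line):
    """Turn 'ts k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_bulk_downloads(log_text):
    """Return [(user, login_ts, file_count, total_bytes)] for post-login windows that dwarf the baseline."""
    recs = [parse(ln) for ln in log_text.splitlines() if ln.strip()]
    per_day = defaultdict(lambda: defaultdict(int))       # user -> date -> bytes downloaded
    for r in recs:
        if r["event"] == "download":
            per_day[r["user"]][r["ts"].date()] += int(r["bytes"])
    alerts = []
    for login in recs:
        if login["event"] != "login" or login.get("result") != "success":
            continue
        user, t0 = login["user"], login["ts"]
        window = [r for r in recs if r["user"] == user and r["event"] == "download"
                  and t0 <= r["ts"] <= t0 + POST_LOGIN_WINDOW]
        # Baseline uses only days before this login, so a burst cannot inflate its own baseline.
        history = [b for day, b in per_day[user].items() if day < t0.date()]
        baseline = median(history) if history else 0
        total = sum(int(r["bytes"]) for r in window)
        if len(window) >= MIN_FILES and total > BASELINE_MULTIPLIER * max(baseline, 1):
            alerts.append((user, t0.isoformat(), len(window), total))
    return alerts
```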
What we’re seeing into Q1
The Q4 campaign infrastructure hasn’t gone quiet. Going into Q1 2025 we’re tracking continuing activity with two new dimensions.
First, we’re seeing integration of MFA bypass techniques against implementations that didn’t deploy phishing-resistant MFA. MITRE T1078.004 (cloud account access) via session cookie theft from compromised endpoints is showing up in incident reports. If a user’s endpoint is compromised, TOTP-based MFA can be bypassed through session hijacking even if the initial authentication was correctly completed. This doesn’t mean TOTP is useless — it raises the cost — but it means phishing-resistant MFA is meaningfully more resilient and worth the deployment overhead for high-value portals.
Second, we’re watching a pattern of MFA fatigue attacks against portal users who receive push-based MFA prompts. Bombarding a user with repeated push notifications until they approve a fraudulent request is not new, but it’s now appearing in vendor-portal contexts where it had previously been concentrated against internal enterprise accounts.
Our recommendation going into Q1: audit every externally accessible portal endpoint in your environment for MFA coverage and token lifetime configuration. If you’re running SEND-SECURELY.COM, the recipient-side MFA settings and OAuth token lifetime caps are in workspace security settings. If you have recipient-facing portals from other vendors, pull their security configuration documentation now.
Takeaway
Q4 2024 brought a sustained, operationally sophisticated credential-stuffing campaign against B2B vendor portals. MFA on the recipient path is the highest-leverage control; short OAuth token lifetimes and behavioral fingerprinting are close behind. The campaign infrastructure is still active going into Q1 — audit your portal security posture now.