The Shape That Survives Rotation

Most of what looks like attacker innovation is substitution at the surface. A runtime changes: PowerShell becomes JavaScript, AppleScript, Python, Go, Rust, a browser extension, an npm postinstall hook, or a signed remote-support binary. A platform changes: email becomes Teams, Slack, GitHub issues, Signal, LinkedIn, an Okta device-code prompt, or a help-desk portal. A brand changes: Microsoft, DocuSign, AWS, Okta, the payroll vendor, the law firm client portal, the courier notice. These rotate quickly because defenders block them, vendors patch them, and brand owners file takedowns.

The procedure underneath rotates much more slowly. It rotates slowly because it is not a creative choice. It is a constrained answer to the question of how a remote stranger gets a logged-in human to hand over an asset that has value to a buyer. The constraints are stable, so the answer is stable.

The reusable shape, almost regardless of the surface, is six handoffs:

1. Create urgency or legitimacy.
2. Move the victim into a trusted workflow.
3. Make the victim perform an action that looks normal in that workflow.
4. Capture a token, session, credential, approval, device code, or remote-control foothold.
5. Use that access quickly, before the defender understands the channel.
6. Preserve access with mailbox rules, OAuth grants, session reuse, remote tools, or downstream account changes.

Every credible 2024–2026 intrusion chain we have written about fits this shape. The interesting analytical work is not in naming the chain. It is in noticing which step the attacker has rotated this quarter, and which step is still the same as a year ago.

The Six Handoffs

**Legitimacy.** The chain has to start with a reason for the victim to engage at all. A renewal notice, a security alert, a quote request, a Teams chat from "IT," a help-desk callback number on a phishing PDF, a signed support binary from a vendor the victim recognizes. The brand and channel rotate. The job — making the next step feel obligatory — does not. The Silent Ransom Group escalation we covered in [the FBI flash analysis](/articles/silent-ransom-group-in-person-helpdesk-law-firms) is the same legitimacy step, performed in person, after the phone and email variants started failing.

**Workflow transfer.** Once the victim is engaged, the attacker moves them into a workflow that already has trust baked in. Quick Assist, AnyDesk, ScreenConnect, Teams screen-share, an OAuth consent dialog, an Okta verification prompt, the help-desk's own ticketing portal. The [Storm-1811 Quick Assist chain](/articles/storm-1811-teams-quick-assist-phishing-chain) and the [MuddyWater Teams screen-share method](/articles/muddywater-teams-screen-share-credential-theft-false-flag) are the same transfer step performed through two different vendors' UX.

**Normalized action.** Inside that workflow, the attacker asks the victim to do something that looks like setup, verification, or routine support: paste a command from the clipboard, approve a prompt, install a profile, click "Allow," type a six-digit code. The [ClickFix paste-and-run trend](/articles/clickfix-fake-captcha-paste-and-run-trend) is the canonical 2025–2026 version, but the principle is older than the lure. The user is not asked to do anything they would describe as risky. They are asked to do something that the surrounding workflow tells them is normal.

**Capture.** The action hands the attacker a primitive: an AiTM-relayed session cookie, a refresh token, a device-code redemption, a signed OAuth grant, an RMM agent on the workstation, an SSH key, a recovery code. The [AiTM phishing-as-a-service market analysis](/articles/aitm-phishing-as-a-service-market-2024-2026) and the [credential kits / device-bound session replay piece](/articles/credential-kits-device-bound-session-replay) document how the capture primitive has migrated from password-and-OTP to session-and-refresh-token over the last twenty-four months. The brand of the kit changes; the primitive being captured is the asset.

**Fast use.** The attacker moves immediately, because they are racing the defender's understanding of the channel. Mail rules get pushed within minutes. Outbound payment instructions, partner lookups, supplier emails, and code commits happen before the SOC has correlated the report. Speed is not a stylistic choice; it is a structural one. The window between capture and revocation is the entire game, which is why the metric in our [phish-report-to-token-revocation timing piece](/articles/phish-report-to-token-revocation-60-minutes) is a procedural one rather than a tool one.

**Persistence.** The last handoff is the one defenders consistently underweight. The attacker leaves something behind that survives password resets and session revocation. A [mailbox rule on a hybrid Exchange tenant](/articles/mailbox-rule-abuse-hybrid-m365). An [unmanaged OAuth grant on a SaaS app](/articles/unmanaged-oauth-grants-saas-backdoor) with offline scopes. An RMM agent on a workstation, as in the [SimpleHelp and ScreenConnect persistence pattern](/articles/rmm-phishing-persistence-simplehelp-screenconnect). A device registration. A new SSO admin. A backup recovery key. The persistence primitive is chosen to outlast the response.

Why the Shape Is Durable

The shape is durable because the attacker's constraints are durable. They need a believable pretext, because cold contact does not convert. They need a trust transfer, because the assets they want are not handed to strangers. They need an action primitive, because no asset transfers itself. They need a capture they can monetize, because the campaign has to pay. They need speed, because telemetry exists. They need persistence, because access without a way back is a one-shot.

Each of those needs corresponds to a step. None of them is solved by any single tool. That is why a defender who watches the procedural layer keeps catching the same actor after the toolkit is rebuilt, and why a defender who watches the tool layer keeps writing the same detection three times a year.

What Rotates Around the Shape

The runtime rotates because endpoint vendors block. PowerShell-based ClickFix on Windows became AppleScript-based ClickFix on macOS in the [shub-reaper macOS pivot](/articles/shub-reaper-macos-applescript-clickfix-pivot). The same normalized-action step, the same paste-into-a-shell primitive, a different runtime under a different EDR.

The platform rotates because brand owners and platform abuse teams take pretexts down. Email-only callback phishing became Teams-message callback phishing became Signal-DM callback phishing. The [Signal backup recovery key support-impersonation piece](/articles/signal-backup-recovery-key-phishing-support-impersonation) is the same legitimacy and workflow-transfer steps on a platform whose abuse surface was not yet mature.

The brand rotates because the supplier landscape changes. The pretext that worked as a Microsoft renewal notice in 2024 worked as a payroll vendor notice in 2025 and as an AI-tool license notice in 2026 — see the supply-chain trust thread in our [APT methods watch](/articles/apt-methods-watch-geofenced-lures-clickfix-supply-chain) for the current rotation. The brand is interchangeable, because the legitimacy step only needs a name the victim recognizes; the procedure does not care which.

Tracking the Procedure, Not the Tool

For detection engineering, the practical move is to instrument the handoffs, not the implementations. Telemetry around the workflow-transfer step (new RMM agents, Quick Assist sessions, screen-share invitations to external users, OAuth consents with offline scopes) outlives any given toolkit. Telemetry around the capture step (session cookies on unrecognized devices, token redemption from new ASNs, device registrations from new browsers) outlives any given kit family. Telemetry around the persistence step (new inbox rules, new OAuth grants, new SSO admins, new MFA recovery methods) outlives every campaign in this space.
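One way to instrument the handoffs rather than the implementations, as an added example that is not code from the original article: map each audit event to the handoff it evidences, then flag any user whose events span two or more handoffs inside a short window. The event names, the 60-minute default window and the sample log lines are all constructed assumptions, to be replaced with your own telemetry schema.

```python
"""Correlate audit events by handoff stage (constructed example).
Flags a user whose events span two or more handoffs within a window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event names -> handoff stage; map your own telemetry here.
STAGE_OF = {
    "QuickAssistSessionStarted": "workflow_transfer",
    "RmmAgentInstalled": "workflow_transfer",
    "OAuthConsentOfflineScope": "workflow_transfer",
    "SessionFromUnrecognizedDevice": "capture",
    "TokenRedeemedNewASN": "capture",
    "InboxRuleCreated": "persistence",
    "SsoAdminRoleAssigned": "persistence",
    "MfaRecoveryMethodAdded": "persistence",
}

def parse_line(line):
    """'<ISO timestamp> <user> <event>' -> (ts, user, stage); None if unmapped."""
    ts, user, event = line.split()
    stage = STAGE_OF.get(event)
    return (datetime.fromisoformat(ts), user, stage) if stage else None

def correlate(lines, window_minutes=60, min_stages=2):
    """Return {user: sorted stages} where >= min_stages handoffs fall inside the window."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, stage = parsed
            by_user[user].append((ts, stage))
    hits = {}
    for user, events in by_user.items():
        events.sort()  # chronological; tuples sort by timestamp first
        for i, (t0, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                hits[user] = sorted(stages)
                break
    return hits

SAMPLE_LOG = [  # constructed lines, not real telemetry
    "2026-02-03T09:02:00 alice QuickAssistSessionStarted",
    "2026-02-03T09:11:00 alice TokenRedeemedNewASN",
    "2026-02-03T09:19:00 alice InboxRuleCreated",
    "2026-02-03T10:00:00 bob InboxRuleCreated",           # one stage only
    "2026-02-03T14:30:00 carol OAuthConsentOfflineScope",
    "2026-02-03T18:45:00 carol MfaRecoveryMethodAdded",  # outside window
]
```

Running `correlate(SAMPLE_LOG)` surfaces only alice, whose events cover all three instrumented handoffs within the window; bob's lone inbox rule and carol's widely spaced pair stay below the threshold until the window is widened.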

For red teams, the procedural lens is also the realistic one. An exercise scored on "did we deliver this payload" is scored on the surface that rotates. An exercise scored on "did the chain complete the six handoffs, and where did each one get caught" is scored on what actually changes a customer's posture. The [APT methods watch piece](/articles/apt-methods-watch-geofenced-lures-clickfix-supply-chain) framed this as tracking methods, not actors; the same logic applies one layer down — tracking handoffs, not methods.

The named groups will keep rebranding. The toolkits will keep getting replaced. The six handoffs are what the attacker is doing in every one of those chains, and they are what the defender's program should be built around. The brand on the lure this quarter is the least durable thing in the picture.