Credential Relay

Credential relay is the immediate forwarding of captured authentication material from a phishing environment to the legitimate service. It is dangerous because it converts a one-time code or token into an active access path before the victim can react or the session can expire.

Expanded Definition

Credential relay is a phishing-to-session technique in which intercepted authentication material is forwarded in real time to the legitimate service, allowing the attacker to ride the victim’s own trust path. It differs from simple credential theft because the value lies in immediate reuse, not later cracking or resale. In NHI and IAM discussions, the term often overlaps with session hijacking, token replay, and adversary-in-the-middle activity, but the operational emphasis is on speed: the attacker must exchange or consume the material before expiry, revocation, or user interruption. No single standard governs this yet, so definitions vary across vendors and incident writeups. For a control-oriented view, the OWASP Non-Human Identity Top 10 frames related risks around exposed secrets, weak token handling, and identity misuse rather than treating relay as a standalone category.

The most common misapplication is treating a relayed session as if it were a normal login, which occurs when monitoring focuses only on credential validity and not on origin, timing, or device anomalies.

Examples and Use Cases

Rigorous defenses against credential relay often add friction to legitimate access flows, so organisations must weigh phishing resistance against user and automation convenience.

  • A user enters a one-time code into a fake login page, and the attacker forwards it instantly to the real service to establish a session before the code expires.
  • An attacker captures a browser session cookie and replays it from a separate device, bypassing the password challenge entirely.
  • A compromised automation workflow forwards API tokens through a phishing lure, enabling access to downstream cloud resources until the token is revoked.
  • Security teams investigate a burst of logins from a suspicious IP after reviewing patterns described in the Guide to the Secret Sprawl Challenge, then trace the access path back to a relayed authentication event.
  • Identity architects use NIST SP 800-63 Digital Identity Guidelines to reduce replay risk by strengthening phishing-resistant authentication and session binding.

Where organisations adopt dynamic rather than reusable credentials, the attack window narrows, which is why the NHIMG Ultimate Guide to NHIs – Static vs Dynamic Secrets is often relevant to control design. Relay also appears in supply chain intrusions when attackers use captured access to pivot quickly, as seen in the Reviewdog GitHub Action supply chain attack.

Why It Matters in NHI Security

Credential relay matters because it turns a single successful phish into immediate, policy-bypassing access, which can expose cloud workloads, CI/CD systems, and AI agents that trust short-lived tokens as proof of legitimacy. For NHI programs, the risk is not only human users clicking a lure; service principals, automation identities, and agentic workloads can also be induced to forward secrets or authorize actions under false assumptions. NHIMG research shows that 23.7% of organisations still share secrets through insecure methods such as email or messaging applications, a practice that expands relay opportunities and weakens incident containment. The same risk logic applies when organisations fail to distinguish static from dynamic secrets or do not enforce origin-aware session checks. The right response is to reduce token replay value, bind sessions to context, and detect abnormal reuse paths quickly. The 230M AWS environment compromise and the Cisco Active Directory credentials breach both illustrate how rapidly exposed access material can be operationalized once it is no longer tied to the original user context.

Organisations typically encounter credential relay only after an alertless login or suspicious cloud action has already succeeded, at which point token replay analysis becomes operationally unavoidable.
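The detection gap described above (monitoring credential validity but not origin, timing or device) and the response the text calls for (bind sessions to context, detect abnormal reuse paths quickly) can be shown as a small defender-side check. The following Python is an added example, not NHIMG's code or any vendor's product: it runs over a constructed authentication log with hypothetical event kinds, token ids and documentation-range IP addresses, and flags a session token used from a context other than the one it was bound to (the replayed-cookie case) as well as a one-time code accepted from a device the user has never completed a login on (the forwarded-code case).

```python
"""Context-binding and reuse-path checks over a constructed auth log.

Added example, not from the original page. Event kinds, token ids and
IP addresses are hypothetical; the IPs come from the documentation
ranges (TEST-NET-1/2/3), so nothing here refers to a real host.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    kind: str        # "session_issued" | "session_use" | "otp_consumed" (hypothetical)
    credential: str  # opaque id of the session token or one-time code
    ip: str          # client address seen by the service
    device: str      # device fingerprint or user-agent hash


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    credential: str
    reason: str


def detect_relay(events: Iterable[AuthEvent]) -> List[Finding]:
    """Return findings where a credential is used outside the context it was bound to.

    Check 1 (session binding): a session token seen from a different IP or device
    than the one it was issued to, i.e. a cookie replayed from another machine.
    Check 2 (unseen device): a one-time code accepted from a device fingerprint on
    which the user has never completed a login before.
    """
    bound: Dict[str, AuthEvent] = {}          # token id -> issuing event (its context)
    known_devices: Dict[str, Set[str]] = {}   # user -> devices with a prior session
    findings: List[Finding] = []

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "session_issued":
            bound.setdefault(ev.credential, ev)
            known_devices.setdefault(ev.user, set()).add(ev.device)
        elif ev.kind == "session_use":
            origin = bound.get(ev.credential)
            if origin is None:
                findings.append(Finding(ev.ts, ev.user, ev.credential,
                                        "session token used but never issued here"))
            elif ev.ip != origin.ip or ev.device != origin.device:
                findings.append(Finding(
                    ev.ts, ev.user, ev.credential,
                    f"session bound to {origin.ip}/{origin.device} "
                    f"used from {ev.ip}/{ev.device}"))
        elif ev.kind == "otp_consumed":
            if ev.device not in known_devices.get(ev.user, set()):
                findings.append(Finding(ev.ts, ev.user, ev.credential,
                                        f"one-time code accepted from unseen device {ev.device}"))
    return findings


def sample_events() -> List[AuthEvent]:
    """Constructed sample log (not real data).

    alice has an existing session on her laptop. Later a one-time code is
    accepted from an unfamiliar device (the lure forwarding the code), a new
    session is minted to that device, and that session is then replayed from
    a third IP/device a few minutes afterwards.
    """
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    s = timedelta(seconds=1)
    return [
        AuthEvent(t0,            "alice", "session_issued", "sess-1", "203.0.113.10", "laptop-a"),
        AuthEvent(t0 + 30 * s,   "alice", "session_use",    "sess-1", "203.0.113.10", "laptop-a"),
        # code entered on a lure and forwarded immediately to the real service
        AuthEvent(t0 + 3600 * s, "alice", "otp_consumed",   "otp-7",  "198.51.100.5", "proxy-x"),
        AuthEvent(t0 + 3602 * s, "alice", "session_issued", "sess-2", "198.51.100.5", "proxy-x"),
        # captured session cookie replayed from a different machine
        AuthEvent(t0 + 3900 * s, "alice", "session_use",    "sess-2", "192.0.2.44",   "box-y"),
    ]


if __name__ == "__main__":
    for f in detect_relay(sample_events()):
        print(f"{f.ts.isoformat()} user={f.user} cred={f.credential}: {f.reason}")
```

Running the module prints the two findings from the constructed log: the code accepted on `proxy-x` and the `sess-2` token used from `192.0.2.44/box-y`. The unseen-device rule is deliberately the noisier of the two; it also fires on a user's genuine first login from a new laptop, which is the friction trade-off noted under Examples and Use Cases, so in practice it is a signal to corroborate with timing and IP reputation rather than an automatic block. The session-binding rule is the stronger control: a token that is only honoured from the context it was issued to loses most of its replay value.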

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Addresses secret exposure and misuse patterns that enable relay-driven access abuse. |
| NIST SP 800-63 | Digital identity guidance | Informs phishing-resistant authentication and replay-resilient session design. |
| NIST CSF 2.0 | PR.AC-7 | Access controls must validate identity and context continuously to resist hijacked sessions. |

Reduce relay risk by hardening token handling, limiting secret exposure, and detecting replay paths fast.