Threats, Abuse & Incident Response

What signals indicate an account takeover campaign rather than a single fraud attempt?

By NHI Mgmt Group Editorial Team Updated June 24, 2026 Domain: Threats, Abuse & Incident Response

Repeated device fingerprints, shared proxy infrastructure, similar navigation paths, and the same behavioural pattern across multiple accounts are stronger indicators of a campaign than any one event alone. Teams should correlate signals over time and across users, because attackers routinely recycle infrastructure and methods.

Why This Matters for Security Teams

Account takeover is rarely a one-off event once attackers have a working recipe. A single fraud attempt can look noisy or opportunistic, but a campaign usually shows repetition across identities, devices, and sessions. Security teams should focus on shared infrastructure, timing clusters, and reused behavioural sequences, because those patterns reveal automation and operational scale far better than any isolated login failure. This is especially important when secrets or session tokens are being harvested and reused, as shown in NHIMG research on The State of Secrets in AppSec, where remediation delays and fragmented secrets controls increase exposure. The NIST Cybersecurity Framework 2.0 also reinforces that detection must be correlation-driven, not event-driven alone.

In practice, many security teams encounter the real campaign only after the attacker has already tested the same playbook across multiple accounts, rather than through intentional detection of the first suspicious login.

How It Works in Practice

Campaign-level detection depends on joining weak signals into a stronger narrative. Repeated device fingerprints can indicate browser automation, emulation, or a shared toolset. Shared proxy infrastructure may show up as rotating IPs from the same hosting provider or adjacent subnet ranges. Similar navigation paths, such as the same page order, hesitation points, and transaction steps, suggest scripted behaviour or a trained operator following a repeatable workflow. The critical step is to compare these signals across users and time windows, not just within one account.

Operationally, teams often build a score that combines:

  • device and browser consistency across accounts
  • IP reputation, ASN clustering, and proxy reuse
  • session timing, dwell time, and click-path similarity
  • credential stuffing indicators such as high failure rates before a successful login
  • post-authentication actions like profile changes, payout edits, or MFA reset attempts

That approach works best when telemetry from IAM, fraud, endpoint, and application logs is normalized into one detection layer. Cross-account correlation also helps distinguish a single frustrated user from a broader abuse run. NHIMG’s coverage of the GitLocker GitHub extortion campaign illustrates how attackers reuse methods and infrastructure across targets, which is exactly why campaign logic matters. Where possible, defenders should enrich raw log events with identity risk signals, secret exposure data, and device trust context.

These controls tend to break down in highly distributed consumer environments where NAT, carrier-grade proxies, or shared devices make one-to-one attribution too noisy without additional behavioural context.

Common Variations and Edge Cases

Tighter campaign detection often increases alert volume and analyst workload, requiring organisations to balance sensitivity against false positives. That tradeoff is unavoidable when attackers deliberately mimic normal user behaviour or spread activity across small bursts to avoid thresholds.

Current guidance suggests treating the following as higher-confidence campaign indicators, especially when they occur together:

  • the same device or fingerprint appears across many newly compromised accounts
  • multiple accounts fail in a similar sequence before one succeeds
  • proxy rotation keeps the same behavioural pattern intact
  • account changes happen in the same order, such as email swap before payout change

There is no universal standard for this yet, but best practice is evolving toward identity graph analysis and real-time scoring rather than static rules alone. That matters for shared environments, call centres, and family device households where the same browser profile can legitimately touch multiple accounts. It also matters after credential leaks, because attackers can test access quickly and repeatedly across a population. In sectors with high transaction velocity, teams may need shorter observation windows and stronger step-up checks to separate campaign activity from normal customer churn.
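As an added illustration of the scoring approach above (the signal list under "How It Works in Practice" and the higher-confidence indicators just listed), this script is not from the article or NHIMG; it runs over constructed sample telemetry and correlates fingerprint reuse, ASN-level proxy rotation, failure-before-success sequences, and the email-swap-then-payout-change order across accounts. Field names, thresholds and the equal weighting are assumptions chosen for clarity.

```python
from collections import defaultdict
# Constructed sample telemetry (not from the article), already in time order.
# One tuple per event: (account, device_fingerprint, source_ip, asn, event)
EVENTS = [
    ("alice", "fp-7a1", "198.51.100.4", "AS64500", "login_fail"),
    ("alice", "fp-7a1", "198.51.100.9", "AS64500", "login_ok"),
    ("alice", "fp-7a1", "198.51.100.9", "AS64500", "email_change"),
    ("alice", "fp-7a1", "198.51.100.9", "AS64500", "payout_change"),
    ("bob", "fp-7a1", "198.51.100.22", "AS64500", "login_fail"),
    ("bob", "fp-7a1", "198.51.100.31", "AS64500", "login_ok"),
    ("bob", "fp-7a1", "198.51.100.31", "AS64500", "email_change"),
    ("bob", "fp-7a1", "198.51.100.31", "AS64500", "payout_change"),
    ("carol", "fp-7a1", "198.51.100.40", "AS64500", "login_fail"),
    ("carol", "fp-7a1", "198.51.100.40", "AS64500", "login_ok"),
    ("carol", "fp-7a1", "198.51.100.40", "AS64500", "email_change"),
    ("carol", "fp-7a1", "198.51.100.40", "AS64500", "payout_change"),
    # dave mistypes once from his usual device: noisy, but not a campaign
    ("dave", "fp-c09", "203.0.113.7", "AS64510", "login_fail"),
    ("dave", "fp-c09", "203.0.113.7", "AS64510", "login_ok"),
]

def account_signals(evs):
    # Per-account weak signals from a time-ordered list of events.
    kinds = [e[-1] for e in evs]
    def before(a, b):  # both present and a happens before b
        return a in kinds and b in kinds and kinds.index(a) < kinds.index(b)
    return {"fail_then_success": before("login_fail", "login_ok"),
            "email_before_payout": before("email_change", "payout_change")}

def detect_campaign(events, min_accounts=3, min_score=3):
    # Join weak signals across accounts; returns per-account scores and the campaign set.
    by_acct, fp_accts = defaultdict(list), defaultdict(set)
    asn_accts, asn_ips = defaultdict(set), defaultdict(set)
    for ev in events:
        acct, fp, ip, asn, _ = ev
        by_acct[acct].append(ev)
        fp_accts[fp].add(acct)
        asn_accts[asn].add(acct)
        asn_ips[asn].add(ip)
    # cross-account signals: one fingerprint on many accounts, one ASN rotating its IPs
    shared_fp = {fp: a for fp, a in fp_accts.items() if len(a) >= min_accounts}
    rotating = {k: a for k, a in asn_accts.items() if len(a) >= min_accounts and len(asn_ips[k]) > 1}
    scores = {}
    for acct, evs in by_acct.items():
        sig = account_signals(evs)
        sig["shared_fingerprint"] = any(acct in a for a in shared_fp.values())
        sig["proxy_rotation"] = any(acct in a for a in rotating.values())
        scores[acct] = sum(sig.values())  # each signal weighted 1 for clarity
    campaign = sorted(a for a, s in scores.items() if s >= min_score)
    return {"scores": scores, "campaign_accounts": campaign, "shared_fingerprints": shared_fp}
```

Note that dave's single failed login scores 1 on its own, which is the "single frustrated user" case the article distinguishes from a cross-account run.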

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | DE.CM-1             | Campaign detection depends on continuous monitoring and correlation of repeated events.
OWASP Non-Human Identity Top 10 | NHI-05              | Reused tokens and compromised secrets often enable multi-account takeover campaigns.
NIST AI RMF                     |                     | Risk management requires combining signals into accountable, context-aware decisions.

Track secret exposure and revoke suspicious credentials fast when takeover patterns span multiple identities.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.