
Selective redirection

By NHI Mgmt Group. Updated June 10, 2026. Domain: Threats, Abuse & Incident Response

Selective redirection is an attack pattern where only chosen users or requests are sent to malicious infrastructure while normal service continues for everyone else. It reduces visibility, delays detection, and often signals an espionage-oriented operation rather than broad commodity malware.

Expanded Definition

Selective redirection is an attack pattern in which an adversary routes only specific users, sessions, or requests to malicious infrastructure while leaving the rest of a service seemingly normal. In NHI and identity operations, that makes it a stealth tactic for credential theft, token interception, session hijacking, or tampering with agent workflows without triggering broad outages. The behavior is often aligned with espionage goals because it preserves the appearance of service health while targeting high-value identities or actions. Guidance varies across vendors on whether this is treated as phishing infrastructure, traffic manipulation, or a broader evasion technique, so practitioners should anchor the term to observable routing behavior and outcome. This pattern is easier to miss when monitoring focuses on aggregate availability rather than per-identity request paths, and it becomes more dangerous when AI agents, service accounts, or API keys are allowed to reach tools without strong provenance checks. The most common misreading is to assume that a stable-looking service is clean; that assumption is precisely what fails when only a narrow identity slice is being redirected.

For a control-oriented view of identity risk, see the NIST Cybersecurity Framework 2.0 and NHIMG’s Ultimate Guide to NHIs — 2025 Outlook and Predictions.

Examples and Use Cases

Implementing detection for selective redirection often introduces telemetry complexity, requiring organisations to weigh finer-grained visibility against noise, cost, and privacy constraints.

  • A phishing page proxies normal traffic for most visitors, but sends executives and cloud administrators to a credential-harvesting clone after their user agent or IP is recognized.
  • A malicious reverse proxy forwards ordinary browsing correctly, while redirecting only login requests from service accounts to capture tokens and refresh secrets.
  • An attacker compromises DNS or routing for a subset of regional users, exposing only the security team to a fake update portal while general customers see the legitimate site.
  • A hostile middleware layer in an AI workflow sends only high-privilege agent prompts or tool calls to a tampered endpoint, leaving low-risk requests untouched.

Selective redirection is easier to spot when request logs are correlated with identity context, network path, and token usage patterns. NHI-focused governance guidance from the Ultimate Guide to NHIs — 2025 Outlook and Predictions is most useful when paired with external identity and monitoring baselines such as the NIST Cybersecurity Framework 2.0.
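The contrast between aggregate availability and per-identity request paths, as an added example that is not part of the NHIMG page: the access-log lines, field names and hostnames below are constructed for illustration, and the script shows why an overall success-rate check passes while a per-identity routing baseline flags the one service account whose token requests are going somewhere else.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (not from any real system). Each line records the identity,
# the request path, and the upstream host the request was actually served by.
SAMPLE_LOG = """\
2026-06-10T09:00:01Z identity=svc-billing path=/oauth/token upstream=auth.example.internal status=200
2026-06-10T09:00:02Z identity=alice path=/dashboard upstream=web.example.internal status=200
2026-06-10T09:00:03Z identity=svc-deploy path=/oauth/token upstream=auth.example.internal status=200
2026-06-10T09:00:04Z identity=svc-backup path=/oauth/token upstream=auth.example.internal status=200
2026-06-10T09:00:05Z identity=svc-ci-admin path=/oauth/token upstream=auth-example.attacker.test status=200
2026-06-10T09:00:06Z identity=bob path=/dashboard upstream=web.example.internal status=200
2026-06-10T09:00:07Z identity=svc-ci-admin path=/oauth/token upstream=auth-example.attacker.test status=200
2026-06-10T09:00:08Z identity=svc-billing path=/oauth/token upstream=auth.example.internal status=200
"""

LINE_RE = re.compile(
    r"identity=(?P<identity>\S+) path=(?P<path>\S+) upstream=(?P<upstream>\S+) status=(?P<status>\d+)"
)

def parse(log_text):
    """Turn the constructed log format into a list of dicts; unparseable lines are skipped."""
    matches = (LINE_RE.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def aggregate_health(records):
    """The view that misses selective redirection: overall success rate, no identity context."""
    ok = sum(1 for r in records if r["status"] == "200")
    return ok / len(records)

def per_identity_routing_outliers(records):
    """Baseline the majority upstream for each request path across all identities, then flag
    any identity whose requests for that path were served by a different upstream."""
    baseline = defaultdict(Counter)      # path -> Counter(upstream), all identities
    by_identity = defaultdict(Counter)   # (identity, path) -> Counter(upstream)
    for r in records:
        baseline[r["path"]][r["upstream"]] += 1
        by_identity[(r["identity"], r["path"])][r["upstream"]] += 1
    findings = []
    for (identity, path), upstreams in by_identity.items():
        expected = baseline[path].most_common(1)[0][0]
        off_path = {u: n for u, n in upstreams.items() if u != expected}
        if off_path:
            findings.append({"identity": identity, "path": path,
                             "expected": expected, "observed": off_path})
    return findings

if __name__ == "__main__":
    records = parse(SAMPLE_LOG)
    print("aggregate success rate:", aggregate_health(records))   # looks perfectly healthy
    for f in per_identity_routing_outliers(records):
        print("routing outlier:", f)
```

In a real deployment the baseline would be learned per path over a longer window and the upstream field would come from proxy, DNS-resolution or egress logs, but the join on identity is the part that the aggregate view lacks.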

Why It Matters in NHI Security

Selective redirection matters because it undermines confidence in authentication, routing, and agent execution without creating obvious service failure. That makes it especially relevant where NHIs hold durable access, because one redirected API key, service account, or agent callback can expose secrets, alter automation, or silently approve malicious actions. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, which means most teams are poorly positioned to notice when only a narrow identity slice is being manipulated. It also matters for incident response: if defenders do not distinguish between ordinary traffic and identity-targeted traffic, they can miss the path of compromise and misclassify an espionage operation as routine user error. NHI governance should therefore treat unusual per-identity routing as a security event, not just a network anomaly. The practical lesson is that redirection controls, trust signals, and secret hygiene need to be reviewed together, not in separate silos.

Organisations typically encounter the full impact only after a high-value token is abused or an agent task is silently altered, at which point addressing selective redirection becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-04 | Covers abuse paths where NHI traffic is misrouted to steal credentials or hijack sessions.
NIST CSF 2.0 | DE.CM | Continuous monitoring should detect anomalous request routing and identity-specific traffic patterns.
NIST Zero Trust (SP 800-207) | SC-7 | Zero Trust network segmentation helps limit and observe request redirection abuse.

Enforce segmentation and verify request paths so redirected traffic cannot access high-value assets.
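One way to verify request paths for an agent tool call, as an added example that is not part of the NHIMG page: the allowlist, tool names, hostnames and the redirect map standing in for a hostile middleware's HTTP 3xx responses are all constructed for illustration. The point it demonstrates is that the check must cover every hop, including the final destination, because a selective redirect leaves the initial URL looking legitimate.

```python
from urllib.parse import urlsplit

# Constructed allowlist of pinned tool endpoints (hypothetical hosts, not a real deployment):
# the exact scheme and host an agent may call for each tool.
TOOL_ALLOWLIST = {
    "secrets": ("https", "vault.example.internal"),
    "deploy": ("https", "deploy.example.internal"),
}

# Constructed stand-in for a hostile middleware that redirects only the high-privilege
# secrets tool while leaving the deploy tool untouched (the selective pattern described above).
CONSTRUCTED_REDIRECTS = {
    "https://vault.example.internal/v1/secret/db":
        "https://vault-example.attacker.test/v1/secret/db",
}

def destination_allowed(tool, url):
    """True only if scheme and host exactly match the pinned endpoint for this tool."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname) == TOOL_ALLOWLIST.get(tool)

def resolve_final_destination(url, redirects, max_hops=3):
    """Follow the redirect chain (a constructed map here) and return (final_url, chain).
    The hop limit stops a redirect loop from being used to stall the agent."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
    return url, chain

def checked_tool_call(tool, url, redirects=CONSTRUCTED_REDIRECTS):
    """Policy gate for an agent tool call: every hop, including the final one, must stay on
    the pinned allowlist. Returns (allowed, reason) so the decision can be logged."""
    if not destination_allowed(tool, url):
        return False, f"initial url off-allowlist for {tool}: {url}"
    _, chain = resolve_final_destination(url, redirects)
    for hop in chain:
        if not destination_allowed(tool, hop):
            return False, f"redirected off-allowlist: {' -> '.join(chain)}"
    return True, "ok"

if __name__ == "__main__":
    print(checked_tool_call("deploy", "https://deploy.example.internal/run"))
    print(checked_tool_call("secrets", "https://vault.example.internal/v1/secret/db"))
```

A production gate would resolve the chain from real responses with redirects disabled in the HTTP client, but the decision logic is the same: the agent never follows a hop it has not checked.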

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.