Red Team · 05 February 2026 · 14 min read
Red Team Playbook: Initial Access Techniques That Still Work in 2026
Despite advances in EDR and email security, initial access remains achievable. We share the techniques that consistently succeed during our red team engagements — and how defenders can stop them.
Overview
The initial access phase is often considered the hardest part of a red team engagement. Modern EDR solutions, email gateways, and security awareness training have raised the bar considerably. Yet skilled adversaries continue to find ways in.
Techniques That Still Work
1. HTML Smuggling: Embedding payloads within HTML files that reconstruct malicious binaries client-side, bypassing email gateway scanning.
2. OAuth Consent Phishing: Instead of stealing credentials, we trick users into granting OAuth permissions to attacker-controlled applications — no passwords needed.
3. Supply Chain Adjacent Attacks: Targeting vendor portals, partner integrations, and shared infrastructure that the target organization trusts implicitly.
4. Living-Off-Trusted-Services: Using legitimate cloud services (SharePoint, OneDrive, Google Drive) as C2 channels and payload delivery mechanisms.
What Defenders Should Do
- Implement FIDO2/WebAuthn for phishing-resistant MFA
- Review and restrict OAuth application consent policies
- Monitor for anomalous OAuth grants and API permissions
- Segment vendor and partner network access
- Deploy browser isolation for high-risk users
Conclusion
The cat-and-mouse game continues. The most effective defense isn't any single technology — it's layered security with continuous testing to validate that controls actually work.