Red Team · 14 min read
Red Team Playbook: Initial Access Techniques That Still Work in 2026
Overview
The initial access phase is often considered the hardest part of a red team engagement. Modern EDR solutions, email gateways, and security awareness training have raised the bar considerably. Yet skilled adversaries continue to find ways in.
Techniques That Still Work
1. HTML Smuggling: The payload is shipped as an encoded string inside an HTML attachment or linked page, and a few lines of JavaScript turn it back into a file in the recipient's browser (typically by decoding into a Blob and forcing a download). The email gateway only ever sees HTML and script, never the binary, so attachment scanning that keys on file type or signature is bypassed. Gateways that block or detonate HTML attachments, or that scan script for the reassembly pattern, still catch it, and the downloaded file carries Mark-of-the-Web, so the lure has to get the user past the resulting warnings.
2. OAuth Consent Phishing: Instead of stealing credentials, we send the user a legitimate sign-in link for an attacker-registered application and ask them to approve its permissions. The identity provider issues tokens to the app, so no password is captured, MFA is satisfied normally, and a refresh token (offline_access) keeps working after a password reset until the consent itself is revoked. It works wherever users are allowed to consent to unverified third-party apps.
3. Supply Chain Adjacent Attacks: Rather than attacking the target directly, we go after vendor portals, partner integrations, and shared infrastructure that the target trusts implicitly: allowlisted source addresses, federated identities, site-to-site VPNs, shared ticketing or file-exchange systems. The vendor is usually smaller and less defended, and its access is rarely scoped down to what the relationship actually needs.
4. Living-Off-Trusted-Services: Legitimate cloud services (SharePoint, OneDrive, Google Drive and similar) are used as C2 channels and payload delivery mechanisms. Traffic is TLS to domains the organization already allowlists and its proxies already trust, so it blends into normal activity; detection has to rely on host behaviour (which process talks to the service, how often, how much) rather than on the destination.
What Defenders Should Do
- Implement FIDO2/WebAuthn for phishing-resistant MFA; it stops credential and adversary-in-the-middle phishing, but not consent phishing, where the user authenticates legitimately
- Review and restrict OAuth application consent policies: limit user consent to verified publishers and low-risk permissions, and route everything else through an admin consent workflow
- Monitor for anomalous OAuth grants and API permissions, especially offline_access combined with mail or file scopes and apps registered in unfamiliar tenants
- Segment vendor and partner network access and scope it to the systems the relationship actually needs
- Deploy browser isolation for high-risk users, and block or detonate HTML attachments at the gateway rather than relying on the browser alone
Conclusion
The cat-and-mouse game continues. The most effective defense isn't any single technology — it's layered security with continuous testing to validate that controls actually work.
Want us to test your defenses?
Our research feeds directly into our offensive security engagements. Let's find your vulnerabilities before attackers do.