[DEEP RESEARCH] Zero-Days Are a Distraction: 2025’s Biggest Losses Were Stolen Tokens + OAuth
Most downtime and spend stemmed from OAuth/SaaS abuse and edge appliances—not catastrophic zero-days. Here’s what drove real operating impact and the fastest ways to shrink it.
This is part 2 of a 2-part series; if you missed part 1, go back and read it now!

TL;DR
Key Points
- Enforce phishing-resistant MFA and conditional access on material workflows; deprecate device code flow where feasible.
- Govern OAuth consent like a supply chain: inventory Connected Apps, least-privilege scopes, verified publishers, IP restrictions, short-lived tokens.
- Move edge appliances to exploit-driven SLAs (24–72h) keyed to Known Exploited Vulnerabilities (KEV); pre-stage hot spares, factory-reset playbooks, identity blast‑radius rotations.
- Align controls and comms to NIS2 and US Coast Guard maritime reporting clocks; rehearse evidence capture.
- Targets with outcomes: ≥90% phishing-resistant MFA for admins/finance in 90 days (cuts BEC exposure window); ≤4h MTTR to revoke/rotate tokens in high‑risk SaaS (limits lateral reuse); ≥95% of KEV‑listed patches applied within 72h (reduces downtime hours).
The story in 60 seconds
Identity-first intrusion and SaaS supply-chain abuse—Adversary‑in‑the‑Middle (AiTM) phishing, device code flow phishing, illicit OAuth consent, and token replay—drove bulk API exfiltration and Business Email Compromise (BEC).
Named proof points: threat actors replayed OAuth tokens tied to Salesloft and Drift connected apps to export data from many Salesforce tenants; Ivanti Connect Secure CVE‑2025‑0282/0283 was exploited within a week of KEV addition, forcing isolation, factory resets, and mass credential rotations; UK retailer Marks & Spencer estimated $403M operating profit impact after identity-led disruption.
Regulation (NIS2; US maritime cyber rule) tightened board accountability and reporting timelines, shifting spend toward identity and SaaS governance and KEV‑paced edge response.
AlphaHunt
High Impact, Quick Wins
- Identity and consent hardening: passkeys/cert‑based MFA + conditional access for admins/finance; block device code flow except approved exceptions; verified‑publisher‑only consent, low‑risk scopes. Target: ≥90% phishing‑resistant coverage in 90 days—cuts BEC exposure window.
- SaaS token hygiene and logging: shorten lifetimes, enable Continuous Access Evaluation, auto‑revoke on posture change; enable Salesforce Event Monitoring/Entra/Workspace logs; detect bulk API exfiltration and unverified app consent; rotate secrets promptly. Target: ≤4h token revocation/rotation MTTR—limits lateral reuse.
- Edge appliances at KEV speed: isolate within 24h of KEV entry; patch/return‑to‑service within 72h using hot spares and immutable configs; include identity reset blast‑radius playbooks. Target: ≥95% of KEV‑listed patches applied within 72h—reduces downtime hours.
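A way to measure the 24h isolate / 72h patch targets above against a KEV feed, as an added example (not AlphaHunt's code). It assumes a constructed fleet inventory and uses CISA's real KEV field names; the dateAdded shown is a placeholder, not the real entry date.

```python
"""Exploit-driven SLA tracker for edge appliances (added example, not AlphaHunt's code).
Inputs are constructed: a KEV excerpt using CISA's real field names (cveID,
vendorProject, product, dateAdded; the date is a placeholder) and a fleet
inventory with the timestamps at which each appliance was isolated and patched."""
from datetime import datetime, timedelta

KEV = {"vulnerabilities": [
    {"cveID": "CVE-2025-0282", "vendorProject": "Ivanti",
     "product": "Connect Secure", "dateAdded": "2025-01-08"},
]}
FLEET = [  # constructed inventory; timestamps are ISO-8601 without a zone
    {"host": "vpn-edge-01", "product": "Connect Secure",
     "isolated_at": "2025-01-08T16:00", "patched_at": "2025-01-10T09:00"},
    {"host": "vpn-edge-02", "product": "Connect Secure",
     "isolated_at": "2025-01-10T08:00", "patched_at": "2025-01-13T12:00"},
    {"host": "fw-dmz-01", "product": "Other", "isolated_at": None, "patched_at": None},
]
ISOLATE_SLA = timedelta(hours=24)   # isolate within 24h of KEV entry
PATCH_SLA = timedelta(hours=72)     # patched / back in service within 72h

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def affected_appliances(kev, fleet):
    """Pair each appliance with the KEV entry for the product it runs, if any."""
    by_product = {v["product"]: v for v in kev["vulnerabilities"]}
    return [(a, by_product[a["product"]]) for a in fleet if a["product"] in by_product]

def sla_report(kev, fleet):
    """Per-appliance SLA verdicts plus the fleet-level 72h patch rate (target >= 95%)."""
    rows, on_time = [], 0
    for app, vuln in affected_appliances(kev, fleet):
        clock = datetime.fromisoformat(vuln["dateAdded"])  # KEV entry day starts the clock
        iso, pat = _ts(app["isolated_at"]), _ts(app["patched_at"])
        iso_ok = iso is not None and iso - clock <= ISOLATE_SLA
        pat_ok = pat is not None and pat - clock <= PATCH_SLA
        on_time += int(pat_ok)
        rows.append({"host": app["host"], "cve": vuln["cveID"],
                     "isolated_in_24h": iso_ok, "patched_in_72h": pat_ok})
    rate = on_time / len(rows) if rows else 1.0
    return {"rows": rows, "patch_rate_72h": rate, "meets_target": rate >= 0.95}

if __name__ == "__main__":
    report = sla_report(KEV, FLEET)
    for row in report["rows"]:
        print(row)
    print("72h patch rate:", report["patch_rate_72h"], "target met:", report["meets_target"])
```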
Why it matters
SOC
- Log cues: consent to unverified/high‑scope apps; bulk exports by integration users; device registration/user risk anomalies; Teams external message/link abuse.
- Alerting: token replay (impossible travel for service principals), rare Autonomous System Number (ASN)/API usage, off‑hours object enumerations.
- Correlate: Connected App activity → data export → downstream credentials and secrets use across SaaS.
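The three SOC cues above as runnable detections over constructed events; this is an added example, not AlphaHunt's code, and its event schema, user names, ASNs and thresholds are assumptions.

```python
"""SOC cues as detections (added example, not AlphaHunt's code). Events are constructed
with a simplified schema of my own, not native Salesforce Event Monitoring or Entra formats."""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed telemetry; ASNs are documentation-range placeholders
    {"ts": "2025-08-26T02:00", "type": "consent", "user": "alice", "app": "ExportHelper",
     "publisher_verified": False, "scopes": ["full", "refresh_token"]},
    {"ts": "2025-08-26T02:05", "type": "consent", "user": "bob", "app": "CalendarSync",
     "publisher_verified": True, "scopes": ["openid", "email"]},
    {"ts": "2025-08-26T02:10", "type": "api_export", "user": "chat-integration", "rows": 120000, "asn": 64500},
    {"ts": "2025-08-26T02:12", "type": "api_export", "user": "chat-integration", "rows": 95000, "asn": 64500},
    {"ts": "2025-08-26T02:14", "type": "api_export", "user": "chat-integration", "rows": 500, "asn": 64501},
    {"ts": "2025-08-26T03:00", "type": "api_export", "user": "reporting-svc", "rows": 800, "asn": 64500},
]
HIGH_RISK_SCOPES = {"full", "api", "refresh_token"}  # assumed policy list

def _exports(events):
    """Group api_export events by integration user as (timestamp, rows, asn)."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "api_export":
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["rows"], e["asn"]))
    return by_user

def risky_consents(events):
    """Cue 1: consent granted to an unverified publisher or to high-risk scopes."""
    return [e["app"] for e in events if e["type"] == "consent"
            and (not e["publisher_verified"] or HIGH_RISK_SCOPES & set(e["scopes"]))]

def bulk_exports(events, window=timedelta(minutes=15), threshold=100000):
    """Cue 2: integration users exporting more than threshold rows inside any window."""
    hits = set()
    for user, obs in _exports(events).items():
        for start, _, _ in obs:
            if sum(r for t, r, _ in obs if start <= t <= start + window) > threshold:
                hits.add(user)
    return sorted(hits)

def asn_replay(events, window=timedelta(minutes=10)):
    """Cue 3: one integration user active from two ASNs within window (token replay cue)."""
    hits = set()
    for user, obs in _exports(events).items():
        if any(a1 != a2 and abs(t1 - t2) <= window for t1, _, a1 in obs for t2, _, a2 in obs):
            hits.add(user)
    return sorted(hits)
```

The correlation step in the list is the join of these three outputs on the integration user: a risky consent followed by a bulk export and multi-ASN activity from the same identity is the Connected App → export → downstream-secrets chain.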
IR
- Triage: confirm AiTM or device code flow phishing entry; enumerate valid‑account pivots and app role/permission changes.
- Preserve: Salesforce Event Monitoring, Microsoft Entra SignIn/Audit, Teams audit, Google Workspace Token Audit, Snowflake LOGIN_HISTORY/SESSIONS.
- Actions: revoke/rotate tokens/keys; factory reset compromised edge appliances using clean images; invalidate sessions; hunt for secrets‑mining (AWS/Snowflake/API keys).
SecOps
- Controls: authentication strength for privileged operations; verified‑publisher‑only consent; least‑privilege scopes; IP restrictions on integration users; token lifetimes + Continuous Access Evaluation.
- Edge: exploit‑driven SLAs; golden/immutable configs; integrity checks pre/post‑upgrade; hot spares and rollback automation; Secure Access Service Edge (SASE) change windows aligned to KEV.
Strategic
- Governance: board KPIs on phishing‑resistant MFA coverage, token revocation MTTR, KEV patch timeliness, supplier tiering and logging coverage.
- Compliance: pre‑stage evidence packs and comms to meet NIS2 and US maritime reporting clocks; rehearse board‑ready timelines.
See it in your telemetry
Network
- Sudden increases in SaaS API egress by integration users; bulk exports and unusual object enumerations.
- Edge appliance indicators: management‑plane logins from rare IPs; unexpected outbound to unfamiliar ASNs after KEV entries.
- VPN/SASE authentication drift: service accounts accessing from new geos/ASNs; session reuse after resets.
Endpoint
- Token/session artifacts accessed via browsers/SDK CLIs; web token replay without interactive logon.
- Signed Binary Proxy Execution (T1218) via rundll32/regsvr32 and PowerShell/Impacket bursts tied to lateral movement after edge compromise.
- Teams client signals: external link clicks, app permission prompts, anomalous Graph API calls from installed apps.
2025 Retrospective: Where Cyber Research Missed What Moved US/EU Economies
TL;DR
- Identity/OAuth abuse and edge-appliance exploits, not “catastrophic zero-days,” drove most real-world downtime and loss in 2025.
- SaaS supply-chain abuse (OAuth tokens, third-party apps) scaled data theft across enterprises; board exposure came via trusted platforms.
- Edge-device exploitation windows outpaced patch cycles; containment steps caused operations slowdowns and recovery costs.
- Regulation changed operating math: NIS2 scope and US maritime cyber rule shifted board accountability, reporting duties, and spend.
Executive Summary: 2025 Reality vs. Popular Narratives
Narrative (miss): Catastrophic, infrastructure-level cyber “black swans” would dominate macro risk.
- Reality: Material losses clustered in identity-first attacks and SaaS supply chain abuse (device-code phishing, OAuth consent/token replay) and rapidly weaponized edge-device exploits. These caused broad but “mid-intensity” operational friction—degraded throughput, prolonged incident triage—and downstream legal/notification cost, not grid-scale collapse.
Narrative (miss): AI would deliver autonomous intrusions at scale.
- Reality: AI consistently amplified social engineering quality/volume; attackers monetized OAuth/device code and token theft more than novel autonomy. Defenses that increased phish-resistant coverage and token hygiene outperformed tooling spend on speculative AI “auto-hack” threats.
Narrative (miss): High-profile takedowns and point events would depress e-crime.
- Reality: 2025 showed attacker adaptation around SaaS and third-party app ecosystems; post-event recidivism and visibility gaps raised containment and legal costs. Sustainable gains required governance on third-party integrations and token lifecycle controls.
Named Incidents and Impacts (US/EU)
OAuth supply-chain compromise via third-party app (Salesloft Drift) → mass Salesforce data theft
- What happened: Threat actor UNC6395 abused compromised OAuth tokens tied to Salesloft Drift to export large datasets from many corporate Salesforce instances; searched for high-value secrets (AWS keys, passwords, Snowflake tokens).
- Why it mattered economically: Cross-tenant data exfil at enterprise scale forced emergency credential resets, partner notifications, and integration downtime across sales/CS operations—expensive even without encryption events.
- Evidence/techniques: OAuth token theft and replay (T1528, T1550.003), API data exfiltration; third-party app trust abuse.
- Source: Google Cloud Threat Intelligence advisory and updates (2025-08-26/28).
UK retail disruption at scale (Marks & Spencer)
- What happened: Cyberattack around Easter forced M&S to shut automated stock systems, revert to manual processes, and pause online shopping, leaving shelves empty.
- Why it mattered economically: Company estimated ~$403M impact to operating profit in the year to March 2026; sustained online outage and supply-chain stress dented market cap.
- Evidence/techniques: Not fully disclosed publicly; profile consistent with identity-first intrusion → operational system disruption.
- Source: Al Jazeera citing M&S business update (2025-05-21).
Identity-first attack tradecraft matured (device-code phishing, AiTM, OAuth consent)
- What happened: Microsoft detailed active campaigns abusing device code auth flows (e.g., Storm-2372), AiTM phish kits, Teams/vishing blends, and OAuth consent to gain persistent cloud access across sectors.
- Why it mattered economically: These methods converted cheaply into BEC/fraud, SaaS exfiltration, and prolonged latent access, driving breach notifications, legal spend, and customer churn.
- Evidence/techniques: Device-code phishing (T1556.006 + T1528), token theft/replay (T1550.003), AiTM phishing (T1566).
- Sources: Microsoft DDR 2025; Microsoft identity attack techniques blog (2025-05-29).
Edge-appliance exploitation (Ivanti Connect Secure) → hard downtime + costly resets
- What happened: Critical Ivanti Connect Secure (ICS) VPN flaws (CVE-2025-0282/0283) were exploited in the wild (campaigns traced to China-nexus UNC5337/UNC5221), requiring factory resets, patching, and broad credential hygiene.
- Why it mattered economically: Perimeter-device exploitation forced emergency isolation/reset actions, invalidation of sessions, identity resets—adding days of degraded throughput and overtime, particularly for suppliers and services with OT-adjacent dependencies.
- Evidence/techniques: Exploit public-facing application (T1190), valid accounts (T1078), remote execution and lateral movement with living-off-the-land.
- Source: CRN attack summaries (2025-01); corroborating IR trendlines: Cisco Talos YIR 2024 (published 2025-03) on identity-led intrusions and LoLBins.
The 5 Big Misses That Mattered to Boards
Underestimated identity-first economics
- Miss: “MFA coverage” as a KPI masked token theft, OAuth sprawl, device-code flow abuse.
- 2025 signal: Identity-based attacks rose materially; device-code/OAuth consent featured in multi-stage intrusions across US/EU enterprises.
- Impact: Fraud/BEC, regulatory notifications, SaaS downtime, partner cascade.
- Fix: Track phish-resistant MFA coverage on material workflows, OAuth governance (publisher verification, low-risk scopes, consent fatigue controls), token hygiene (short lifetimes, continuous access evaluation, revocation on posture change).
Ignored SaaS third-party integration blast radius
- Miss: Vendor risk reviews focused on the SaaS provider, not apps/plugins with tenant-wide scopes.
- 2025 signal: Drift/Salesforce OAuth token abuse scaled multi-tenant exfil; secrets-mining raised secondary-compromise odds.
- Impact: Costly rotations, partner disclosures, business ops slowdowns; trust erosion with customers.
- Fix: Treat OAuth-connected apps as privileged supply chain; enforce app governance and IP restrictions; instrument session logs for Connected Apps; rotate on drift.
Downplayed edge-appliance exploitation windows
- Miss: Patch SLAs anchored to monthly cycles while mass exploitation lags shrank to days.
- 2025 signal: Ivanti Connect Secure campaigns triggered resets/patches under time pressure; Talos IR showed LoLBins/valid accounts dominating post-exploit flows.
- Impact: 24–96 hours degraded ops for some suppliers/logistics nodes; overtime, expedited freight costs; identity reset blast radius.
- Fix: Exploit-driven SLAs (24–72h), hot standby capacity, immutable configs, automated rollbacks, and pre-baked identity reset playbooks.
Misread AI’s role
- Miss: Focused on “autonomous AI attacks,” under-weighted AI-amplified social engineering and identity abuse.
- 2025 signal: Higher-quality/phased lures (email/Teams/vishing/QR), more OAuth/device-code phishing; Microsoft guidance emphasized phish-resistance and conditional access, not “AI detectors.”
- Impact: More initial access conversions → broader legal/ops costs.
- Fix: Phish-resistant MFA for admins/finance by policy; enforce conditional access, device-join hardening; invest in user behavioral defense where AI raises lure quality.
Treated regulation as compliance, not operating constraint
- Miss: Boards underweighted the operational and disclosure implications from NIS2 scope and US Coast Guard MTS cyber rule.
- 2025 signal: ENISA’s NIS2 implementation guidance and “roles/skills” mapping clarified expectations for MSPs/digital providers; USCG final rule imposed cyber plans, officers, drills, incident reporting across vessels/facilities.
- Impact: New board oversight duties, incident reporting clocks, training and plan costs; procurement re-tiering of MSPs/SaaS.
- Fix: Tie controls/KPIs to regulatory outcomes: incident comms SLAs, supplier tiering and continuity testing, board-ready documentation and cyber drills.
Board-Facing Metrics That Correlated With Reduced Loss
Identity and SaaS
- Percent of material workflows under phishing-resistant MFA (admins, finance, identity teams).
- OAuth app governance burn-down (unverified publishers; high-scope apps; tenant-wide scopes reduced).
- Mean time to revoke/rotate compromised tokens and secrets across SaaS/IDP.
- Device-code flow exposure (where enabled) and conditional access enforcement rate.
Edge/Perimeter
- Edge fleet “patch vs. active exploitation” SLA performance (24–72h target).
- Time to isolate/reset compromised appliances; time to invalidate sessions and rotate credentials.
- Identity reset blast radius (count of accounts/keys rotated per incident).
Supply-chain/SaaS
- Third-party app risk inventory completeness (Connected Apps/Integrations with IP restrictions and least-privilege scopes).
- Session logging coverage for API access on critical SaaS (e.g., Salesforce Event Monitoring, Entra sign-in risk).
Regulatory readiness (US/EU)
- NIS2-aligned supplier criticality tiering; tabletop cadence with authorities/partners.
- USCG cyber plan readiness milestones met (plans, officer designation, drills, reporting).
What Worked Technically (2025 Controls With Evidence)
- Enforced phishing-resistant MFA and conditional access on privileged roles and finance workflows (Microsoft observed significant uplift from these controls across identity attacks).
- Blocked or tightly governed device-code flows; enforced Teams external messaging controls and “attack simulation” user training for modern lures.
- OAuth governance: publisher verification, consent policies that allow only low-risk scopes/tenant-registered apps; IP restrictions on Connected Apps; “API Enabled” permission minimization.
- Token hygiene: short lifetimes, continuous access evaluation, rapid revocation on posture change; secret scanning for leaked keys in SaaS cases like Salesforce.
- Edge hygiene: exploit-driven patch SLAs; golden configs/immutable appliances and factory-reset playbooks; staged hot spares to cut downtime.
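The OAuth governance controls above turned into an inventory audit that yields the burn-down list boards tracked; this is an added example, not AlphaHunt's code, with a constructed Connected App inventory, Salesforce's public OAuth scope names, and policy weights and the 2h lifetime limit as assumptions.

```python
"""Connected App governance audit (added example, not AlphaHunt's code). Inventory
records are constructed; scope names are Salesforce OAuth scopes, field names my own."""
from datetime import timedelta

MAX_TOKEN_LIFETIME = timedelta(hours=2)   # assumed policy value
TENANT_WIDE_SCOPES = {"full", "api"}      # scopes that reach every object in the tenant
REFRESH = "refresh_token"                 # makes tenant-wide access long-lived and replayable

APPS = [  # constructed inventory
    {"name": "chat-connector", "publisher_verified": False, "scopes": ["full", "refresh_token"],
     "ip_restricted": False, "token_lifetime": timedelta(hours=24)},
    {"name": "hr-sync", "publisher_verified": True, "scopes": ["api", "refresh_token"],
     "ip_restricted": True, "token_lifetime": timedelta(hours=1)},
    {"name": "sso-login", "publisher_verified": True, "scopes": ["openid", "email"],
     "ip_restricted": True, "token_lifetime": timedelta(hours=1)},
]

def findings(app):
    """Policy violations for one app as (reason, weight); weights are assumed, for ordering only."""
    out = []
    if not app["publisher_verified"]:
        out.append(("unverified publisher", 3))
    wide = TENANT_WIDE_SCOPES & set(app["scopes"])
    if wide:
        weight = 3 if REFRESH in app["scopes"] else 2
        out.append((f"tenant-wide scope {sorted(wide)}", weight))
    if wide and not app["ip_restricted"]:
        out.append(("no IP restriction on integration user", 2))
    if app["token_lifetime"] > MAX_TOKEN_LIFETIME:
        out.append(("token lifetime exceeds policy", 1))
    return out

def burn_down(apps):
    """Apps with violations as (score, name, reasons), highest score first; clean apps omitted."""
    scored = []
    for app in apps:
        f = findings(app)
        if f:
            scored.append((sum(w for _, w in f), app["name"], [r for r, _ in f]))
    return sorted(scored, key=lambda s: (-s[0], s[1]))

if __name__ == "__main__":
    for score, name, reasons in burn_down(APPS):
        print(score, name, "; ".join(reasons))
```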
For US/EU Boards: 90-Day Action Plan
Identity-first hardening
- Mandate phishing-resistant MFA for admins/finance; block device-code where feasible; require conditional access on privileged operations.
- Launch OAuth governance program with publisher verification, consent restrictions, and routine app attestation; remove “full” scopes.
Token/secret hygiene
- Adopt continuous access evaluation; shorten token lifetimes; automate revocation on device posture change.
- Scan and rotate secrets after any SaaS integration breach; instrument SaaS logs for Connected Apps and unusual query patterns.
Edge-appliance resilience
- Move to exploit-driven SLAs; pre-stage hot spares; maintain immutable configs; practice factory reset drills.
- Include identity reset blast-radius playbooks and credential rotation automation.
Regulatory alignment
- US: Implement USCG cyber plan milestones (officer, drills, reporting) for maritime-exposed operations.
- EU: Align with ENISA NIS2 technical guidance; document roles/skills and evidence needed for MSP/digital providers; rehearse comms with authorities.
KPIs to report quarterly
- Phish-resistant MFA coverage on material workflows; OAuth risk burn-down; mean time to revoke tokens; edge patch SLA vs active exploits; incident comms/notification SLA adherence.
