No malware required: device-code phishing + Teams as the intrusion surface
No malware. Still owned. Device-code phishing + Teams as the "lobby" + stolen OAuth tokens = API-speed SaaS exfil. If you're hunting binaries, you're late.

TL;DR
Key Points
- Your biggest H1 2026 risk isn't "malware on laptops"; it's legitimate access paths: stolen OAuth/refresh tokens and connected apps driving API-scale SaaS exfil (CRM first, then everything integrated to it).
- Identity persistence is trending toward "no malware required": device-code phishing + token replay + tenant device registration, plus Teams as a recon/social-engineering/exfil surface that bypasses email-centric controls.
- Perimeter + supply chain remain the accelerants: edge zero-days/access brokers, weaponized PoCs + post-exploitation frameworks, and wormable npm-style supply chain incidents, so prioritize behavior/sequence detections over CVE signatures alone.
AlphaHunt
Strategic Overview
This H1 2026 watchlist reflects a shift: attackers increasingly win by operating "inside the rules", abusing OAuth-connected apps, integration tokens, and collaboration surfaces to move data at scale while looking legitimate. The highest-risk cluster is SaaS token compromise → bulk API export → secret harvesting from SaaS text fields, because one stolen integration token can drive high-volume, low-friction CRM theft and then pivot into email/other SaaS via shared integrations.
At the same time, identity-led compromise without malware is becoming a repeatable playbook: device-code phishing, refresh-token replay, and device registration for durable access. Teams is also a primary intrusion surface for recon and social engineering, with exfil paths through M365 linkages, so you need Teams-specific auditing/protections and cross-tenant anomaly hunting, not only email controls.
Perimeter and supply chain remain accelerants: edge zero-days/access brokers, weaponized PoCs + post-exploitation frameworks, npm propagation, and web framework RCE. The practical strategy is to invest in sequence/behavior detections (new session → high-value action; beaconing + privileged actions) and tighten exploit-speed hygiene (inventory, patch SLAs, centralized edge logs, segmented management planes).
Prioritized H1 2026 watchlist
| Priority activity | Initial access (IA) | Post-compromise tradecraft / objectives | High-signal telemetry to hunt | Practical defender takeaways |
|---|---|---|---|---|
| 1) SaaS connected-app token compromise → API-scale CRM data theft + credential harvesting | Stolen OAuth access/refresh tokens for a third-party connected app | Bulk export of Salesforce objects; keyword-searching exports for secrets (e.g., cloud keys, passwords) | Salesforce UniqueQuery spikes (e.g., repeated SELECT COUNT()), unusual "connection user" access, Bulk API job creation + deletion attempts | Govern connected apps like Tier-0: minimize scopes, enforce IP restrictions, shorten session lifetimes, rehearse token revocation + rotation, scan SaaS text fields for secrets |
| 2) "Integration blast radius" across SaaS (CRM → email → other apps) | Same vendor platform storing multiple integration tokens | Pivot from CRM to other integrated services (example: email access limited to integrated accounts) | OAuth token revocation/rotation events; anomalous access limited to the "integrated subset" of users | IR playbook should include "revoke everywhere this vendor touches," not just resetting user passwords; maintain an integration inventory with owners + kill-switch process |
| 3) Device code phishing → token replay + tenant device registration (identity persistence without malware) | User tricked into completing the device-code flow | Graph API collection; internal lateral attempts via additional phishing; device registration to obtain stronger session artifacts | Entra sign-ins showing device code flow patterns (e.g., rapid 50199 then success); Device Registration Service events; risky sign-ins correlated to device enrollments | Block device code flow where possible; restrict who can register/join devices; rapidly revoke sessions (revokeSignInSessions) on suspicion; enforce risk-based Conditional Access |
| 4) Teams as a primary intrusion surface (recon → social engineering → exfil/persistence) | External tenant chat/calls; compromised tenant; abuse of meetings/guest/external access | Recon via Graph tooling; delivery of RMM; data collection via Teams/OneDrive/SharePoint linkages | Purview Audit + Defender tables (e.g., CloudAppEvents/MessageEvents) for external chat bursts, new external threads, suspicious URL clicks | Tighten external access/guest policy; ensure auditing is enabled; deploy Safe Links/Safe Attachments for Teams; hunt on cross-tenant anomalies (not only email) |
| 5) Edge zero-day access brokers (Ivanti CSA-focused) enabling resale + follow-on intrusions | Exploitation of multiple zero-days on edge appliances | Rootkit + open-source tooling; access monetization/resale; occasional exfiltration/cryptomining | Appliance logs (where available) for exploitation artifacts; unusual admin sessions; outbound VPN/commercial VPN usage from edge | "Exploit-speed hygiene": inventory exposed edge, patch SLAs, restrict management surfaces, centralize edge logs, and hunt for post-exploit persistence (webshell/backdoor) |
| 6) Perimeter exploitation waves using weaponized PoCs + open-source post-exploitation frameworks | Rapid targeting of VPN/firewall/load balancer/email perimeters | Deployment of frameworks (e.g., Cobalt Strike) and open-source backdoors; broad victimology | Edge telemetry + network detections for known post-exploitation frameworks; suspicious beaconing after edge access | Build detections around follow-on behaviors (C2, lateral movement) rather than CVE signatures alone; segment and monitor management planes |
| 7) Scan spikes as early warning on edge tech (Cisco ASA example) | Coordinated internet scanning / brute force against specific login paths | Often precedes exploitation/credential attacks when disclosures land | Web portal hits to Cisco ASA login paths at abnormal rates; bursts from many source IPs | Treat scan spikes as actionable risk signals: rate-limit, temporarily geo/ASN-filter where appropriate, and pre-stage mitigations before patch windows close |
| 8) Wormable npm supply chain → CI/CD credential harvest + self-propagation | Compromised developer identity/tokens | Credential scanning (PATs/cloud keys), exfiltration, automated injection + republish of packages | Lockfile drift; unexpected install-time network egress; GitHub API usage (repo creation) tied to build context | Pin to known-good versions; rotate developer credentials fast; enforce phishing-resistant MFA for npm/GitHub; restrict CI egress during dependency resolution |
| 9) High-velocity web framework RCE (React2Shell) → tunneling/backdoors/miners | Unauthenticated RCE in React Server Components / Next.js ecosystems | Drop tunnelers/downloaders/backdoors; persistence via systemd/cron; opportunistic mining | Web server processes spawning curl/wget; creation of new systemd services; hidden directories and modified shell startup files | Patch immediately; deploy WAF rules as interim control; hunt for Linux persistence + unusual outbound from web workloads |
| 10) Criminal infrastructure-as-a-service (VDS/RDP marketplaces) enabling "clean" ops at scale | Actors rent cloned Windows RDP servers with consistent fingerprints | Mass phishing/BEC, password spray, fraud workflows from disposable infra | RDP telemetry with repeat host fingerprints (e.g., WIN-BUNS25TD77J); AnyDesk/tooling installs on remote servers | Enrich sign-ins with hosting/VDS context; alert on suspicious remote admin tools on "non-corporate" Windows hosts; monitor for credential attacks sourced from rented VDS ranges |
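Row 3 and the Strategic Overview both come down to one sequence: a device-code prompt (Entra error 50199) that completes in a success, a token issued to an address the user never signs in from, and a persistence action (device registration) shortly after. The detector below is an added example, not code from the original post or from any vendor. It runs over constructed, simplified records; the field names (`protocol`, `error_code`, `activity`) and the activity strings in `HIGH_VALUE_ACTIVITIES` only approximate Entra ID sign-in and audit fields and are assumptions, so map them to your real schema before use.

```python
"""Sequence detection: device-code prompt -> token issuance -> identity persistence.

Added example, not code from the original post. Records are constructed and
simplified; field names approximate Entra ID sign-in/audit fields (assumption).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    ip: str
    protocol: str    # "deviceCode" or "authorizationCodeFlow" in these samples
    error_code: int  # 0 = success; 50199 = user confirmation required (device-code prompt)


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    user: str
    ip: str
    activity: str    # directory audit activity name (assumed wording)


# Follow-on actions that turn a replayed token into durable access (assumed names).
HIGH_VALUE_ACTIVITIES = {"Register device", "Add registered owner to device"}


def detect_device_code_chains(
    signins: List[SignIn],
    audits: List[AuditEvent],
    baseline_ips: Dict[str, Set[str]],
    success_window: timedelta = timedelta(minutes=10),
    followup_window: timedelta = timedelta(hours=24),
) -> List[dict]:
    """One finding per device-code prompt (50199) that completes in a success.

    Severity: high   = token issued to a non-baseline IP AND a persistence action followed
              medium = only one of the two
              low    = completed device-code flow with neither (e.g. admin on a headless box)
    """
    by_user: Dict[str, List[SignIn]] = {}
    for s in sorted(signins, key=lambda e: e.time):
        by_user.setdefault(s.user, []).append(s)

    findings: List[dict] = []
    for user, events in by_user.items():
        for prompt in (e for e in events if e.protocol == "deviceCode" and e.error_code == 50199):
            success = next(
                (e for e in events
                 if e.protocol == "deviceCode" and e.error_code == 0
                 and prompt.time < e.time <= prompt.time + success_window),
                None,
            )
            if success is None:
                continue  # code never entered: a prompt alone is noise, not a compromise
            new_ip = success.ip not in baseline_ips.get(user, set())
            followups = sorted(
                a.activity for a in audits
                if a.user == user and a.activity in HIGH_VALUE_ACTIVITIES
                and success.time < a.time <= success.time + followup_window
            )
            if new_ip and followups:
                severity = "high"
            elif new_ip or followups:
                severity = "medium"
            else:
                severity = "low"
            findings.append({
                "user": user,
                "prompt_at": prompt.time.isoformat(),
                "token_at": success.time.isoformat(),
                "token_ip": success.ip,
                "new_ip": new_ip,
                "followups": followups,
                "severity": severity,
            })
    return findings


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry (RFC 5737 test addresses; not real tenant data).
BASELINE_IPS = {
    "alice@corp.example": {"203.0.113.7"},
    "bob@corp.example": {"203.0.113.7"},
    "carol@corp.example": {"203.0.113.9"},
}
SIGNINS = [
    # alice: confirms the code on her own laptop; the token lands on a foreign IP 35s later
    SignIn(_t("2026-01-14T09:00:05"), "alice@corp.example", "203.0.113.7", "deviceCode", 50199),
    SignIn(_t("2026-01-14T09:00:40"), "alice@corp.example", "198.51.100.23", "deviceCode", 0),
    # bob: ordinary browser sign-in, no device-code flow at all
    SignIn(_t("2026-01-14T09:05:00"), "bob@corp.example", "203.0.113.7", "authorizationCodeFlow", 0),
    # carol: legitimate device-code use from a baseline address, nothing follows
    SignIn(_t("2026-01-14T14:00:00"), "carol@corp.example", "203.0.113.9", "deviceCode", 50199),
    SignIn(_t("2026-01-14T14:00:30"), "carol@corp.example", "203.0.113.9", "deviceCode", 0),
    # dave: prompt shown but the code is never entered -> no token, no finding
    SignIn(_t("2026-01-14T16:00:00"), "dave@corp.example", "203.0.113.11", "deviceCode", 50199),
]
AUDITS = [
    # alice's replayed token registers a device 75 minutes later, from the foreign IP
    AuditEvent(_t("2026-01-14T10:15:00"), "alice@corp.example", "198.51.100.23", "Register device"),
]

if __name__ == "__main__":
    for f in detect_device_code_chains(SIGNINS, AUDITS, BASELINE_IPS):
        print(f["severity"].upper(), f["user"], "token from", f["token_ip"], "followups:", f["followups"])
```

The point of the design is the sequence, not any single event: a 50199 alone is what every legitimate device-code login looks like, and a device registration alone is daily IT activity. Only the chain (prompt → success from a non-baseline address → persistence action inside the follow-up window) earns "high", which is why alice is flagged and carol's headless-box login is reported as "low" context rather than an alert.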
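Row 8 lists "lockfile drift" as the high-signal telemetry for a self-propagating npm compromise, but drift is only useful if you know which kinds of change matter. The check below is an added example, not code from the original post or from npm; it diffs two `package-lock.json` documents (lockfileVersion 2/3 `packages` map) and reports the changes a republished or injected package leaves behind: a version move nobody asked for in `package.json`, the same version string with a different tarball integrity hash, a brand-new dependency, or a tarball resolved from outside the npm registry. The two lockfiles are constructed samples.

```python
"""Lockfile drift check for npm supply-chain incidents.

Added example, not code from the original post. Compares two package-lock.json
documents and flags the changes a wormable package compromise leaves behind.
The sample lockfiles below are constructed, with placeholder integrity hashes.
"""
import json
from typing import Dict, List, Optional, Set

NPM_REGISTRY = "https://registry.npmjs.org/"


def lockfile_drift(
    old_lock: dict,
    new_lock: dict,
    direct_deps_changed: Optional[Set[str]] = None,
) -> List[Dict[str, str]]:
    """Return one finding per suspicious change in the resolved dependency graph.

    direct_deps_changed: package names whose range was deliberately edited in
    package.json in this change set; version moves for those are expected.
    """
    expected = direct_deps_changed or set()
    old = old_lock.get("packages", {})
    new = new_lock.get("packages", {})
    findings: List[Dict[str, str]] = []
    for path, meta in new.items():
        if path == "":
            continue  # root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(NPM_REGISTRY):
            findings.append({"package": name, "issue": "off-registry-source", "detail": resolved})
        prev = old.get(path)
        if prev is None:
            findings.append({"package": name, "issue": "new-package", "detail": meta.get("version", "?")})
        elif prev.get("version") != meta.get("version"):
            if name not in expected:
                findings.append({"package": name, "issue": "version-changed",
                                 "detail": f"{prev.get('version')} -> {meta.get('version')}"})
        elif prev.get("integrity") != meta.get("integrity"):
            # Same version, different tarball: republished content or a tampered mirror.
            findings.append({"package": name, "issue": "integrity-changed-same-version",
                             "detail": meta.get("integrity", "?")})
    return findings


# Constructed sample lockfiles (package names and hashes are placeholders).
OLD_LOCK = json.loads("""
{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "dependencies": {"left-pad-ish": "^1.3.0"}},
    "node_modules/left-pad-ish": {"version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.0.tgz",
      "integrity": "sha512-AAAA"},
    "node_modules/tiny-colors": {"version": "2.0.1",
      "resolved": "https://registry.npmjs.org/tiny-colors/-/tiny-colors-2.0.1.tgz",
      "integrity": "sha512-BBBB"}
  }
}
""")
NEW_LOCK = json.loads("""
{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "dependencies": {"left-pad-ish": "^1.3.0"}},
    "node_modules/left-pad-ish": {"version": "1.3.1",
      "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.1.tgz",
      "integrity": "sha512-AAAB"},
    "node_modules/tiny-colors": {"version": "2.0.1",
      "resolved": "https://registry.npmjs.org/tiny-colors/-/tiny-colors-2.0.1.tgz",
      "integrity": "sha512-CCCC"},
    "node_modules/postinstall-helper": {"version": "0.0.1",
      "resolved": "https://cdn.example.net/postinstall-helper-0.0.1.tgz",
      "integrity": "sha512-DDDD"}
  }
}
""")

if __name__ == "__main__":
    for f in lockfile_drift(OLD_LOCK, NEW_LOCK):
        print(f"{f['issue']:32} {f['package']:20} {f['detail']}")
```

Run this in CI against the lockfile the build is about to install, with the previous commit's lockfile as `old_lock`; any finding other than an expected `version-changed` should fail the pipeline before `npm install` runs, since install-time scripts are exactly where the credential scanning in row 8 executes.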
