identity - AlphaHunt Newsletter

weekly

SIGNALS WEEKLY: Cisco Catalyst SD-WAN Exploitation + OAuth Redirect Abuse + Prompt Injection Observed in the Wild

Edge + identity + AI = the new “oops.” 😬🧨🤖 ED 26-03 on Cisco Catalyst SD-WAN exploitation, OAuth redirect abuse that lands users in malware without token theft, plus Gemini panel hijack vs indirect prompt injection in the wild.

identity

The 90-Day Disruption Dividend: How Intel-Led Hunting Reduces Dwell Time Without a Massive SOC

Your SOC isn’t understaffed. It’s late. ⏱️😈 Attackers aren’t scaling with malware—they’re scaling with OAuth + tokens + “normal” API exports. Big tech wins by yanking kill-switches fast. Can you revoke an OAuth grant in <30 min?

weekly

SIGNALS WEEKLY: ShinyHunters, Vishing, and the MFA Hijack Problem in SaaS

MFA isn’t “done.” It’s now the excuse attackers use on the phone. ☎️😈🔑 Vishing → MFA reset/re-enroll → post-login SaaS data grabs. Plus: selective Notepad++ updater abuse + proxy traffic making IP rep cry.

forecasts

[FORECAST] ShinyHunters SaaS Data Theft: Why Non-Ransom Monetization Looks Increasingly Attractive

Our new forecast asks: will ShinyHunters make more in 2H 2026 by selling SaaS access/data than by getting paid? Signals say yes. 🕵️‍♂️💸☁️

weekly

SIGNALS WEEKLY: Teams QR/callback phishing beats patching

KEV speedrun of the week 🏁: Office CVE-2026-21509 + WinRAR CVE-2025-8088. Patch anyway… then protect sessions 🍪 (Teams QR/callback lures 📱, SSO/SAML token abuse)

ai

If your “AI Coworker” Gets Targeted, What Tips You Off First?

Your “AI coworker” isn’t the breach. The OAuth trust event is. 🔥🕵️‍♂️ Device-code phishing + consent traps = “approve to exfil.” (And yes, AI agents are already being used as the wrapper.)

identity

No malware required: device-code phishing + Teams as the intrusion surface

No malware. Still owned. 🧾🔑💬 Device-code phishing + Teams as the “lobby” + stolen OAuth tokens = API-speed SaaS exfil. If you’re hunting binaries, you’re late.

breaches

[DEEP RESEARCH] Token Factory: The 5 Costliest US Breaches of 2025

2025’s costliest US breaches: identity, outage math, outcomes Identity-led intrusions at distributors, govtech, healthcare, and an appliance vendor drove nine-figure losses. Outage duration and revocation speed determined the spread between disruption and recovery.

sass

[DEEP RESEARCH] Zero-Days Are a Distraction: 2025’s Biggest Losses Were Stolen Tokens + OAuth

Most downtime and spend stemmed from OAuth/SaaS abuse and edge appliances—not catastrophic zero-days. Here’s what drove real operating impact and the fastest ways to shrink it.

oauth

Zero-Days Are a Distraction: 2025’s Biggest Losses Were Stolen Tokens + OAuth

Zero-days get the headlines. Stolen tokens + OAuth consent abuse get the invoices. 🧾🔑😈 2025 pain = AiTM/device-code phishing + token replay + KEV-speed edge fires.