weekly
SIGNALS WEEKLY: Teams QR/callback phishing beats patching
KEV speedrun of the week 🏁: Office CVE-2026-21509 + WinRAR CVE-2025-8088. Patch anyway… then protect sessions 🍪 (Teams QR/callback lures 📱, SSO/SAML token abuse)
identity
ai
If your “AI Coworker” Gets Targeted, What Tips You Off First?
Your “AI coworker” isn’t the breach. The OAuth trust event is. 🔥🕵️♂️ Device-code phishing + consent traps = “approve to exfil.” (And yes, AI agents are already being used as the wrapper.)
identity
No malware required: device-code phishing + Teams as the intrusion surface
No malware. Still owned. 🧾🔑💬 Device-code phishing + Teams as the “lobby” + stolen OAuth tokens = API-speed SaaS exfil. If you’re hunting binaries, you’re late.
![[DEEP RESEARCH] Token Factory: The 5 Costliest US Breaches of 2025](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/01/z.png)
breaches
[DEEP RESEARCH] Token Factory: The 5 Costliest US Breaches of 2025
2025’s costliest US breaches: identity, outage math, outcomes Identity-led intrusions at distributors, govtech, healthcare, and an appliance vendor drove nine-figure losses. Outage duration and revocation speed determined the spread between disruption and recovery.
![[DEEP RESEARCH] Zero-Days Are a Distraction: 2025’s Biggest Losses Were Stolen Tokens + OAuth](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2025/12/zz-3.png)
sass
[DEEP RESEARCH] Zero-Days Are a Distraction: 2025’s Biggest Losses Were Stolen Tokens + OAuth
Most downtime and spend stemmed from OAuth/SaaS abuse and edge appliances—not catastrophic zero-days. Here’s what drove real operating impact and the fastest ways to shrink it.
oauth
Zero-Days Are a Distraction: 2025’s Biggest Losses Were Stolen Tokens + OAuth
Zero-days get the headlines. Stolen tokens + OAuth consent abuse get the invoices. 🧾🔑😈 2025 pain = AiTM/device-code phishing + token replay + KEV-speed edge fires.