oauth - AlphaHunt Newsletter

identity

No malware required: device-code phishing + Teams as the intrusion surface

No malware. Still owned. 🧾🔑💬 Device-code phishing + Teams as the “lobby” + stolen OAuth tokens = API-speed SaaS exfil. If you’re hunting binaries, you’re late.

breaches

[DEEP RESEARCH] Token Factory: The 5 Costliest US Breaches of 2025

2025’s costliest US breaches: identity, outage math, outcomes Identity-led intrusions at distributors, govtech, healthcare, and an appliance vendor drove nine-figure losses. Outage duration and revocation speed determined the spread between disruption and recovery.

breaches

Token Factory: The 5 Costliest US Breaches of 2025

2025’s priciest breaches weren’t “elite malware.” They were tokens + SaaS + downtime 🪙⏱️🔥 If your revoke MTTR is measured in days, the attackers already won.

sass

[DEEP RESEARCH] Zero-Days Are a Distraction: 2025’s Biggest Losses Were Stolen Tokens + OAuth

Most downtime and spend stemmed from OAuth/SaaS abuse and edge appliances—not catastrophic zero-days. Here’s what drove real operating impact and the fastest ways to shrink it.

oauth

Zero-Days Are a Distraction: 2025’s Biggest Losses Were Stolen Tokens + OAuth

Zero-days get the headlines. Stolen tokens + OAuth consent abuse get the invoices. 🧾🔑😈 2025 pain = AiTM/device-code phishing + token replay + KEV-speed edge fires.

oauth

The Quiet Token Heist: Why 2026’s Biggest SaaS Breaches Won’t Start With Passwords

2026’s nastiest SaaS breaches will ride valid tokens + “trusted” apps. We already got the trailer with the Salesloft/Drift OAuth blast radius. And the browser? Yeah, it’s part of the perimeter now. 😬🔑💬

ai

Dark LLMs: When Your AI Traffic Is C2

Your “normal” AI traffic can be stealth C2 now. Dark LLMs are writing per-host pwsh one-liners, self-rewriting droppers, and hiding in model APIs you approved. If you’re not policing AI egress, you’re not doing detection. 😬🤖