Typhoon doesn’t knock—it asks for consent. 🌀
One “Allow” on the wrong app and you’ve handed over quiet, durable, tenant-wide access. This week’s twist: attackers are wrapping consent prompts in legit-looking AI agent flows, then siphoning OAuth tokens. Meanwhile, device-code phishing keeps grinding away, and Typhoon clusters continue to blend in via “good” U.S. infrastructure.
Counter-moves: lock risky scopes down to admin-only consent, enable device-bound tokens, and practice mass token/consent rollback like it’s a fire drill. If an upstream tool or MSP gets popped, your blast radius shouldn’t.
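What the rollback drill can look like on paper, as an added example (not from the original post or the linked brief): take an exported grant inventory and work out, per app, which grants to delete and whose sessions to revoke. The risky-scope set, the allowlist and every id below are assumptions; the records are constructed and only shaped like Microsoft Graph `oauth2PermissionGrant` objects.

```python
# Assumption: delegated scopes this org treats as risky (the post names none).
DATA_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
               "Files.ReadWrite.All", "EWS.AccessAsUser.All"}
APPROVED_CLIENTS = {"sp-crm"}  # hypothetical allowlist of reviewed apps

# Constructed sample shaped like Microsoft Graph oauth2PermissionGrant
# records (id, clientId, consentType, principalId, scope). All ids made up.
GRANTS = [
    {"id": "g1", "clientId": "sp-ai-notes", "consentType": "Principal",
     "principalId": "u-alice", "scope": "openid Mail.Read offline_access"},
    {"id": "g2", "clientId": "sp-ai-notes", "consentType": "Principal",
     "principalId": "u-bob", "scope": "openid Mail.Read Mail.Send"},
    {"id": "g3", "clientId": "sp-sync", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read EWS.AccessAsUser.All"},
    {"id": "g4", "clientId": "sp-crm", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Files.ReadWrite.All"},
    {"id": "g5", "clientId": "sp-calendar", "consentType": "Principal",
     "principalId": "u-carol", "scope": "openid profile offline_access"},
]


def rollback_plan(grants, risky=DATA_SCOPES, approved=APPROVED_CLIENTS):
    """Group risky, unreviewed grants per app: what to delete, whom to revoke."""
    plan = {}
    for g in grants:
        scopes = set(g["scope"].split())
        hits = scopes & risky
        if not hits or g["clientId"] in approved:
            continue
        app = plan.setdefault(g["clientId"], {
            "grants": [], "users": set(), "scopes": set(),
            "tenant_wide": False, "durable": False})
        app["grants"].append(g["id"])
        app["scopes"] |= hits
        # offline_access means refresh tokens: access outlives the session.
        app["durable"] |= "offline_access" in scopes
        if g["consentType"] == "AllPrincipals":
            app["tenant_wide"] = True      # admin consent covers every user
        elif g["principalId"]:
            app["users"].add(g["principalId"])
    return plan


if __name__ == "__main__":
    for client, app in sorted(rollback_plan(GRANTS).items()):
        who = "ALL USERS" if app["tenant_wide"] else ", ".join(sorted(app["users"]))
        print(f"{client}: delete {app['grants']}; revoke sessions for {who}; "
              f"scopes={sorted(app['scopes'])} durable={app['durable']}")
```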
Question: If you had to kill one today—user consent, device-code flow, or legacy EWS app perms—which goes first in your org, and why?
Read the 60-sec brief → https://blog.alphahunt.io/typhoon-by-consent-quiet-durable-everywhere
#AlphaHunt #IdentitySecurity #M365 #OAuth #CloudSec