No malware required: device-code phishing + Teams as the intrusion surface

🚫🦠 “No malware” doesn’t mean “no breach.”

H1 2026’s nastiest intrusions are boring on purpose:

Stolen OAuth/refresh tokens + “connected apps” = API-speed SaaS exfil (CRM first… then whatever it’s integrated to). 🔑

Device-code phishing + token replay + tenant device registration = persistence without dropping a single binary. 🧾

Teams becomes the new lobby: recon + social engineering + link-led exfil that slips past email-first controls. 💬

If your detection stack is still CVE alerts + endpoint malware, you’re watching the wrong movie.

Open question: what’s your fastest “kill switch” today—revoke sessions/tokens across all integrations, or… a ticket queue and a prayer? 😇
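As an added illustration (not code from the linked AlphaHunt post), here is a Python detection sketch for the chain the post names: a device-code sign-in followed by token use from a different IP and a tenant device registration. The sample events are constructed; the sign-in field names follow the Entra ID sign-in log schema, while the joined "device_registered" row is an assumption about how an audit-log event would be normalised alongside it.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names mirror the
# Entra ID sign-in log (authenticationProtocol, ipAddress, appDisplayName);
# the "device_registered" event type is an assumed normalised audit-log row.
SAMPLE_EVENTS = [
    {"time": "2026-03-02T09:00:00", "user": "a.user@example.test", "type": "signin",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Office"},
    {"time": "2026-03-02T09:03:00", "user": "a.user@example.test", "type": "signin",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft Graph"},
    {"time": "2026-03-02T09:10:00", "user": "a.user@example.test",
     "type": "device_registered", "ipAddress": "198.51.100.7"},
    {"time": "2026-03-02T10:00:00", "user": "b.user@example.test", "type": "signin",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
     "appDisplayName": "Azure CLI"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_device_code_chains(events, window_hours=1):
    """Return one alert per device-code sign-in that is followed, within the
    window and for the same user, by token use from a different IP and/or a
    device registration. A lone device-code sign-in is common and noisy, so it
    is not alerted on by itself."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, seed in enumerate(events):
        if seed["type"] != "signin" or seed.get("authenticationProtocol") != "deviceCode":
            continue
        deadline = _ts(seed) + timedelta(hours=window_hours)
        reasons = set()
        for later in events[i + 1:]:
            if _ts(later) > deadline:
                break
            if later["user"] != seed["user"]:
                continue
            if later["type"] == "signin" and later["ipAddress"] != seed["ipAddress"]:
                reasons.add("token_use_from_new_ip")
            if later["type"] == "device_registered":
                reasons.add("device_registered")
        if reasons:
            alerts.append({"user": seed["user"], "seed_time": seed["time"],
                           "seed_ip": seed["ipAddress"], "reasons": sorted(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_chains(SAMPLE_EVENTS):
        print(alert)
```

An alert like this is the natural trigger for the kill switch asked about above: revoke the user's sessions (in Microsoft Graph, the revokeSignInSessions action) and remove the newly registered device rather than waiting on a ticket.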

Read / subscribe: https://blog.alphahunt.io/no-malware-required-device-code-phishing-teams-as-the-intrusion-surface

#AlphaHunt #MicrosoftTeams #EntraID #OAuth #ThreatHunting

Did you learn something new?