Your “AI coworker” didn’t get you popped.
Your OAuth trust event did. 🔥
Device-code prompts + consent screens are the new “click here to exfiltrate,” because the login is real… and the attacker walks away with tokens.
And yes, the “AI layer” is already showing up as a wrapper for OAuth phishing (Copilot Studio agents, legit Microsoft domains, same old consent trap).
So if your detections still start at endpoint IOCs, congrats—you’ll always be early… to the post-incident meeting. 🧯
Question: Do you alert on NEW OAuth app grants + lookalike app names + risky scopes as a first-class incident?
Read it (and steal the detection priority list): https://blog.alphahunt.io/if-your-ai-coworker-gets-targeted-what-tips-you-off-first
#AlphaHunt #EntraID #OAuth #CloudSecurity #ThreatHunting
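
The three signals named in the question above (new OAuth app grants, lookalike app names, risky scopes) can be scored together in one triage pass. This is an added example, not code from the post or the linked blog; the event field names, the approved-app list, the risky-scope set and the similarity threshold are all assumptions, and the sample events are constructed.

```python
import difflib
import unicodedata

# Assumption: Microsoft Graph delegated scopes this example treats as risky.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "Files.ReadWrite.All", "offline_access"}
# Assumption: constructed app IDs already reviewed and approved in the tenant.
APPROVED = {"11111111-0000-0000-0000-000000000001": "Microsoft Teams",
            "11111111-0000-0000-0000-000000000002": "Contoso Expenses"}

def normalize(name):
    """Fold case, Unicode compatibility forms and digit-for-letter swaps."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    folded = folded.translate(str.maketrans("013", "ole"))
    return "".join(ch for ch in folded if ch.isalnum())

def lookalike_of(name, threshold=0.85):
    """Return the approved app name that `name` resembles, or None."""
    cand = normalize(name)
    for known in APPROVED.values():
        if difflib.SequenceMatcher(None, cand, normalize(known)).ratio() >= threshold:
            return known
    return None

def triage(event):
    """Score one consent-grant event; returns (score, reasons)."""
    if event["app_id"] in APPROVED:
        return 0, []
    reasons = ["new app grant"]
    imitated = lookalike_of(event["app_name"])
    if imitated:
        reasons.append(f"name resembles approved app '{imitated}'")
    risky = sorted(RISKY_SCOPES & set(event["scopes"]))
    if risky:
        reasons.append("risky scopes: " + ", ".join(risky))
    return len(reasons), reasons

# Constructed sample events; field names are hypothetical, not an Entra ID schema.
EVENTS = [
    {"app_id": "11111111-0000-0000-0000-000000000001",
     "app_name": "Microsoft Teams", "scopes": ["User.Read"]},
    {"app_id": "99999999-0000-0000-0000-000000000001",
     "app_name": "Micr0soft Teams",
     "scopes": ["Mail.Read", "offline_access", "User.Read"]},
    {"app_id": "99999999-0000-0000-0000-000000000002",
     "app_name": "Calendar Helper", "scopes": ["User.Read"]},
]

if __name__ == "__main__":
    for ev in EVENTS:
        score, reasons = triage(ev)
        print(score, ev["app_name"], reasons)
```

A grant that trips all three signals scores 3; an unapproved app ID reusing an approved name exactly also counts as a lookalike.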