ShadowTalk: Powered by ReliaQuest

Device Code, OAuth, PhaaS: How Session Token Theft is Breaking the Phishing Playbook

Your user clicked a link, landed on a real Microsoft login page, typed their password, completed MFA, and walked away thinking nothing happened. Somewhere across the internet, an attacker's device just received an authenticated session token. The password is irrelevant. The MFA prompt already fired and passed. With phishing-as-a-service (PhaaS) platforms now converging on token-theft tradecraft, and post-compromise automation executing in seconds, defenders are racing a scripted attacker with a manual playbook.

Join hosts Brandon and John as they discuss:

  • How device code phishing uses real authentication infrastructure to capture valid session tokens
  • How one campaign hit 35,000+ users across 13,000+ organizations in 26 countries
  • Why rogue device registrations complete before the average analyst reads the alert

Two questions your organization should be asking right now:

  • Have your Conditional Access policies been reviewed specifically for the device code grant flow: not whether CA policies exist, but whether they cover the OAuth flows that session-token theft actually exploits?
  • When a phishing confirmation fires, how many manual steps stand between that alert and full token revocation plus rogue device deregistration, and is that response faster than the attacker's automation?

Resources: https://linktr.ee/ReliaQuestShadowTalk

Brandon Tirado: Director of GreyMatter Operations for ReliaQuest. A skilled cyber defense professional with a unique combination of management and hands-on experience. With a deep understanding of adversary motives and the tactics, techniques, and procedures (TTPs) they use to achieve their goals, Brandon enjoys operationalizing his knowledge to make it more difficult for adversaries to operate within the environments of ReliaQuest customers. His managerial and hands-on experience enriches ShadowTalk with practical and strategic viewpoints.

John Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.



Rating: 4.7 (42 ratings)


More shows like ShadowTalk: Powered by ReliaQuest

  • Hacked, by Hacked (188 listeners)
  • Security Now (Audio), by TWiT (2,007 listeners)
  • WSJ Tech News Briefing, by The Wall Street Journal (1,657 listeners)
  • Risky Business, by Risky Business Media (376 listeners)
  • SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast), by Johannes B. Ullrich (649 listeners)
  • CyberWire Daily, by N2K Networks (1,026 listeners)
  • Click Here, by Recorded Future News (420 listeners)
  • Darknet Diaries, by Jack Rhysider (8,051 listeners)
  • Cybersecurity Today, by Jim Love (179 listeners)
  • CISO Series Podcast, by David Spark, Mike Johnson, and Andy Ellis (192 listeners)
  • True Spies: Espionage | Investigation | Crime | Murder | Detective | Politics, by SPYSCAPE (1,951 listeners)
  • Cybersecurity Headlines, by CISO Series (136 listeners)
  • Cyber Hack, by BBC World Service (1,597 listeners)
  • Risky Bulletin, by Risky Business Media (45 listeners)
  • The Economics Show, by Financial Times (142 listeners)