The invisible key: Securing the new attack vector of OAuth tokens
gvarisco
0 views
71 slides
Oct 16, 2025
Slide 1 of 71
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
About This Presentation
OAuth tokens are the new crown jewels. Once issued, they bypass MFA and give API-level access that is hard to monitor. The opaque nature of their use and the difficulty in monitoring their activity create a dangerous blind spot for security teams, making them a primary target for attackers. This pre...
Slide Content
The invisible key: Securing the new attack
vector of OAuth tokens
October 2025
vector of OAuth tokens
October 2025
Who am I
Gianluca Varisco
<[email protected]>
Currently:
CEO, Netsec
Former:
●Security & OCISO @ Google Cloud
●CISO @ Arduino
●CISO @ Digital Transformation Team
(Italian Government)
●CISO @ Rocket Internet
●Engineer @ Red Hat
●Engineer @ Lastminute.com Group
Gianluca Varisco
<[email protected]>
Currently:
CEO, Netsec
Former:
●Security & OCISO @ Google Cloud
●CISO @ Arduino
●CISO @ Digital Transformation Team
(Italian Government)
●CISO @ Rocket Internet
●Engineer @ Red Hat
●Engineer @ Lastminute.com Group
“Hackers don’t
break in, they
log in.”
Corey Nachreiner | CSO, WatchGuard
Technologies
break in, they
log in.”
Corey Nachreiner | CSO, WatchGuard
Technologies
Agenda (45 mins)
1.OAuth (2.0) 101
2.The blind spot: Why tokens are a perfect
target
3.Threat Actor TTPs: How gangs like Scattered
Spider and ShinyHunters steal data
4.Actionable defense: Strategies for visibility,
control, and response
5.Q&A
1.OAuth (2.0) 101
2.The blind spot: Why tokens are a perfect
target
3.Threat Actor TTPs: How gangs like Scattered
Spider and ShinyHunters steal data
4.Actionable defense: Strategies for visibility,
control, and response
5.Q&A
OAuth (2.0)
101
101
What is OAuth 2.0?
OAuth (Open
Authorization) is an
authorization framework
used to delegate the user
authentication to third
party applications.
OAuth (Open
Authorization) is an
authorization framework
used to delegate the user
authentication to third
party applications.
How does OAuth 2.0 works
Four roles
●Resource owner
●Client
●Resource server
●Authorization
server
Four roles
●Resource owner
●Client
●Resource server
●Authorization
server
An efficient (and very powerful) architecture
Source: AppOmni
Source: AppOmni
How does OAuth 2.0 works
To generate trust
between the
authorization/resource
server and the client,
you must register your
application first.
Once you register your app in the authorization server, this gives a pair of OAuth keys:
-Client ID
-Client Secret
To generate trust
between the
authorization/resource
server and the client,
you must register your
application first.
Once you register your app in the authorization server, this gives a pair of OAuth keys:
-Client ID
-Client Secret
OAuth 2.0 - Grant Types
Four flows to get an access
token (grant types):
1.Authorization Code
Flow
2.Implicit Flow with Form
Post (e.g. SPAs)
3.Resource Owner
Password Flow
4.Client Credentials Flow
(M2M comms)
Four flows to get an access
token (grant types):
1.Authorization Code
Flow
2.Implicit Flow with Form
Post (e.g. SPAs)
3.Resource Owner
Password Flow
4.Client Credentials Flow
(M2M comms)
OAuth 2.0 vs OpenID Connect (OIDC)
OAuth 2.0 is not an authentication
protocol.
It’s a framework designed to support the
development of authentication and
authorization protocols.
It provides a variety of standardized
message flows based on JSON and HTTP;
OpenID Connect uses these to provide
authentication (it utilizes an additional
token, called the ID token; it also adds
structure to the scopes and claims).
OAuth 2.0 is not an authentication
protocol.
It’s a framework designed to support the
development of authentication and
authorization protocols.
It provides a variety of standardized
message flows based on JSON and HTTP;
OpenID Connect uses these to provide
authentication (it utilizes an additional
token, called the ID token; it also adds
structure to the scopes and claims).
OAuth 2.0 Playground
AuthPlay.io
The blind spot:
Why tokens are
a perfect target
Why tokens are
a perfect target
“OAuth tokens and third-party
integrations have become the backbone of
productivity and connectivity as SaaS
apps become the operating system of
modern business. Yet behind this
convenience, OAuth tokens often
introduce hidden security risks that can
compromise sensitive company data,
expose critical systems, and increase the
risk of data breaches.”
Source: AppOmni
integrations have become the backbone of
productivity and connectivity as SaaS
apps become the operating system of
modern business. Yet behind this
convenience, OAuth tokens often
introduce hidden security risks that can
compromise sensitive company data,
expose critical systems, and increase the
risk of data breaches.”
Source: AppOmni
The security blind spot: Why is this so hard?
You can’t secure what you can’t see.
●Opaqueness: Tokens are often opaque strings. Without introspection, you
don’t know the user, scopes, or expiry.
●Monitoring gap: Traditional tools (FWs, WAFs, etc.) see API calls, but they lack
the context of the token’s identity and permissions. Is this a legitimate script or
an attacker?
●Decentralization: Tokens are issued by one service (e.g. Okta, Google) and
consumed by hundreds of others.
●Hard to contain/restrict: Conditional access or zero-trust network controls
don’t apply cleanly to tokens once issued — they bypass network and device
context.
You can’t secure what you can’t see.
●Opaqueness: Tokens are often opaque strings. Without introspection, you
don’t know the user, scopes, or expiry.
●Monitoring gap: Traditional tools (FWs, WAFs, etc.) see API calls, but they lack
the context of the token’s identity and permissions. Is this a legitimate script or
an attacker?
●Decentralization: Tokens are issued by one service (e.g. Okta, Google) and
consumed by hundreds of others.
●Hard to contain/restrict: Conditional access or zero-trust network controls
don’t apply cleanly to tokens once issued — they bypass network and device
context.
The attacker’s value proposition
●Direct API access: No need to navigate a clunky UI. Attackers can use
scripts for mass data exfiltration (e.g., download all emails, files, or
contacts).
●Persistence: A stolen refresh token can provide access for months or
even years if not detected.
●Stealth: API activity can look like legitimate application traffic, making
it incredibly difficult to detect among millions of legitimate calls.
●Direct API access: No need to navigate a clunky UI. Attackers can use
scripts for mass data exfiltration (e.g., download all emails, files, or
contacts).
●Persistence: A stolen refresh token can provide access for months or
even years if not detected.
●Stealth: API activity can look like legitimate application traffic, making
it incredibly difficult to detect among millions of legitimate calls.
The star of the show: the token lifecycle
●Access Token: Short-lived,
used to access the API. Like a
ticket for one movie.
●Refresh Token: Long-lived,
used to get new access tokens.
Like a subscription pass to the
whole cinema.
●Crucial Point: The refresh
token is the ultimate prize for
an attacker.
Source: Stateful.com
●Access Token: Short-lived,
used to access the API. Like a
ticket for one movie.
●Refresh Token: Long-lived,
used to get new access tokens.
Like a subscription pass to the
whole cinema.
●Crucial Point: The refresh
token is the ultimate prize for
an attacker.
Source: Stateful.com
The hidden risks
lurking in OAuth
workflows
lurking in OAuth
workflows
The hidden risks lurking in OAuth workflows
Token longevity and
forgotten access
Token leakage
Overbroad scopes and
privilege creep
Revocation gaps and
offboarding failure
Supply chain risk:
the domino effect
Token longevity and
forgotten access
Token leakage
Overbroad scopes and
privilege creep
Revocation gaps and
offboarding failure
Supply chain risk:
the domino effect
Examples of attacks
Silent email
takeover
Mass data
exfiltration
Privilege
escalation and
shadow admins
Silent email
takeover
Mass data
exfiltration
Privilege
escalation and
shadow admins
How tokens are stolen - Common vectors
1.Illicit consent grants: Tricking users into authorizing a malicious third-party
OAuth app.
2.Phishing for sessions: Stealing session cookies which can then be used to
access tokens.
3.Token leakage in source code (the biggest leaker): Tokens accidentally
committed to public or private repositories (e.g. GitHub).
4.Malware / Infostealers: Exfiltrating tokens stored insecurely in browser local
storage, config files, or developer environments.
5.Redirect URI hijacking: Exploiting misconfigured applications to intercept
the authorization code.
6.Forged tokens: If an attacker compromises an Identity Provider or its signing
certificate, they can mint new tokens that appear fully valid, effectively
bypassing all token checks.
1.Illicit consent grants: Tricking users into authorizing a malicious third-party
OAuth app.
2.Phishing for sessions: Stealing session cookies which can then be used to
access tokens.
3.Token leakage in source code (the biggest leaker): Tokens accidentally
committed to public or private repositories (e.g. GitHub).
4.Malware / Infostealers: Exfiltrating tokens stored insecurely in browser local
storage, config files, or developer environments.
5.Redirect URI hijacking: Exploiting misconfigured applications to intercept
the authorization code.
6.Forged tokens: If an attacker compromises an Identity Provider or its signing
certificate, they can mint new tokens that appear fully valid, effectively
bypassing all token checks.
UNC6395 stolen OAuth tokens abused for SaaS-to-SaaS
compromise
Source: AppOmni
compromise
Source: AppOmni
Commvault supply‑chain breach
Source: AppOmni
Source: AppOmni
GitHub OAuth consent phishing
GitHub OAuth consent phishing
How 30+ popular Chrome extensions got hacked through a clever
OAuth phish
Source: Cyberhaven
OAuth phish
Source: Cyberhaven
Double-clickjacking: Bypassing browser defenses with two deceptive clicks
Source: Paulos Yibelo
Source: Paulos Yibelo
Threat Actor Spotlight
Scattered Spider
and
ShinyHunters
Scattered Spider
and
ShinyHunters
Scattered Spider (UNC3944)
A financially-motivated threat actor characterized by its persistent use of social engineering and brazen
communications with victims. Known for social engineering, SIM swapping, and identity-focused attacks.
Their goal is initial access and persistence.
Source: Mandiant
A financially-motivated threat actor characterized by its persistent use of social engineering and brazen
communications with victims. Known for social engineering, SIM swapping, and identity-focused attacks.
Their goal is initial access and persistence.
Source: Mandiant
ShinyHunters (UNC6040 and UNC6240)
A prominent cybercriminal group, also linked to Scattered Spider, specializing in
large-scale data breaches and the exfiltration of sensitive data for financial gain.
The UNC6395 campaign resulted in the largest SaaS compromise in history, affecting
over 700 organizations. Using the stolen tokens, ShinyHunters exfiltrated approximately
1.5 billion data records from 760 companies, including major tech firms like Cloudflare,
Zscaler, and Palo Alto Networks.
Attack Vector #1:
Social Engineering
Attack Vector #2:
Stolen 3rd-party
Tokens
Record-Breaking
Impact
A prominent cybercriminal group, also linked to Scattered Spider, specializing in
large-scale data breaches and the exfiltration of sensitive data for financial gain.
The UNC6395 campaign resulted in the largest SaaS compromise in history, affecting
over 700 organizations. Using the stolen tokens, ShinyHunters exfiltrated approximately
1.5 billion data records from 760 companies, including major tech firms like Cloudflare,
Zscaler, and Palo Alto Networks.
Attack Vector #1:
Social Engineering
Attack Vector #2:
Stolen 3rd-party
Tokens
Record-Breaking
Impact
UNC6240 Salesforce vishing (voice phishing) campaign
UNC6240 Salesforce vishing campaign
Source: Cloudprotection
Source: Cloudprotection
UNC6240 Salesforce vishing campaign
Source: Cloudprotection
Source: Cloudprotection
UNC6240 Salesforce vishing campaign
Source: Cloudprotection
Source: Cloudprotection
UNC6240 Salesforce vishing campaign
Source: Cloudprotection
Source: Cloudprotection
Case Study: The 2025 Salesforce Attack (08/2025)
What would this attack have looked like in the logs?
●Massive API query volume from a
single token.
●Access to endpoints or data
unusual for the associated
user/application.
●Anomalous refresh token usage
(e.g., from a new/suspicious IP
address, ASN, or User-Agent).
●Rapid succession of token
issuances.
Identity Provider Logs
(e.g. Azure AD, Okta)
API / Application Logs
(e.g. Salesforce Event Monitoring)
What would this attack have looked like in the logs?
●Massive API query volume from a
single token.
●Access to endpoints or data
unusual for the associated
user/application.
●Anomalous refresh token usage
(e.g., from a new/suspicious IP
address, ASN, or User-Agent).
●Rapid succession of token
issuances.
Identity Provider Logs
(e.g. Azure AD, Okta)
API / Application Logs
(e.g. Salesforce Event Monitoring)
Salesloft Drift breach - August 2025
How a simple social engineering attack led to a
catastrophic data breach. It unfolded in several layers:
Initial
compromise of
Drift OAuth
tokens
Mass querying of
Salesforce objects
(Account, Case,
User, Opportunity)
Harvesting of
embedded
secrets (AWS
keys, Snowflake
tokens, VPN
URLs)
Lateral expansion
into Drift Email →
Google
Workspace
accounts.
How a simple social engineering attack led to a
catastrophic data breach. It unfolded in several layers:
Initial
compromise of
Drift OAuth
tokens
Mass querying of
Salesforce objects
(Account, Case,
User, Opportunity)
Harvesting of
embedded
secrets (AWS
keys, Snowflake
tokens, VPN
URLs)
Lateral expansion
into Drift Email →
Workspace
accounts.
Salesloft Drift breach - Attack Flow
1.Compromise trusted
third‑party (Drift) and harvest
OAuth tokens.
2.Authenticate to Salesforce via
valid tokens; enumerate and
bulk‑query core objects.
3.Mine embedded secrets from
exports; operationalize
access to cloud/data
platforms.
4.Pivot via Drift Email into
scoped Google Workspace
accounts; expand blast radius.
Source: SlashID
1.Compromise trusted
third‑party (Drift) and harvest
OAuth tokens.
2.Authenticate to Salesforce via
valid tokens; enumerate and
bulk‑query core objects.
3.Mine embedded secrets from
exports; operationalize
access to cloud/data
platforms.
4.Pivot via Drift Email into
scoped Google Workspace
accounts; expand blast radius.
Source: SlashID
Salesloft Drift breach - Timeline
Initial
compromise of
Salesloft GitHub
repo
Earliest Drift
Token Abuse
Last confirmed
data theft
activity
GTIG publishes
analysis
March - June August 8 August 18 August 26
Source: SlashID
Initial
compromise of
Salesloft GitHub
repo
Earliest Drift
Token Abuse
Last confirmed
data theft
activity
GTIG publishes
analysis
March - June August 8 August 18 August 26
Source: SlashID
Salesloft Drift breach - App scopes
Source: SlashID
Source: SlashID
Salesloft Drift breach - Initial access
Mandiant’s investigation has since clarified that between March
and June 2025, the threat actor accessed Salesloft’s GitHub
account, where they downloaded repositories, added a guest
user, and established workflows.
This activity led to Drift’s AWS environment being accessed,
which ultimately gave the attackers OAuth tokens for Drift
customers’ integrations. So, this was how the Drift OAuth tokens
were compromised.
Source: SlashID
Mandiant’s investigation has since clarified that between March
and June 2025, the threat actor accessed Salesloft’s GitHub
account, where they downloaded repositories, added a guest
user, and established workflows.
This activity led to Drift’s AWS environment being accessed,
which ultimately gave the attackers OAuth tokens for Drift
customers’ integrations. So, this was how the Drift OAuth tokens
were compromised.
Source: SlashID
Salesloft Drift breach - Salesforce access & data harvesting
Attackers then started to perform recon in the environment. Based
on Cloudflare’s public write-up, we know that attackers would
perform the following actions:
Source: SlashID, Mandiant, Cloudflare
Send a GET request for a list of
objects in the Salesforce tenant:
/services/data/v58.0/sobjects/
Send a GET request for metadata
information for case objects in the
Salesforce tenant:
/services/data/v58.0/sobjects/Case/d
escribe/
Attackers then started to perform recon in the environment. Based
on Cloudflare’s public write-up, we know that attackers would
perform the following actions:
Source: SlashID, Mandiant, Cloudflare
Send a GET request for a list of
objects in the Salesforce tenant:
/services/data/v58.0/sobjects/
Send a GET request for metadata
information for case objects in the
Salesforce tenant:
/services/data/v58.0/sobjects/Case/d
escribe/
Salesloft Drift breach - Salesforce access & data harvesting
Source: SlashID, Mandiant
SELECT COUNT() FROM Account;
SELECT COUNT() FROM Opportunity;
SELECT COUNT() FROM User;
SELECT COUNT() FROM Case;
A series of systematic SOQL queries
SELECT Id, Username, Email, FirstName, LastName,
Name, Title, CompanyName, Department, Division,
Phone, MobilePhone, IsActive, LastLoginDate,
CreatedDate, LastModifiedDate, TimeZoneSidKey,
LocaleSidKey, LanguageLocaleKey,
EmailEncodingKey FROM User WHERE IsActive = true
ORDER BY LastLoginDate DESC NULLS LAST LIMIT
20;
They pulled full User tables, complete with emails,
names, phone numbers, and login timestamps
Source: SlashID, Mandiant
SELECT COUNT() FROM Account;
SELECT COUNT() FROM Opportunity;
SELECT COUNT() FROM User;
SELECT COUNT() FROM Case;
A series of systematic SOQL queries
SELECT Id, Username, Email, FirstName, LastName,
Name, Title, CompanyName, Department, Division,
Phone, MobilePhone, IsActive, LastLoginDate,
CreatedDate, LastModifiedDate, TimeZoneSidKey,
LocaleSidKey, LanguageLocaleKey,
EmailEncodingKey FROM User WHERE IsActive = true
ORDER BY LastLoginDate DESC NULLS LAST LIMIT
20;
They pulled full User tables, complete with emails,
names, phone numbers, and login timestamps
Salesloft Drift breach - Secret mining & covering tricks
After exfiltrating the bulk Salesforce data, they hunted for secrets, tokens, etc. to
extend their compromise beyond Salesforce. Likely techniques:
Common patterns:
Source: SlashID, Mandiant
Regex scrapers for known
credential formats.
TruffleHog / Gitleaks‑style scans for
entropy‑heavy strings, AWS patterns, API
key regexes.
AKIA[0-9A-Z]{16} # AWS Access Key
snowflakecomputing\.com # Snowflake domain references
(password|secret|key)\s*[:=] # Generic key-value credential markers
After exfiltrating the bulk Salesforce data, they hunted for secrets, tokens, etc. to
extend their compromise beyond Salesforce. Likely techniques:
Common patterns:
Source: SlashID, Mandiant
Regex scrapers for known
credential formats.
TruffleHog / Gitleaks‑style scans for
entropy‑heavy strings, AWS patterns, API
key regexes.
AKIA[0-9A-Z]{16} # AWS Access Key
snowflakecomputing\.com # Snowflake domain references
(password|secret|key)\s*[:=] # Generic key-value credential markers
Salesloft Drift breach - Drift Email -> Google Workspace
UNC6395 didn’t stop at Salesforce. They realized that OAuth trust
relationships through Drift could extend into other ecosystems — and
the Drift Email integration was the next pivot.
●Aug 9, 2025: Using compromised Drift OAuth tokens tied to
Drift Email, attackers gained scoped access to a subset of
Google Workspace accounts integrated with Drift (not
domain‑wide; only explicitly connected accounts).
●Aug 28, 2025: Google revoked affected OAuth tokens and
disabled the Drift Email integration, cutting off this pivot.
Source: SlashID, Mandiant
UNC6395 didn’t stop at Salesforce. They realized that OAuth trust
relationships through Drift could extend into other ecosystems — and
the Drift Email integration was the next pivot.
●Aug 9, 2025: Using compromised Drift OAuth tokens tied to
Drift Email, attackers gained scoped access to a subset of
Google Workspace accounts integrated with Drift (not
domain‑wide; only explicitly connected accounts).
●Aug 28, 2025: Google revoked affected OAuth tokens and
disabled the Drift Email integration, cutting off this pivot.
Source: SlashID, Mandiant
Salesloft Drift breach - Covering tracks, but..
●Deleting jobs: Attackers deleted
query jobs after exfiltration to
make it harder for incident
responders to quickly see “large
export jobs” or unusual query
activity.
●Leaving footprints: Even though
the job objects were removed, the
underlying event logs
persisted.Salesforce logs record
the fact that queries were run,
including timestamps, User-Agent
strings, and IP addresses.
Source: SlashID
●Deleting jobs: Attackers deleted
query jobs after exfiltration to
make it harder for incident
responders to quickly see “large
export jobs” or unusual query
activity.
●Leaving footprints: Even though
the job objects were removed, the
underlying event logs
persisted.Salesforce logs record
the fact that queries were run,
including timestamps, User-Agent
strings, and IP addresses.
Source: SlashID
Actionable
Strategies for
visibility, control,
and response
Strategies for
visibility, control,
and response
Pillar 1 - Gaining visibility
Audit OAuth Apps Centralize logs Detection rules
Regularly review all
third-party apps in your
env. What permissions
do they have? Are they
verified? Remove
unused or
over-privileged apps.
Ingest logs from your
IdP, cloud providers,
and key SaaS
applications into your
SIEM.
Build alerts for the IoCs
discussed earlier
Audit OAuth Apps Centralize logs Detection rules
Regularly review all
third-party apps in your
env. What permissions
do they have? Are they
verified? Remove
unused or
over-privileged apps.
Ingest logs from your
IdP, cloud providers,
and key SaaS
applications into your
SIEM.
Build alerts for the IoCs
discussed earlier
Pillar 1 - Deception: early, high-fidelity visibility
What Where Detect
Plant believable, fake OAuth
artifacts that look real but
are never used by
production (canary tokens,
fake redirect URIs, dummy
client secrets, decoy config
files).
Public/private repos,
CI/CD logs, artifact
registries, developer VMs,
partner app listings.
Build alerts for the IoCs
discussed earlier
What Where Detect
Plant believable, fake OAuth
artifacts that look real but
are never used by
production (canary tokens,
fake redirect URIs, dummy
client secrets, decoy config
files).
Public/private repos,
CI/CD logs, artifact
registries, developer VMs,
partner app listings.
Build alerts for the IoCs
discussed earlier
Canarytokens.org
Pillar 1 - Deception: early, high-fidelity visibility
Detection signals Automation playbook Example alert flow
Auth header use of canary
token; callback /
authorization code
exchange to honey redirect;
introspection or mint
attempts; git/blob access.
Send high-priority to
SIEM/SOAR with artifact
context; revoke client/rotate
secrets, block IPs, isolate
hosts, snapshot for
forensics; run attack path
graph, rotate downstream
credentials, notify affected
teams
Canary token used in
Authorization header → SIEM
alert → automation fetches
repo commit metadata →
auto-revoke OAuth client +
block source IP → create
incident ticket with owner
and snapshot.
Detection signals Automation playbook Example alert flow
Auth header use of canary
token; callback /
authorization code
exchange to honey redirect;
introspection or mint
attempts; git/blob access.
Send high-priority to
SIEM/SOAR with artifact
context; revoke client/rotate
secrets, block IPs, isolate
hosts, snapshot for
forensics; run attack path
graph, rotate downstream
credentials, notify affected
teams
Canary token used in
Authorization header → SIEM
alert → automation fetches
repo commit metadata →
auto-revoke OAuth client +
block source IP → create
incident ticket with owner
and snapshot.
Pillar 2 - Proactive controls
●Principle of Least Privilege: Enforce strict scopes. If an
app only needs to read user profiles, don't grant it
Mail.ReadWrite.All.
●Token Configuration:
○Use short-lived access tokens (e.g., 1 hour).
○Enforce refresh token rotation and set sensible
expiration policies.
●Principle of Least Privilege: Enforce strict scopes. If an
app only needs to read user profiles, don't grant it
Mail.ReadWrite.All.
●Token Configuration:
○Use short-lived access tokens (e.g., 1 hour).
○Enforce refresh token rotation and set sensible
expiration policies.
Pillar 2 - Proactive controls
●Conditional Access: Bind token issuance to device state,
location, and risk signals. A token should not be issued to
an unmanaged device in a risky location.
●Attack Path Graph: Visualize how a seemingly
low-privilege or benign token can lead to privilege
escalation, mapping the chain from a basic token to a
high-value or admin token.
●Conditional Access: Bind token issuance to device state,
location, and risk signals. A token should not be issued to
an unmanaged device in a risky location.
●Attack Path Graph: Visualize how a seemingly
low-privilege or benign token can lead to privilege
escalation, mapping the chain from a basic token to a
high-value or admin token.
Conditional Access - Token protection
Source: Microsoft
Source: Microsoft
Microsoft’s Linkable token identifiers (now GA!)
Source: Microsoft
Source: Microsoft
Microsoft’s Linkable token identifiers - Flow diagram
Source: Microsoft
Source: Microsoft
How they are implemented using a Session ID across the logs.
Source: Microsoft
Source: Microsoft
How they are implemented using a Session ID across the logs.
Source: Microsoft
Source: Microsoft
Pillar 2 - Proactive controls - Okta’s response
Source: Okta
Source: Okta
Pillar 2 - Proactive controls - Okta’s response
Source: Okta
Source: Okta
Pillar 2 - Proactive controls - mTLS
Pillar 2 - Proactive controls - DPoP
Pillar 2 - Reducing the blast radius - IPSIE
Two of the fundamental controls that are part of the IPSIE framework are particularly relevant to the
Salesloft Drift incident:
●Shared signals: This allows for real-time communication of security events between
applications. For example, if a user's account is compromised in one application, that
information can be instantly shared with all other connected applications, which can then take
action to protect the user's data.
●Token revocation: This provides a standardized way to revoke access tokens. In the case of the
Salesloft Drift incident, if a token was known to be compromised, it could be instantly revoked
across all integrated applications, severing the attacker's access.
Two of the fundamental controls that are part of the IPSIE framework are particularly relevant to the
Salesloft Drift incident:
●Shared signals: This allows for real-time communication of security events between
applications. For example, if a user's account is compromised in one application, that
information can be instantly shared with all other connected applications, which can then take
action to protect the user's data.
●Token revocation: This provides a standardized way to revoke access tokens. In the case of the
Salesloft Drift incident, if a token was known to be compromised, it could be instantly revoked
across all integrated applications, severing the attacker's access.
Pillar 2 - Reducing the blast radius - CAEP
Advanced: Continuous Access Evaluation Protocol (CAEP)
●CAEP is a IETF standard developed to enable continuous evaluation of
user access in identity and access management (IAM) systems.
●It ensures that access decisions are updated in real time based on
changing risk signals, such as user location, device status, or security
context. CAEP enables real-time access checks that adapt to potential
threats as they emerge, which dramatically reduces an organization’s
risk exposure.
●CAEP plays a critical role in supporting Zero Trust principles by
continuously reassessing a user’s access rights within a dynamic
security framework.
Advanced: Continuous Access Evaluation Protocol (CAEP)
●CAEP is a IETF standard developed to enable continuous evaluation of
user access in identity and access management (IAM) systems.
●It ensures that access decisions are updated in real time based on
changing risk signals, such as user location, device status, or security
context. CAEP enables real-time access checks that adapt to potential
threats as they emerge, which dramatically reduces an organization’s
risk exposure.
●CAEP plays a critical role in supporting Zero Trust principles by
continuously reassessing a user’s access rights within a dynamic
security framework.
Pillar 2 - Reducing the blast radius - Token Binding
Advanced: Token Binding
●Token binding is a technique where tokens are tied to specific client
attributes or communication sessions. This prevents tokens from being
used in contexts where they weren’t originally issued.
●For example, tokens could be bound to a particular client instance (e.g.,
a specific device or IP address). If the token is replayed by a different
device or client, the authorization server can recognize this
inconsistency and reject the request.
Advanced: Token Binding
●Token binding is a technique where tokens are tied to specific client
attributes or communication sessions. This prevents tokens from being
used in contexts where they weren’t originally issued.
●For example, tokens could be bound to a particular client instance (e.g.,
a specific device or IP address). If the token is replayed by a different
device or client, the authorization server can recognize this
inconsistency and reject the request.
Pillar 3 - Incident response playbook
When the alarm rings…
●Step 1: Revoke! Immediately revoke the refresh token in the
IdP. This invalidates all downstream access tokens.
●Step 2: Terminate Sessions: Force a global sign-out for the
affected user.
●Step 3: Investigate: Analyze logs to determine the scope of the
token's access. What APIs were called? What data was
accessed?
●Step 4: Remediate: Address the root cause (e.g., remove the
malicious OAuth app, patch the vulnerable client).
When the alarm rings…
●Step 1: Revoke! Immediately revoke the refresh token in the
IdP. This invalidates all downstream access tokens.
●Step 2: Terminate Sessions: Force a global sign-out for the
affected user.
●Step 3: Investigate: Analyze logs to determine the scope of the
token's access. What APIs were called? What data was
accessed?
●Step 4: Remediate: Address the root cause (e.g., remove the
malicious OAuth app, patch the vulnerable client).
Key takeaways
●Treat OAuth Tokens as crown jewels: They are powerful,
persistent credentials.
●Attackers are targeting them: They actively bypass MFA
and live off the land using stolen tokens.
●Defense requires a new mindset: Shift from perimeter
defense to identity-centric monitoring.
●Start now: Audit your applications, tighten your token
policies, and build your detection rules today.
●Treat OAuth Tokens as crown jewels: They are powerful,
persistent credentials.
●Attackers are targeting them: They actively bypass MFA
and live off the land using stolen tokens.
●Defense requires a new mindset: Shift from perimeter
defense to identity-centric monitoring.
●Start now: Audit your applications, tighten your token
policies, and build your detection rules today.
PortSwigger - Web Security Academy (Free!)
Credits
●Auth0 / Okta
●AppOmni
●SlashID
●Google Threat Intelligence / Mandiant
●WithSecure
●Auth0 / Okta
●AppOmni
●SlashID
●Google Threat Intelligence / Mandiant
●WithSecure
/in/gvarisco
Thank You! Questions?
Thank You! Questions?
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 0
- Slides 71
- Favorites 1
- Age 47 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
45 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
45 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
36 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
33 views
21
Know for Certain
DaveSinNM
20 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
24 views