Device Code, OAuth, PhaaS:
How Session Token Theft is Breaking the Phishing Playbook
Your user clicked a link, landed on a real Microsoft login page, typed their password, completed MFA, and walked away thinking nothing happened. Somewhere across the internet, an attacker's device just received an authenticated session token. The password is irrelevant. The MFA prompt already fired and passed. With phishing-as-a-service (PhaaS) platforms now converging on token-theft tradecraft and post-compromise automation executing in seconds, defenders are racing a scripted attacker with a manual playbook.
Join hosts Brandon and John as they discuss:
- How device code phishing uses real authentication infrastructure to capture valid session tokens
- How one campaign hit 35,000+ users across 13,000+ organizations in 26 countries
- Why rogue device registrations complete before the average analyst reads the alert
Two questions your organization should be asking right now:
- Has your Conditional Access (CA) policy been reviewed specifically for device code grant flows? The question is not whether CA policies exist, but whether they cover the OAuth flows that session-token theft actually exploits.
- When a phishing confirmation fires, how many manual steps stand between that alert and full token revocation with rogue device deregistration, and is that response faster than the attacker's automation?
Resources: https://linktr.ee/ReliaQuestShadowTalk
Brandon Tirado: Director of GreyMatter Operations for ReliaQuest. A skilled cyber defense professional with a unique combination of management and hands-on experience. With a deep understanding of adversary motives and the tactics, techniques, and procedures (TTPs) they use to achieve their goals, Brandon enjoys operationalizing his knowledge to make it more difficult for adversaries to operate within the environments of ReliaQuest customers. His managerial and hands-on experience enriches ShadowTalk with practical and strategic viewpoints.
John Dilgen: Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.
