BSides Cape Town 2025

No endpoints were harmed in the making of this talk
2025-12-06, Track 3

Scattered Spider kids figured it out. The bears and pandas figured it out. Your red team still dropping Cobalt Strike like it’s 2015?

Modern attackers aren't wasting time on your hardened endpoints anymore - they're walking straight into your cloud. Not AWS, the other cloud: the thousand SaaS apps your company married, divorced, but somehow still pays for.

Hold my beer as we speedrun the entire kill chain - initial access, persistence, lateral movement - across your favorite SaaS platforms. No zero-days. No malware. No "please disable your AV for this demo." No alerts. No logs.

Bring popcorn. Bring questions. Maybe bring your pearls, so you can clutch them.
The traditional kill chain - compromise an endpoint to get a foothold, use it to reach the internal network, then pivot through AD to get DA - is well trodden. It is also becoming less relevant in the real world, because the critical data in most orgs is moving off the internal network and onto cloud services.

We'll work through initial access attacks like consent phishing (incl. device code phishing), Attacker-in-the-Middle phishing using readily available tools like evilginx, and how you can turn a real Okta tenant into an undetectable phishing payload. Next, persistence techniques using OAuth and the new version of LOLBins, LOTS (Living off Trusted Sites), as well as cross-IdP impersonation and ghost logins. Then we'll look at how you can leverage admin on a "no one cares", zero-risk SaaS app to achieve total org compromise using SAMLjacking and inbound federation.

The talk will be pretty demo-heavy, and will leave folks with some resources and links to tools that they can use to try these attacks in their own orgs.

I have hacked some things, written some things and built some things. Google if interested.