BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//fwd-cloudsec-2026//talk//3QC3VV
BEGIN:VTIMEZONE
TZID:PST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T100000Z
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T110000Z
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-fwd-cloudsec-2026-3QC3VV@pretalx.com
DTSTART;TZID=PST:20260602T100000
DTEND;TZID=PST:20260602T102000
DESCRIPTION:What began as a simple search for an OAuth application named 
 “0365” quickly uncovered a broader threat: three distinct malicious OA
 uth application campaigns abusing the relationship between Azure applicati
 ons and service principals. Using a pivoting methodology and detection mod
 el\, we expanded beyond known indicators to map the full scope of these ca
 mpaigns\, identifying activity across more than 20 organizations.\nThe tal
 k opens by outlining the OAuth application attack surface in Azure AD (Ent
 ra ID)\, explaining how attackers abuse consent flows\, permissions\, and 
 application registrations\, and why traditional security controls often fa
 il to detect this activity. We then introduce our “Next Campaign Finder\
 ,” a structured detection approach built on four components: establishin
 g baselines of legitimate OAuth applications\, identifying recurring malic
 ious traits\, correlating metadata such as ownership\, naming conventions\
 , and reply URLs across tenants\, and applying a weighted scoring model to
  prioritize high-risk applications.\nUsing this model\, we reveal a malici
 ous OAuth campaign impersonating trusted services such as Adobe and DocuSi
 gn\, highlighting its defining characteristics. We then compare this activ
 ity with an earlier OAuth campaign discovered by the model dating back to 
 2019 and examine how attackers' tradecraft has evolved over time.\nA key f
 ocus of the talk is practical pivoting. We demonstrate how defenders can e
 xpand from a single known malicious app to a broader set of indicators. Al
 l techniques are presented in a way that allows any attendee to implement 
 them directly in their own environment using standard identity and audit l
 ogs\, without relying on vendor-exclusive telemetry.\nWe conclude with act
 ionable defensive guidance\, including detection strategies and mitigation
 s enterprise defenders can apply today\, lessons learned from the research
  process\, and our perspective on how OAuth-based attacks are likely to ev
 olve.
DTSTAMP:20260502T124500Z
LOCATION:Room 1
SUMMARY:Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns - S
 hahar Dorfman\, Sapir Federovsky
URL:https://pretalx.com/fwd-cloudsec-2026/talk/3QC3VV/
END:VEVENT
END:VCALENDAR