Oauth
The OAuth Pivot: How SaaS-to-SaaS Trust Became the 2026 Supply Chain Attack
Salesloft Drift industrialized it. UNC6040 weaponized vishing into it. Vercel and Context.ai proved it pivots through Google Workspace. The pattern is the same: a third-party SaaS gets popped, the attacker inherits its OAuth grants, and your password reset does absolutely nothing.
Vercel Breach: Context.ai OAuth Pivot Exposes Customer Environment Variables
A Lumma Stealer infection at Context.ai gave attackers an OAuth path into a Vercel employee's Google Workspace, then into customer environment variables. ShinyHunters is now selling the data for $2M.
ShinyHunters Dumps 3M Cisco Salesforce Records as UNC6040 Vishing Campaign Expands
ShinyHunters leaks 3M+ Cisco Salesforce CRM records tied to the UNC6040 vishing/OAuth-abuse campaign, exposing federal procurement data, AWS resource references, and GitHub repo names.
APT28's FrostArmada Hijacked 18,000 SOHO Routers to Steal Microsoft 365 Credentials — FBI Disrupts Operation
Russia-linked APT28 compromised 18,000 MikroTik and TP-Link routers across 120 countries to hijack DNS and steal Microsoft 365 OAuth tokens. FBI disrupts the operation.
Device Code Phishing Attacks Surge 37x as EvilTokens PhaaS Fuels OAuth Abuse Against Microsoft 365
Device code phishing attacks exploiting the OAuth 2.0 Device Authorization Grant have surged 37x in 2026, driven by turnkey PhaaS kits like EvilTokens that bypass MFA and compromise enterprise M365 tenants.