BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.troopers.de//tr26-cfp//speaker//UDN83T
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-tr26-cfp-XAZWFC@cfp.troopers.de
DTSTART;TZID=CET:20260624T164500
DTEND;TZID=CET:20260624T174500
DESCRIPTION:What began as a simple search for an OAuth application named 
 “0365” quickly uncovered a broader threat: three distinct malicious OA
 uth application campaigns abusing the relationship between Azure applicati
 ons and service principals. Using a pivoting methodology and detection mod
 el\, we expanded beyond known indicators to map the full scope of these ca
 mpaigns\, identifying activity across more than 20 organizations.\nThe tal
 k opens by outlining the OAuth application attack surface in Azure AD (Ent
 ra ID)\, explaining how attackers abuse consent flows\, permissions\, and 
 application registrations\, and why traditional security controls often fa
 il to detect this activity. We then introduce our “Next Campaign Finder\
 ,” a structured detection approach built on four components: establishin
 g baselines of legitimate OAuth applications\, identifying recurring malic
 ious traits\, correlating metadata such as ownership\, naming conventions\
 , and reply URLs across tenants\, and applying a weighted scoring model to
  prioritize high-risk applications.\nUsing this model\, we reveal a malici
 ous OAuth campaign impersonating trusted services such as Adobe and DocuSi
 gn\, highlighting its defining characteristics. We then compare this activ
 ity with an earlier OAuth campaign discovered by the model dating back to 
 2019 and examine how attackers' tradecraft has evolved over time.\nA key f
 ocus of the talk is practical pivoting. We demonstrate how defenders can e
 xpand from a single known malicious app to a broader set of indicators. Al
 l techniques are presented in a way that allows any attendee to implement 
 them directly in their own environment using standard identity and audit l
 ogs\, without relying on vendor-exclusive telemetry.\nWe conclude with act
 ionable defensive guidance\, including detection strategies and mitigation
 s enterprise defenders can apply today\, lessons learned from the research
  process\, and our perspective on how OAuth-based attacks are likely to ev
 olve.
DTSTAMP:20260510T025815Z
LOCATION:Track 2
SUMMARY:Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns - S
 apir Federovsky\, Shahar Dorfman
URL:https://cfp.troopers.de/tr26-cfp/talk/XAZWFC/
END:VEVENT
END:VCALENDAR