Weekly Security Roundup: Token Replay, DevSecOps, Trust Boundaries

by TechHub

This week's security thread ranged from incident-response lessons (token replay, device-code phishing, router-based AiTM) to the quieter work of hardening identity, CI/CD, and data platforms. The common pattern is reducing ambient privilege, tightening trust boundaries, and improving automation so teams can respond faster without adding long-lived secrets or brittle owner-based dependencies. It extends last week's identity-first framing: tactics shift, but control points stay consistent (phishing-resistant auth, tighter Conditional Access, shorter-lived tokens, and strong revocation/runbooks).

Identity- and token-centric attacks: AiTM, device-code phishing, and the edge as the new MITM

Storm-2755's “payroll pirate” activity shows session theft beating password theft. DART describes adversary-in-the-middle phishing that proxies Microsoft 365 sign-in, captures session cookies/OAuth tokens, and replays them to bypass MFA that is not phishing-resistant. It continues last week's AiTM thread: tokens often matter more than passwords, and detections frequently come from sign-in telemetry. Hunting signals include an Entra sign-in interrupt error 50199 right before a successful sign-in, plus a user-agent shift to Axios (often axios/1.7.9) while the session ID stays consistent, which can indicate replay. The response playbook is clear: revoke sessions/tokens, remove malicious Exchange inbox rules hiding HR/payroll messages, then harden with FIDO2/WebAuthn, stricter Conditional Access (device compliance, session controls), and Continuous Access Evaluation (CAE) to reduce replay windows. Microsoft Defender also covered an AI-assisted OAuth device code phishing campaign that generates device codes on demand only after a victim clicks, which preserves the 15-minute validity window and improves success rates. It reinforces last week's point that automation can raise the tempo of older attack flows. The detection anatomy includes tenant recon via GetCredentialType, multi-hop redirects using compromised domains and serverless infrastructure (Vercel, Cloudflare Workers, AWS Lambda), and a backend that requests device codes live then polls every 3-5 seconds. Post-compromise behavior (device registration for longer-lived access, Graph recon, inbox-rule persistence) ties to mitigation: block device-code flow where unnecessary via Conditional Access “block authentication flows,” enforce Entra ID Protection risk policies, and use Graph session revocation to invalidate stolen refresh tokens. Forest Blizzard / Storm-2754 broadens the AiTM story with SOHO router compromises where DNS hijacking becomes the MITM stepping stone. The identity outcome is the same (token/session abuse) but achieved by shifting interception to edge devices enterprises often do not monitor closely. By altering router DHCP/DNS settings (likely via dnsmasq), the actor can proxy most DNS traffic and selectively spoof responses for target domains. In higher-priority cases, victims are redirected to infrastructure with invalid TLS certificates. If users click through, sessions can be intercepted. Defenses focus on limiting blast radius: enforce trusted DNS resolution on endpoints (Windows Zero Trust DNS), enable Defender for Endpoint web/network protection, tighten Conditional Access and CAE, and hunt for downstream Entra/M365 anomalies rather than expecting to detect the router compromise directly.

DevSecOps and supply chain workflow updates: prioritize what’s deployed, reduce secrets, and streamline fixes

GitHub's updates continued to move security closer to developer workflows while adding automation and governance for platform teams. It continues last week's shift from “turn it on” to “operate it well,” with better triage signals, better reporting, and less reliance on long-lived secrets. GitHub Advanced Security can now ingest Dynatrace runtime context to prioritize code scanning and Dependabot alerts based on what is actually deployed and observed at runtime. Instead of treating all alerts equally, teams can filter to findings affecting production artifacts that are internet-exposed or touch sensitive data (for example, has:deployment AND runtime-risk:internet-exposed). This aligns with last week's theme of making security signals match delivery reality so teams spend less time on noise. GitHub code scanning now supports batch-applying multiple fix suggestions in a PR from the “Files changed” tab. The benefit is fewer commits and fewer repeated scans: apply multiple low-risk fixes together, commit once, and validate with one scanning run. It complements last week's faster PR feedback focus by reducing fix-step friction, not only detection friction. Secret Scanning's REST/webhook updates improve scale operations and auditability, building on last week's detector/push-protection expansion. exclude_secret_types on list endpoints makes scripts more resilient as new secret types appear. Location payloads add html_url to reduce extra API calls for dashboards/tickets. Delegated workflows gained clearer lifecycle visibility (expiration windows, confirmation emails) plus closure fields (closure_request_comment, reviewer metadata) so external systems can track why alerts were dismissed and who approved it. npm Trusted Publishing also added CircleCI as an OIDC provider, extending tokenless publishing beyond GitHub Actions and GitLab CI/CD. After last week's supply-chain push toward short-lived workload identity, this makes it easier for CircleCI pipelines to publish without stored npm tokens through npm trust.

Platform identity, data governance, and agent runtime controls: shrinking blast radius across Azure, Fabric, and agent stacks

Several posts converged on a practical point: shared identities and default execution contexts create hidden coupling, and over-sharing can turn a normal incident into cross-environment impact. This matches last week's “guardrails on default paths” theme. Put controls at natural choke points (identity issuance, admission, label APIs) so protections still hold when workflows drift. In Azure, guidance on User Assigned Managed Identities (UAMI) calls out a common enterprise anti-pattern: reusing one UAMI across DEV/UAT/PROD and across compute types (Functions, App Service, VMs, AKS). Since any attached workload can use IMDS to get Entra tokens for that UAMI, a lower-environment compromise can become lateral access into production if RBAC is broad (especially at subscription scope). The recommendation is straightforward: separate UAMIs per environment, scope RBAC to resource group/resource, and prefer narrow data-plane roles (Key Vault Secrets User, Storage Blob Data Reader) over broad management roles. Fabric shipped two identity/encryption-related previews that target similar coupling. Last week's Fabric governance work emphasized operability (labels in REST APIs, CMK options, recovery). This week reduces owner-dependency and improves enterprise transport security. Associated identities for items lets Lakehouse and certain Eventstream items run under a specified identity (user, service principal, or managed identity) rather than the creator/owner. That avoids breakage when owners leave or credentials expire and aligns with CI/CD through Fabric REST APIs (.../identities/default/assign?beta=true, plus include=defaultIdentity in GET). Fabric Eventstream Kafka connectors also gained custom CA chains and mTLS support, with certs stored in Azure Key Vault and fetched at runtime. For private deployments, that implies a concrete prerequisite: if you are using Eventstream VNet injection, you may need a Key Vault private endpoint to keep cert retrieval off public paths. At the AI runtime layer, the open-source Agent Governance Toolkit v3.0.0 (Public Preview) outlines how to run autonomous agents with policy, identity, isolation, and SRE guardrails. It follows last week's agent governance framing by shifting from “agents are risky” to “here is how to enforce boundaries and kill switches.” The core risk is that agents can behave like “root” when calling tools/APIs, and the toolkit maps that to controls. Agent OS acts as a stateless pre-execution policy interceptor (YAML/OPA Rego/Cedar), classifies intent (for example, DESTRUCTIVE_DATA, DATA_EXFILTRATION), and supports enforcement modes (block, require approval, downgrade trust). Agent Mesh adds cryptographic identity/inter-agent trust using DIDs, Ed25519 signing, and delegation chains that only allow scope narrowing. Agent Hypervisor adds privilege-ring-style isolation tied to trust scores (Ring 0-3) with resource limits and saga orchestration for compensating actions. Agent SRE adds SLOs/error budgets, circuit breakers, chaos templates, and observability via OpenTelemetry/Prometheus and incident tooling. The result is a blueprint for running agents in Kubernetes/Azure without treating every tool call as implicitly allowed.

Other Security News

Ransomware activity reinforced how little time can exist between disclosure and exploitation for web-facing systems. Storm-1175's Medusa intrusions show fast-moving playbooks exploiting newly disclosed edge vulnerabilities (Exchange, Ivanti, ScreenConnect, TeamCity, GoAnywhere MFT, and others), then moving quickly into credential theft (LSASS dumping, Mimikatz), lateral movement (PsExec/Impacket/RDP), and exfiltration (Rclone) before encryption. The operational implication is straightforward: asset inventory, patch pipelines, and hardening controls like Defender tamper protection/ASR rules and WAF/reverse proxy placement are ongoing engineering work. It also echoes last week's “default paths” theme: internet-facing management and file-transfer planes are predictable entry points, so inventory and patch SLAs function as guardrails.