Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns
Shahar Dorfman, Sapir Federovsky
fwd:cloudsec North America 2026 · Day 1
In an era where identity is the new perimeter, the security of applications and their interactions within cloud environments is paramount. This talk, "Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns," by Shahar Dorfman and Sapir Federovsky of Wiz, covers a critical and often overlooked attack vector: the abuse of OAuth applications in Azure environments. The speakers show how attackers exploit the trust model inherent in multi-tenant applications to conduct sophisticated token theft campaigns, leading to persistence, privilege escalation, and even supply chain compromises.
AI review
Competent, well-structured threat research on OAuth app impersonation in Azure/Entra that covers a real and underappreciated attack vector. The detection pipeline is the most interesting contribution, but the talk stays at a level that practitioners can follow without breaking much new ground — the core abuse pattern is known, and the LLM integration feels bolted on rather than deeply motivated.