
Red Team

Cloud Identity Federation Attacks: SAML Forgery, OAuth Abuse & Cross-Tenant Pivoting

Identity federation was designed to simplify access across organizational boundaries: SSO, B2B collaboration, cross-cloud workload authentication. But in 2026, federation trust relationships have become one of the most exploitable attack surfaces in cloud environments. A single compromised IdP signing key lets an attacker mint assertions for every relying party that trusts it, with no sign-in ever recorded at the IdP. A misconfigured OAuth consent policy lets an attacker-controlled app collect refresh tokens that keep working after the user's password is reset, until the grant itself is revoked. And cross-tenant trust turns one breach into many.

This post dissects four federation attack vectors through the lens of a fictional intrusion by the PHANTOM TRUST threat actor group, provides detection queries in KQL and SPL, and delivers a hardening checklist your team can implement immediately.
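As an added example that is not code from the post, here is the core of the forged-assertion detection reduced to PowerShell over constructed log records: an assertion a service provider accepted that the IdP never logged issuing, one signed by a certificate the IdP does not currently use, or one whose validity window is far beyond policy. The records, the field names (AssertionId, IssueInstant, NotOnOrAfter, SigningThumbprint) and the thumbprint values are assumptions about what your AD FS and application sign-in exports contain.

```powershell
# Added example: correlate IdP token issuance with service-provider consumption.
# All records below are constructed samples, not real logs.

$idpIssued = @(   # constructed IdP issuance log (one row per assertion the IdP signed)
    [pscustomobject]@{ AssertionId = '_a1'; Subject = 'alice@corp.example'; IssueInstant = [datetime]'2026-03-01T09:00:00Z' }
    [pscustomobject]@{ AssertionId = '_a2'; Subject = 'bob@corp.example';   IssueInstant = [datetime]'2026-03-01T09:05:00Z' }
)

$spAccepted = @(  # constructed service-provider sign-in log (one row per assertion accepted)
    [pscustomobject]@{ AssertionId = '_a1'; Subject = 'alice@corp.example'; IssueInstant = [datetime]'2026-03-01T09:00:00Z'; NotOnOrAfter = [datetime]'2026-03-01T10:00:00Z'; SigningThumbprint = 'AA11' }
    [pscustomobject]@{ AssertionId = '_q7'; Subject = 'admin@corp.example'; IssueInstant = [datetime]'2026-03-01T09:10:00Z'; NotOnOrAfter = [datetime]'2026-03-08T09:10:00Z'; SigningThumbprint = 'AA11' }
    [pscustomobject]@{ AssertionId = '_a2'; Subject = 'bob@corp.example';   IssueInstant = [datetime]'2026-03-01T09:05:00Z'; NotOnOrAfter = [datetime]'2026-03-01T10:05:00Z'; SigningThumbprint = 'DEAD' }
)

function Find-SuspectAssertion {
    param(
        [object[]]$Issued,
        [object[]]$Accepted,
        [string[]]$TrustedThumbprints,   # thumbprints the IdP is configured to sign with right now
        [int]$MaxLifetimeMinutes = 60    # the IdP's configured assertion lifetime
    )
    # Index issuance events by assertion ID so the join is O(1) per accepted token.
    $issuedById = @{}
    foreach ($i in $Issued) { $issuedById[$i.AssertionId] = $i }

    foreach ($a in $Accepted) {
        $reasons = @()
        if (-not $issuedById.ContainsKey($a.AssertionId)) {
            $reasons += 'no matching IdP issuance event'
        }
        if ($TrustedThumbprints -notcontains $a.SigningThumbprint) {
            $reasons += "signed by untrusted cert $($a.SigningThumbprint)"
        }
        $lifetime = ($a.NotOnOrAfter - $a.IssueInstant).TotalMinutes
        if ($lifetime -gt $MaxLifetimeMinutes) {
            $reasons += "validity $lifetime min exceeds policy of $MaxLifetimeMinutes"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ AssertionId = $a.AssertionId; Subject = $a.Subject; Reasons = ($reasons -join '; ') }
        }
    }
}

# Flags _q7 (never issued, week-long validity) and _a2 (signed by an unknown cert).
Find-SuspectAssertion -Issued $idpIssued -Accepted $spAccepted -TrustedThumbprints @('AA11') | Format-Table -AutoSize
```

The thumbprint check only catches an attacker who registered their own certificate; a token forged with the stolen production key passes it, which is why the missing-issuance-event join is the check that matters, and why it needs the IdP's issuance log shipped somewhere the attacker cannot edit.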

Active Directory Certificate Services Under Siege: Attack Vectors & Defense Playbook

Certificate Services was never designed to be an attack surface, but in 2026 it is one of the most reliable privilege-escalation paths in enterprise Active Directory. Misconfigured templates, weak ACLs, and overlooked relay vectors turn ADCS into a credential factory: a certificate issued for the wrong principal logs that principal in over PKINIT with no password involved, and keeps working until it expires or is revoked, regardless of password resets. This post maps the full spectrum of ESC vulnerabilities, walks through a fictional intrusion by the GOLDEN CIPHER threat actor, and delivers a hardening checklist your team can execute this week.
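As an added example that is not code from the post, the "misconfigured template" case stated as a check: the ESC1 combination is a template that lets the enrollee supply the subject, carries an EKU usable for logon, has no manager-approval or authorized-signature gate, and is enrollable by a low-privileged group. The flag constants and EKU OIDs are the documented values; the template objects are constructed samples, and the EnrollPrincipals field (enrollment rights pre-resolved to group names) is an assumption to keep the check offline. Get-AdcsTemplate shows how to fill that shape from a live domain and is not run here.

```powershell
# Added example: ESC1 test over certificate-template attributes.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag: CA manager approval required
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)
$LowPrivPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')

function Test-Esc1Template {
    param([Parameter(Mandatory, ValueFromPipeline)]$Template)
    process {
        $suppliesSubject = ($Template.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $managerApproval = ($Template.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $needsSignatures = [int]$Template.'msPKI-RA-Signature' -gt 0
        # An empty EKU list means the certificate is good for any purpose, including logon.
        $ekus    = @($Template.pKIExtendedKeyUsage | Where-Object { $_ })
        $authEku = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
        $openEnroll = @($Template.EnrollPrincipals | Where-Object { $LowPrivPrincipals -contains $_ }).Count -gt 0
        [pscustomobject]@{
            Name            = $Template.Name
            SuppliesSubject = $suppliesSubject
            AuthEku         = $authEku
            Gated           = ($managerApproval -or $needsSignatures)
            OpenEnroll      = $openEnroll
            ESC1            = ($suppliesSubject -and $authEku -and -not ($managerApproval -or $needsSignatures) -and $openEnroll)
        }
    }
}

# Constructed samples: a classic ESC1 template and a template that builds the subject from AD.
$templates = @(
    [pscustomobject]@{ Name = 'VPN-User'; 'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0
                       'msPKI-RA-Signature' = 0; pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.2'); EnrollPrincipals = @('Domain Users') }
    [pscustomobject]@{ Name = 'Safe-User'; 'msPKI-Certificate-Name-Flag' = 0x2000000; 'msPKI-Enrollment-Flag' = 0   # CT_FLAG_SUBJECT_ALT_REQUIRE_UPN
                       'msPKI-RA-Signature' = 0; pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.2'); EnrollPrincipals = @('Domain Users') }
)
$templates | Test-Esc1Template | Format-Table -AutoSize   # VPN-User: ESC1 True; Safe-User: ESC1 False

function Get-AdcsTemplate {
    # Reads live templates from the Configuration NC into the shape Test-Esc1Template expects.
    # Enroll is the extended right 0e10c968-78fb-11d1-a9c7-0000f80367c1; an ACE with an empty
    # ObjectType grants all extended rights, and GenericAll implies Enroll. Needs domain access.
    $enrollGuid = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    foreach ($t in $container.Children) {
        $enrollers = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and (
                    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                    ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                     ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty))
                )
            } | ForEach-Object { $_.IdentityReference.Value -replace '^[^\\]+\\', '' }
        [pscustomobject]@{
            Name                          = [string]$t.cn.Value
            'msPKI-Certificate-Name-Flag' = [int]$t.'msPKI-Certificate-Name-Flag'.Value
            'msPKI-Enrollment-Flag'       = [int]$t.'msPKI-Enrollment-Flag'.Value
            'msPKI-RA-Signature'          = [int]$t.'msPKI-RA-Signature'.Value
            pKIExtendedKeyUsage           = @($t.pKIExtendedKeyUsage | ForEach-Object { [string]$_ })
            EnrollPrincipals              = @($enrollers)
        }
    }
}
# Live run: Get-AdcsTemplate | Test-Esc1Template | Where-Object ESC1
```

A template that fails this check is still only exploitable through a CA that has it published, so pair the result with the list of templates on each enterprise CA. The Enroll-right resolution above is deliberately simple: it matches group names, not nested membership, so a custom group that contains Domain Users will not be flagged unless you expand it first.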