By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: SentinelOnePublished July 10, 2026

TL;DR: A global crackdown on fraud networks led to 5,811 arrests and $293 million in seized assets, while Forg365 used device-code phishing and a persistence extension to keep Microsoft 365 access alive without reauthentication, according to SentinelOne. The pattern shows that identity abuse now spans fraud, human account takeover, and espionage, not just one threat class.


At a glance

What this is: This is a multi-topic threat roundup showing how fraud syndicates, phishing-as-a-service, and espionage campaigns all exploit identity and access weaknesses.

Why it matters: It matters because IAM, PAM, and NHI teams are dealing with the same underlying problem in different forms: abused trust, over-broad access, and access that survives too long.

By the numbers:

👉 Read SentinelOne's analysis of fraud networks, Forg365 phishing, and espionage activity


Context

Identity compromise is the common thread across the article's three cases. Fraud networks abuse trust and payment rails, phishing-as-a-service abuses human authentication flows, and espionage actors abuse exposed systems and internal access to collect intelligence. For security teams, that means identity governance is no longer only about account hygiene, but about controlling how trust is gained, retained, and laundered across user, system, and workflow layers.

The Microsoft 365 phishing section is the clearest IAM lesson in the piece. Device-code abuse, OAuth grant persistence, and hidden session renewal show how a valid authentication event can become a durable foothold. The police-network espionage segment then shows the same pattern at infrastructure level, where compromised web servers and appliances become access points into sensitive operational data.

These examples are typical of today's attack economy rather than edge cases. Attackers are combining social engineering, persistence, and access reuse because those paths are cheaper and more reliable than pure exploit chains.


Key questions

Q: How should security teams reduce device code phishing risk in Microsoft 365 environments?

A: Security teams should limit device-code authentication to approved use cases, pair it with compliant-device requirements, and add sign-in detections for unusual polling, consent, and post-login mailbox activity. User education still matters, but it cannot be the primary control because the login happens on a trusted portal. Stronger conditional access and session monitoring are the practical controls.

Q: Why do OAuth grants create persistence even after a password is changed?

A: OAuth grants and refresh tokens can remain valid independently of the original password, which means an attacker can keep accessing services without reusing the stolen credential. That is why password resets alone do not close the access path. Teams need grant review and token revocation as part of the response.

Q: What breaks when attackers use trusted authentication flows for initial access?

A: Traditional password-centric controls break because the login itself is no longer the malicious act. A valid user action can become attacker access if the workflow is designed to be easy to approve and hard to distinguish from normal use. Detection has to focus on flow anomalies, not just failed logins.

Q: Who is accountable when a compromised identity is used for intrusion and exfiltration?

A: Accountability sits with the teams that own identity lifecycle, access governance, and incident response, because they control the evidence needed to confirm abuse and the controls needed to limit it. Frameworks such as MITRE ATT&CK, NIST incident handling guidance, and zero trust principles all assume identity events can be observed and acted on.


Technical breakdown

Device-code phishing turns legitimate login flows into attacker-controlled access

OAuth 2.0 device code flows were designed for devices that cannot easily type credentials, such as TVs or consoles. In a phishing campaign, the attacker uses that same flow to trick a user into approving an attacker-controlled session, which means the initial access comes from a valid authentication path rather than a password theft event. Once the token is issued, the attacker can operate as the user until the grant is revoked or expires. The article also shows how browser extensions can sustain that access by requesting fresh tokens and clearing traces, which makes the compromise harder to notice in normal sign-in review.

Practical implication: monitor device-code events and restrict device-code flows where they are not operationally required.

OAuth grants and session tokens create persistence after the password is safe

The ForgCookie component demonstrates a common identity failure mode: the password is no longer the main control boundary once tokens exist. Refresh tokens, OAuth grants, and session cookies can keep access alive even after a user changes their password, because the attacker is not reusing the password at all. That shifts the defensive problem from authentication to grant governance and session revocation. This is a human identity case, but the lesson extends to NHI programmes: any long-lived bearer credential can behave like a standing access path if it is not continuously governed.

Practical implication: pair password resets with OAuth grant review, token revocation, and session containment.

Compromised public-facing systems become intelligence platforms, not just entry points

The espionage cases against Pakistani law enforcement show how threat actors move from initial compromise to durable intelligence collection. Once a web application or network appliance is reached, malware can be staged as a routine update, then used to maintain persistent access and surveil both internal users and external civilians. That pattern matters because the value of the compromise is not only the foothold, but the data exhaust and operational visibility it creates. For identity teams, this is a reminder that access to shared platforms needs the same scrutiny as direct user authentication paths.

Practical implication: treat public-facing administrative systems as identity assets and apply hardening, segmentation, and continuous review.


Threat narrative

Attacker objective: The objective is to preserve trusted access long enough to monetise it through fraud, surveillance, credential reuse, or intelligence collection.

  1. Entry begins with deceptive authentication or compromise of exposed systems, including device-code phishing for Microsoft accounts and intrusion into law-enforcement web portals and appliances.
  2. Escalation occurs when attackers convert that access into durable control through OAuth grants, malicious browser extensions, or implanted malware that keeps returning fresh access.
  3. Impact follows when the access is used for fraud, espionage, surveillance, or laundering, turning identity abuse into monetisation and intelligence collection.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity abuse is now the common operating layer across fraud, phishing, and espionage. The article is not really about three separate problems. It is about how attackers keep finding ways to convert trust into durable access, whether the target is money, credentials, or intelligence. For practitioners, the conclusion is that identity controls must be designed around abuse of valid access, not only blocked logins.

Device-code phishing is a governance problem, not just a user-training problem. The Forg365 case shows that a legitimate authentication flow can be redirected into attacker control without stealing a password. That means MFA presence alone is not enough if the organisation allows flows that can be socially engineered into attacker-approved grants. The practitioner conclusion is that authentication policy has to follow flow risk, not just factor count.

Bearer tokens behave like non-human identities once they outlive the session that created them. OAuth grants, refresh tokens, and session cookies can persist access after the user believes the event is over. That is the same structural issue NHI teams see with long-lived API keys and service account secrets. The practitioner conclusion is that lifecycle ownership matters more than whether the subject is human or machine.

Compromised shared platforms expand the identity blast radius beyond the initial victim. When law-enforcement portals and infrastructure appliances are used for persistence, the access path becomes a surveillance layer over many users, systems, and records. This is where identity governance intersects with platform security: a single foothold can expose operational visibility across an entire environment. The practitioner conclusion is to treat shared portals as high-value identity infrastructure, not ordinary web assets.

Fraud disruption data should not be misread as control maturity. The seizure of assets and arrests shows law-enforcement success, not that the underlying identity abuse patterns have weakened. Attackers will simply reuse whichever identity path remains cheapest, whether that is a social-engineered login, an over-broad grant, or an unmanaged operational account. The practitioner conclusion is to measure resilience by abuse resistance, not by incident headlines.

From our research:

  • Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to the 2026 Infrastructure Identity Survey.
  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
  • For the deeper identity governance lens, see Top 10 NHI Issues for the recurring control gaps that keep turning trust into exposure.

What this signals

Trust abuse is becoming the shared failure mode across human and machine identity. The practical implication is that teams should stop separating phishing defence, IAM governance, and NHI lifecycle controls into different programmes. When attackers can turn valid access into persistent control, the programme boundary has to move with them, not after the breach.

Bearer-token persistence is the clearest bridge between human IAM and NHI governance. A refresh token, OAuth grant, or API key can all outlive the event that created them. That means identity teams should review revocation coverage and session lifecycle ownership together, because the same management gap appears whether the subject is a person, service account, or AI workflow.

Access that can be reused quietly is the real risk signal. In practice, that means organisations should look for identity paths that remain valid after the user thinks the action is finished, then trace which logs, revocation points, and ownership models actually close them. For teams building toward autonomous systems, that insight will matter even more as access becomes more dynamic and less visible.


For practitioners

  • Restrict high-risk authentication flows Disable device-code authentication unless a business process genuinely requires it, and monitor for unexpected device-code approvals in Entra sign-in logs.
  • Review token persistence after compromise When an account is suspected of compromise, revoke OAuth grants, refresh tokens, and active sessions together instead of relying on password resets alone.
  • Treat browser-based persistence as an access control issue Look for malicious extensions, hidden OAuth prompts, and other client-side mechanisms that keep reissuing access after the initial phishing event.
  • Classify shared portals as identity infrastructure Apply segmentation, hardening, and admin review to web portals and appliances that can expose internal users, operational data, or surveillance paths.
  • Build controls around abuse of valid access Update threat models so IAM, PAM, and NHI teams test for token reuse, grant abuse, and persistence after legitimate authentication rather than only failed login attempts.

Key takeaways

  • Identity abuse now spans fraud, phishing, and espionage, which means security teams need one governance model for trusted access rather than three disconnected ones.
  • Device-code phishing and token persistence show that a successful login is not the end of the risk; it can be the start of durable access.
  • The controls that matter most are flow restriction, grant revocation, and lifecycle ownership, because those are the points where trusted access can be taken back.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AA-1Authentication and access flow abuse are central in the phishing and fraud sections.
NIST SP 800-53 Rev 5IA-5Token and authenticator management are directly implicated by OAuth persistence.
NIST Zero Trust (SP 800-207)section 2.3Zero trust applies because valid access can be abused after initial authentication.
MITRE ATT&CKTA0006 , Credential Access; TA0003 , PersistenceThe article shows credential abuse and token persistence as the core attacker methods.

Map risky auth flows and token governance to PR.AA-1, then restrict device-code use and review grants.


Key terms

  • Device code phishing: An identity attack that abuses the device authorization flow by tricking a user into entering a code on a legitimate login page while the attacker completes the flow elsewhere. It is effective because it relies on a real authentication protocol and can bypass password theft and familiar MFA prompts.
  • OAuth Grant: An OAuth grant is the delegated permission an application receives to act on a user's behalf without storing the user's password. In NHI governance, it should be treated as a standing identity relationship with scope, ownership, and revocation requirements, not as a one-time setup detail.
  • OAuth Token Persistence: OAuth token persistence is the tendency for delegated access to remain usable after the original user action is over. In practice, refresh tokens and long-lived access tokens can keep an application connected until someone revokes them, which makes lifecycle control central to security.
  • Identity Blast Radius: The amount of damage a compromised identity can cause across systems, data, and infrastructure. In NHI environments, it is shaped by permissions, network reach, and administrative capability rather than by the credential alone. Reducing blast radius is a containment strategy that limits lateral movement and data exposure.

What's in the full analysis

SentinelOne's full article covers the operational detail this post intentionally leaves for the source:

  • The full fraud section includes the breakdown of Operation First Light 2026, including the coordinated law-enforcement structure and recovery actions.
  • The Microsoft 365 section includes the Forg365 workflow, device-code abuse sequence, and the session-persistence mechanics behind ForgCookie.
  • The espionage section includes the named malware families, the compromised systems, and the indicators tied to the Pakistani law-enforcement intrusions.
  • The source article also adds the operational context behind the arrests, frozen wallets, and cross-border enforcement coordination.

👉 SentinelOne's full article covers the fraud crackdown details, the Microsoft 365 hijacking sequence, and the law-enforcement intrusion context.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org