🚨 Vercel OAuth Attack | How AI Is Breaking Cloud Security (What CISOs Must Do Now)

The Vercel OAuth supply chain breach shows how a single AI tool with over-permissioned access can cascade into enterprise-wide credential exposure. Elad Koren from Palo Alto Networks’ Cortex Cloud team joins Cloud Security Podcast to explain why the CNAPP of 2026 must be agentic-first and why organizations have less than 25 minutes to respond before an active threat exfiltrates data.

Hello from the Cloud-verse!

This week’s Cloud Security Newsletter topic: Agentic Cloud Security: Why the CNAPP Must Evolve Before Your Adversaries Do (continue reading) 


In case this is your first Cloud Security Newsletter: you are in good company!
You are reading this issue alongside friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, Capital One, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc and more, who subscribe to learn what’s new in cloud security each week from their industry peers, as do the many others who listen to Cloud Security Podcast and AI Security Podcast.

Welcome to this week’s Cloud Security Newsletter

This week’s uncomfortable truth:

Attackers are no longer breaking into your systems.
They are operating inside them using your tools, your APIs, and your trust relationships.

  • APT41 is stealing IAM credentials using cloud metadata APIs

  • Vercel was breached without a vulnerability - just OAuth trust abuse

  • Microsoft Teams is being used to impersonate IT helpdesks

  • Cisco ISE can now be taken over with read-only credentials

And according to Palo Alto Networks Research: It’s taking ~25 minutes from breach to data exfiltration. [Listen to the episode]

⚡ TL;DR for Busy Readers

This week’s attacks didn’t break systems — they used them


🔴 APT41 cloud credential theft: 
Winnti backdoor harvesting AWS/Azure/GCP credentials from instance metadata APIs and exfiltrating them over SMTP (zero detections at discovery). Block outbound SMTP from non-mail workloads NOW  

🔑 SaaS tokens = your weakest link: 
Vercel breached via over-permissioned OAuth — API keys, GitHub & NPM tokens exposed. Audit third-party OAuth access TODAY  

⚠️ Identity isn’t safe: 
Cisco ISE CVSS 9.9 flaws exploitable with read-only admin credentials, plus a Webex SSO flaw whose fix needs a manual SAML certificate upload. Patch ISE and upload the new certificate yourself; Cisco can’t do this for you  

📦 Third-party breach risk is live (1 year later): 
A 2025 Salesforce compromise is still surfacing new victims nearly a year on, including 13.5M user records and roughly 28K SSNs.  

🤖 CNAPP model is breaking: 
25-minute breach-to-exfiltration window confirmed — human-speed response is no longer viable   

📰 THIS WEEK'S TOP SECURITY HEADLINES

Each story includes why it matters and what to do next — no vendor fluff.

🚨 1. Microsoft Teams Used for Helpdesk Impersonation Attacks

What’s happening

Microsoft has documented a nine-stage attack chain in which attackers spin up fake Microsoft 365 tenants and impersonate internal IT via Teams chat, convince employees to start a remote session, then move laterally and exfiltrate data.

Why this matters

No malware. No exploit.
Just trusted tools used against you.

Your EDR sees normal activity.
Your users see “IT support”.

This is a living-off-the-land attack: no malware, no CVEs, no phishing emails. It exploits the trust users place in a familiar collaboration platform. Because the attacker operates from a Microsoft-issued tenant using Microsoft-sanctioned tools, most endpoint detection stacks see what looks like a routine remote-support session, with no signal that anything is wrong. Teams external access (cross-tenant chat) is enabled by default in most Microsoft 365 deployments and is rarely reviewed after initial setup.

👉 What to do

▶     Audit Teams external access policy immediately.  Most organizations have never restricted cross-tenant chat. Limit it to approved domains, or disable it if not operationally required.

▶     Establish out-of-band helpdesk verification.  Create a verbal authentication phrase that all IT staff use before initiating remote sessions. Include this in your security awareness training.

▶     Hunt for Rclone in your environment.  Rclone is a legitimate sync tool, but few organizations sanction it on user endpoints. Its presence on an endpoint, or a renamed copy of it, should be treated as an incident indicator until proven otherwise.

▶     Create a detection rule for Quick Assist sessions from external tenants.  This pattern is unusual enough that a well-scoped rule should have near-zero false positives.
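A starting point for the Rclone hunt, as an added example (not Microsoft’s or the newsletter’s code). It runs over a handful of constructed process-creation events that borrow a few Sysmon Event ID 1 field names (Image, OriginalFileName, CommandLine, ParentImage, User, Computer); the field names are real Sysmon fields, but the events, hosts and users are made up. The point it adds to the bullet above is catching rclone even when the binary has been renamed, by checking the embedded OriginalFileName and the characteristic remote:path command-line syntax.

```python
import re

# Names rclone ships under. A renamed copy keeps its OriginalFileName in the PE
# version resource, which Sysmon surfaces on process-creation events.
RCLONE_NAMES = {"rclone.exe", "rclone"}

# A transfer verb followed later by a "remote:path" argument. The remote name must be at
# least two characters and must not be followed by "//", which keeps Windows drive
# letters (D:\x) and URLs (https://x) from matching.
RCLONE_TRANSFER = re.compile(
    r"\b(copy|sync|move|copyto|moveto|lsd|lsf|mount|rcat)\b.*?\s[A-Za-z][\w.-]+:(?!//)\S*",
    re.IGNORECASE,
)
RCLONE_CONFIG = re.compile(r"--config\s+\S+", re.IGNORECASE)

# Constructed sample telemetry (no real hosts, users or binaries).
SAMPLE_EVENTS = [
    {   # renamed rclone copy pushing a Documents folder to a cloud remote
        "Computer": "WS-0412", "User": "CORP\\j.doe",
        "Image": r"C:\Users\j.doe\AppData\Local\Temp\svchost.exe",
        "OriginalFileName": "rclone.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'svchost.exe copy "C:\Users\j.doe\Documents" mega:exfil --transfers 8',
    },
    {   # robocopy: legitimate, must not match even though it contains "copy"
        "Computer": "WS-0412", "User": "CORP\\j.doe",
        "Image": r"C:\Windows\System32\Robocopy.exe",
        "OriginalFileName": "robocopy.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"robocopy C:\src D:\dst /E",
    },
    {   # unrenamed rclone with an explicit config file
        "Computer": "SRV-FILE01", "User": "CORP\\svc-backup",
        "Image": r"C:\Tools\rclone.exe",
        "OriginalFileName": "rclone.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"rclone.exe sync C:\Data s3backup:corp-bucket --config C:\Tools\rclone.conf",
    },
    {   # curl writing to a file named "copy": the URL must not look like a remote
        "Computer": "WS-0099", "User": "CORP\\a.lee",
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"curl.exe -o copy https://example.com/file",
    },
]


def looks_like_rclone(event):
    """Return the list of reasons an event looks like rclone (empty list = clean)."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if image in RCLONE_NAMES:
        reasons.append("image name is rclone")
    elif original in RCLONE_NAMES:
        reasons.append(f"renamed binary: OriginalFileName={original} but Image={image}")
    if RCLONE_TRANSFER.search(cmd) or RCLONE_CONFIG.search(cmd):
        reasons.append("command line uses rclone transfer/config syntax")
    return reasons


def hunt(events):
    """Return one finding per suspicious event, preserving input order."""
    findings = []
    for event in events:
        reasons = looks_like_rclone(event)
        if reasons:
            findings.append({"host": event["Computer"], "user": event["User"],
                             "image": event["Image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} {f['image']}: {'; '.join(f['reasons'])}")
```

Two of the four constructed events are flagged: the renamed copy in the user’s Temp directory (by OriginalFileName and command line) and the unrenamed binary on the file server (by name and the --config flag). robocopy and curl stay clean, which is the false-positive check you want before turning this into a SIEM rule.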

🚨 2.  Salesforce Breach Surfaces Downstream: McGraw-Hill 13.5M, OneDigital 28K SSNs

What happened:

A 2025 Salesforce compromise is still exposing new victims — including 13.5M user records and SSNs — nearly a year later. OneDigital confirmed approximately 28,414 individuals had names and SSNs exposed. McGraw-Hill disclosed that ShinyHunters stole and publicly leaked 13.5 million user accounts via the same underlying Salesforce breach. The gap between the original compromise and these disclosures is approaching twelve months for some affected individuals.

Why it matters:

The Salesforce breach itself is not the primary lesson here. The lesson is the blast radius and the disclosure lag.

👉 What to do

▶     Treat CRM as tier-1 cloud infrastructure.  Apply the same access controls, anomaly detection, and logging posture to Salesforce that you apply to your data warehouse.

▶     Renegotiate SaaS breach notification SLAs.  If your contracts do not specify a notification timeline for platform-level incidents, you have no contractual floor.

▶     Backdate your investigation window.  When a downstream notification arrives, treat the compromise date, not the notification date, as your start point.

☁️ 3. APT41 Deploys Zero-Detection Cloud Credential Backdoor to Harvest Credentials Across AWS, Azure, GCP

What happened:

APT41 is harvesting credentials from AWS, Azure, and GCP using metadata APIs and hiding traffic in SMTP.

Zero detections at time of discovery.

Why it matters:
This is the most cloud-native credential theft operation we have seen from a state-sponsored actor. The backdoor does not exploit a vulnerability in your cloud environment; it queries the same metadata APIs your applications use legitimately. 

On AWS it hits the IMDS endpoint at 169.254.169.254 for IAM role credentials. On Azure it pulls managed identity tokens. On GCP it requests service account tokens. It also sends periodic UDP broadcast beacons on port 6006 for peer-to-peer lateral coordination between compromised hosts, meaning the C2 infrastructure can go dark while the campaign continues to propagate internally.

This attack:

  • Uses legitimate APIs

  • Avoids HTTP/DNS monitoring

  • Blends into normal cloud behaviour

This bypasses:

  • EDR

  • Signature detection

  • Traditional network monitoring

This is a cloud-native attack on your control plane

👉 What to do

▶     Block or alert on outbound SMTP (port 25, and the 465/587 submission ports unless the workload is a known mail client) from non-mail workloads.  This is anomalous in cloud compute environments and should have very low false positives. A rejected SMTP attempt from a compute instance is still worth an alert: the attempt itself is the indicator.

▶     Alert on unusual reads of cloud credential files  from non-SDK processes: ~/.aws/credentials, ~/.azure/ profile directories, GCP application default credential paths.

▶     Enforce IMDSv2 on AWS and equivalent IMDS hardening on Azure/GCP.  IMDSv2 requires a session token obtained with a PUT request and lets you cap the response hop limit, which shuts down credential theft that arrives through an extra network hop (an SSRF via an application, or a container that should not see the host’s role). Azure and GCP require a Metadata header on every request for the same reason. Know the limit: an implant already executing on the instance can still complete the token handshake, so this reduces blast radius rather than stopping this backdoor outright. Pair it with the process-level alerting above and with least-privilege instance roles.

▶     Hunt for stripped, statically linked ELF binaries in /tmp and /var/tmp.  These are not characteristic of legitimate cloud workloads.

▶     Alert on UDP broadcast traffic to port 6006 from compute instances.  This is the lateral movement beacon used by this implant.
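The SMTP-egress and UDP-6006 bullets above are simple enough to express as detection logic over flow logs. The block below is an added example, not Palo Alto Networks’ or the newsletter’s code: it parses a handful of constructed records laid out in the AWS VPC Flow Log default (v2) field order and applies two rules, SMTP leaving the VPC from any source not on a sanctioned-MTA allowlist, and UDP to port 6006 at a subnet broadcast address. The MAIL_SERVERS allowlist, the internal ranges and the /24 subnet assumption are mine; on Azure and GCP the equivalent inputs are NSG flow logs and VPC Flow Logs with different field layouts, so only parse_flow_line would change.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample in the AWS VPC Flow Log default (v2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.25 49212 25 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.1.255 6006 6006 17 1 64 1700000005 1700000005 ACCEPT OK
2 123456789012 eni-0ffeed00 10.0.2.7 198.51.100.10 55001 443 6 30 9000 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0c0ffee1 10.0.3.4 203.0.113.25 51000 25 6 40 8192 1700000020 1700000080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.1.20 40000 6006 17 1 64 1700000030 1700000030 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.99 49300 25 6 3 180 1700000040 1700000045 REJECT OK
"""

MAIL_SERVERS = {"10.0.3.4"}                 # assumption: the only sanctioned outbound MTA
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: address space we own
SMTP_PORTS = {25, 465, 587}
BEACON_PORT = 6006
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    dst: str
    dstport: int
    action: str


def parse_flow_line(line):
    f = line.split()
    return {"src": f[3], "dst": f[4], "srcport": int(f[5]), "dstport": int(f[6]),
            "proto": int(f[7]), "action": f[12]}


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def is_subnet_broadcast(addr):
    # Assumes /24 subnets: derive the /24 containing addr and compare with its broadcast address.
    return is_internal(addr) and ip_address(addr) == ip_network(f"{addr}/24", strict=False).broadcast_address


def detect(lines):
    findings = []
    for line in lines:
        if not line.strip():
            continue
        r = parse_flow_line(line)
        # Rule 1: SMTP leaving the VPC from anything that is not a known mail relay.
        # REJECTed flows are kept on purpose: a blocked attempt still means the host tried.
        if (r["proto"] == PROTO_TCP and r["dstport"] in SMTP_PORTS
                and r["src"] not in MAIL_SERVERS and not is_internal(r["dst"])):
            findings.append(Finding("smtp-egress-from-non-mail-workload",
                                    r["src"], r["dst"], r["dstport"], r["action"]))
        # Rule 2: the implant's peer-discovery beacon, UDP to 6006 at the subnet broadcast address.
        if r["proto"] == PROTO_UDP and r["dstport"] == BEACON_PORT and is_subnet_broadcast(r["dst"]):
            findings.append(Finding("udp-6006-broadcast-beacon",
                                    r["src"], r["dst"], BEACON_PORT, r["action"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_FLOW_LOGS.splitlines()):
        print(f"{f.rule} [{f.action}]: {f.src} -> {f.dst}:{f.dstport}")
```

On the sample, the single host 10.0.1.15 produces all three findings (an accepted SMTP connection, a broadcast beacon, and a rejected SMTP attempt), while the sanctioned relay’s port-25 traffic and the unicast 6006 packet are left alone. Correlating both rules on one source address is the strongest signal this write-up offers, so group findings by src before paging anyone.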

🏥 4. Cisco Patches Four Critical Flaws in Webex and ISE - Including Unauthenticated SSO Impersonation

What happened:

Cisco released patches for 15 vulnerabilities including four critical-severity flaws in Webex Services and Identity Services Engine.

CVE-2026-20184 (CVSS 9.8) in Webex allows an unauthenticated remote attacker to impersonate any user by exploiting improper certificate validation in the SSO integration with Control Hub. Three critical ISE flaws (CVE-2026-20147, CVE-2026-20180, CVE-2026-20186, all CVSS 9.9) enable remote code execution on the underlying OS; critically, CVE-2026-20180 and CVE-2026-20186 are exploitable with nothing more than read-only administrative credentials. No active exploitation has been confirmed at time of disclosure.

Why it matters:
The Webex SSO flaw has a manual remediation step that Cisco cannot complete on your behalf: admins must upload a new IdP SAML certificate to Webex Control Hub. In enterprises where Webex administration is delegated or outsourced, this step is highly likely to be missed. The ISE vulnerabilities carry a more severe operational implication: ISE underpins 802.1X authentication, NAC, and device trust for many large enterprises. An attacker with a compromised read-only monitoring account (a very common post-breach scenario) can achieve root code execution on your network access control infrastructure. CrowdStrike’s 2026 Global Threat Report notes that valid account abuse accounted for 35% of cloud incidents last year. These flaws make that even more dangerous.

👉 What to do

▶     Upload the new IdP SAML certificate to Webex Control Hub NOW  if SSO is in use. This is your action item, not Cisco’s.

▶     Patch ISE to fixed releases:  3.1 P11 · 3.2 P10 · 3.3 P11 · 3.4 P6 · 3.5 P3. There are no workarounds.

▶     Audit read-only admin account activity in ISE.  Any anomalous activity on these accounts should be treated as a high-priority incident given the low privilege bar for exploitation.

🔑 5. Vercel Breach via OAuth Supply Chain Attack

What happened:

On April 19, Vercel disclosed a security breach that began in February 2026 when a Context.ai employee’s machine was infected with Lumma Stealer malware after downloading a Roblox game exploit. The malware harvested Google Workspace credentials and OAuth tokens, which the attacker used to pivot through Context.ai’s AWS environment into a Vercel employee’s Google Workspace account, gaining access to Vercel’s internal systems and non-sensitive environment variables. A threat actor claiming ShinyHunters affiliation listed the stolen data for $2M on BreachForums, claiming the haul includes API keys, NPM tokens, GitHub tokens, and 580 employee records. Vercel confirmed the incident, published IOCs, and advised all customers to rotate environment variable credentials.

Why it matters:
This breach chain required zero direct vulnerabilities in Vercel’s own code. The attack path was: infostealer → OAuth token theft → SaaS lateral movement → PaaS credential exposure. Every step exploited legitimate trust relationships between sanctioned enterprise applications. The structural problem is that a single developer using a third-party AI tool with overly permissive Google Workspace OAuth grants became the entry point for an incident that potentially affects hundreds of organizations.

👉 What to do

▶     Audit all third-party OAuth authorizations in Google Workspace and Microsoft 365.  Remove any app granted broad read/write access that is not formally inventoried and approved.

▶     Add PaaS deployment platforms to your SBOM and TPRM register.  Vercel, Netlify, Railway, Render: these are tier-1 supply chain dependencies, not external services.

▶     Rotate all Vercel environment variables not marked as ‘sensitive’.  Even without a direct notification, the exposure window spans February–April 2026.

▶     Block or alert on ‘Allow All’ OAuth grants  during enterprise onboarding of AI tools. This single permission pattern is the root cause of this incident.
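The OAuth audit in the first and last bullets can be scripted rather than eyeballed in the admin console. The block below is an added example, not Vercel’s, Google’s or the newsletter’s code. It scores constructed token records whose field names (userKey, clientId, displayText, scopes) follow the Admin SDK Directory API tokens resource, flags grants that carry full-access scopes, and separates apps on an approved inventory (review the scope set) from apps nobody inventoried (revoke). The scope classification table, the approved-client allowlist and the app names are assumptions; in practice you would feed it the output of tokens.list for each user and hand the revocation list to tokens.delete.

```python
# Scope patterns that grant broad read/write reach. A scope matching one of these but
# ending in a read-only suffix is downgraded to "medium". This table is an assumption
# about which scopes matter to you; extend it (Calendar, Contacts, Sites, ...) as needed.
BROAD_SCOPE_MARKERS = (
    "auth/drive",                # all of Drive
    "auth/gmail.",               # any Gmail scope
    "https://mail.google.com/",  # full mailbox access
    "auth/admin.directory",      # directory administration
    "auth/cloud-platform",       # GCP project-wide
)
READONLY_SUFFIXES = (".readonly", ".metadata.readonly")
LOW_RISK = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}
APPROVED_CLIENT_IDS = {"approved-backup.example.apps.googleusercontent.com"}  # assumption

# Constructed records; the app names and client IDs are made up.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "displayText": "AI Notes Helper (hypothetical)",
     "clientId": "ai-notes.example.apps.googleusercontent.com",
     "scopes": ["openid", "email",
                "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.modify",
                "https://www.googleapis.com/auth/calendar"]},
    {"userKey": "bob@example.com", "displayText": "Approved Backup (hypothetical)",
     "clientId": "approved-backup.example.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "displayText": "Calendar Sync Add-on (hypothetical)",
     "clientId": "cal-sync.example.apps.googleusercontent.com",
     "scopes": ["openid", "email",
                "https://www.googleapis.com/auth/calendar.readonly"]},
]

RANK = {"low": 0, "medium": 1, "high": 2}


def scope_risk(scope):
    if scope in LOW_RISK:
        return "low"
    if any(marker in scope for marker in BROAD_SCOPE_MARKERS):
        return "medium" if scope.endswith(READONLY_SUFFIXES) else "high"
    return "medium"   # unknown scopes are not ignored; they get reviewed


def audit_tokens(tokens):
    findings = []
    for t in tokens:
        risks = {s: scope_risk(s) for s in t["scopes"]}
        worst = max(risks.values(), key=RANK.__getitem__)
        approved = t["clientId"] in APPROVED_CLIENT_IDS
        if worst == "high" and not approved:
            action = "revoke"   # the 'allow all' pattern on an app nobody inventoried
        elif worst == "high":
            action = "review"   # inventoried, but confirm the scope set is the minimum needed
        else:
            action = "ok"
        findings.append({
            "user": t["userKey"], "app": t["displayText"], "clientId": t["clientId"],
            "risk": worst, "action": action,
            "broad_scopes": sorted(s for s, r in risks.items() if r == "high"),
        })
    return findings


def revocation_list(tokens):
    """(userKey, clientId) pairs to pass to tokens.delete."""
    return [(f["user"], f["clientId"]) for f in audit_tokens(tokens) if f["action"] == "revoke"]


if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS):
        print(f"{f['action']:7} {f['risk']:6} {f['user']} {f['app']} {f['broad_scopes']}")
```

On the sample, the uninventoried AI assistant with full Drive and Gmail write access is marked for revocation, the approved backup tool with the same Drive scope is routed to review, and the read-only calendar add-on passes. For Microsoft 365 the equivalent records are OAuth2PermissionGrant objects and the scopes are Graph permission names (Mail.ReadWrite, Files.ReadWrite.All), so the classification table changes but the logic does not.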

🎯 Cloud Security Topic of the Week:

Agentic Cloud Security: Why the CNAPP Must Evolve Before Your Adversaries Do

For most of the past decade, the cloud security conversation was structured around posture. Know your misconfigurations. Remediate your public S3 buckets. Track your IAM sprawl. The CSPM era gave security teams visibility, and visibility was genuinely the right place to start. But a posture score does not stop an APT41 backdoor that is already running on your Linux workload and querying your metadata API. And a misconfiguration dashboard does not help you when an attacker goes from initial access to data exfiltration in 25 minutes.

Elad Koren’s framing in this week’s episode is the clearest articulation of this shift we’ve heard: cloud security has moved from “manage your hygiene” to “protect in real time while maintaining hygiene.” The CNAPP of 2026 is not just a visibility platform. It is an autonomous response layer that can make and execute decisions faster than any human analyst can triage a ticket.

The three structural changes Koren identified as driving this shift are worth examining individually, because each one has a direct implication for how you build or upgrade your cloud security program:

  • AI is available to adversaries. Attacks that previously required days of reconnaissance and manual exploitation can now be generated and launched with a prompt. Palo Alto’s telemetry shows a 25-minute window from initial access to data exfiltration in active incidents. You cannot staff a human response team capable of operating inside that window.

  • Vibe coding has removed the development friction that security relied on. When the cycle from “ideation to production” collapses to three days, including testing, the traditional shift-left security model breaks. There is no left to shift to. Security must be embedded as a continuous automated layer across the entire pipeline, not a review gate before deployment.

  • AI workloads in cloud represent a posture gap most teams cannot close manually. Organizations are deploying experimental AI applications faster than their security teams can inventory, analyze, and control them. The incident Koren described, an internal AI workload accidentally exposed to the internet because the developer had no security context, is not an edge case. It is a pattern.

    Featured Experts This Week 🎤

  • Elad Koren - VP, Product Management, Cortex Cloud, Palo Alto Networks

  • Ashish Rajan - CISO | Co-Host AI Security Podcast , Host of Cloud Security Podcast

Definitions and Core Concepts 📚

Before diving into our insights, let's clarify some key terms:

  • CNAPP (Cloud-Native Application Protection Platform)

    A unified security platform that combines CSPM (posture), CWPP (workload protection), CIEM (entitlements and identity), and increasingly runtime protection and AI workload security into a single data-integrated platform. Elad Koren’s argument is that the CNAPP of 2026 must move beyond posture management into active agentic defense, where AI agents can automatically remediate tier-one issues while surfacing complex attack paths for human analysts.

  • Vibe Coding

    A term describing the practice of using AI coding assistants to generate, iterate, and deploy code at dramatically accelerated speeds, often with minimal formal review, design documentation, or security scrutiny. The term captures the intuitive, flow-state nature of AI-assisted development. Its security implication, as Koren described, is that inception-to-production cycles that previously took weeks now take days, collapsing the time window available for security review.

This week's issue is sponsored by Orca Security

Orca Security is hosting Cloud Security LIVE, a half-day virtual summit on Tuesday, May 12th. Join CISOs, security co-founders, and practitioners for unfiltered insight: real stories and strategies from people securing the world's most complex cloud environments.

Sessions include:

  • The new standard for resilience: zero-breach to zero-impact

  • AI on both sides: securing models and APIs while using AI to defend your cloud

  • Mastering 3rd-party and supply chain risk

  • Security leadership panel on AI, risk, and driving change


    Join for a chance to win* a 64GB Beelink AI PC. *US-based attendees only.

💡Our Insights from this Practitioner 🔍

1. The 25-Minute Window Has Broken the Traditional Security Model

The most operationally significant data point from Elad Koren’s conversation is also the most alarming: Palo Alto’s telemetry shows that once an organization is susceptible to a particular attack pattern, a threat actor can go from initial access to data exfiltration in 25 minutes. This is not a hypothetical worst case; it is a figure drawn from measured incidents.

"It can be seconds. Our latest report shows that within 25 minutes an organization can have data exfiltrated. You cannot wait for the practitioners to fix the gap." - Elad Koren

The practical implication for cloud security architecture is that any control requiring human decision-making in the response chain (triage ticket, analyst review, change approval) cannot be the first line of defense for high-confidence threat signals. The most experienced analyst in your SOC cannot triage, escalate, approve, and contain an incident in 25 minutes when they are also managing a queue of other alerts. The response to known-pattern attacks must be automated.

2. Three Forces Have Changed the Threat Model Permanently

Elad laid out a clear framework for why the security model that worked three years ago is structurally inadequate today, and it is worth internalizing for board-level conversations:

"There are three fundamental things that changed in the model. AI is there for the adversaries; they can move much faster. Developers are pushing code much faster with vibe coding. And we are seeing more and more AI applications running in cloud that not many organizations know how to analyze the posture of." - Elad Koren

Each of these forces has a distinct security implication that compounds the others. AI-accelerated attacks mean your detection and response must operate at machine speed. Vibe-coded applications mean your code review pipeline will always be behind the deployment pipeline without automation. AI workloads in cloud mean your CSPM and CWPP coverage has gaps in resource types that simply did not exist 18 months ago. Put them together and, as Elad puts it, “combine all three and you have a time bomb basically.”

3. Agentic Cloud Security Is Not a Product Pitch   It Is an Architectural Requirement

The framing of “agentic CNAPP” can sound like vendor positioning, but Elad’s description of what it actually means is grounded in operational reality. The core argument is not that AI agents replace your security team. It is that tier-one triage (the routine fixes, the known patterns, the high-confidence remediations) should be handled autonomously, so that your analysts can focus on the cases that genuinely require human judgment.

"A good solution prioritizes making sure that your tier-one analysts, you can take 85, 90% of the things they would do, the regular fixes, automatically. You’ll have AI agents working for you. Because then you’re fighting machines with machines." - Elad Koren

Ashish Rajan’s framing of the shift is equally direct: the agentic security era means the CNAPP must have API-level understanding of how AI agents communicate with cloud platforms, not just posture snapshots of static configurations. 

"It’s no longer enough that you have a CNAPP. Having an understanding of the pathway, API capabilities, and how you can have AI agents communicate with that as a platform will become the more important thing as we move into 2026 and beyond." - Ashish Rajan

4. Visibility and Identity Are the Two Non-Negotiable Foundations

When Elad was asked directly what organizations should focus on for a durable cloud security uplift program, his answer was grounded in a specific real-world example: an experimental AI workload deployed for internal use that was accidentally exposed to the internet because the developer had no security awareness of the infrastructure it was running on.

"That AI workload was open to the world without any need of authentication. The person creating that had little to almost no knowledge or awareness for security. Somebody was able to access it; he was able to exfiltrate data. Inception to production in less than three days, including testing, including everything." - Elad Koren

His prescription: visibility into where your AI workloads run, identity controls with least privilege and minimal access for anything that touches those workloads, and securing the infrastructure, not just the application. This is not new advice in the abstract, but the AI workload context makes it urgent in a new way. Most organizations’ AI workload inventory is incomplete by definition: developers are spinning up new AI-powered services faster than any centralized inventory process can track them.

5. The “Messy Middle” Is Where We Are, and That Is a Strategic Opportunity

Elad’s most useful framing for security leaders planning multi-year programs is what he calls the “messy middle”: the transition period between where most organizations are today (siloed, posture-focused, human-speed) and where the industry is going (platformized, agentic, machine-speed). This period is messy because no one knows exactly what the equilibrium looks like. But the direction is clear.

The prescription for this period is not to wait for clarity. It is to build the foundations that will matter regardless of how the technology evolves: unified data platforms that eliminate tool silos, trust in AI-driven automation built through experimentation, and upskilling security practitioners to become orchestrators rather than ticket-processors.

"If organizations continue to build things in silos and look at security as siloed different tasks by different practitioners, adversaries will prevail. They’re like water. They’ll just find a path in. You close the door, they look at the window. You close the window, they look at the tunnel. If they don’t have a tunnel, they’ll dig a tunnel." - Elad Koren

  • Palo Alto Networks Cortex Cloud: Platform Overview

    The platform Elad Koren describes in this episode. Relevant for teams evaluating agentic CNAPP capabilities.

Podcast Episode

Question for you? (Reply to this email)

🤔   Is your AI workload inventory complete enough that you could answer ‘where does our AI run and who can reach it’ in under an hour?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

📬 Want weekly expert takes on AI & Cloud Security? [Subscribe here]

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members of this newsletter community💙

Peace!

Was this forwarded to you? You can Sign up here, to join our growing readership.

Want to sponsor the next newsletter edition? Let's make it happen

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

Check out our sister podcast AI Security Podcast