📣 𝗔𝗻𝗻𝗼𝘂𝗻𝗰𝗲𝗺𝗲𝗻𝘁 𝗳𝗿𝗼𝗺 𝗞𝗤𝗟𝗪𝗶𝘇𝗮𝗿𝗱 To all the new followers—welcome aboard! 🚀 I’ve published 385 KQL detection codes on https://t.co/1idETEWkcC, all under my profile: 𝗞𝗤𝗟𝗪𝗶𝘇𝗮𝗿𝗱. 🔐 Use invite code Slim2025 to join the community and follow me for

🎣 TOAD attacks via Entra guest invites are on the rise. Wiz has observed active phishing attempts — here’s the KQL to surface them in your environment. https://t.co/aZyRH8nfDX #CyberSecurity #Phishing #EntraGuestInvites #KQL

🚨 Phishing Alert: TOAD Attacks via Entra Guest Invites 📬Here's a Exchange Online Transport Rule to filter those phishing invite emails. https://t.co/aZyRH8mHOp #Cybersecurity #EXO #TransportRule #PhishingEntraGuestInvites

DefenderXDR One-Click Scan for MastaStealer Campaign https://t.co/3g3LBw7qGL

🚨 𝗠𝗮𝘀𝘁𝗮𝗦𝘁𝗲𝗮𝗹𝗲𝗿 𝗔𝗹𝗲𝗿𝘁 A newly identified malware campaign is exploiting 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗟𝗡𝗞 𝘀𝗵𝗼𝗿𝘁𝗰𝘂𝘁 𝗳𝗶𝗹𝗲𝘀 for initial access. Once triggered, it executes 𝗣𝗼𝘄𝗲𝗿𝗦𝗵𝗲𝗹𝗹 𝗰𝗼𝗺𝗺𝗮𝗻𝗱𝘀 to disable security protections and establish a C2

Just watched John Hammond’s breakdown of CVE-2025-33053, where he demonstrated how a simple Windows shortcut (.lnk) could be weaponized for remote code execution. Inspired by his analysis, I revisited and rewrote my earlier detection logic—now it catches his proof-of-concept too

Sentinel analysts do take note of this standardized account entity naming in incidents and alerts update. Update your KQL queries and automation logic to follow the new precedence-aware pattern by 13 Dec 2025.🫡 https://t.co/xiuwbArbgW #Cybersecurity #MicrosoftSentinel

🚀 𝗡𝗲𝘄 𝗶𝗻 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁 𝗗𝗲𝗳𝗲𝗻𝗱𝗲𝗿 𝗳𝗼𝗿 𝗢𝗳𝗳𝗶𝗰𝗲 365 Security teams can now trigger key email remediation actions—𝗦𝘂𝗯𝗺𝗶𝘁 𝘁𝗼 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁, 𝗔𝗱𝗱 𝘁𝗼 𝗮𝗹𝗹𝗼𝘄/𝗯𝗹𝗼𝗰𝗸 𝗹𝗶𝘀𝘁, and 𝗜𝗻𝗶𝘁𝗶𝗮𝘁𝗲 𝗮𝘂𝘁𝗼𝗺𝗮𝘁𝗲𝗱

Detect "Microsoft Teams - Chat with anyone with email address" Part II Added more precision in the KQL detection ... 🚨 99.9% your user click on a Teams Email Invite Chat from external domain #Cybersecurity #Phishing #TeamsChat

Detect "Microsoft Teams - Chat with anyone with email address" Suspicious Invite from external domain #Cybersecurity #Phishing #TeamsChat

🤖 Copilot User Prompt Injection Attack (UPIA) Detection Microsoft 365 Copilot includes built-in protections that automatically detect and mitigate user prompt injection attacks (UPIA). When such activity is identified, Copilot either blocks malicious prompts or disregards

🔍 KQL Audit: Defending Against Medusa & DragonForce Ransomware Prompted by Zensec’s analysis of how attackers weaponized SimpleHelp RMM running as SYSTEM, I developed KQL logic to proactively audit systems vulnerable to this abuse vector. 🛡️ The goal: strengthen detection and

Look like the new Microsoft Teams feature allowing chat with anyone via email is enabled on my tenant 🤦‍♂️ #Cybersecurity #Teams #EmailChat

Indicators (Preview) in Defender XDR Microsoft Defender XDR’s threat analytics reports now include a dynamic indicators section that lists all known indicators of compromise (IOCs) tied to a threat. This section helps security teams with remediation and proactive threat hunting

The new Microsoft Teams feature allowing chat with anyone via email—even non-Teams users—introduces several security risks, including an expanded attack surface for phishing and malware and increased potential for data leakage. To disable the feature, set the

Analysis of Beast ransomware from MDE Perspective Beast ransomware evolved from the Monster ransomware strain. They emerged as a Ransomware-as-a-Service (RaaS) in February 2025, and officially launched their Tor-based data leak site in July. As of August 2025, they have publicly

🚨 Fresh from the oven ... 🥐 Fellow MS defenders, MC1183015 just dropped a reminder to update Microsoft Sentinel analytic rules, automation, workbooks, and queries to use the new account entity naming precedence. #Cybersecurity #Sentinel #DefenderXDR

Cracking the Beast👹: Detection Logic for a Modern RaaS Threat A proactive defense and early detection for BEAST Ransomware. Launched in early 2025 as a Ransomware-as-a-Service, Beast spreads via phishing and SMB port scanning, avoids execution in CIS countries, and employs

(KQL Link Below & Invite code: KQLWizard) https://t.co/GM3AHfpB4R

I am sharing the KQL query to parse the 612 Cloudflare phishing domains by whichbuffer from EclecticIQ. You can use that check against your EmailUrlInfo (Email), CloudAppEvent(Teams) and DeviceNetworkEvents (Device) for CloudFlare related phishing activities. let

🔍 Unmasking the Quiet Killer: Detecting SilentButDeadly in Action SilentButDeadly is a stealthy red team tool that abuses Windows Filtering Platform (WFP) to silently sever EDR/AV cloud connectivity—crippling tools like SentinelOne and Defender without killing processes.