🏆 365 Days of KQL. Today marks the completion of my #365DaysOfKQL challenge! 🎉 I hit 365 KQLs in just under a year—starting this journey on August 2, 2024, and wrapping it up on July 28, 2025. It’s been an incredibly rewarding ride, sharing security operations and threat

Found some precious Sentinel Scattered Spider IOC 😂 Enjoy the hunt!. #Cybersecurity #Sentinel #ThreatIntelligence

🚨 Phishing alert: Over 115,000 emails exploited Google Classroom to target 13,500 orgs in just one week. Attackers used fake invites & WhatsApp lures to bypass filters via trusted infrastructure. KQL Check:. EmailEvents.| where Timestamp > ago(30d).|.

🐼 MURKY PANDA exploited trusted cloud relationships by breaching SaaS and cloud providers, then pivoting into downstream customer environments. In one case, they stole an Entra ID app registration secret, authenticated as a service principal, and accessed customer email systems.

🚫 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁 𝗖𝗼𝗽𝗶𝗹𝗼𝘁 𝗔𝗴𝗲𝗻𝘁 𝗔𝗰𝗰𝗲𝘀𝘀 𝗣𝗼𝗹𝗶𝗰𝘆 𝗡𝗼𝘁 𝗛𝗼𝗻𝗼𝘂𝗿𝗲𝗱. Since May 2025, a total of 107 Copilot Agents (Microsoft + External Publisher) have been made available in the Copilot Agent Inventory across all Microsoft 365 tenants. Despite

🔥Anonymous Blob Access Detection. This KQL query identifies potentially exposed Azure Blob Storage containers that have been accessed anonymously from known or suspected malicious IP addresses. It helps detect unauthorized access attempts that may indicate data leakage or

Blob Threat Hunting Just Got Interesting. Just spotted the CloudStorageAggregatedEvents table in Microsoft Defender XDR’s advanced hunting schema! 🎯 This new addition provides visibility into storage activity and related events—perfect for digging into potential blob storage

New throttling enforcement of MOERA (Microsoft Online Email Routing Address) domains aka " domain. This would mean it's harder for threat actor to abuse MOERA for phishing campaign. #Cybersecurity #onmicrosoft #enforcement

🚨 SpyVPN Alert. a Chrome extension with 100K+ installs & a “Verified” badge, was caught secretly capturing screens & sending data to its servers. I built a KQL to track screenshot activity via MDE—great for spotting suspicious

Microsoft Defender XDR will support Streaming API for DataSecurityEvents and DataSecurityBehaviors tables starting late August 2025, enabling real-time insider risk alert data delivery via event hubs. This feature is off by default and requires configuration to begin streaming

🚨 NPM supply chain attack alert: eslint-config-prettier (3.5B+ downloads, 12K deps) was hijacked via phishing. Malware injected through postinstall scripts. 🧪 My DefenderXDR analysis shows activity from Jul 18–Aug 4. Defender began blocking the

X@Print3M_ 𝗪𝗲𝗮𝗽𝗼𝗻𝗶𝘇𝗲 𝗗𝗟𝗟 𝗵𝗶𝗷𝗮𝗰𝗸𝗶𝗻𝗴 𝗲𝗮𝘀𝗶𝗹𝘆. 𝗕𝗮𝗰𝗸𝗱𝗼𝗼𝗿 𝗮𝗻𝘆 𝗳𝘂𝗻𝗰𝘁𝗶𝗼𝗻 𝗶𝗻 𝗮𝗻𝘆 𝗗𝗟𝗟. KQL Detection 🫡. DeviceFileEvents.| where ActionType == "FileCreated".| where FileName endswith ".dll".| invoke

𝗛𝘂𝗻𝘁𝗶𝗻𝗴 𝗘𝘅𝗽𝗼𝘀𝗲𝗱 𝗠𝗖𝗣 𝗦𝗲𝗿𝘃𝗲𝗿 🤖. 🚨 Trend Micro found 492 MCP servers exposed online—no auth, no encryption. These act as backdoors to sensitive data like cloud resources, customer info & internal tools. 🔓 90% allow direct read access via natural

A week ago CISA issued an advisory on post-authentication vulnerability (CVE-2025-53786) in Microsoft Exchange hybrid-joined configurations that allows an attacker to move laterally from on-premises Exchange to the M365 cloud environment. This vulnerability poses grave risk to

🚨 New Trustwave report exposes EncryptHub’s latest campaign: social engineering + Brave Support abuse + CVE-2025-26633 (MSC EvilTwin) exploitation. Attackers impersonate IT via Teams, drop dual .msc files, and hijack MMC execution paths. 🛡️ I’ve written

NFS Exposed: The Silent Attack Vector by @akaclandestine. 🚨 Over 1.5M servers globally have exposed NFS services on port 2049. 🔍 ZoomEye’s deep dive into 3,369 samples found 37% vulnerable—many running insecure NFSv3. 🎯 Attack vectors include data exfiltration (92%),

𝗭𝗲𝗿𝗼 𝗖𝗹𝗶𝗰𝗸, 𝗢𝗻𝗲 𝗡𝗧𝗟𝗠: 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗣𝗮𝘁𝗰𝗵 𝗕𝘆𝗽𝗮𝘀𝘀. A newly discovered zero-click vulnerability, CVE-2025-50154, bypasses a Microsoft patch, allowing attackers to steal NTLM hashes without user interaction. Microsoft has issued patch

CISA added CVE-2025-8088 to KEV catalog.

🧵 Red teams are shifting to stealthier AD enumeration via Active Directory Web Services (ADWS) over port 9389. Tools like SOAPHound, SoaPy & ShadowHound wrap LDAP queries in SOAP, bypassing traditional detections. A KQL to detect this type of AD

🛡️ Win-DDoS DefenderXDR Detection. The Win-DDoS attack technique was uncovered by SafeBreach researchers Or Yair and Shahak Morag, and presented at DEF CON 33. Their research highlights a novel method of abusing domain controllers (DCs) to amplify Distributed Denial-of-Service

🔍OSINT trends in abuse of legitimate tunneling services. - Legitimate tunneling services as a core C2 obfuscation layer.- Tunnels appear earlier in the attack chain.- Tunneling is embedded in LOLBin-driven infection chains. KQL threat hunting DNS query events that may involve