Some big personal news: last year I decided to start my own company. Today I'm making it official and announcing Outsider Security (@OutsiderSec). My focus will be on Azure AD and Active Directory security, converting my research experience into in-depth tests and advice.

RT @TEMP43487580: I just started a new blog, and this is my first post. I took a bit of PTO, so this is a little record of some fun I had p….

If you didn't find my Black Hat / Def Con slides yet, they are available on . Also includes the demo videos where I use actor tokens from on-prem to access SharePoint online and get Global Admin.

RT @RedTeamPT: 👀Turns out MS-EVEN can do a lot more than NULL auth:. In addition to leaking environment variables, it is possible to coerce….

This is awesome research and worth a watch!.

RT @NathanMcNulty: Le sigh. This isn't bypassing FIDO auth (it's called passkeys now btw). It's just asking the user to use a weaker met….

Digging through the API definition, it seems the new recommend Microsoft default is just allowing all permissions except file related ones (SharePoint/OneDrive), which is a significantly more risky setting than the middle one which was previously the recommended option. 🤦‍♂️.

While I'm a big fan of secure defaults, imo this new user consent setting is badly executed. There are no docs about what "current guidelines" means. Worse: the new default is now the "recommended" setting, while it's actually LESS secure than the prev recommended middle setting.

More BroCi resources! Great write-up on a few cases where Nested App Authentication is useful 😀.

RT @SpecterOps: PDQ SmartDeploy versions prior to 3.0.2046 used static, hardcoded encryption keys for cred storage. Low-privileged users co….

RT @Wietze: A special shoutout to the many 🇪🇺European cyber researchers presenting their work at #DEFCON, you were awesome. 🇳🇱@_dirkjan @J….

RT @PyroTek3: I am back to posting to in my free time (which I have again). I plan on adding new content relating….

RT @AmberWolfSec: You can read about our overall research project at and learn about a SAML Authentication bypass i….

Dropped some ROADtools stickers at the @cloudvillage_dc CTF room 👀.

RT @olafhartong: Soooo close. Great stuff

RT @olafhartong: Packed room for ⁦@_dirkjan⁩ speaking at ⁦@defcon awesome talk as usual.

At the @msftsecresponse party with @secbughunter (and many others). Collecting all the clippy pins!

If you missed the talk, I will give it at Def Con tomorrow, 13:00 in track 3.

Good article from Bleeping Computer about the Exchange hybrid tradecraft I dropped at Black Hat yesterday, with some of my comments on the techniques:

I'm hyped for this one! Hacking cluster accounts with @unsigned_sh0rt

RT @CISACyber: ⚠️MS Exchange server hybrid deployment elevation of privilege vulnerability CVE-2025-53786 could allow a threat actor with a….