🕵️‍♀️ Looking to escalate privileges with a first-party Microsoft app? How do federated domain backdoors work? And what's an app reg, really? All this and more in our new @datadoghq Security Labs post: https://t.co/slcZAdelZE

My gift for Thanksgiving 💜 I wrote for you the blog post I always wanted to read! Happy holiday!🦃 PLEASE READ IT!!! https://t.co/Pr3P3jOh8s

Some amazing research by @CodyBurkard on Azure API Management and Managed Identity certificates. Go read this right now. I was able to replicate it in my environment and it's so nice to see one of these certs again - https://t.co/V795nz0Wnt

Had a great chat with @merill about all things Entra security! Thanks for having me on. 😁

🎙️ @_sigil has done some amazing research on Entra recently. Here's a recent post she shared about the unique relationship between App Registrations and Service Principals. Here's the full blog post on her app research titled I SPy: Escalating to Entra ID's Global Admin with a

In this post @_wald0 introduces PingOneHound, a BloodHound OpenGraph extension that allows users to visualize, audit, and remediate attack paths in their PingOne environment. The blog post also serves as an introduction to the PingOne architecture. https://t.co/BjD5DPiih1

😈 Copilot Studio agents are great for users... and attackers! Check out our deep-dive on why you should be careful to trust unknown agents, plus background on upcoming app consent changes that will help prevent our demo scenario. https://t.co/fvsL9VoJgL

One of the most insecure defaults is getting less insecure at the end of this month. Microsoft is limiting what permissions a user can consent to. This is very interesting for everyone doing #BEC investigations. Curious to see if this will impact malicious app usage. More info

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog:

💥 𝐂𝐥𝐨𝐮𝐝 𝐋𝐚𝐛𝐬 𝐢𝐬 𝐥𝐢𝐯𝐞! 🏗️ A hands-on lab environment to practice your cloud incident response skills. https://t.co/Kbjp72CmcG We're also doing a giveaway here, to enter: 1. Like this post 2. Comment why you want to have access (Winners announced Monday

😭 Old and busted: Cloud attackers making noisy List/Describe calls. 🔥 New hotness: Laundering enumeration calls through an AWS service silently. Or at least, that used to work, until @datadoghq partnered with AWS to close this gap. Read more here: https://t.co/Xl1eHohEuX

🎉 Exciting news: The Office 365 Exchange Online SP privilege escalation we documented in "I SPy" is no longer possible! We've updated the post to reflect this. Thanks to Eli Guy for the tip on this one: https://t.co/9y68Kk604i

Why should Microsoft's Nested App Authentication (NAA) should be on your security team's radar? @Icemoonhsv breaks down NAA and shows how attackers can pivot between Azure resources using brokered authentication.

Great seeing everyone at @defcon!! I'll always be in love with seeing so many hackers, villages, and talks from every corner of the world in one place.

Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications

Today, together with Jonathan Elkabas, we're releasing EntraGoat - A Deliberately Vulnerable Entra ID Environment. Your own hands-on Entra lab for identity attack simulation. Built for red teams, blue teams and identity nerds. Check it out here👉 https://t.co/5qlXQiSYHS

If anybody is interested in Azure DevOps and how attackers might go about abusing OIDC connections used in pipelines then check out my colleague’s latest blog! https://t.co/frWo1pad8y

Excited to see folks at DEFCON next week!! Ready to see some great talks and get those conference steps in. 👟

We're looking for a curious AI security researcher to join us! 👀

This is a great point! Ensuring your cloud admins aren't synced users will prevent the federated domain takeover scenario, as only synced users are vulnerable.