RT @_dirkjan: If you want to know how to bring your own IDP in Entra, and abuse OIDC protocols for persistence, my x33fcon talk is now on Y….

RT @fabian_bader: This is big. In #XDR there is now a new table in preview:. GraphApiAuditEvents. It's the "free" version of the Microsoft….

We all love hunting technical indicators, but don’t forget about psychological indicators of an insider threat. We have to remember adversaries does not automatically mean external, they are internal too.

Excited to host a hands-on investigation lab at #DEFCON33 in the #CloudVillage!. Built from the perspective of an opportunistic adversary, this E2E AWS breach simulation leaves footprints for hunters and detection engineers to track across cloud, identity, storage, endpoint &.

RT @cloudvillage_dc: 🔥 Cloud Village Labs schedule for @defcon is live!. The Cloud Village Labs lineup is organized by genre to help you di….

RT @cyb3rops: So apparently the --host option in sudo has been broken since 2013. You could just trick it into accepting remote rules on th….

RT @_sigil: ☁️ My fwd:cloudsec talk, "I SPy: Rethinking Entra ID research for new paths to Global Admin", is up! Learn what a service princ….

RT @MsftSecIntel: Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve….

RT @elasticseclabs: New research from our #ElasticSecurityLabs team: we dive into how infostealers are leveraging a stolen Shellter evasion….

If anything this week, I highly recommend giving this #EntraID research by @fabian_bader and @_dirkjan on CA bypasses a read.

cont'd. Looks like Entra ID's Identity Protection will assign some of the logins from spraying and exfil as suspicious too. Sign-in logs will have a `risk_state` field with `atRisk` which is good for these signals and others. Or if you ingest Identity

TeamFiltration tool abuse - I've been playing around with it today. So far. if at least 10 users are selected for enum with SFA ROPC logins or spraying --> Below is rule that catches some of the enum and spraying. AADSTS50126 is one of the main error codes likely seen.

RT @DrAzureAD: Slides from my @WEareTROOPERS talk are available at

RT @Antonlovesdnb: Coming up on my 1 year anniversary with @HuntressLabs ! . Taking this opportunity to go over some things myself and the….

RT @_dirkjan: Since several people already asked: the slides from @fabian_bader and myself for @WEareTROOPERS are available! "Finding Entra….

RT @BleepinComputer: Microsoft 365 'Direct Send' abused to send phishing as internal users - @LawrenceAbrams. https….

RT @ericonidentity: At @WEareTROOPERS I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable….

RT @fabian_bader: One of the results of the joined research with @_dirkjan is . Basically the yellow pages for Micr….

Did a write-up on OAuth phishing (offense and defense). It's based on phishing campaign's reported by @Volexity earlier this year. - What are OAuth phishing links; what is the workflows behind them.- How to emulate (examples) and use ROADtools for further compromise.-.