At TROOPERS Conference I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable SaaS applications. The attack is still alive and well. You can read all about it here: #Entra #M365 #infosec semperis.com/blog/noauth-ab…

One of the results of the joined research with Dirk-jan is entrascopes.com Basically the yellow pages for Microsoft first party apps. #TROOPERS25

Since several people already asked: the slides from Fabian Bader and myself for TROOPERS Conference are available! "Finding Entra ID CA bypasses-the structured way". We talked about FOCI, BroCI, CA bypasses, scopes and getting tons of tokens. Check it at dirkjanm.io/talks/

When the hotel has a free drink for your panic rehearsals. Looking forward to fwd:cloudsec! 🥂

Thanks for joining!

My talk was published mega quickly as its own video by fwd:cloudsec (thanks btw!) So feel free to check it out if you wanna learn some fun SharePoint research outcomes and learn about a “pre-signed url” equivalent method of accessing SharePoint files! youtu.be/l5lpIF_QZCE

I have a new post out on the NetSPI blog today. This one is on extracting sensitive information from the Azure Load Testing service. netspi.com/blog/technical…

Thank you for a great week, fwd:cloudsec!! So many fantastic conversations and sessions. See you next year!

☁️ My fwd:cloudsec talk, "I SPy: Rethinking Entra ID research for new paths to Global Admin", is up! Learn what a service principal is, how Microsoft's first-party apps could be backdoored, and one weird trick they haven't fixed yet: youtube.com/watch?v=oNpwtt…

This is a great point! Ensuring your cloud admins aren't synced users will prevent the federated domain takeover scenario, as only synced users are vulnerable.

We're looking for a curious AI security researcher to join us! 👀

Excited to see folks at DEFCON next week!! Ready to see some great talks and get those conference steps in. 👟

Today, together with Jonathan Elkabas, we're releasing EntraGoat - A Deliberately Vulnerable Entra ID Environment. Your own hands-on Entra lab for identity attack simulation. Built for red teams, blue teams and identity nerds. Check it out here👉github.com/semperis/entra…

If anybody is interested in Azure DevOps and how attackers might go about abusing OIDC connections used in pipelines then check out my colleague’s latest blog! labs.reversec.com/posts/2025/07/…

Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications research.eye.security/consent-and-co…

Great seeing everyone at DEF CON!! I'll always be in love with seeing so many hackers, villages, and talks from every corner of the world in one place.

Why should Microsoft's Nested App Authentication (NAA) should be on your security team's radar? Hope Walker breaks down NAA and shows how attackers can pivot between Azure resources using brokered authentication. ghst.ly/45h2Zw3

🎉 Exciting news: The Office 365 Exchange Online SP privilege escalation we documented in "I SPy" is no longer possible! We've updated the post to reflect this. Thanks to Eli Guy for the tip on this one: securitylabs.datadoghq.com/articles/i-spy…

😭 Old and busted: Cloud attackers making noisy List/Describe calls. 🔥 New hotness: Laundering enumeration calls through an AWS service silently. Or at least, that used to work, until Datadog, Inc. partnered with AWS to close this gap. Read more here: securitylabs.datadoghq.com/articles/enume…