Terrance DeJesus (@_xdejesus) 's Twitter Profile
Terrance DeJesus

@_xdejesus

☁️ Cloud & Identity Security | Hunting threats & safeguarding the cloud | #cybersecurity #threathunting #cloudsecurity | {opinions are my own}

ID: 2559011038

Joined 22-05-2014 15:51:46

2,2K Tweets

709 Followers

1,1K Following

Fabian Bader (@fabian_bader)

Two years ago I published a two part series on #MSGraph logs and how to use them for threat hunting. Now comes part 3 and the logs are finally available to the masses. #EntraID #KQL #Security cloudbrothers.info/en/detect-thre…

Microsoft Threat Intelligence (@msftsecintel)

PipeMagic is a sophisticated malware framework with a modular, stealthy, and highly extensible architecture, giving threat actors granular control over code execution and making detection and analysis challenging. msft.it/6017spj19 Microsoft Threat Intelligence has

Terrance DeJesus (@_xdejesus)

Kinda wild how hard it is to spot Direct Send abuse in M365 if you don’t have full headers. Audit + message trace won’t cut it; you need the original Received: line with mail[.]protection[.]outlook[.]com. Stuff (from email metadata) I saw when testing (no custom relay): SPF →
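An added example (mine, not code from the post) of pulling exactly that Received: hop out of full headers with the Python standard library: it lists every hop accepted by a tenant's mail.protection.outlook.com endpoint and applies a heuristic of my own, internal sender address plus an ingress host that is not Microsoft's, to flag a Direct Send candidate. The hostnames, IPs and tenant domain are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample (placeholder hosts/IPs, not a real message): an external
# relay hands a message claiming an internal sender straight to the tenant's
# EOP endpoint, the hop the post says you need the full headers to see.
SAMPLE_HEADERS = """\
Received: from BY5PR12MB4999.namprd12.prod.outlook.com (2603:10b6:a03:1d4::9)
 by CH2PR12MB4183.namprd12.prod.outlook.com with HTTPS; Tue, 3 Jun 2025 14:02:11 +0000
Received: from mail-relay.example.net (203.0.113.45)
 by contoso-com.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server
 id 15.20.8000.1; Tue, 3 Jun 2025 14:02:09 +0000
From: finance@contoso.com
To: employee@contoso.com
Subject: Updated invoice

(body omitted)
"""

EOP_SUFFIX = "mail.protection.outlook.com"
# "from <host> (<ip or address literal>) by <host>" as the EOP stamp is written
HOP_RE = re.compile(r"from\s+(?P<host>\S+)\s+\((?P<ip>[^)]+)\)\s+by\s+(?P<by>\S+)", re.I)


def received_hops(raw_headers):
    """All Received: headers, folded continuation lines joined and whitespace normalised."""
    msg = message_from_string(raw_headers, policy=default)
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def eop_ingress_hops(raw_headers):
    """(from_host, from_ip, by_host) for every hop accepted by an EOP MX endpoint."""
    hops = []
    for line in received_hops(raw_headers):
        m = HOP_RE.search(line)
        if m and m.group("by").lower().endswith(EOP_SUFFIX):
            hops.append((m.group("host"), m.group("ip"), m.group("by")))
    return hops


def direct_send_candidate(raw_headers, tenant_domains):
    """Heuristic (mine, not from the post): the From: domain is one of the tenant's own,
    yet the message entered via the EOP endpoint from a host outside outlook.com."""
    msg = message_from_string(raw_headers, policy=default)
    sender_domain = str(msg.get("From", "")).rsplit("@", 1)[-1].strip("> ").lower()
    if sender_domain not in {d.lower() for d in tenant_domains}:
        return False
    return any(not host.lower().endswith("outlook.com")
               for host, _, _ in eop_ingress_hops(raw_headers))
```

Candidates still need review against the tenant's legitimate connectors, since sanctioned devices and relays produce the same shape of hop.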

Nick Frichette (@frichette_n)

😭 Old and busted: Cloud attackers making noisy List/Describe calls. 🔥 New hotness: Laundering enumeration calls through an AWS service silently. Or at least, that used to work, until Datadog, Inc. partnered with AWS to close this gap. Read more here: securitylabs.datadoghq.com/articles/enume…

Fabian Bader (@fabian_bader)

Token Protection in Microsoft Entra Conditional Access for Windows is now GA! 🎉

#EntraID #Token

learn.microsoft.com/en-us/entra/id…

Elli Shlomo (IR) (@ellishlomo)

Web browser cookies in Entra ID. Although not new, this remains valid in a few attack scenarios. learn.microsoft.com/en-us/entra/id…

Terrance DeJesus (@_xdejesus)

👏GMail audit logs retrievable from Reports API in Google Workspace! I've been looking forward to this for +2 years now lol May be some good hunting queries by correlating `token` and `gmail` activity. #threatdetection #google

developers.google.com/workspace/admi…

notEricaZelic (@iamericabooted)

Cloud security in a nutshell: goal is to decrease risk. In cloud it goes a bit like this: IAM - MFA all the things. If you can swing it with ops, pilot passwordless. Users will love it, I promise! Make sure everyone can't just escalate privileges when they're not admins. Make

Dirk-jan (@_dirkjan)

It seems there now is a BOF implementation of ADSyncDecrypt to dump Entra ID connect creds 👀 github.com/Paradoxis/ADSy…

Elastic Security Labs (@elasticseclabs)

#ElasticSecurityLabs is monitoring infections deploying #Akira Stealer, a Python stealer rewritten in Golang. Distribution involves packaging a malicious Electron application with the intended application in a .RAR archive.

NodeJS Electron App -> Python loader -> Akira Stealer

Elastic Security Labs (@elasticseclabs)

#ElasticSecurityLabs gets to the root cause of an Authenticode signature error, reverse-engineering an undocumented Microsoft function in the process. Learn how we solved the problem here: go.es.io/3K2vG7u

Terrance DeJesus (@_xdejesus)

VIEWSTATE deserialization bugs seem to be recurring more often in anything ASP.NET based. 🤔 Knowing it can lead to RCE for web servers, I suspect we will see or are already seeing an uptick in poking.

Florian Roth ⚡️ (@cyb3rops)

We tested one of the compromised samples.

- 0 detections on VirusTotal
- Detected by THOR with three different YARA rules

Sample:
virustotal.com/gui/file/16f6c…

Florian Roth ⚡️ (@cyb3rops)

I looked at the inserted JavaScript payload. It’s not novel or sophisticated. The obfuscation was done with a known tool – likely obfuscator.io or something similar. Used in low-effort malware for years. Typical structure: - Hex-encoded strings with a central _0x

Elastic Security Labs (@elasticseclabs)

#ElasticSecurityLabs saw phishing campaigns deploying LNK files masquerading as PDFs ([.]pdf[.]lnk) to load a Rust-based implant, using Discord C2 via the serenity crate.

Bot Token/Server ID were AES-encrypted and Base64-encoded; for our PoC, we used our own.

Dirk-jan (@_dirkjan)

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

Terrance DeJesus (@_xdejesus)

Great VSCode extensions for visualizing JSON data. I often find Azure & Entra ID logs can get deeply nested.

Extension: JSON Crack