mbg

@mbrg0.bsky.social

Breaking AI. Building @zenitysec, lead @owaspnocode, columnist @DarkReading

844 Followers  |  6 Following  |  25 Posts  |  Joined: 14.09.2023

Latest posts by mbrg0.bsky.social on Bluesky

Attackers celebrate, defenders face palm.

join us tmrw! it's going to be .. well .. we've got something for everybody!

blackhat[.]com/us-25/briefings/schedule/index.html#ai-enterprise-compromise---0click-exploit-methods-46442

05.08.2025 19:02 — 👍 1    🔁 0    💬 0    📌 0
Agent Flayer comes for Microsoft Copilot, Copilot Studio Gemini, Agentforce, Cursor and ChatGPT

'tis the season to be pwning
#BHUSA

05.08.2025 19:01 — 👍 0    🔁 0    💬 1    📌 0

You missed one thing in your (excellent) analysis: the attacker was clever enough to pull this off (and it is amazingly done), but still wasn't able to solve for Amazon Q CLI's dogshit ergonomics.

25.07.2025 01:01 — 👍 5    🔁 1    💬 1    📌 0
a woman is drinking a cup of coffee while wearing a blue tank top.
25.07.2025 10:06 — 👍 0    🔁 0    💬 0    📌 0

this could have been much worse
bsky.app/profile/mbrg...

24.07.2025 23:31 — 👍 0    🔁 0    💬 0    📌 0
The malicious prompt in question displaying inside of a customer's Very Enterprisey(tm) endpoint security tooling during the attack window.

AWS security bulletin: aws.amazon.com/security/sec...

"This issue did not affect any production services or end-users."

Weird how customer logs show the wiper prompt executing.

Anyone else see "clean a system to a near-factory state" in your logs?

24.07.2025 02:01 — 👍 51    🔁 13    💬 3    📌 5
Initial access remains unclear

down the rabbit hole
www.mbgsec.com/posts/2025-0...

24.07.2025 13:35 — 👍 0    🔁 0    💬 1    📌 1
The malicious prompt

After several hours of GitHub dorking on the Amazon Q infection we have:
- hacker's user and intent
- downloader
- prompt payload
- evasion techniques
- timeline from july 13 thru aws mitigation and cover

big open questions: how did lkmanka58 gain initial access? is this the only user involved?

24.07.2025 13:33 — 👍 2    🔁 1    💬 1    📌 1
Why Aren't We Making Any Progress In Security From AI
Soft boundaries are created by training AI real hard not to violate control flow, and hope that it doesn't. Hackers don't care about what happens most of the time.

benchmarks go up
attackers pwning like it's the 90s
www.mbgsec.com/posts/2025-0...

19.07.2025 13:30 — 👍 0    🔁 0    💬 0    📌 0
A Copilot Studio Story 2: When AIjacking Leads to Full Data Exfiltration
Discover how prompt injections can lead to zero-click exploits threatening AI agents built using Copilot Studio. Learn about real-world risks, including data leakage and security blind spots. Bypass C...

0click chain on a copilot studio agent via email
bypass msft's defense, jailbreak 4o, recon for accessible data, dump the entire salesforce crm
one prompt
labs.zenity.io/p/a-copilot-...

18.07.2025 21:06 — 👍 1    🔁 0    💬 0    📌 0
Context Engineering for AI Agents: Lessons from Building Manus
This post shares the local optima Manus arrived at through our own "SGD". If you're building your own AI agent, we hope these principles help you converge faster.

this manus post has changed my todo for the weekend
the way in which they constrain model logits by manipulating prefixes is brilliant
manus.im/blog/Context...

18.07.2025 21:01 — 👍 0    🔁 0    💬 0    📌 0
Black Hat

here we go www.blackhat.com/us-25/briefi...

12.05.2025 23:03 — 👍 0    🔁 0    💬 0    📌 0
it's been 9 months since #BHUSA and living off microsoft copilot

ppl have been asking if things are better now

well.. they are much better. but for whom? 😈😈😈

catch the sequel at hacker summer camp featuring very disturbing shenanigans
@blackhatevents.bsky.social

12.05.2025 23:03 — 👍 0    🔁 1    💬 1    📌 0
Fully-Autonomous AI Systems Are Discovering Vulnerabilities Today
This is part 2 on OpenAI's Security Research Conference. Here is part 1.

an ai system is the top hacker at h1 us leaderboard

www.mbgsec.com/posts/2025-0...

08.05.2025 18:52 — 👍 0    🔁 0    💬 0    📌 0
The Vibe at OpenAI's Inaugural Security Research Conf
The conversation around AI is always about vibes. So let's talk about the vibes at OpenAI's inaugural Security Research Conference last week.

more ->
www.mbgsec.com/posts/2025-0...

06.05.2025 15:08 — 👍 0    🔁 0    💬 0    📌 0
openai security conf badge

incredible vibes at openai's security conf last week

I came out both humbled and excited
and with a greater conviction --

you can just do things!

06.05.2025 15:08 — 👍 0    🔁 0    💬 1    📌 0
There Is Nothing Responsible About Disclosure Of Every Successful Prompt Injection
The InfoSec community is strongest when it can collaborate openly. Few organizations can fend off sophisticated attacks alone, and even they sometimes fail. If we all had to independently discover ever...

AI vendors have been creating vuln disclosure programs asking that every bad prompt be responsibly disclosed

blocking a specific prompt does little to protect users
it creates an illusion of security that leaves users exposed
www.mbgsec.com/posts/2025-0...

01.05.2025 14:45 — 👍 0    🔁 0    💬 0    📌 0
Zenity Research Published at RSAC 2025
Copilots and agents are a new access vector; How to build an AppSec program that scales to the level of citizen development

good morning folks! thanks again to everyone who attended my talks this week

ai assistants create a new initial access vector
prompt injection is not a bug to fix, it's a problem to manage

slides, hacking demos, security program ->
labs.zenity.io/p/zenity-res...

01.05.2025 14:44 — 👍 0    🔁 0    💬 0    📌 0
AIjacking Goes Beyond Prompt Injection
Naming is powerful. An excellent name does more than frame the problem, it hints at ownership, solutions, and urgency to address it. In a very real sense, they are like equivalence proofs in mathemat...

we conflate *the problem* with the term prompt injection

the problem is that AI inherently does not follow instructions, and we act like it does

it follows our goals, an attacker's, or its own just the same
attackers exploit this
hijacking your AI for their goals

www.mbgsec.com/posts/2025-0...

29.04.2025 15:14 — 👍 0    🔁 0    💬 0    📌 0
Copilot Learning Hub
Cautionary Tales: Everything You Need to Know About Security for Copilot

tmrw (Dec 5) at 10am PT Microsoft is releasing a convo by @donasarkar.bsky.social @sarahyo.com and I where we go into using m365 copilot & copilot studio securely

this was a great attacker-defender interaction

join us! we'll be there for live questions in comments

04.12.2024 12:46 — 👍 7    🔁 1    💬 0    📌 0
Michael on stage at INTENT 2024

first time at INTENT
met lots of talented folks and the vibes were great
ty this was awesome!

20.11.2024 07:59 — 👍 6    🔁 0    💬 0    📌 0

ok we're having a sequel to living off microsoft copilot

17.11.2024 19:58 — 👍 6    🔁 0    💬 0    📌 0
Modules: Power Pages
An offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform - mbrg/power-pwn

Aaron Costello found 1.1 million NHS employee PII records exposed due to a Power Pages misconfig

new powerpwn module is out!
by avishai efrat and ofri nachfolger

scan your environment for public facing Pages and Dataverse tables

github.com/mbrg/power-p...

16.11.2024 05:55 — 👍 0    🔁 0    💬 0    📌 0

is there any popular formal definition of the 'halting problem' for AI? i.e. can we build a kill switch?

15.11.2024 11:38 — 👍 0    🔁 0    💬 0    📌 0

55k devs
90k copilots
500k apps
1.1m automations
10m creds

!

14.11.2024 19:21 — 👍 3    🔁 2    💬 0    📌 0
BlueHat 2024: S14: Scaling AppSec with an SDL for Citizen Development
YouTube video by Microsoft Security Response Center (MSRC) BlueHat 2024: S14: Scaling AppSec with an SDL for Citizen Development

Microsoft has >1.5 million low-code/no-code apps including 90K bots and AI copilots

this is how together we built a security program that managed to remediate 95% of vulns within 4m

I'm really excited to finally be able to share this -

www.youtube.com/watch?v=0jGU...

14.11.2024 18:21 — 👍 2    🔁 1    💬 0    📌 1

hello world

14.11.2024 16:44 — 👍 4    🔁 0    💬 0    📌 0