CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing
securitylabs.datadoghq.com/articles/cop...
by @siigil.bsky.social
Copilot Studio agents are great for users... and attackers! Check out our deep-dive on why you should be careful to trust unknown agents, plus background on upcoming app consent changes that will help prevent our demo scenario.
securitylabs.datadoghq.com/articles/cop...
Old and busted: Cloud attackers making noisy List/Describe calls.
New hotness: Laundering enumeration calls through an AWS service silently.
Or at least, that used to work, until @datadoghq.com partnered with AWS to close this gap. Read more here:
securitylabs.datadoghq.com/articles/enu...
I think @dirkjanm.io may have initiated the extra pressure this one needed. Still excited about the outcome!
14.08.2025 20:37
Exciting news: The Office 365 Exchange Online SP privilege escalation we documented in "I SPy" is no longer possible! We've updated the post to reflect this. Thanks to Eli Guy for the tip on this one:
securitylabs.datadoghq.com/articles/i-s...
Check out my new blog on nested app authentication.
13.08.2025 16:43
Excited to see folks at DEFCON next week!! Ready to see some great talks and get those conference steps in.
31.07.2025 20:59
Congrats!! Sounds like a fun (& wild!) opportunity.
28.07.2025 12:55
Looking to escalate privileges with a first-party Microsoft app? How do federated domain backdoors work? And what's an app reg, really? All this and more in our new @securitylabs.datadoghq.com post:
securitylabs.datadoghq.com/articles/i-s...
Join my team! We're looking for a Senior Security Researcher specializing in Generative AI. You'll have the opportunity to be a part of one of the leading security research organizations in the industry and shape Datadog's security products! A 🧵
careers.datadoghq.com/detail/70312...
My fwd:cloudsec talk, "I SPy: Rethinking Entra ID research for new paths to Global Admin", is up! Learn what a service principal is, how Microsoft's first-party apps could be backdoored, and one weird trick they haven't fixed yet:
www.youtube.com/watch?v=oNpw...
At @wearetroopers.bsky.social I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable SaaS applications. The attack is still alive and well.
You can read all about it here:
#Entra #M365 #infosec
www.semperis.com/blog/noauth-...
Enjoy! Ignore my drooling over here. :)
25.06.2025 14:51
My RSAC virtual session is up! Catch "Persisting Unseen: Attacker Methods of Infesting Entra ID" here: youtu.be/ngSFP-tgupM?...
Companion blog: kknowl.es/posts/defend...
Excited to watch these! roadoidc was great to play with, thank you for adding it. Been eagerly waiting to hear the full story on this, EAM, and FICs.
24.06.2025 12:43
I'll be presenting "I SPy: Rethinking Entra ID research for new paths to Global Admin" at fwd:cloudsec June 30-July 1, alongside some fantastic other speakers: fwdcloudsec.org/conference/n...
If you can't make it, talks are streamed at: www.youtube.com/@fwdcloudsec
🥷 Detect & defend vs Entra ID persistence! From my RSAC Cloud Summit talk, I've shared how attackers persist through Entra ID roles, applications, and authentication... and how you can stop them: kknowl.es/posts/defend...
05.06.2025 18:54
Excited to speak at @fwdcloudsec.org in Denver on June 30 with Anthony Randazzo! We'll share lessons from a year of cloud threat hunting.
Don't miss other @securitylabs.datadoghq.com talks from @siigil.bsky.social on EntraID escalation and @sethsec.bsky.social on AMI name confusion as well!
I'll be speaking at RSA Conference's Virtual Seminar on Cloud Security on June 5, 2025! I'll be sharing a technical overview of Entra persistence techniques for all levels. You can sign up to stop by here: www.rsaconference.com/library/virt...
09.05.2025 19:25
The CFP for fwd:cloudsec Europe is now open! We're looking for practitioner-focused cloud security content, and we encourage all practitioners to submit, whatever your role or level of experience.
The CFP is open until July 11th. Read more: fwdcloudsec.org/conference/e...
It's up!! Everything you ever wanted to know about Entra Administrative Unit (AU) attack paths, from my talk at @specterops.io SO-CON
www.youtube.com/watch?v=oxD7...
In our latest blog post, @xpnsec.com breaks down how SQL Server Transparent Data Encryption works, shares new methods for brute-forcing database encryption keys, & reveals a default key used by ManageEngine's ADSelfService product backups.
Read more: ghst.ly/4iXFTyF
Had a fantastic time at @specterops.bsky.social SO-CON and Azure training! So much to learn, and so many incredible people to meet. Feeling excited to apply all this knowledge... time to head home.
06.04.2025 11:23
Excited to be at @specterops.bsky.social SO-CON this week!! If you're around, I'll be presenting "Abusing AUs, Confusing the SOC" tomorrow bright & early:
31.03.2025 14:39
Enjoy that 2m repeater net gossip! Good + weird memories. 🥹
28.03.2025 14:54
We found a bug in restricted AUs that let accounts stay restricted (forever!) without an AU, preventing containment. Glad this is fixed now! More details here: securitylabs.datadoghq.com/articles/cre...
25.03.2025 18:09
Congrats!!
11.03.2025 19:50
The Datadog Security Digest is a monthly, practitioner-focused newsletter.
Don't miss our February edition going live tomorrow!
securitylabs.datadoghq.com/newsletters/...
We discovered a pattern in the way many projects retrieve Amazon Machine Images (AMIs), allowing attackers to publish AMIs with specially crafted names and gain code execution within vulnerable accounts.
securitylabs.datadoghq.com/articles/who...
by @sethsec.bsky.social
Oof, the brokerage charge! This is the typical situation in Canada, sorry it's now yours as well. Online shopping in the US was fire without this. D:
11.02.2025 17:15