Katie Knowles

@siigil.bsky.social

Security Researcher @ Datadog. 🐶 Head in the (Azure) clouds. Sometimes blogging, always curious. Aim to be, rather than to seem. Blogs at https://kknowl.es.

1,092 Followers 85 Following 35 Posts Joined Nov 2024
4 months ago
CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing | Datadog Security Labs Copilot Studio links look benign, but they can host content to redirect users to arbitrary URLs. In this post, we document a method by which a Copilot Studio agent's login settings can redirect a user...

CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing

securitylabs.datadoghq.com/articles/cop...

by @siigil.bsky.social

4 months ago

😈 Copilot Studio agents are great for users... and attackers! Check out our deep-dive on why you should be careful to trust unknown agents, plus background on upcoming app consent changes that will help prevent our demo scenario.
securitylabs.datadoghq.com/articles/cop...

6 months ago
Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer | Datadog Security Labs Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap.

Old and busted: Cloud attackers making noisy List/Describe calls.

New hotness: Laundering enumeration calls through an AWS service silently.

Or at least, that used to work, until @datadoghq.com partnered with AWS to close this gap. Read more here:
securitylabs.datadoghq.com/articles/enu...

7 months ago

I think @dirkjanm.io may have initiated the extra pressure this one needed. 😁 Still excited about the outcome!

7 months ago
I SPy: Escalating to Entra ID's Global Admin with a first-party app | Datadog Security Labs Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led...

🎉 Exciting news: The Office 365 Exchange Online SP privilege escalation we documented in "I SPy" is no longer possible! We've updated the post to reflect this. Thanks to Eli Guy for the tip on this one:
securitylabs.datadoghq.com/articles/i-s...

7 months ago

Check out my new blog on nested app authentication.

7 months ago

Excited to see folks at DEFCON next week!! Ready to see some great talks and get those conference steps in. 👟

7 months ago

Congrats!! Sounds like a fun (& wild!) opportunity.

8 months ago

🕵️‍♀️ Looking to escalate privileges with a first-party Microsoft app? How do federated domain backdoors work? And what's an app reg, really? All this and more in our new @securitylabs.datadoghq.com post:
securitylabs.datadoghq.com/articles/i-s...

8 months ago
Senior Security Researcher - GenAI | Datadog Careers We're building a platform that engineers love to use. Join us, and help usher in the future.

Join my team! We’re looking for a Senior Security Researcher specializing in Generative AI. You’ll have the opportunity to be a part of one of the leading security research organizations in the industry and shape Datadog’s security products! A 🧵
careers.datadoghq.com/detail/70312...

8 months ago
I SPy: Rethinking Entra ID research for new paths to Global Admin YouTube video by fwd:cloudsec

☁️ My fwd:cloudsec talk, "I SPy: Rethinking Entra ID research for new paths to Global Admin", is up! Learn what a service principal is, how Microsoft's first-party apps could be backdoored, and one weird trick they haven't fixed yet:
www.youtube.com/watch?v=oNpw...

8 months ago
New nOAuth Abuse Alert: Entra Cross-Tenant SaaS Apps at Risk Think nOAuth abuse is old news? We wish. Our recent testing shows that nearly 10% of apps in the Microsoft Entra Gallery remain vulnerable.

At @wearetroopers.bsky.social I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable SaaS applications. The attack is still alive and well.

You can read all about it here:

#Entra #M365 #infosec

www.semperis.com/blog/noauth-...

8 months ago

Enjoy! ☀️ Ignore my drooling over here. :)

8 months ago
Traditional Sessions: RSAC Virtual Seminar: Cloud Security YouTube video by RSA Conference

My RSAC virtual session is up! Catch "Persisting Unseen: Attacker Methods of Infesting Entra ID" here: youtu.be/ngSFP-tgupM?...

Companion blog: kknowl.es/posts/defend...

8 months ago

Excited to watch these! roadoidc was great to play with, thank you for adding it. Been eagerly waiting to hear the full story on this, EAM, and FICs. 😁

8 months ago
fwd:cloudsec 2025 Speaker Bios & Abstracts | fwd:cloudsec fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...

🕵️‍♀️ I'll be presenting "I SPy: Rethinking Entra ID research for new paths to Global Admin" at fwd:cloudsec June 30-July 1, alongside some fantastic other speakers: fwdcloudsec.org/conference/n...

If you can’t make it, talks are streamed at: www.youtube.com/@fwdcloudsec

9 months ago
Persisting Unseen: Defending against Entra ID persistence I recently presented “Persisting Unseen: Attacker Methods of Infesting Entra ID” at RSAC’s virtual Cloud Security seminar. This session introduced some methods attackers may use now or in the near fut...

🥷 Detect & defend vs Entra ID persistence! From my RSAC Cloud Summit talk, I've shared how attackers persist through Entra ID roles, applications, and authentication... and how you can stop them: kknowl.es/posts/defend...

9 months ago

Excited to speak at @fwdcloudsec.org in Denver on June 30 with Anthony Randazzo! We’ll share lessons from a year of cloud threat hunting.

Don’t miss other @securitylabs.datadoghq.com talks from @siigil.bsky.social on EntraID escalation and @sethsec.bsky.social on AMI name confusion as well!

10 months ago

🌐 I'll be speaking at RSA Conference's Virtual Seminar on Cloud Security on June 5, 2025! I'll be sharing a technical overview of Entra persistence techniques for all levels. You can sign up to stop by here: www.rsaconference.com/library/virt...

10 months ago
CFP | EU 2025 | fwd:cloudsec fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...

The CFP for fwd:cloudsec Europe is now open! We're looking for practitioner-focused cloud security content, and we encourage all practitioners to submit, whatever your role or level of experience.

The CFP is open until July 11th. Read more: fwdcloudsec.org/conference/e...

10 months ago
Abusing AUs, Confusing the SOC: Entra ID's Administrative Unit Attack Paths | SO-CON 2025 YouTube video by SpecterOps

👾 It's up!! Everything you ever wanted to know about Entra Administrative Unit (AU) attack paths, from my talk at @specterops.io SO-CON 😁
www.youtube.com/watch?v=oxD7...

11 months ago

In our latest blog post, @xpnsec.com breaks down how SQL Server Transparent Data Encryption works, shares new methods for brute-forcing database encryption keys, & reveals a default key used by ManageEngine's ADSelfService product backups.

Read more 👉 ghst.ly/4iXFTyF

11 months ago

Had a fantastic time at @specterops.bsky.social SO-CON and Azure training! So much to learn, and so many incredible people to meet. Feeling excited to apply all this knowledge... time to head home. 😁

11 months ago

Excited to be at @specterops.bsky.social SO-CON this week!! If you're around, I'll be presenting "Abusing AUs, Confusing the SOC" tomorrow bright & early:

11 months ago

Enjoy that 2m repeater net gossip! Good + weird memories. 🥹

11 months ago
Creating immutable users through a bug in Entra ID restricted administrative units | Datadog Security Labs Imagine trying to disable a malicious user in your Azure environment, only to find it can't be modified! We recently identified a timing-based bug in Entra ID's restricted administrative units (AUs) t...

🛡️ We found a bug in restricted AUs that let accounts stay restricted (forever!) without an AU, preventing containment. Glad this is fixed now! More details here: securitylabs.datadoghq.com/articles/cre...

1 year ago

Congrats!!

1 year ago

The Datadog Security Digest is a monthly, practitioner-focused newsletter.

Don't miss our February edition going live tomorrow!

securitylabs.datadoghq.com/newsletters/...

1 year ago
whoAMI: A cloud image name confusion attack | Datadog Security Labs Detailing the discovery and impact of the whoAMI cloud image name confusion attack, which could allow attackers to execute code within AWS accounts due to a vulnerable pattern in AMI retrieval.

We discovered a pattern in the way many projects retrieve Amazon Machine Images (AMIs), allowing attackers to publish AMIs with specially crafted names and gain code execution within vulnerable accounts.

securitylabs.datadoghq.com/articles/who...

by @sethsec.bsky.social

1 year ago

Oof, the brokerage charge! This is the typical situation in Canada, sorry it's now yours as well. Online shopping in the US was fire without this. D:
