How to set up Microsoft Authenticator, Windows Hello, or FIDO2 keys in Azure AD admin center. Get more advice and options for your Zero Trust security model here on our Essentials Series. youtu.be/fQZQznIKcGM #IDMGMT

I just read a great blog about hunting in Okta events, so I implemented some of the ideas as Advanced Hunting queries. You can find the queries here: github.com/doredry/Huntin…

NTLM relay is dead and living in AAD. An interesting Black Hat talk by Mor Rubin i.blackhat.com/USA-22/Wednesd… CC: Steve Syfuhs 🥝🏳️‍🌈 Benjamin Delpy #BHUSA2022

Is your Azure subscription being compromised or hijacked? 👀 Check out the new blog I published about how we can hunt for compromised / hijacked Azure subscriptions using M365D & MDCA: techcommunity.microsoft.com/t5/microsoft-3…

Skeleton key attack ported to AD FS. An excellent blog post

Having ARM logs next to the rest of the Cloud Apps Logs is a great way to avoid Subscription Hijacking! How to enable connector: learn.microsoft.com/en-us/defender… The threat: techcommunity.microsoft.com/t5/microsoft-3… #MCAS #M365D #MicrosoftDefenderforCloudAppS

Just published a new blog post 👀 - this time, we joined forces to uncover notorious actor's infrastructure and TTPs. Worth to mention some of them, and learn how the risk can be mitigated 👇🧵 microsoft.com/security/blog/… 1/n

Heather Lake Trail: 740 meter above PNW shoreline

Dr. Nestori Syynimaa Matt Zorich Jan Bakker Jos Lieben rootsecdev In M365D there is detection for risky admins which elevate their access. But ideally, every elevate access operation should be monitored and evaluated by the security team

“It is in the #desert where the creativity and pioneering vigor shall be tested” - DBG

Moving from on-premises to the cloud for further destructive impact is always fascinating. The blog sheds light on this lateral move.

Just learned that Microsoft decided to add a new log source last month while I was suffering flu: 🔥#MicrosoftGraphActivityLogs 🔥 This is easily the most important security feature for years!! Hoping to get this in Preview/Production soon so we can catch those baddies faster

Detecting and Responding to Compromises in Azure AD through AAD Connect #DFIR logpoint.com/en/blog/compro…

If tools are mimikatz or mimikatz-like they’ll stay out of the environment.

Threat actors are misusing OAuth applications commonly used for automating business processes in their financially motivated attacks. Microsoft shares analysis of real-world cases, mitigation steps, detection coverage, and hunting guidance: msft.it/6011ipsUU

Just in time for the holidays: A list of checks to prevent cyber-attacks motivated by financial gain. A comprehensive analysis of real-world cases, effective mitigation steps, thorough detection coverage, and practical hunting guidance.