Mauricio Velazco (@mvelazco)'s Twitter Profile
Mauricio Velazco

@mvelazco

Security Research @Microsoft || Purple Team || Noob

ID: 84899976

Link: https://github.com/mvelazc0
24-10-2009 17:41:53

5.5K Tweets

5.5K Followers

1.1K Following

Threat Insight (@threatinsight)

With the goal of better understanding cloud account takeover (#ATO) attacks, we developed a tool that automates the creation of malicious internal apps within a #compromised #cloud environment. Here, we detail our findings and security implications. ⤵️ brnw.ch/21wWOgL

Black Hills Information Security (@bhinfosecurity)

"Although Direct Send is not new, we have seen a recent surge in threat actors abusing it..." Read more: blackhillsinfosec.com/disabling-m365… Stop Spoofing Yourself! Disabling M365 Direct Send by: @securecake Published: 8/20/2025

RandoriSec (@randorisec)

Red Team members, have you ever wondered how to extract access tokens from Microsoft Teams? blog.randorisec.fr/ms-teams-acces…

SpecterOps (@specterops)

Credential Guard was supposed to end credential dumping. It didn't. Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm

Karl (@kfosaaen)

I have a new NetSPI blog out today that covers the Azure WireServer service. If you're not familiar with it, I'll provide a brief explainer in the thread -🧵 netspi.com/blog/technical…

Merill Fernando (@merill)

Dirk-jan found one of the most severe vulnerabilities ever discovered in Microsoft Entra ID. One that could have compromised every tenant in the cloud. In this episode, we unpack the story, the stress, and the mindset behind responsible disclosure. 🔥 We dive deep into his

HD Moore (@hdmoore)

Just like chocolate and peanut butter, runZero and BloodHound are an amazing combination. Today we are introducing runZeroHound - an open source toolkit for bringing runZero Asset Inventory data into BloodHound attack graphs: runzero.com/blog/introduci…

MSec Operations (@msecops)

Tools such as PsExec.py from Impacket are usually flagged for lateral movement due to the pre-built service executable that is dropped on the remote system. However, some vendors also flag Impacket based on its behaviour. With RustPack, you can easily create

Karl (@kfosaaen)

Another day, another tool update. We figured out that the Invoke-AzUADeploymentScript MicroBurst function was missed in the "SecureString" token updates, so tokens weren't being extracted. Casting has been fixed and UA-MI tokens are now extracting again! github.com/NetSPI/MicroBu…

SEKTOR7 Institute (@sektor7net)

Lateral movement across server room? Steven Flores (Steven) of SpecterOps describes a new fancy WMI class that can be used to move laterally between Windows server boxes. Also, mentions methods of extending this tactic to workstations. Post: specterops.io/blog/2025/09/1…

The Haag™ (@m_haggis)

🔥 CVE-2025-59287 | Splunk Security Content Drop 🔥 🚨 WSUS RCE goes deeper than expected! While digging into telemetry for CVE-2025-59287, we found a twist: 💥 Common chain → wsusservice.exe → cmd.exe or w3wp.exe → cmd.exe ⚙️ Alternate chain → mmc.exe → cmd.exe when an

Brian in Pittsburgh (@arekfurt)

Can't believe I missed this on Thursday. This is a great, necessary document from NSA, CISA, etc. that provides a pretty comprehensive and updated overview of hardening Exchange Server on-prem. Nicely done. nsa.gov/Portals/75/doc…

Matt Zorich (@reprise_99)

If you haven't seen it, go check out the SecOps guide for Entra. It covers the operationalization of security across users, devices, applications and more. If securing Entra is part of your job description, this should be bookmarked. learn.microsoft.com/en-us/entra/ar…

Mauricio Velazco (@mvelazco)

Excited to share my latest write-up on BadZure, a toolkit for provisioning #EntraID & #Azure attack paths so teams can research cloud abuse techniques, run purple-team exercises and validate detection capabilities. 📺 youtube.com/watch?v=NsYRqH… medium.com/@mvelazco/depl…

Bobby Cooke (@0xboku)

Venom C2 tool drop! 🐍 During a recent red team engagement we needed a simple python agent that needs no dependencies to set up persistence on some exotic boxes we landed on. Some had EDR so we didn't want anything off-the-shelf. The server, agent, and client were made

Matt Zorich (@reprise_99)

If you are curious about what kind of questions I ask when interviewing for my team, I thought I would share some examples. I usually cover everything identity, whether that is on premises Active Directory, Entra, OAuth and everything in between. In general, I try to ask

Merill Fernando (@merill)

👋 Folks, I'm super excited to announce the launch of the Microsoft Zero Trust Assessment! I've been working on this project for the past year at Microsoft with an extended team including our security researchers, product feature teams and docs Here's what it does 🧵👇
