Hacking the Cloud (@hackingthcloud)'s Twitter Profile
Hacking the Cloud

@hackingthcloud

The official Twitter account for Hacking the Cloud, the open-source encyclopedia of offensive security techniques in the cloud. Created by @frichette_n

ID: 1754918175991267328

https://hackingthe.cloud/ · 06-02-2024 17:21:54

89 Tweets

210 Followers

1 Following

Hacking the Cloud (@hackingthcloud)

🚨 New on Hacking the Cloud: Discover how misconfigured tagBindings.create permissions in GCP can lead to privilege escalation. Learn how attackers can exploit tags to gain elevated access. Stay informed and secure your cloud infrastructure. Read more: hackingthe.cloud/gcp/exploitati…

Nick Frichette (@frichette_n)

New on Hacking the Cloud! Did you know that IAM roles can’t be recreated? Even if their ARNs are identical? This can cause a major problem if you delete an IAM role used in SaaS trust relationships 😬 hackingthe.cloud/aws/general-kn…

Nick Frichette (@frichette_n)

Want to learn more about Administrative Unit attack paths in Azure? Check out Katie Knowles's talk about it from SpecterOps Con! youtube.com/watch?v=oxD7-U…

Katie Knowles (@_sigil)

👾 It's up!! Everything you ever wanted to know about Entra Administrative Unit attack paths, from my talk at SpecterOps SO-CON: youtube.com/watch?v=oxD7-U…

Nick Frichette (@frichette_n)

New on Hacking the Cloud! Tired of well-known enumeration strategies that could get you caught? Why not think outside the box? This article covers enumeration of resources using the AWS Backup service. I have related research on this topic coming soon! hackingthe.cloud/aws/enumeratio…

Sena Yakut (@sena_yakutt)

🤩 I just came across this fascinating talk by Nick Frichette at fwd:cloudsec: “Hidden Among the Cloud: A Look at Undocumented AWS APIs.” youtube.com/watch?v=f7AuDx…

Aidan W Steele (@__steele)

Why does AWS Amplify not use CodeConnections? The latter is a nice way to set up integration with GitHub once and share it across a whole org - except for Amplify 🫠 Is it due to Amplify having extra functionality, maybe?

Nick Frichette (@frichette_n)

A little over a year ago I published research on how you could leverage non-production AWS API endpoints to enumerate permissions without logging to CloudTrail. A year later...I'm still finding them. Red Teamers, these can be super useful and really up your game!

Nick Frichette (@frichette_n)

If you're looking for a sts:GetCallerIdentity replacement that doesn't log to CloudTrail, I've added a few more APIs that don't log and don't have support for additional logging with Data events. Perfect for a quiet `whoami` in the AWS control plane. hackingthe.cloud/aws/enumeratio…

Permiso Security (@permisosecurity)

If you're heading to fwd:cloudsec in a few weeks, we are teaming up with our friends at Tamnoon to host Arcade & Apps. What's better than pizza and arcade games after a long day of conferencing? Space is limited, so reserve your spot by signing up! tamnoon.io/fwd-cloudsec-n…

Nick Frichette (@frichette_n)

There is a lot wrong with what happened here, but I’ll complain about the parts in my wheelhouse. Exposing access keys via an API?! Having logs go to a bucket that could be claimed by anyone?! AHHHH We still have so far to go with cloud security. specterops.io/blog/2025/06/1…

Nick Frichette (@frichette_n)

It’s a month and a half away but I’m already super excited for fwd:cloudsec EU! If you’ll be there in Berlin, come find me for limited edition, holographic, Hacking the Cloud stickers!

Hacking the Cloud (@hackingthcloud)

Cloud attackers keep evolving. So should defenses. Enumeration through AWS Resource Explorer used to be invisible. Not anymore. Breakdown from Datadog, Inc.: securitylabs.datadoghq.com/articles/enume…

Permiso Security (@permisosecurity)

Great write up from the Cyber Security News on our latest open-source tool, #Inboxfuscation, in their newsletter today. "A new open-source tool named Inboxfuscation can create malicious inbox rules in Microsoft Exchange that are difficult for security tools to detect. Developed by

Katie Knowles (@_sigil)

😈 Copilot Studio agents are great for users... and attackers! Check out our deep-dive on why you should be careful to trust unknown agents, plus background on upcoming app consent changes that will help prevent our demo scenario. securitylabs.datadoghq.com/articles/cophi…

Scott Piper (@0xdabbad00)

I think isof used a location designator other than an airport? 🤔 ALE airport is in Alpine, TX. That's a remote place to put an AWS partition. There's no military base and barely any population. The domain for the endpoints is us-isof-south-1.csp.hci.ic.gov