Will Oram (@willoram)'s Twitter Profile

Cyber Incident Response Director at @PwC_UK | Tweets about cyber security, ransomware, and identity-based attacks | Opinions my own

ID: 2997149026

25-01-2015 03:08:32

427 Tweets

450 Followers

917 Following

1aN0rmus (@tekdefense)

Beware of LUCR-3! 🚨 Threat actor that overlaps with Scattered Spider, Oktapus, UNC3944, & STORM-0875, they exploit IDPs for initial access & aim to steal IP for extortion. They use victims' tools and evade detection with expertise. Permiso Security permiso.io/blog/lucr-3-sc…

Mark Simos (@marksimos)

A Zero Trust initiative is effectively working through a backlog of false assumptions of trust (trust debt). Prioritization is critical for most organizations as they have 30+ years of IT decisions made when security wasn't considered/understood/prioritized/etc.

Speaker 25 (@rodtrent)

Conditional Access – Common Microsoft 365 Security Mistakes Series campbell.scot/conditional-ac… #MicrosoftEntra #MicrosoftSecurity #Cybersecurity #Azure #AzureAD #Identity #CloudSecurity

Thomas Naunheim (@thomas_live)

I can only strongly recommend to read #Microsoft Digital Defense Report 2023. It includes also many interesting insights and statistics on identity attacks. For example, methodology and overview of "return on mitigation" scoring. (1/2) microsoft.com/en-us/security…

Nathan McNulty (@nathanmcnulty)

Looks like a good time for a thread on token theft :) Not all MFA is of the same quality, and anything using OTP (SMS, hardware/software tokens) or Push (MS Authenticator, Duo, etc.) is susceptible to AITM attacks That doesn't mean it's useless, but it's becoming less useful

Matt Zorich (@reprise_99)

If you need some help tracking down resources, links, blog posts etc to help address these issues, should you have them in environments you own or manage, I put together a list of the resources I usually share with customers during engagements - github.com/reprise99/mddr…

Florian Roth ⚡️ (@cyb3rops)

I love this brave new world where a single leaked or stolen token can significantly impact cloud service providers, their customers, and even their customers' clients #Okta #TokenBinding #DuckingTokens

Microsoft Threat Intelligence (@msftsecintel)

The financially motivated threat actor tracked by Microsoft as Octo Tempest, whose evolving campaigns leverage tradecraft not seen in typical threat models, represents a growing concern for organizations. Get TTPs and protection info: msft.it/60129Lhkw

Matt Zorich (@reprise_99)

We are often engaged with organizations that have lost complete control of their Microsoft Entra ID tenant, I wrote a comprehensive blog post on lessons learned from real world engagements to try to help reduce the risk of the same happening to you microsoft.com/en-us/security…

NCSC UK (@ncsc)

We’re delighted to announce that Richard Horne has been appointed as the NCSC’s new CEO and will take over in the autumn. Richard will join us from PwC UK, where he currently chairs the Cyber Security Practice. More details here ⬇️ ncsc.gov.uk/news/ncsc-anno…

FalconForce Official (@falconforceteam)

We are proud to finally share some great research by Arnau Ortega on a 1-click #Azure tenant takeover attack. You can read all about it in our latest blog post. It explains how we could take over any Azure tenant; just by clicking one legitimate link 😨 falconforce.nl/arbitrary-1-cl…

TrustedSec (@trustedsec)

For almost a year, invisible password spraying could be performed against any #Azure tenant due to a vulnerability in #MicrosoftGraph. In our latest blog, nyxgeek walks us through how these attacks could have been carried out. Read it now! hubs.la/Q02vpTlN0

SwiftOnSecurity (@swiftonsecurity)

The cost to run a company that has all the right cyber security tools and staff is absolutely obscene. It’s hard to describe the numbers I’ve seen. Even saying this is a gray area. But it is incredible headcount and spend. Non-keystone companies have no chance in normal paradigm.

Ru Campbell (@rucam365)

It's mind blowing that such a highly privileged role hides who is assigned it in the portal by default 🤯 Great article... now I've even more things to monitor :)

Microsoft Threat Intelligence (@msftsecintel)

Microsoft Incident Response provides a response playbook to empower defenders in tackling the challenges posed by Octo Tempest and evicting the threat actor from cloud and on-premises environments: msft.it/6016Y2DQu

John Savill (@ntfaqguy)

Credential and token theft are impacting nearly every organization. In this video I look at what we can do to try and protect against these threats. youtu.be/toytJf1rmV4 00:00 - Introduction 00:49 - Credential protection 05:46 - Authentication strengths 07:32 - Protection

Florian Roth ⚡️ (@cyb3rops)

In the past, you had to: phish a user, drop malware, escalate privileges, pivot to servers, evade EDR, dump creds, move laterally, exfiltrate quietly, clean up, leave a backdoor. Today, you just: phish a user, steal an OAuth token, access everything from anywhere. Cloud

Kris McConkey (@smoothimpact)

This is a great summary. We (and by we I mean mostly Will Oram) have been using variants of this diagram to describe the inversion of attack paths to identity-based intrusions - a major trend in our incident response cases over the past year.

Florian Roth ⚡️ (@cyb3rops)

Reading Microsoft’s new Void Blizzard report, one thing stands out (again): Everything is about credential theft, phishing, and tokens. Initial access comes from buying or stealing creds - often through low-effort phishing. All the real action happens in the cloud, not on

Merill Fernando (@merill)

👋 Folks, I'm super excited to announce the launch of the Microsoft Zero Trust Assessment! I've been working on this project for the past year at Microsoft with an extended team including our security researchers, product feature teams and docs Here's what it does 🧵👇
