Sean Metcalf

22.7K posts

@PyroTek3

Identity Security Architect @ TrustedSec. Microsoft Certified Master #ActiveDirectory & former Microsoft MVP. Co-Host @ Enterprise Security Weekly. He/Him. #BLM

4°08'15.0N 162°03'42.0E Joined August 2014
662 Following 36.8K Followers
Pinned Tweet
Sean Metcalf @PyroTek3
To my black family, friends, and people seeing this:
I love you
You matter
I'm here for you
#BlackLivesMatter
Sean Metcalf retweeted
Justin Elze @HackingLZ
Spam emails generated by programs already exceed human written emails
R A W S A L E R T S @rawsalerts

🚨#BREAKING: According to Tech Sciencest they report that AI bot traffic is projected to surpass human internet traffic by 2027

Sean Metcalf retweeted
Murray @MyNameIsMurray
So, Copilot Agents in EDU. Let's figure this out. My first recommendation, until you're sure you are ready, is to go to M365 Admin Center > Agents > Settings > User Access > Specific users or groups > Add a control group with your test users to deny general access.
Sean Metcalf retweeted
Steven Lim @0x534c
Microsoft Defender Threat Intelligence: .SVG Payload Spike
The latest Threat Analytics Report highlights a sharp rise in phishing campaigns leveraging .SVG files as payloads. In February, SVGs were the most common format used to deliver CAPTCHA‑gated phishing pages, accounting for 38% of all attacks. By raw volume, these campaigns surged by 50% month‑over‑month, driven by three major activity spikes. Between February 23–25, one large, sustained campaign alone delivered over 1.2 million messages targeting users across 53,000 organizations in 23 countries.
Even now, fresh waves of phishing emails with SVG payloads—often using rotating naming conventions—continue to surface (Some have bypassed MDO).
To help defenders quickly assess exposure, I’ve prepared a hunting query that can be run against tenant data to identify potential impact from this campaign.
KQL Code: github.com/SlimKQL/Detect…
#Cybersecurity #SVGPayloadCampaign #Phishing #DefenderXDR
Sean Metcalf retweeted
TrustedSec @TrustedSec
One of our own is taking the stage at @OneRSAC! Next Thursday, don't miss Identity Security Architect @PyroTek3's talk, "Entra the Dragon—Entra ID Attack & Defense". Be sure to reserve your seat if you're attending! hubs.la/Q047BdRS0
Sean Metcalf retweeted
RussianPanda 🐼 🇺🇦 @RussianPanda9xx
Tax season is open 🎯
New blog just dropped on a malvertising campaign targeting W-2/W-9 searches since January 2026
Google Ad -> dual-layer cloaking -> rogue ScreenConnect -> FatMalloc crypter (2GB alloc to choke AV emulators) -> previously undocumented Huawei audio driver killing EDR
60+ rogue SC instances across our customer base 💀
huntress.com/blog/w2-malver…
Sean Metcalf retweeted
TrustedSec @TrustedSec
Who knew a really long string could make an Entra ID login disappear from the logs entirely? In our #blog, @nyxgeek breaks down how overflowing #Azure's sign-in logging mechanism allowed access tokens to be issued without a single log entry. Read it now! hubs.la/Q047xTVc0
Sean Metcalf retweeted
BSidesCharm @BSidesCharm
Remember, a ticket to #BSidesCharm 2026 gets you access to our awesome Hiring Village on Sat 4/25, where you can get career help & talk with companies looking to hire! Details at bsidescharm.org/hiringvillage/
Sean Metcalf retweeted
Merill Fernando @merill
Richard M. Hicks shared some awesome tips to migrate from legacy VPN to Entra Private Access in the latest Entra.Chat episode. Watch the full episode youtu.be/sFAlJxCfZzU Or search for Entra Chat on your favorite podcast player.
Sean Metcalf retweeted
ALI TAJRAN @alitajran
Microsoft introduces Backup and Recovery for Microsoft Entra ID!
Entra Backup and Recovery solution enables you to quickly recover from malicious attacks or accidental changes by reverting your core tenant objects to any previous state within the last 5 days. With automated backups and granular recovery capabilities, it ensures minimal downtime and supports your business continuity in the face of unexpected disruptions.
Entra automatically generates one backup per day, retaining the last 5 days of backup history.
You can recover key properties of the following core tenant objects:
- Users
- Groups
- Applications
- Conditional access policies
- Service principals
- Organization
- Authentication methods
- Authorization policy
- Named locations
#EntraID #Microsoft365 #Microsoft
Sean Metcalf retweeted
Dave Kennedy @HackingDave
👀👽👾🛸
Skywatch Signal @UAPWatchers

🚨Well this is interesting... Aliens.Gov
Name: aliens.gov
Registry Domain ID: DF133F918-GOV
Domain Status: serverTransferProhibited
Nameservers: …cloudflare.com, wally.ns.cloudflare.com
Dates
Registry Expiration: 2027-03-17 18:55:49 UTC
Updated: 2026-03-17 18:56:12 UTC
Created: 2026-03-17 18:55:49 UTC
Check it out on Icann lookup.icann.org/en
#ufotwitter #uapX #aliens
Thanks to: reddit.com/user/thelazt1/

Sean Metcalf retweeted
Saturday Night Live
happy st. patrick's day! ☘️
Sean Metcalf retweeted
Sam Erde @SamErde
The Microsoft.Graph PowerShell module has been updated to v2.36.0 and it includes some interesting updates for WAM and new sovereign cloud environments. Read my observations from the GitHub release notes here. day3bits.com/2026-03-18-new…
Sean Metcalf retweeted
Matt Johansen @mattjay
Meta is joining the war against encryption - and funding the war for age verification.
Sean Metcalf retweeted
Joey Swoll @TheJoeySwoll
People don't realize how much strength it takes for you to pull your own self out of a dark place mentally. If you've done that, I'm proud of you.
Sean Metcalf retweeted
Sam Erde @SamErde
#PowerShell 7.6 is released! Note: It's only available via GitHub or as a .NET tool installation for now. Keep an eye on WinGet and the Microsoft Store 💫 github.com/PowerShell/Pow…
Sean Metcalf retweeted
Horizon Secured @horizon_secured
🔒 Secure Bits 💡 Microsoft is changing MX records in Exchange Online (July 2026) — and it unlocks stronger email security.
A change coming to Exchange Online in 📆 July 2026 will modify how new accepted domains receive their MX records. Instead of the traditional *.mail.protection.outlook.com, Microsoft will start provisioning MX records under *.mx.microsoft.
At first glance this looks like a simple DNS change. In reality, it’s a foundational step toward proper DNSSEC trust chains and broader SMTP DANE adoption in Microsoft 365.
🤔 Why this matters
This change is primarily about security architecture, not routing. The legacy MX namespace has historically made it difficult to establish a clean DNSSEC trust chain into Microsoft’s mail infrastructure. With the new namespace, Microsoft can better support SMTP DANE validation and authenticated TLS between mail servers.
In practice this enables:
- MX endpoints aligned with DNSSEC-enabled infrastructure
- Improved support for TLSA records used by SMTP DANE
- Stronger validation of server identity during SMTP TLS negotiation
🛠️ What does it do
Most email on the internet still relies on opportunistic TLS, which encrypts traffic but does not strongly authenticate the destination server. This leaves a gap where DNS manipulation or certificate attacks could theoretically downgrade or intercept mail delivery.
Technologies like DNSSEC and SMTP DANE help close that gap by:
- cryptographically validating DNS responses
- publishing TLS expectations via DNS
- ensuring mail servers connect only to verified infrastructure
DNSSEC protects DNS responses from spoofing, while SMTP DANE uses DNSSEC-protected TLSA records to authenticate the receiving server and prevent downgrade or man-in-the-middle attacks. The new mx.microsoft namespace makes it easier for Microsoft to build a complete DNSSEC trust chain into Exchange Online, strengthening end-to-end mail transport security.
🛠️ What admins should do
Most tenants don’t need to take immediate action, but this is a good opportunity to review and strengthen email transport security.
🛡️ Recommended checks
- Ensure your public DNS zone is DNSSEC-signed.
- Confirm that any automated tooling or onboarding scripts do not assume the legacy MX hostname format.
- Use DNSSEC and mail connectivity testing tools.
⚠️ Important
Existing domains are not expected to break, but environments relying on hard-coded MX validation or automation should verify compatibility.
Author of the post: Martin Strnad
#Microsoft365 #EmailSecurity #ExchangeOnline #CloudSecurity #SecureBits
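An added example (not from the post above or from Microsoft) of MX validation for onboarding scripts: it accepts both namespaces the post names and matches on DNS label boundaries, so a hard-coded legacy check is replaced without also accepting lookalike names. The function names and sample hostnames are constructed for illustration; the post does not give the label structure under mx.microsoft, so any labels in front of the suffix are accepted.

```python
import re

# Namespaces as named in the post: legacy and new Exchange Online MX suffixes.
LEGACY_SUFFIX = "mail.protection.outlook.com"
NEW_SUFFIX = "mx.microsoft"

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize(host):
    """Lower-case and strip the root dot; return None for an invalid name."""
    host = host.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    if not host or len(host) > 253:
        return None
    if not all(_LABEL.fullmatch(label) for label in host.split(".")):
        return None
    return host


def classify_mx(host):
    """Return 'legacy', 'new' or 'other' for one MX exchange hostname."""
    name = normalize(host)
    if name is None:
        return "other"
    for kind, suffix in (("legacy", LEGACY_SUFFIX), ("new", NEW_SUFFIX)):
        # The leading dot forces a label boundary and at least one label
        # in front of the suffix, so 'evilmx.microsoft' does not match.
        if name.endswith("." + suffix):
            return kind
    return "other"


def audit_mx(records):
    """Summarize a domain's MX set given (preference, exchange) tuples."""
    kinds = [classify_mx(exchange) for _, exchange in sorted(records)]
    return {
        # True only when every MX target sits in a known namespace.
        "exchange_online": bool(kinds) and all(k != "other" for k in kinds),
        "namespaces": sorted(set(kinds)),
        # A script that only knows the legacy suffix would reject this domain.
        "legacy_only_check_would_fail": "new" in kinds,
    }
```

Feed `audit_mx` the MX answers your resolver returns; DNSSEC validation of those answers is a separate check this block does not perform.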
Sean Metcalf retweeted
TrustedSec @TrustedSec
Here's your #Discord Livestream reminder ⏰ Bring all your #IR questions for our AMA with Incident Response Practice Lead @n0psled and connect with our Discord community. See you tomorrow at 11:00AM—find out how: hubs.la/Q047pLMS0