Hacking the Cloud

The location for AWS’s in-development European Sovereign Cloud (Berlin) is also a hotbed for Luddite action. Fault tolerance there will be extra spicy, especially for a single region partition. theguardian.com/world/2026/jan…

The 2025 Hacking the Cloud: Year in Review is out! We take a look at the growing tide of software supply chain attacks, discuss the most critical cloud vuln discovered to date, and share some stats for the site! hackingthe.cloud/blog/2025_wrap…

We’re off to a great start with macOS telemetry. Big thanks to @OliviaGalluccii for kicking things off and leading the initial work to bring macOS into the EDR Telemetry Project next year. She opened the first PR defining macOS telemetry categories and rationale. Now is the time to share your thoughts, as we’re actively deciding which events and telemetry make it into this first and most important iteration of macOS support! github.com/tsale/EDR-Tele…

New on @HackingthCloud, did you know that attackers can prevent you from kicking them out of your environment in certain situations? @saw_your_packet shares his research on how attackers can nullify containment attempts! hackingthe.cloud/aws/post_explo…

I think isof used a location designator other than an airport? 🤔 ALE airport is in Alpine, TX. That's a remote place to put an AWS partition. There's no military base and barely any population. The domain for the endpoints is us-isof-south-1.csp.hci.ic.gov

😈 Copilot Studio agents are great for users... and attackers! Check out our deep-dive on why you should be careful to trust unknown agents, plus background on upcoming app consent changes that will help prevent our demo scenario. securitylabs.datadoghq.com/articles/cophi…

After years of hacking on Azure it feels great to finally get 1st 🥇 Thanks @msftsecresponse ❤️

Watch the talk here: youtu.be/APwICrPsTCU?t=… #OBTS

Great write up from the @The_Cyber_News on our latest open-source tool, #Inboxfuscation, in their newsletter today. "A new open-source tool named Inboxfuscation can create malicious inbox rules in Microsoft Exchange that are difficult for security tools to detect. Developed by security firm Permiso, the tool uses Unicode-based obfuscation to hide keywords in rules, allowing attackers to maintain persistence and exfiltrate data from compromised mailboxes. This technique can substitute standard characters with visually identical Unicode variants, making the rules appear harmless while functionally matching sensitive terms. While these specific obfuscation methods have not yet been observed in active attacks, their development exposes a critical blind spot in email security postures." #google_vignette" target="_blank" rel="nofollow noopener">cybersecuritynews.com/cybersecurity-…

New on @HackingthCloud! A great post by Federico Lucini on bypassing AWS Network Firewall egress filtering! hackingthe.cloud/aws/post_explo…

Cloud attackers keep evolving. So should defenses. Enumeration through AWS Resource Explorer used to be invisible. Not anymore. Breakdown from @datadoghq: securitylabs.datadoghq.com/articles/enume…

It’s a month and a half away but I’m already super excited for @fwdcloudsec EU! If you’ll be there in Berlin, come find me for limited edition, holographic, @HackingthCloud stickers!

Safe travels to everyone coming to @fwdcloudsec! It’s the densest concentration of cloud security nerds in the world!

There is a lot wrong with what happened here, but I’ll complain about the parts in my wheel house. Exposing access keys via an API?! Having logs go to a bucket that could be claimed by anyone?! AHHHH We still have so far to go with cloud security. specterops.io/blog/2025/06/1…

If you're heading to fwd:cloudsec in a few weeks, we are teaming up with our friends at @tamnoon_io to host Arcade & Apps. What's better than pizza and arcade games after a long day of conferencing? Space is limited, so reserve your spot by signing up! tamnoon.io/fwd-cloudsec-n…

If you're looking for a sts:GetCallerIdentity replacement that doesn't log to CloudTrail, I've added a few more APIs that don't log and don't have support for additional logging with Data events. Perfect for a quiet `whoami` in the AWS control plane. hackingthe.cloud/aws/enumeratio…

Why does AWS Amplify not use CodeConnections? The latter is a nice way to set up integration with GitHub once and share it across a whole org - except for Amplify 🫠 Is it due to Amplify having extra functionality, maybe?

A little over a year ago I published research on how you could leverage non-production AWS API endpoints to enumerate permissions without logging to CloudTrail. A year later...I'm still finding them. Red Teamers, these can be super useful and really up your game!

🤩 I just came across this fascinating talk by @Frichette_n at fwd:cloudsec: “Hidden Among the Cloud: A Look at Undocumented AWS APIs.” youtube.com/watch?v=f7AuDx…