Dirk-jan

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

@rootsecdev Should be (hacky) fixed in the latest version.

So if you installed ROADtools fresh with @_dirkjan updates from today you might run into a fun mitm issue with selenium and roadtx. This is a known compatibility issue between selenium-wire (which bundles an old fork of mitmproxy) and modern pyOpenSSL. The bundled mitmproxy code calls X509.get_extension(), which was removed from pyOpenSSL in version 23.3.0+. So in short you are going to have TLS interception issues. Anyway this takes care of it if you are using ubuntu. Happy cloud hacking folks. pip install 'pyOpenSSL<23.3.0'

@sannemaasakkers and @_dirkjan on stage together at @NorthSec_io talking about threat actors using researcher knowledge in cloud attacks

@merill That's a big step! Excited for you!

Hey folks, some personal news. I’m leaving Microsoft. It’s been a privilege to work here, and I’m incredibly grateful for the people I’ve worked with, the customers I’ve learned from, and the support so many of you have shown me along the way. I’m now starting out on my own and chasing a dream I’ve had for a long time: building software that makes security more practical, accessible, and useful for the people doing the work every day. Why now? With all the change happening around us, I feel like new possibilities are opening up. I want to spend this next chapter building things I care deeply about, solving problems that matter, and doing work that brings me joy. I’m excited. Nervous. Grateful. My newsletters, podcast, Maester and other tools will all be part of this next chapter, and I’ll share more in the coming weeks. Thank you for being part of the journey so far. I’m looking forward to building this next chapter with your support.

@mthcht2 Nah it's in my backlog of changes to polish up and push to GitHub.

@_dirkjan Did you commit this arg? I’d like to test it. I think I’m already catching this behavior through request-count anomalies on a specific endpoint uri, in addition to the classic pattern of many distinct endpoints uris queried in a short time window

And now you don't 🙃

@Cyb3rMonk All are possibilities but I don't want my enumeration to take hours. If detection is such a huge concern you're better off requesting small pieces of data by hand.

@_dirkjan Maybe add a delay between each request to slow it down? But it would be difficult to evade the volume based enumeration spread over a few hours. Do we really need to have all the data or can we just expand the enumeration scope slowly starting from the first compromised user?

@olafhartong @Cyb3rMonk

@_dirkjan @Cyb3rMonk Batch?

@Cyb3rMonk Volume based detection still works 😉 but it's 1 endpoint in this mode.

@_dirkjan I just did the same 😅🤣 just 2 or 3 endpoints but I will see you 😉

@_xpn_ Congrats dude, that's huge! 😀

My talk has been accepted to Blackhat USA, hyped for this one!!!! 🎉🎉

@_xpn_ Nice write-up and thanks for the shout-outs! VS legacy was indeed removed as a foci client recently. I do have an updated list but I have a bit of a backlog of work in progress commits that I need to finalize before pushing things to GitHub.

If you came to SOCON, you may have seen the fireside chat on Ouroboros (if you weren't too busy counting my "urm"s 😝). The blog post is now live, detailing how we can use Dev-Tunnels for lateral movement, and allow pivoting from GitHub/Entra ID access. specterops.io/blog/2026/05/0…

@decoder_it The best research motivator!

@_dirkjan it was more frustration 😅

I published a new "security research" post, and for once, it’s not about Windows 😅 This time I took a look at the myAudi connected vehicle platform and its APIs..🤓 Curiosity drives security research, no matter the target Read it here 👇 decoder.cloud/2026/05/08/oh-…

@JonnyJohnson_ Congrats to you both!

Mr. and Mrs. Johnson 04.25.2026

One month to go until the next public edition of my Entra ID course in The Hague. Working on some roadrecon and roadtx updates from my backlog, and new content on agent identities! Tickets are still available via events.outsidersecurity.nl/entra-26-07/

@BertJanCyber 😅 was fun while it lasted

Today is a good day! #AADGraphActivityLogs are finally there! @_dirkjan: We finally get the opportunity to hunt you down 🛡️ Schema: learn.microsoft.com/en-us/azure/az…

🛸 👽 We have published this year's agenda with the talks for the AREA41 security conference 2026 🛸 👽 We are excited - hope you too! ➡️ Check them out at: #schedule" target="_blank" rel="nofollow noopener">a41con.ch/#schedule 📅 June 18-19. 2026, Zürich 🎫 Ticket sale May 5th @ 13:00 pretix.eu/DC4131tickets/…

More talks for the @WEareTROOPERS #TROOPERS26 AD & Entra ID Security Track accepted, featuring @kidtronnix, @LeGuideDuSecOps, @_dirkjan, @DrAzureAD, @al3x_n3ff & others linkedin.com/feed/update/ur…