Katie Knowles (@_sigil)

1.1K posts
Senior Security Researcher @ Datadog. 🐕 Head in the (Azure) clouds. Sometimes blogging, always curious.

Toronto, Ontario · Joined September 2010
304 Following · 2.6K Followers

Pinned Tweet
Katie Knowles (@_sigil):
👀 Agents are quickly becoming part of the identity attack surface. Are you keeping an eye on them? We recently identified an issue where Copilot Studio didn't log key administrative modifications to agents. Details & detections: securitylabs.datadoghq.com/articles/copil…
Microsoft Security Response Center:
We’re excited to welcome some of the world’s top security researchers to Zero Day Quest 2026 🎉 We kicked off the onsite hacking event with bowling, followed by dinner and drinks with incredible views. It’s the start of a full week of security research, collaboration with Microsoft teams, and social events including a Kraken hockey game, a brunch cruise, and more. We’re grateful to every researcher who qualified and joined us in person, as well as those participating remotely. Their work and partnership with Microsoft help protect customers and communities around the world. #ZeroDayQuest
Daniel Bradley (@DanielatOCN):
It looks like there might be a native Microsoft Entra backup solution on the way... ourcloudnetwork.com/microsoft-entr… 👀 If you keep an eye on changes to the Graph APIs like me, you may have noticed that the "/roleManagement/directory/roleDefinitions" endpoint started returning two new roles: • Entra Backup Reader & • Entra Backup Administrator. Although speculation right now, this could indicate a native Entra Backup solution that tightly integrates with UTCM is on the way! Very exciting! #Entra #Microsoft #Backup
Katie Knowles retweeted
Nick Frichette (@Frichette_n):
Datadog Security Research continues to push the boundaries of modern cloud security—including AI security! @_sigil shares her finding on logging gaps affecting Copilot Studio, allowing adversaries to evade detection. securitylabs.datadoghq.com/articles/copil…
Olivia Gallucci ✨ (@OliviaGalluccii):
I'm happy to share that I've been promoted to Security Engineer II (SE2) at @DatadogHQ! 🐶
Katie Knowles (@_sigil):
🤔 Ever wondered what Microsoft Graph's batch requests are doing? I've released a Burp Suite extension to help untangle them here: kknowl.es/posts/untangli…
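Graph JSON batching is the mechanism the extension above targets: a single POST to /v1.0/$batch carries an array of sub-requests, and the response carries an array of sub-responses that may come back in a different order, so anything keyed on the outer URL sees one innocuous request while the body may hold several writes. The script below is an added illustration, not Katie Knowles's extension or Microsoft's code: it joins sub-requests to sub-responses by "id", flags state-changing methods, and surfaces per-item errors. The request and response bodies, GUIDs and addresses are constructed samples.

```python
"""Pair the sub-requests of a Microsoft Graph JSON batch with their responses.

Added example with constructed sample traffic; a proxy capture would supply the
real bodies. Graph may return batch responses in any order, so rows are matched
on "id", never on position.
"""
import json

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample: body of one POST to https://graph.microsoft.com/v1.0/$batch
SAMPLE_BATCH_REQUEST = json.dumps({
    "requests": [
        {"id": "1", "method": "GET", "url": "/me"},
        {"id": "2", "method": "GET",
         "url": "/users?$select=id,userPrincipalName&$top=2"},
        {"id": "3", "method": "POST",
         "url": "/servicePrincipals/00000000-0000-0000-0000-000000000003/addPassword",
         "headers": {"Content-Type": "application/json"},
         "body": {"passwordCredential": {"displayName": "added-via-batch"}}},
        {"id": "4", "method": "DELETE",
         "url": "/users/00000000-0000-0000-0000-000000000004",
         "dependsOn": ["1"]},
    ]
})

# Constructed sample response: shuffled order, one sub-request denied.
SAMPLE_BATCH_RESPONSE = json.dumps({
    "responses": [
        {"id": "3", "status": 200,
         "headers": {"Content-Type": "application/json"},
         "body": {"secretText": "<redacted>",
                  "keyId": "00000000-0000-0000-0000-00000000000a"}},
        {"id": "1", "status": 200,
         "headers": {"Content-Type": "application/json"},
         "body": {"id": "00000000-0000-0000-0000-000000000001",
                  "userPrincipalName": "alice@contoso.example"}},
        {"id": "4", "status": 403,
         "headers": {"Content-Type": "application/json"},
         "body": {"error": {"code": "Authorization_RequestDenied",
                            "message": "Insufficient privileges to complete the operation."}}},
        {"id": "2", "status": 200,
         "headers": {"Content-Type": "application/json"},
         "body": {"value": [{"id": "00000000-0000-0000-0000-000000000002",
                             "userPrincipalName": "bob@contoso.example"}]}},
    ]
})


def untangle_batch(request_body: str, response_body: str) -> list[dict]:
    """Return one row per sub-request, joined to its sub-response by id."""
    requests = json.loads(request_body).get("requests", [])
    responses = {r["id"]: r for r in json.loads(response_body).get("responses", [])}
    rows = []
    for req in requests:
        resp = responses.get(req["id"])
        body = resp.get("body") if resp else None
        error_code = None
        if isinstance(body, dict) and isinstance(body.get("error"), dict):
            error_code = body["error"].get("code")
        method = req["method"].upper()
        rows.append({
            "id": req["id"],
            "method": method,
            "url": req["url"],
            "is_write": method in WRITE_METHODS,
            "depends_on": req.get("dependsOn", []),
            "has_body": "body" in req,
            "status": resp["status"] if resp else None,  # None: no sub-response at all
            "error_code": error_code,
        })
    return rows


def write_operations(rows: list[dict]) -> list[dict]:
    """Sub-requests that change state; the ones hidden behind the outer POST."""
    return [r for r in rows if r["is_write"]]


def render(rows: list[dict]) -> str:
    """One line per sub-request, in request order, for a proxy or log view."""
    lines = []
    for r in rows:
        flag = "WRITE" if r["is_write"] else "read "
        status = r["status"] if r["status"] is not None else "no response"
        extra = f" error={r['error_code']}" if r["error_code"] else ""
        deps = f" dependsOn={','.join(r['depends_on'])}" if r["depends_on"] else ""
        lines.append(f"[{r['id']}] {flag} {r['method']:<6} {r['url']} -> {status}{extra}{deps}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(untangle_batch(SAMPLE_BATCH_REQUEST, SAMPLE_BATCH_RESPONSE)))
```

The join on "id" rather than array position is the part that matters: a batch with a denied DELETE and a successful addPassword looks like one 200 OK from the outside, and only the per-item status and error code tell you which of the bundled operations actually happened.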
Katie Knowles (@_sigil):
@stokfredrik Your energy and positivity are an inspiration to me!! The algorithm can get bent on rage, & I'm sorry to hear some of that negativity got aimed at you. :( Excited to see what you create whenever you're ready again, but zero rush.
STÖK ✌️ (@stokfredrik):
Comments are back on. A few years ago I wasn't feeling too good about the comments on my videos, I wasn't feeling good at all tbh. Some comments became harsh and personal for no reason other than trolling, or being asshats. So I turned them off, all of 'em. It sucked, since I used to love spending time in the comments, but I wasn't media trained and I created YouTube videos for the fun of it. I loved bounties, I was learning about web hacking and everything related to it, and figured I'd share that excitement. And I'm a pretty stoner-looking ADHD energetic kinda guy. Of course that didn't run well on all people, but the comments that were personal did still hurt. I wasn't ready for it, and with a nice dash of RSD I eventually got so worried about comments and what people thought about my stuff that I eventually stopped creating content. That's what felt most logical and safe for me at the time. I realize now that I kinda robbed my community of their voice by turning off the comments. The video is yours after all, I just created it, but the experience of watching it is yours, and you should have the right to comment what you feel on it. So comments are back on (YouTube). Be nice to each other, and who knows, maybe I'll light a spark and help me start feeling like creating stuff again. I got so much to share and talk about, m.youtube.com/stokfredrik
Katie Knowles retweeted
sapir federovsky (@sapirxfed):
@shahardorf & I found a phishing campaign abusing OAuth applications in Entra in more than 50 organizations! And I promise you that in this blog we explain how you can do it too! And provide all the IOCs 🤭 It's one of these blogs I would enjoy reading! wiz.io/blog/detecting…
Katie Knowles (@_sigil):
✨ Thrilled to have received Microsoft's MVP award!! I look up to so many in the MVP program, and am excited to continue my contributions to Entra & Azure security. mvp.microsoft.com/en-US/mvp/prof…
Katie Knowles retweeted
Merill Fernando (@merill):
"Your 13-year-old could set up a phishing kit in 20 minutes." That's what @ericonidentity told me about EvilGinx and modern adversary-in-the-middle attacks. Eric is the Chief Identity Architect at Semperis and a Microsoft MVP who just led something remarkable: taking a 600-person company from scattered MFA to 100% phishing-resistant authentication in just three months. I had to get him on Entra.Chat to share how they did it.

THE PASSKEY PLAYBOOK
The technical part wasn't what kept Eric up at night. Conditional Access policies? Straightforward. Hello for Business, Platform SSO, and passkeys as the only allowed methods? Done. What made this rollout succeed was the people strategy: They built a self-enrollment system using Power Platform. Employees could opt in early and become internal champions. By the time they flipped the switch for everyone, half the company was already converted. Leadership went first. When the C-suite was using passkeys, middle management resistance evaporated overnight. They ran office hours. Not webinars, not documentation dumps. Actual humans answering actual questions in real time.

THE UGLY PARTS
Not everything worked smoothly. Azure VPN client doesn't support passkeys. Some legacy apps were still using old Internet Explorer DLLs. A handful of Android 13 users couldn't use device-bound passkeys at all. Their solution? Surgical CA policy exceptions for about 5 apps, tracked in a dashboard, with vendors being "encouraged" to fix their implementations. For the Android holdouts, synced passkeys came to the rescue. Are they as secure as device-bound? No. Are they still infinitely better than passwords and push notifications? Absolutely.

THE ATTACKS THAT STILL WORK
Here's the part that should concern everyone: Even with passkeys deployed, downgrade attacks are a real threat. The only defense? 100% phishing-resistant conditional access policies with no fallback methods.

nOAuth AND THE DEVELOPER PROBLEM
Eric's security research goes deeper. He walked me through nOAuth, a vulnerability pattern where applications use email claims instead of the subject identifier to identify users. The problem? Email addresses in Entra ID aren't immutable. An attacker can set their email to match a victim's, and vulnerable apps will grant them full access to that account's data. Microsoft has guidance to fix this, but developers keep building apps the wrong way. And there's no easy way for admins to detect which apps in their tenant are vulnerable.

BOTTOM LINE
Passkey rollouts are 80% organizational change management, 20% technical implementation. Your help desk needs training. Your documentation needs to be bulletproof. And you need executive air cover from day one. The full conversation covers way more: consent phishing, clickfix attacks, reply URL hijacking, and why the Zero Trust Assessment tool takes 24+ hours on large tenants. Listen here: entra.chat #Passkeys #ZeroTrust #CyberSecurity #Infosec
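The nOAuth pattern described in the post above comes down to one line in the app: which token claim becomes the key for the local account. The following is an added illustration, not code from the podcast, from Semperis, or from Microsoft's guidance. It puts the vulnerable lookup (keyed on the email claim) beside a hardened one (keyed on tenant id plus object id) and runs both against two constructed claim sets: a victim in their own tenant, and an attacker-created user in a separate tenant whose email attribute was set to the victim's address. Signature, issuer and audience validation of the token is assumed to have already happened; the GUIDs, addresses and claim values are made up. The xms_edov ("email domain owner verified") claim used in trusted_email is an optional claim that must be configured on the app registration, so its absence is treated as "unverified".

```python
"""nOAuth in miniature: mapping a validated Entra ID token to a local account.

Added example. The two claim sets below are constructed stand-ins for the
payloads an app sees after signature/issuer/audience checks (assumed done).
"""

VICTIM_CLAIMS = {
    "tid": "11111111-1111-1111-1111-111111111111",  # victim's tenant (constructed)
    "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",  # victim's object id (constructed)
    "sub": "victim-pairwise-subject",
    "email": "victim@contoso.example",
    "preferred_username": "victim@contoso.example",
}

ATTACKER_CLAIMS = {
    "tid": "22222222-2222-2222-2222-222222222222",  # attacker-controlled tenant
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",  # a user the attacker created there
    "sub": "attacker-pairwise-subject",
    "email": "victim@contoso.example",              # attacker-chosen; not verified by Entra
    "preferred_username": "attacker@evil.example",
}


def _get_or_create(store: dict, key, label: str) -> dict:
    """Return the account record for key, provisioning it on first sign-in."""
    return store.setdefault(key, {"first_seen_as": label, "data": []})


def vulnerable_login(store: dict, claims: dict) -> dict:
    """The nOAuth pattern: the email claim is treated as the user's identity."""
    key = claims["email"].lower()
    return _get_or_create(store, key, claims.get("preferred_username", ""))


def hardened_login(store: dict, claims: dict) -> dict:
    """Identify the user by (tid, oid); a foreign tenant cannot forge the victim's pair."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        raise ValueError("token carries no tid/oid; refusing to map it to an account")
    return _get_or_create(store, (tid, oid), claims.get("preferred_username", ""))


def trusted_email(claims: dict):
    """Email is display data, not identity. Return it only when the optional
    xms_edov claim asserts the domain is verified; otherwise None."""
    if claims.get("xms_edov") is True:
        return claims.get("email")
    return None


if __name__ == "__main__":
    weak, strong = {}, {}
    v = vulnerable_login(weak, VICTIM_CLAIMS)
    a = vulnerable_login(weak, ATTACKER_CLAIMS)
    print("vulnerable: attacker lands in victim's account:", a is v)
    v = hardened_login(strong, VICTIM_CLAIMS)
    a = hardened_login(strong, ATTACKER_CLAIMS)
    print("hardened:   attacker lands in victim's account:", a is v)
```

The hardened version also refuses tokens that lack tid or oid rather than falling back to email, since a silent fallback would reintroduce the same hole for whichever token type omits those claims.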
Katie Knowles (@_sigil):
🤖 Use Copilot Studio? Capturing Copilot interaction logs can be more complex than you'd think! I'm sharing notes from my own experience configuring Copilot Studio's interaction logs below: kknowl.es/posts/wheres-m…
Katie Knowles retweeted
sapir federovsky (@sapirxfed):
My gift for Thanksgiving 💜 I wrote for you the blog post I always wanted to read! Happy holiday!🦃 PLEASE READ IT!!! wiz.io/blog/recent-oa…
Katie Knowles retweeted
Karl (@kfosaaen):
Some amazing research by @CodyBurkard on Azure API Management and Managed Identity certificates. Go read this right now. I was able to replicate it in my environment and it's so nice to see one of these certs again - dazesecurity.io/blog/apimMIVuln
Katie Knowles (@_sigil):
@NathanMcNulty Changing the narrative can take a lot of time, for all the fun that it is. D: Will be curious to see once you're able to get to it!
Nathan McNulty (@NathanMcNulty):
@_sigil Hahaha, absolutely. I have one I'm sitting on that is "by design" but according to the docs (and logic...) should not be. It needs a redesign, but I need time to make a better justification for them :p
Nathan McNulty (@NathanMcNulty):
Security is hard because there's intended behavior, documented behavior, and actual behavior, all of which can be different. This is why I love @_sigil and other researchers who uncover actual behavior, which is sometimes unintended but with severe consequences. Give a listen 👇

Quoted tweet, Merill Fernando (@merill):
Katie Knowles joined us on Entra.Chat last week to share some of her latest research findings and tips for Entra admins to secure their tenants. Check it out at entra.chat
Merill Fernando (@merill):
🎙️ @_sigil has done some amazing research on Entra recently. Here's a recent post she shared about the unique relationship between App Registrations and Service Principals. Here's the full blog post on her app research titled I SPy: Escalating to Entra ID's Global Admin with a first-party app securitylabs.datadoghq.com/articles/i-spy…
Katie Knowles (@_sigil):
@IAMERICAbooted Thanks for noticing!! ❤️ I'm still adjusting to not being an awkward podcast guest. 😆