
LoicM
1.2K posts

LoicM
@loicmitton
Infosec engineer. Love speaking about Identity, detection and threat hunting.
LYON, FRANCE · Joined October 2009
308 Following · 121 Followers

@Cyb3rMik3 From the documentation, scenario on the left can't be built as a custom rule.
You can't create a prefix rule that will match.

One person. Multiple accounts. One clearer identity story.
💡 In real environments, some people don’t show up as a single, neat account. There’s usually a regular user, an admin account, maybe even another one in a different domain.
Custom Account Correlation Rules (now in Preview 👓 ) in Microsoft Defender for Identity help connect those dots, which is especially useful when looking at:
➡️ Privileged account abuse
➡️ The same user spread across multiple domains
Instead of jumping between disconnected accounts, you can now get a more complete identity view and a much easier investigation flow.
🔗 More info: learn.microsoft.com/en-us/defender…
Less guessing. More context. 💪
#MicrosoftSecurity #MicrosoftDefender #DefenderforIdentity


@ANSSI_FR DMARC without reject, SPF in soft fail: don't act surprised at the next wave of fraudulent emails.
And then an IDOR on a government website, seriously?
International Cyber Digest@IntCyberDigest
🚨🇫🇷 France's ANTS portal, the government system issuing IDs, passports, and driver's licenses, has been breached. Up to 19 million French citizens may be affected. ANTS has confirmed the breach. Exposed fields include full name, email, address, date and place of birth, phone number, and identity verification data. Confirmed by the Ministry of the Interior.
LoicM reposted

🚨🇫🇷 France's ANTS portal, the government system issuing IDs, passports, and driver's licenses, has been breached.
Up to 19 million French citizens may be affected. ANTS has confirmed the breach.
Exposed fields include full name, email, address, date and place of birth, phone number, and identity verification data. Confirmed by the Ministry of the Interior.



@tr1ana @IAMERICAbooted @CynicLib @CyberDivergent Adding a permanent owner increases the attack surface. To know who is in charge, use the dedicated field.
Each owner of an app is an additional risk of app takeover.
It's even more critical on apps which have critical Graph permissions.

@IAMERICAbooted @CynicLib @CyberDivergent I didn't mean to offend you. Congratulations on being an expert in Entra. The official recommendation is that there should be at least 2 owners:
learn.microsoft.com/en-us/entra/id…

@IAMERICAbooted For me, I see the full path of the files.
I also saw a sensitivity label id returned, but I need to validate whether it's on the SharePoint files or others.

@loicmitton When I did a keyword search for the files accessed, nothing came up. It does show in XDR though. What I'm really after is the prompt.
LoicM reposted

@fabian_bader @merill do you think attestation may come to hello based containers?

Microsoft just announced official support for storing device-bound passkeys for Entra ID in the Windows Hello container. No app, no external hardware key, but built-in support. Sadly, no attestation while in preview.
mc.merill.net/message/MC1247…
#Passkey #EntraID

Identity just got a new front door ✨
Microsoft is previewing a new homepage for myaccount.microsoft.com
Users can now:
🔔 See expiring groups
⚡ Approve access requests
🔐 Set up MFA
👤 Get personalized recommendations
All in one unified portal experience.
Big improvement for identity UX.

@RafikSmati I disagree on that. We don't teach children a programming language, we teach them logic: an if, an or, a loop.
Even if an AI ends up writing the code, understanding the logic of a computer program makes sense for grasping the world we live in.

Ten years ago, people called me crazy when I said that code would soon be produced by AIs. Today, IT companies are collapsing on the stock market, IBM is threatened by Claude, and the jobs of millions of developers are under threat. And this is only the beginning.
I say it and I'll say it again: the best service we can render our children is to teach them mathematical logic, which helps them better grasp the disorder and complexity of the world. Not code, which is now nothing more than a commodity.
Rafik Smati@RafikSmati
Teaching children to code at school? Useless! Soon, code will be produced by an artificial intelligence! silicon.fr/lia-deepcoder-…
LoicM reposted

Can LNK files ever be trusted?
⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces tools to create your own LNKs and to detect spoofed ones yourself.
🐬 wietzebeukema.nl/blog/trust-me-…
LoicM reposted

👋 Check out this new Microsoft Entra blog post 👇
Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions
techcommunity.microsoft.com/t5/microsoft-e…

🤖 Clawdbot Worldwide Analysis (MDE)
Security teams are increasingly sounding the alarm over internet-facing Clawdbot AI agents exposed via unauthenticated public endpoints, potentially allowing anyone to seize control. Curious about its footprint, I ran a KQL query across Microsoft Defender for Endpoint to estimate global installations since 20 Jan 2026. The result: 177 unique detections, averaging ~25 new installs per day.
This trend deserves attention.🔍
#Cybersecurity #AIAgents #Clawdbot #ThreatHunting

LoicM reposted

This turned on in my tenant today. Any DCs using the 3.x Microsoft Defender for Identity sensors will now have all the relevant auditing detections enabled.
Be sure to enable the Unified Sensor RPC Audit on your devices: Settings / Identities / Advanced Features
learn.microsoft.com/en-us/defender… (section #configure-windows-auditing)
@NathanMcNulty @ITguySoCal

@acjuelich @NathanMcNulty Still exclude them from all CAPs.
Register a hardware key for them.
Why a hardware key? Because it relies on the same platform as passwords and has no external dependency.
learn.microsoft.com/en-us/entra/ar…

We used to exclude EBG accounts from the MFA CAPs, but now since MFA is enforced on the Service Side of most Portals, what is the recommendation to secure those? Tie them to a location? Register it with a hardware key that is locked away? @NathanMcNulty

Chrome Extensions Masquerade as AI Tools to Steal ChatGPT, DeepSeek, and Claude Conversations
A new investigation by SOCRadar has uncovered two malicious Chrome extensions—collectively downloaded more than 900,000 times—that impersonated legitimate AI sidebar tools while covertly exfiltrating sensitive user data. After installation, the extensions captured ChatGPT, DeepSeek, and Claude conversations, along with URLs and browsing activity from all open tabs. The stolen data was then transmitted to attacker‑controlled servers at 30‑minute intervals.
socradar.io/blog/chrome-ex…
Telemetry from Defender XDR FileProfile linked to the identified SHA-256 hash indicates that the extension was installed on at least 3,000 devices. VirusTotal results show that Microsoft's antivirus engine currently flags this SHA-256 as undetected, highlighting a concerning detection gap.
#Cybersecurity #ChromeRiskyExtension
