Grégoire Clermont (@gregclermont)

439 posts

building security at https://t.co/mBie3u14lP

France. Joined April 2010
1.1K Following, 559 Followers
Jessie Frazelle (@jessfraz):
while we are at it, anyone at microsoft gov cloud entra, i submitted a bug there too, it's a bit more complex but having someone who gives a shit would be nice
Jessie Frazelle (@jessfraz):
who do i know at github security, we found a bug and i want to make sure it goes to someone who gives a shit and not just an ai bot
Grégoire Clermont retweeted Neil Renic (@NC_Renic):
By using AI for writing, you’re robbing yourself of the authentic writer’s experience of not writing
Grégoire Clermont retweeted Squiblydoo (@SquiblydooBlog):
From 2020-2024, I tracked the SolarMarker malware, and in 2024, monitored a self-infection for months to learn their actions-on-objectives: on-device fraud. I didn't publish the details of my months-long investigation until now. Check the link in the attached comment.
Grégoire Clermont retweeted Squiblydoo (@SquiblydooBlog):
CertCentral is now TheCertGraveyard[.]org & CertGraveyard[.]org. The CertCentral API returns an error directing to use the new domains. Please give me a like or a share to get the word out. Also use the site to report and investigate certificates used to sign malware. :)
Quoting Squiblydoo (@SquiblydooBlog): I'm being required to give up the domain CertCentral[.]org; and the change has to happen by Monday. I'm noodling on alternative names. Keep an eye out for the change.
Grégoire Clermont (@gregclermont):
@IAMERICAbooted One vector that I'm still worried about is OAuth phishing with first-party Microsoft app (e.g. volexity.com/blog/2025/04/2…). As almost all the CA checks are performed on the victim's side, I've found this technique hard to mitigate. Do you have recommendations?
EZ (@IAMERICAbooted):
Do you know why I focused most of my time on Entra conditional access when I was consulting? Because Jef Kazimer at Microsoft constantly reminded me what you can do with CAPs and how they mitigate almost all M365 initial access. And he was right. However, if you are allowing users to access M365 as BYOD (not phones, we are not talking about MAM-WE here) and you are not forcing authentication contexts requiring phishing-resistant authentication that mitigates downgrades (hardly anyone), your CAPs alone will not save you from uploads, and neither will SharePoint settings. There is the forgotten beast called Power Platform. In consulting, I have yet to see any orgs that don't have API gaps due to resource targeting in CAPs. This is why you need to exclude by exception, and when you do exclude, you need to understand that exclusion is creating an API gap.
Grégoire Clermont (@gregclermont):
@ItsReallyNick Any chance Microsoft might officially document UserAuthenticationMethod at some point? I realize it's not your remit, but if this ever comes up in conversation with the right folks internally, there's definitely interest in the community!
Grégoire Clermont (@gregclermont):
@ItsReallyNick Thanks, Nick! Your tweets and GitHub comments were the only information I could find coming from a Microsoft employee (or anyone, really) about this field! That definitely gave me some confidence that this bitfield interpretation was credible.
Grégoire Clermont retweeted Sekoia.io (@sekoia_io):
Our latest technical deep-dive unravels the mystery behind the opaque numeric codes (16, 272, 33554432, etc.) you see in #Microsoft365 audit logs. buff.ly/w04flj1
Grégoire Clermont (@gregclermont):
@ZackKorman I have a pet theory that the reason why Kusto got so versatile and powerful is because the Entra/Azure/M365 logs are so convoluted and impractical. Instead of fixing the logs, they built a crazy query language.
Zack Korman (@ZackKorman):
I can assure you, Microsoft has never once thought “how do we reduce noise and improve the usability of the audit log”
Zack Korman (@ZackKorman):
Consensus view on Reddit is that Microsoft probably decided to not log Copilot events to “reduce noise” and make the audit log “more useful”. And that’s how you know none of them have ever seen an audit log before.
Grégoire Clermont retweeted Justin Elze (@HackingLZ):
I love Cloudflare, but the number of phishing sites I find sitting behind Cloudflare or utilizing Turnstile is excessive.
Grégoire Clermont retweeted Michael 🆘 (@matonis):
Hey everyone, I’m proud to announce that I'm hosting a new conference called State of Statecraft (🆘) October 28 in Brussels, Belgium. SOS exclusively discusses state-sponsored operations. Speakers! Our CFP closes in 2 weeks!!! -> Apply here: stateofstatecraft.com/cfp
Grégoire Clermont retweeted L0Psec (@L0Psec):
New RE Blog Post: RustyPages-Pt1 the-sequence.com/rustypages-mal… We RE a Rust dropper that sets persistence and runs the downloaded next stage, queries @patrickwardle's tools, and quiets notifications. We included relevant IOCs as we continue our analysis of the loader for Part 2. :)
Grégoire Clermont retweeted Fabian Bader (@fabian_bader):
New Microsoft Graph based API for response actions in #MDI: Disable, Enable, ForcePasswordReset and RevokeAllSessions finally available for your automations. learn.microsoft.com/en-us/defender…
Mehmet Ergene (@Cyb3rMonk):
⚠️ Threat hunting and detection engineering using time series anomaly detection methods is so powerful but quite tricky. Here is why:
- Users/endpoints don't have a reliable baseline
- First seen activities don't fit time series anomaly logic by default (with some modifications, it can)
- Compute resources limit the historical data that can be analyzed, which directly impacts what the logic outputs with default parameters.
That's why I have multiple lessons to explain how to develop robust detection logic. #ThreatHunting #DetectionEngineering
Grégoire Clermont retweeted Sekoia.io (@sekoia_io):
A few weeks ago, we published our global analysis of Adversary-in-the-Middle #phishing threats, providing actionable intelligence on multiple #AitM phishing kits. This report includes 11 sheets covering the most widespread #AitM phishing kits as of Q1 2025.