179CPT Cyber Operations Technician 170A @MOARNG

Joined April 2017
DefSecSentinel retweeted
@SBousseaden and I did some investigations into Tycoon 2FA recently. Focused on the infrastructure, how the kit works for not only M365, but Google Workspace as well. Made a few detections for each platform. Give it a read. Hope you enjoy. #phishing #threatdetection Happy Hunting! elastic.co/security-labs/tyc…
DefSecSentinel retweeted
MiniPlasma LPE exploit works perfectly. Elastic Defend behavior protection catches the exploit primitives involved in the chain, providing detection coverage even against fresh public exploit. github.com/Nightmare-Eclipse…
DefSecSentinel retweeted
We just posted some additional detection guidance for #CopyFail and #DirtyFrag using EQL, ES|QL and Auditd detection rules/hunts mitigations. Find them below! elastic.co/security-labs/cop…
New DirtyFrag PoC is also detected by our previously released Linux privilege escalation detection👀 That’s the advantage of focusing on the underlying privilege escalation pattern instead of a single exploit. You can find the rule here: github.com/elastic/detection…
Yesterday was my last day at @elastic. It was an incredible run. I’m grateful for the opportunity I was given to help build Elastic’s #macOS endpoint agent and endpoint/SIEM detections from the ground up, work that delivered real impact for customers and made life harder for the adversaries. It was truly an honor to work alongside so many talented people, and I’m very proud of everything we built together. Wishing Elastic and everyone there nothing but the best. I’ll be looking for my next adventure soon. Stay tuned!
DefSecSentinel retweeted
good to see EXISTING Elastic generic privesc behavior detection/protection triggering on the RedSun LPE exploit with no prior knowledge of the vuln-details. github.com/elastic/protectio…
28 Mar 2024
New blog post is up, exploring detection options for some recent In-the-Wild Windows LPE 0-days elastic.co/security-labs/itw…
DefSecSentinel retweeted
google workspace logs from reports API... here's a simple query (Elastic) to check for the vercel 3rd-party OAuth app auth event:

```
data_stream.dataset: "google_workspace.token" and event.action: "authorize" and google_workspace.token.client\.id: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent\.com
```

from there, the same app ID shows up in a few other GWS fields/datastreams:
- token\.app_name -> human-readable app label
- drive.originating_app_id: 110671459871 -> every file the app viewed/downloaded/copied (prefix only, it's typically the GCP project number IIRC)
- admin.oauth2.application\.id / .name -> admin-side OAuth approvals domain-wide delegation grants for everything else (gmail, login, meet, chat, calendar, groups, DLP rules)

I'd try actor pivot on source.user.\email a time window around the consent event (reports API can lag up to 3 days, so go wide and check ingestion). good luck hunters! #Vercel #GoogleWorkspace #threathunting
DefSecSentinel retweeted
Attackers in containers don't leave persistent artifacts. No files on disk. No post-incident logs. Just short-lived runtime behavior. Traditional detection approaches weren't built for this. Defend for Containers is. @RFGroenewoud published a deep-dive on how D4C captures runtime signals inside containerized Linux workloads, and how to build detection logic on top of it. The key things D4C gives you that you don't get elsewhere:
- process.interactive flags hands-on-keyboard activity in production containers — rare and high-signal
- Linux capability fields (effective permitted) let you assess actual exploit potential, not just process names
- Every event enriched with pod name, namespace, cluster, and privilege context
- Policy wildcards let you scope detections to specific images, namespaces, or directory trees
go.es.io/48sPCtC
You are going to want to check out this awesome new research write-up from the team. Very interesting and somewhat creative initial access method. Includes a @macos piece as well. Shout out to @soolidsnakee, @SBousseaden and team working hard to get this out.
We have identified a novel social engineering campaign abusing Obsidian, the popular note taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and its loader #PHANTOMPULL targeting individuals in finance and crypto. The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault. Full analysis: go.es.io/4cld0dB
DefSecSentinel retweeted
New #research together with @SBousseaden and @DanielStepanic at @elasticseclabs. We uncovered a campaign abusing Obsidian plugins and vault feature to deliver multi-platform payloads targeting both #Windows and #macOS. The final stage is #PHANTOMPULSE, an AI-built RAT that resolves its #C2 from Ethereum blockchain transactions and its loader #PHANTOMPULL A deep dive into the RAT internals is coming next. Stay tuned. elastic.co/security-labs/pha…
DefSecSentinel retweeted
Not every “old” GitHub repo is actually old. I break down DPRK-linked repo tradecraft abusing commit-date spoofing to fake legitimacy, while hiding obfuscated loaders in trusted config files. One sample had 100 stars. Research: kl4r10n.tech/blog/when-git-h… Thanks @pcaversaccio for recreating the spoofed commit and helping validate the technique.
DefSecSentinel retweeted
It seems possible that clickfix malware is already switching tactics to evade the new Terminal copy/paste security feature in macOS 26.4.
ClickFix techniques are evolving. Instead of copy and paste instructions to Terminal, newer variants are using Script Editor to execute payloads on macOS. Read more about this delivery technique in our latest blog post. jamf.com/blog/clickfix-macos… #clickfix #malware #threathunting
DefSecSentinel retweeted
New research by @JamfThreatLabs around evolving ClickFix techniques using Script Editor, perhaps they have a reason to move away from Terminal recently!
DefSecSentinel retweeted
Follow our research with the new @JamfThreatLabs handle! We may also share some additional intel on the macOS threat landscape from time to time!
Hello World!
DefSecSentinel retweeted
One of our researchers built an AI powered supply chain monitoring tool on a Friday afternoon. The following Monday night it caught the Axios npm compromise before most people knew it existed. Elastic Security Labs is open sourcing the tool. Full story by @dez_ here: go.es.io/4bOfsuq