Security Engineer. Ex-MEM and Jamf Pro admin. Passionate about empowering and reducing friction for end users.

Joined December 2017
Jan 30
I don't mean to alarm anyone, but there is now a social media site for bots. They are already talking and posting. Humans welcome.
Anyone else seeing the macOS office auto update helper call /bin/test against office patch files hundreds of thousands of times related to 16.105.1 installing???
@MSFT365Status our mac fleet is only 1/12th of our environment but in the last 24 hours has produced more process create events than our entire windows estate has in the same time period. For the love of God please terminate office patching for macOS from yesterday’s release.
learn.microsoft.com/en-us/en… Requiring new sessions for Medium Risk Sign-ins does nothing to stop Session Token Replay attacks in practice according to live tests. What is the deal? How does this protect anything if Anomalous Token EIDIP alerts only flag the sign-in risk as Medium?
30 May 2025
Yeah so turns out this is working as intended. Sessions need to be revoked for re-prompt. Guess what isn’t available as an automatic response/control feature for sign-in risk? Revocation. Even if you’re leveraging a SIEM/SOAR action to revoke via API, it’s coming 15 min delayed.
28 May 2025
Really would be swell to have a Token Revocation action on Conditional Access policies for risk mitigation. Built-in policy/manual sign-in risk policies don’t work to re-auth risky sign-ins at any level. Sign-in frequency and persistent browser session controls just don’t work…
28 May 2025
I mean heck - even changing a password doesn’t revoke tokens on its own. What’s the point without automatic revocation? Sure, CAE-aware apps can supposedly kill sessions but what does that matter when nothing stops the attacker at the door? Or at least makes them re-auth?
28 May 2025
*Disgruntled Notes from the Field. Bah.* Inb4 device compliance and passwordless purists enter the chat. Defense in Depth is *Key* but not when you have to play politics despite demonstrating the facts.
Authentication strength is great but the problem is a new session is never interactively prompted and sign-in logs indicate it's still being satisfied by the replayed token.
14 Apr 2025
I love that gardening has been made a life threatening activity since moving to Texas. 🕷️🩸💀
14 Apr 2025
Narrator: he did not actually love that. Good thing their webs are distinguishable.
13 Mar 2025
Lol... Microsoft Viva Engage (Yammer) activity notifications inject CSS/HTML that overwrite/bypass Exchange Transport Rule External Sender banners on Outlook Mobile. Switch to the native Outlook External tag to eliminate external sender banner bypasses. techcommunity.microsoft.com/…
Are there any security vendors out there that provide macOS installers that aren't completely convoluted/impossible to get working at Enterprise scale? How hard is it to provide a single .pkg with settings defined by config profiles??
Colin Wilkins retweeted
29 Jan 2025
BREAKING: Internal #DeepSeek database publicly exposed 🚨 Wiz Research has discovered "DeepLeak" - a publicly accessible ClickHouse database belonging to DeepSeek, exposing highly sensitive information, including secret keys, plain-text chat messages, backend details, and logs.
Colin Wilkins retweeted
Are you ready? In just a few weeks, #Microsoft will turn on full enforcement of strong certificate mapping on domain controllers. For those unprepared, there will be outages! Wi-Fi and #VPN, most likely. #mobility #security #PKI #aovpn rmhci.co/42tr9lO

Colin Wilkins retweeted
28 Jan 2025
Fun Fact!!! Going "Passwordless" doesn't protect against this Phishing attack exploiting Device Code Authorization Token theft :) aadinternals.com/post/phishi… Implement CA policies to block Device Auth Flows ASAP. Only make exceptions when required. learn.microsoft.com/en-us/en…