Katie Knowles retweeted
Seeing new attributes pop up is a strong signal that something is brewing in Entra ID. Ever wish this could be surfaced in an automated way? Enter changes.entra.ms - An automated system that scrapes #Entra for changes on a daily basis. #EntraID #infosec #mvpbuzz
29 Sep 2023
This is interesting.
This BlueHat talk from Dylan Ryan-Zilavy and Cameron Vincent (@SecretlyHidden1) is an awesome watch! Fantastic bug and explanation of overlooked OAuth 'aud' claim validation: youtube.com/watch?v=oqq37nAt…
Katie Knowles retweeted
Malicious skills are evolving, and attackers are finding ways to execute them before model-level defenses even activate. In the first post of our new series, I’ll show you how dynamic context in coding agents can introduce new supply chain risks: securitylabs.datadoghq.com/a…
Katie Knowles retweeted
May 5
CFP is open!! Submit your cool talks about AI hacking/defense/core tech. Gonna be awesome!! ☺️
The Unprompted.au CFP is officially OPEN! If you are doing cool stuff with AI in offense, defense, or working on core AI tech (from frontier models to open source LLMs), we'd love to hear from you! Submit here: unprompted.au/
Katie Knowles retweeted
Launching oauthsentry.github.io Look up any OAuth app ID and find out what it actually is across thousands of legitimate, risky, and malicious apps (Entra, Google, GitHub). Multiple feeds, API, detection ideas and remediation guidance. Still improving the detections a bit 🦾
🚨 Hey!! Have you checked out Stratus Red Team lately? We've been busy adding new techniques in Azure/Entra and GCP! Full lists below: GCP: stratus-red-team.cloud/attac… Azure: stratus-red-team.cloud/attac… Entra: stratus-red-team.cloud/attac…

A fantastic example of how "invisible" preview features can impact your Entra tenant by @chrispy_sec!
If you're curious to see how you can backdoor conditional access policies by using a legitimate hidden condition then have a gander here: labs.reversec.com/posts/2026…
Katie Knowles retweeted
Datadog Security Research continues to push the boundaries of modern cloud security—including AI security! @_sigil shares her finding on logging gaps affecting Copilot Studio, allowing adversaries to evade detection. securitylabs.datadoghq.com/a…
👀 Agents are quickly becoming part of the identity attack surface. Are you keeping an eye on them? We recently identified an issue where Copilot Studio didn't log key administrative modifications to agents. Details & detections: securitylabs.datadoghq.com/a…
Katie Knowles retweeted
Replying to @shahardorf
@shahardorf & I found a phishing campaign abusing OAuth applications in Entra in more than 50 organizations! And I promise you that in this blog we explain how you can do it too! And provide all the IOCs 🤭 It's one of these blogs I would enjoy reading! wiz.io/blog/detecting-malici…
✨ Thrilled to have received Microsoft's MVP award!! I look up to so many in the MVP program, and am excited to continue my contributions to Entra & Azure security. mvp.microsoft.com/en-US/mvp/…
Katie Knowles retweeted
"Your 13-year-old could set up a phishing kit in 20 minutes." That's what @ericonidentity told me about EvilGinx and modern adversary-in-the-middle attacks. Eric is the Chief Identity Architect at Semperis and a Microsoft MVP who just led something remarkable: taking a 600-person company from scattered MFA to 100% phishing-resistant authentication in just three months. I had to get him on Entra.Chat to share how they did it.

THE PASSKEY PLAYBOOK
The technical part wasn't what kept Eric up at night. Conditional Access policies? Straightforward. Hello for Business, Platform SSO, and passkeys as the only allowed methods? Done. What made this rollout succeed was the people strategy: They built a self-enrollment system using Power Platform. Employees could opt-in early and become internal champions. By the time they flipped the switch for everyone, half the company was already converted. Leadership went first. When the C-suite was using passkeys, middle management resistance evaporated overnight. They ran office hours. Not webinars, not documentation dumps. Actual humans answering actual questions in real-time.

THE UGLY PARTS
Not everything worked smoothly. Azure VPN client doesn't support passkeys. Some legacy apps were still using old Internet Explorer DLLs. A handful of Android 13 users couldn't use device-bound passkeys at all. Their solution? Surgical CA policy exceptions for about 5 apps, tracked in a dashboard, with vendors being "encouraged" to fix their implementations. For the Android holdouts, synced passkeys came to the rescue. Are they as secure as device-bound? No. Are they still infinitely better than passwords and push notifications? Absolutely.

THE ATTACKS THAT STILL WORK
Here's the part that should concern everyone: Even with passkeys deployed, downgrade attacks are a real threat. The only defense? 100% phishing-resistant conditional access policies with no fallback methods.

nOAuth AND THE DEVELOPER PROBLEM
Eric's security research goes deeper. He walked me through nOAuth, a vulnerability pattern where applications use email claims instead of the subject identifier to identify users. The problem? Email addresses in Entra ID aren't immutable. An attacker can set their email to match a victim's, and vulnerable apps will grant them full access to that account's data. Microsoft has guidance to fix this, but developers keep building apps the wrong way. And there's no easy way for admins to detect which apps in their tenant are vulnerable.

BOTTOM LINE
Passkey rollouts are 80% organizational change management, 20% technical implementation. Your help desk needs training. Your documentation needs to be bulletproof. And you need executive air cover from day one. The full conversation covers way more: consent phishing, clickfix attacks, reply URL hijacking, and why the Zero Trust Assessment tool takes 24 hours on large tenants. Listen here: entra.chat #Passkeys #ZeroTrust #CyberSecurity #Infosec
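The nOAuth pattern from the post above, as an added example that is not part of the original post or the Entra.Chat episode: an app that keys accounts on the mutable `email` claim beside one that keys them on the stable tenant id plus object id (`tid` + `oid`, with `sub` as fallback), plus a simple log-side check an admin can run. Tokens are constructed claim dicts (assumed already signature-validated upstream); every tenant id, object id, account name and email is made up.

```python
# Constructed account store: one user, provisioned from a real Entra login.
USERS = {
    "alice-account": {"email": "alice@victim.example",
                      "tid": "tenant-victim", "oid": "oid-alice"},
}

def resolve_user_vulnerable(claims, store=USERS):
    """nOAuth-style bug: the account is looked up by the 'email' claim,
    which the token issuer's tenant admin can change at will."""
    email = claims.get("email", "").lower()
    for uid, rec in store.items():
        if rec["email"].lower() == email:
            return uid
    return None

def resolve_user_hardened(claims, store=USERS):
    """Fix: key the account on (tid, oid), falling back to 'sub'. The email
    claim is treated as display data only and never used for lookup."""
    tid = claims.get("tid")
    oid = claims.get("oid") or claims.get("sub")
    if not tid or not oid:
        return None  # refuse tokens that carry no stable identifier
    for uid, rec in store.items():
        if rec["tid"] == tid and rec["oid"] == oid:
            return uid
    return None

def email_collision(claims, store=USERS):
    """Detection aid: True when a token's email matches an existing account
    but its stable identifier does not. Alert-worthy in an app's auth logs."""
    by_email = resolve_user_vulnerable(claims, store)
    by_id = resolve_user_hardened(claims, store)
    return by_email is not None and by_email != by_id

# Constructed tokens. The second comes from a different tenant whose admin
# set the user's email attribute to match Alice's, as the post describes.
VICTIM_TOKEN = {"tid": "tenant-victim", "oid": "oid-alice",
                "sub": "sub-alice-app1", "email": "alice@victim.example"}
ATTACKER_TOKEN = {"tid": "tenant-attacker", "oid": "oid-mallory",
                  "sub": "sub-mallory-app1", "email": "alice@victim.example"}

if __name__ == "__main__":
    print("vulnerable lookup:", resolve_user_vulnerable(ATTACKER_TOKEN))
    print("hardened lookup:  ", resolve_user_hardened(ATTACKER_TOKEN))
    print("collision flagged:", email_collision(ATTACKER_TOKEN))
```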
🤖 Use Copilot Studio? Capturing Copilot interaction logs can be more complex than you'd think! I'm sharing notes from my own experience configuring Copilot Studio's interaction logs below: kknowl.es/posts/wheres-my-co…
Katie Knowles retweeted
1 Dec 2025
Some amazing research by @CodyBurkard on Azure API Management and Managed Identity certificates. Go read this right now. I was able to replicate it in my environment and it's so nice to see one of these certs again - dazesecurity.io/blog/apimMIV…
14 Nov 2025
Had a great chat with @merill about all things Entra security! Thanks for having me on. 😁
13 Nov 2025
Katie Knowles joined us on Entra.Chat last week to share some of her latest research findings and tips for Entra admins to secure their tenants. Check it out at entra.chat