All Research
Complete archive of all research, including personal projects and external publications.
Detecting Tycoon 2FA AiTM attacks across Entra ID and Google Workspace
Detection engineering for the Tycoon 2FA phishing-as-a-service platform, which uses adversary-in-the-middle techniques to steal MFA-protected sessions across Microsoft 365 and Google Workspace.
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
Analysis of a Brazilian banking trojan that spreads through trojanized Logitech installers and self-propagating worm modules, abusing WhatsApp and Outlook to target financial institutions.
Illicit Consent Grant: Cross-Tenant OAuth Phishing in Entra ID (Deep Dive)
Personal Research
An end-to-end cross-tenant illicit consent grant emulation, looked at from both sides: what decisions the adversary makes and why; what the victim tenant actually sees across Entra audit logs, sign-in logs, Graph Activity, the M365 UAL, and Entra ID Protection, and what it doesn't see; and what a real defender workflow looks like when the alert fires.
Azure Monitor Callback Phishing: Abusing Legitimate Alert Notifications
Personal Research
Attackers abuse Azure Monitor alert rules to send phishing emails from Microsoft's own azure-noreply@microsoft.com, bypassing SPF/DKIM/DMARC. We explore the mechanics, detection challenges, and telemetry signals of this technique.
Microsoft Entra ID OAuth Phishing and Detections
Exploring OAuth phishing and token-based abuse in Microsoft Entra ID through emulation and analysis of tokens, device behavior, and sign-in activity.
Bit ByBit - Emulation of the DPRK's Largest Cryptocurrency Heist
A high-fidelity emulation of the DPRK's largest cryptocurrency heist via a compromised macOS developer and AWS pivots.
AWS SNS Abuse: Data Exfiltration and Phishing
Developed detection capabilities by investigating publicly known SNS abuse attempts for data exfiltration and phishing operations.
Emulating AWS S3 SSE-C Ransom for Threat Detection
Explores how threat actors leverage Amazon S3's Server-Side Encryption with Customer-Provided Keys for ransom and extortion operations.
Exploring AWS STS AssumeRoot
Investigating the implications of AWS STS AssumeRole and its potential for abuse in cloud environments.
Cups Overflow: When your printer spills more than Ink
Dive into threat detection strategies for the CUPS vulnerability.
Elastic releases the Detection Engineering Behavior Maturity Model
Explore the newly released Detection Engineering Behavior Maturity Model (DEBMM) and its implications for security teams.
Globally distributed stealers
Investigating the rise of globally distributed stealers and their impact on organizations.
Invisible miners: unveiling GHOSTENGINE's crypto mining operations
Unveiling the operations of GHOSTENGINE, a sophisticated crypto mining malware.
Monitoring Okta Threats with Elastic Security
Exploring the capabilities of Elastic Security in monitoring and responding to threats targeting Okta.
Starter guide to understanding Okta
A comprehensive guide to understanding Okta's features, capabilities, and security implications.
Google Cloud for Cyber Data Analytics
Exploring the capabilities of Google Cloud for enhancing cyber data analytics.
The Illicit Cryptocurrency Mining Threat
An intermediate guide to understanding the illicit cryptocurrency mining threat.