[01] RESEARCH

Personal Research

Independent security research and technical writeups.

Published

1 entries
Mar 2026
Personal Research10 min

Azure Monitor Callback Phishing: Abusing Legitimate Alert Notifications

Attackers abuse Azure Monitor alert rules to send phishing emails from Microsoft's own azure-noreply@microsoft.com, bypassing SPF/DKIM/DMARC. We explore the mechanics, detection challenges, and telemetry signals of this technique.

Azure MonitorPhishingEmail SecurityThreat EmulationCloud SecurityMicrosoft AzureExchange OnlineLiving-off-the-CloudSocial Engineering

In Progress

2 drafts
Personal Research

Illicit Consent Grant: Cross-Tenant OAuth Phishing in Entra ID

Emulation of a cross-tenant illicit consent grant, from registering a malicious multi-tenant OAuth app through Graph API data access. Covers the raw telemetry across Entra ID audit logs, sign-in logs, Graph Activity Logs, and M365 UAL, with a focus on the detection opportunities at each stage.

Personal Research

Entra ID Default Permissions Exploration

An in-depth look into the default permissions of Entra ID applications and their security implications. Coming soon!