[01] RESEARCH
Personal Research
Independent security research and technical writeups.
Published
2 entries
Apr 2026
Personal Research, 40 min
Illicit Consent Grant: Cross-Tenant OAuth Phishing in Entra ID (Deep Dive)
An end-to-end cross-tenant illicit consent grant emulation, looked at from both sides. What decisions the adversary makes and why, what the victim tenant actually sees across Entra audit logs, sign-in logs, Graph Activity, the M365 UAL, and Entra ID Protection, what it doesn't see, and what a real defender workflow looks like when the alert fires.
Deep Dive, Entra ID, OAuth, Phishing, Threat Emulation, Cloud Security, Microsoft Azure, Identity, MITRE ATT&CK, Detection Engineering, Social Engineering
Mar 2026
Personal Research, 10 min
Azure Monitor Callback Phishing: Abusing Legitimate Alert Notifications
Attackers abuse Azure Monitor alert rules to send phishing emails from Microsoft's own azure-noreply@microsoft.com, bypassing SPF/DKIM/DMARC. We explore the mechanics, detection challenges, and telemetry signals of this technique.
Azure Monitor, Phishing, Email Security, Threat Emulation, Cloud Security, Microsoft Azure, Exchange Online, Living-off-the-Cloud, Social Engineering
In Progress
1 draft
Personal Research
Entra ID Default Permissions Exploration
An in-depth look into the default permissions of Entra ID applications and their security implications. Coming soon!