Microsoft warned about OAuth redirect abuse on March 2, 2026. This isn't credential theft or classic token theft by itself. It weaponizes Entra ID error handling.

An attacker registers an OAuth app with a malicious redirect URI, sends a crafted login.microsoftonline.com link designed to fail, and Entra ID's 302 redirect lands the victim on a phishing page or malware dropper. The sign-in fails and the attacker still wins.

I built a detection and hardening kit you can deploy to an existing Sentinel workspace:

• 4 analytics rules: consent after risky sign-in, suspicious redirect URIs, OAuth error clustering, bulk consent

• 5 hunting queries: permissions baseline, non-corporate IP auth, high-privilege apps, URI inventory, token replay

• 1 workbook: OAuth Security Dashboard
Entra hardening: verified-publisher consent restriction, MFA policy for risky OAuth sign-ins

• OAuth app audit: flags suspicious redirect URIs and overprivileged permissions across app registrations

Blog post: https://nineliveszerotrust.com/blog/oauth-redirect-abuse-sentinel/

Companion lab on GitHub: https://github.com/j-dahl7/oauth-redirect-abuse-sentinel

#MicrosoftSentinel #EntraID #DetectionEngineering #OAuth #IdentitySecurity #BlueTeam

CVE-2026-21902 represents a high-impact infrastructure exposure.

Affected platform: Junos OS Evolved on PTX series routers.

Attack vector: Unauthenticated network access.
Privilege level: Root execution.
Service: On-Box Anomaly Detection, enabled by default.

Strategic risk:
• Traffic interception capability
• Policy manipulation
• Controller redirection
• Lateral pivoting
• Long-term foothold persistence
Although no exploitation has been observed, historically, high-performance routing infrastructure is a prime target due to its control-plane visibility and network centrality.

Recommended actions:
– Immediate patch validation
– Control-plane traffic monitoring
– Service exposure review
– Network segmentation validation
– Threat hunting for anomalous routing behavior
Are infrastructure devices integrated into your continuous detection engineering pipeline?

Source: https://www.securityweek.com/juniper-networks-ptx-routers-affected-by-critical-vulnerability/

Engage below.
Follow TechNadu for high-signal vulnerability intelligence.
Repost to strengthen security awareness.

#Infosec #CVE2026 #Juniper #RouterSecurity #CriticalInfrastructure #ThreatModeling #DetectionEngineering #NetworkDefense #ZeroTrustArchitecture #CyberRisk #SecurityOperations #VulnerabilityManagement

APT37’s Ruby Jumper campaign demonstrates a mature approach to air-gap traversal.

Observed tradecraft includes:
• LNK-based initial execution
• Embedded PowerShell payload extraction
• Ruby interpreter abuse (v3.3.0)
• Scheduled task persistence (5-minute interval)
• USB-based covert bidirectional C2
• Multi-stage backdoor deployment
Toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, BLUELIGHT.

The removable media relay model enables:
– Command staging offline
– Data exfiltration without internet access
– Lateral spread across isolated systems
– Surveillance via Windows spyware
This reinforces a critical point:
Air-gap controls must extend beyond physical disconnection — including USB governance, device auditing, behavioral monitoring, and strict runtime execution policies.

Are critical infrastructure operators prepared for USB-mediated C2 relays?

Source: https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/

Engage below.

Follow TechNadu for high-signal threat intelligence insights.
Repost to elevate awareness.

#Infosec #APT37 #AirGapSecurity #ThreatModeling #MalwareAnalysis #NationStateThreats #USBExfiltration #SOC #DetectionEngineering #CyberDefense #OperationalSecurity #ThreatHunting #ZeroTrustArchitecture

Identity compromise continues to dominate intrusion chains.
From the Sophos Active Adversary Report 2026:
• 67% of initial access attributed to identity abuse
• 3.4-hour median to Active Directory pivot
• 3-day median dwell time
• 88% ransomware deployment off-hours
• 79% data exfiltration off-hours
Directory services remain high-value assets — authentication, authorization, policy control, privilege mapping.
The compressed timeline from credential misuse to directory-level access underscores the need for:
– Continuous identity monitoring
– Behavioral analytics
– After-hours SOC coverage
– Conditional access enforcement
– Least-privilege architecture
Generative AI is functioning as a force multiplier — improving phishing quality and campaign scale - not yet delivering autonomous attack chains.

Is identity governance keeping pace with adversary dwell time compression?
Engage below.

Source: https://www.sophos.com/en-us/press/press-releases/sophos-active-adversary-report-2026-identity-attacks-dominate-as-threat-groups-proliferate

Follow TechNadu for high-signal infosec analysis.

Repost to strengthen industry awareness.

#Infosec #IdentityThreats #RansomwareDefense #ActiveDirectorySecurity #ThreatModeling #GenAI #SecurityOperations #CyberRisk #ZeroTrustArchitecture #DetectionEngineering #EnterpriseSecurity #ThreatHunting

Operational summary:
Threat actor: UAC-0050
Alias: DaVinci Group / Mercenary Akula (per BlueVoyant)
Tooling: RMS (Remote Manipulator System)
Delivery: Spear-phishing, spoofed judicial domain, layered archives
TTP alignment consistent with reporting from CERT-UA.

Strategic overlay:
Russia-nexus actors, including APT29, continue high-confidence trust exploitation campaigns, as outlined by CrowdStrike.

Detection priorities:
- Monitor MSI execution anomalies
- Flag double-extension binaries
- Inspect outbound RMS traffic
- Harden executive email authentication
Follow for tactical intelligence briefings.
Comment with detection engineering recommendations.

#Infosec #ThreatIntel #UAC0050 #APT29 #RMS #SpearPhishing #DetectionEngineering #CyberEspionage #SOC #BlueTeam #SecurityOperations

We’re looking for a Detection Engineer to build and maintain detection rules using the detection-as-code principle (with Sigma!). If you’re into turning threat intelligence data into actionable alerts, we want to hear from you! 🚀

#detectionengineering

https://www.cert.europa.eu/vacancies/it-security-officer-detection-engineer

TrustConnect = RAT disguised as RMM.
Discovered by Proofpoint.
Technical observations:
• Centralized multi-customer C2
• API-driven agent registration (/api/agents/register)
• WebSocket RDP streaming
• EV certificate abuse (revoked Feb 6, 2026)
• Branded payload generation per org token
• Rapid infra pivot → “DocConnect” (SignalR integration)
Subscription model: $300/month via BTC/USDT.
Operators tracked victims across tenants.
This is MaaS evolving toward operational maturity — automation, AI-assisted site generation, and SaaS-style lifecycle management.

How should defenders adjust detection logic when malware is digitally signed and infrastructure rotates quickly?

Source: https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat

Engage below.
Follow TechNadu for technical threat intelligence coverage.

#ThreatIntelligence #ReverseEngineering #MalwareResearch #RAT #MaaS #SOC #DFIR #CyberOperations #DetectionEngineering

According to Dragos, Volt Typhoon continues active operations inside U.S. utilities, shifting toward direct OT interaction and sensor data theft in 2025.

Notable elements:
• Pre-positioning in ICS environments
• Exploitation of Ivanti & Trimble Cityworks vulnerabilities
• GIS data harvesting for infrastructure mapping
• Access broker activity attributed to SYLVANITE
• Long-term persistence objectives
CEO Rob Lee stated some compromised sites may never be identified.

Technical question:
If adversaries maintain low-and-slow OT access, how should defenders adapt detection engineering?
– Network baselining?
– Sensor telemetry validation?
– Asset-level anomaly detection?
– Zero trust for OT?

Drop your technical analysis below.
Follow @technadu for advanced threat coverage.

#ICSsecurity #OTsecurity #ThreatHunting #DetectionEngineering #VoltTyphoon #InfrastructureDefense #CyberResilience #EnergyGrid #WaterUtilities #NationalSecurity #BlueTeam #CyberThreatIntel

The UK is moving toward mandatory proactive detection of nonconsensual intimate images.

Under proposals backed by Keir Starmer, platforms must:
• Remove flagged content within 48 hours
• Prevent reuploads using hash matching
• Deploy proactive detection “at source”
• Face fines up to 10% of global revenue

Regulator Ofcom is accelerating its decision on requiring technical enforcement mechanisms.
Technical considerations:
- Hash collision and false-positive risks
- Cross-platform hash database coordination
- Encryption vs scanning tradeoffs
- Abuse-report automation workflows
- AI-generated image detection accuracy
Is mandatory proactive scanning the future of online content governance?

Source: https://therecord.media/united-kingdom-noncensual-images-fines

Drop your technical analysis below.

Follow @technadu for advanced cybersecurity and policy reporting.

#Infosec #DetectionEngineering #AIsecurity #HashMatching #ContentModeration #DigitalForensics #CyberPolicy #OnlineSafety #DeepfakeDetection #PrivacyEngineering #ThreatModeling #SecurityArchitecture