After a suspicious service principal incident, one of the first triage questions is what else this identity can reach.

I published a new blog on how I used Microsoft Sentinel data federation and custom graphs to investigate hidden privilege paths without moving all of the supporting access context into the analytics tier.

In this example, I traced a rogue service principal to two high-value resources, a Key Vault and a storage account, using federated context that remained in ADLS Gen2.

My biggest takeaway is that a small number of well-structured context tables can go a long way in an investigation. That is not to say large-scale ingestion does not have its place, but when the goal is faster triage and clearer decision-making, the investigation question should help guide the design.

Microsoft is making it easier to work this way, and I’m excited to see where data federation and custom graphs go from here.

https://nineliveszerotrust.com/blog/sentinel-data-federation-custom-graphs/

#MicrosoftSentinel #MicrosoftSecurity #MicrosoftDefender #KQL #CloudSecurity

Inside an AI-enabled device code phishing campaign

Microsoft Defender Security Research has observed a widespread phishing campaign leveraging the Device Code Authentication flow to compromise organizational accounts at scale. While traditional device code attacks are typically narrow in scope, this campaign demonstrated a higher success rate, driven by automation and dynamic code generation that circumvented the standard 15-minute expiration window for device codes. This activity aligns with the emergence of EvilToken, a Phishing-as-a-Service (PhaaS) toolkit identified as a key driver of large-scale device code abuse.

Pulse ID: 69d4175ab0f5278eae91f1cf
Pulse Link: https://otx.alienvault.com/pulse/69d4175ab0f5278eae91f1cf
Pulse Author: AlienVault
Created: 2026-04-06 20:28:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #Phishing #RAT #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange
Weird Intune/MDE issue 🧵
ASR policy (Block PSExec/WMI) shows 38 Succeeded in Intune, but Get-MpPreference returns empty on endpoints and registry key doesn't exist.
AttackSurfaceReductionRules_ProviderSet = 1 in PolicyManager but no actual rule values written anywhere.
Cloud-only, no SCCM. Anyone seen this? #MicrosoftDefender #Intune #MDE

Guidance for detecting, investigating, and defending against the Trivy supply chain compromise

On March 19, 2026, Trivy, an open-source vulnerability scanner, was compromised in a sophisticated CI/CD supply chain attack. Threat actors, identified as TeamPCP, injected credential-stealing malware into official Trivy releases, affecting the core binary and GitHub Actions. The attack exploited mutable tags and commit identity spoofing on GitHub. The malware performed extensive credential harvesting, targeting cloud providers, Kubernetes secrets, and various application credentials. Microsoft Defender provides detection and investigation capabilities for this threat. Recommended mitigations include updating to safe versions, hardening CI/CD pipelines, enforcing least privilege, protecting secrets, and leveraging attack path analysis to reduce lateral movement risks.

Pulse ID: 69c363a17209fdf0cea99e8a
Pulse Link: https://otx.alienvault.com/pulse/69c363a17209fdf0cea99e8a
Pulse Author: AlienVault
Created: 2026-03-25 04:25:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CredentialHarvesting #CyberSecurity #GitHub #InfoSec #Malware #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #RCE #SupplyChain #Vulnerability #bot #AlienVault

GitHub - 0x-cde/Threat-Hunting-with-KQL: This repository contains battle-tested and proven KQL (Kusto) queries that can be used for Threat Hunting

Canonical partners with Microsoft to integrate Defender into Ubuntu Pro and strengthen Linux security

📰 Original headline: Microsoft Defender comes to Ubuntu: this is how this antivirus will protect your Linux

🤖 AI: Not clickbait ✅
👥 Users: Not clickbait ✅

See the full AI summary: https://killbait.com/es/canonical-colabora-con-microsoft-para-integrar-defender-en-ubuntu-pro-y-reforzar-la-seguridad-en-linux/?redirpost=dadc5f34-7012-4192-af7b-03b51f16f32f

#tecnología #ubuntu #microsoftdefender #s...

Canonical partners with Microsoft to integrate Defender into Ubuntu Pro and strengthen Linux security

Canonical, the company behind Ubuntu, has announced a strategic collaboration with Microsoft to improve the security of Linux systems, especially in Ubuntu environments.

KillBait news archive

Canonical and Microsoft team up to push Ubuntu Pro security deeper into enterprise Linux environments

https://fed.brid.gy/r/https://nerds.xyz/2026/03/canonical-microsoft-ubuntu-pro-defender/

Canonical is tying Ubuntu Pro into Microsoft Defender, giving enterprises a unified way to secure Linux and Windows systems. Convenient, sure, but it also raises questions about how closely Linux should align with proprietary ecosystems.

NERDS.xyz

How AI in Microsoft Defender XDR Detects and Blocks Cyber Threats.

Explore how Microsoft Defender XDR leverages AI and machine learning to identify threats, correlate security signals, and automatically disrupt cyber attacks. This guide explains how modern XDR solutions protect organizations from advanced security threats.

#DefenderXDR #CyberSecurity #AISecurity #ThreatDetection #MicrosoftDefender #MicrosoftDefenderXDR

https://star-knowledge.com/blog/microsoft-defender-xdr-uses-ai-to-stop-cyber-attacks/

How Microsoft Defender XDR Uses AI to Stop Cyber Attacks

Understand how Microsoft Defender XDR uses behavioral analytics, AI detection, and automated response to defend organizations from cyber threats.