Anthropic - AI can do cyber without much human.
Me - AI can you help me with this research:

| Blog | https://ericonidentity.com |
| Twitter | https://twitter.com/msft_hiker |
| LinkedIn | https://www.linkedin.com/in/msfthiker |
| Linktree | https://linktr.ee/ericonidentity |
I’ve been finding the #Entra Usage & Insights report useless lately when it comes to #passkey reporting.
Why? It’s broken.
It’s concerning that this seems to be an ongoing issue that isn’t tenant specific and Microsoft hasn’t caught it.
https://ericonidentity.com/2025/09/02/entra-useless-insights-report/
Going right from @WEareTROOPERS in Heidelberg to @fwdcloudsec in Denver ✈️ - from one excellent conference to another!
I’m looking forward to speaking Monday @ 2:00pm in track 1 on the dangers of #nOAuth, with some new and tweaked slides and talking points!
At @WEareTROOPERS I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable SaaS applications.
The attack is still alive and well.
You can read all about it here:
https://www.semperis.com/blog/noauth-abuse-alert-full-account-takeover
Haven’t been highly active on the socials lately… trying to change that a bit.
En route to #HIPConf24, where I’ll be presenting on #UnOauthorized tomorrow, as well as joining a panel with Thomas Naunheim on workload identities, and having some good hallway conversations. Looking forward to seeing folks!
I've been quiet on here for a while, but wanted to share the blog that details much of UnOAuthorized from my #bhusa talk yesterday.
#blackhat #blackhat2024 #EntraID #azure #microsoft365 #microsoft #infosec
https://www.semperis.com/blog/unoauthorized-privilege-elevation-through-microsoft-applications/
📣 Blue Team Con 2024 Speaker Highlight 📣
Eric Woodruff
Talk Title: Death By A Thousand Control Planes: The Reality Of Modern Privileged Access
View abstract: https://blueteamcon.com/directory/the-reality-of-modern-privileged-access/
The obligatory starting my journey to the MVP Summit picture 😜😎
Thought of the day - when you spend a lot of personal time and effort to speak at a conference in a vendor-neutral spot that you had to really put the work in to earn, the conference management team should in turn exclude you from the list of attendees that they give to sponsors.
I get that most conferences need money, and that most sponsors, if they pay enough, get a list of attendee contact information, but I didn't spend several hours working on a presentation for the community to get a bunch of spam from vendors.