Fabian Bader


My Disobey talk "Are passkeys as secure as you think" is now available on YouTube

https://youtu.be/DQ4dnXibaoM?is=9CPtIvRQ8-uzOpWo

Microsoft just announced official support for storing device-bound passkeys for Entra ID in the Windows Hello container. No app, no external hardware key, but built-in support. Sadly no attestation while in preview.

https://mc.merill.net/message/MC1247893

#Passkey #EntraID

MC1247893 - Microsoft Entra passkeys on Windows now support phishing-resistant sign-in | Microsoft 365 Message Center Archive

Microsoft Entra passkeys on Windows enable phishing-resistant, passwordless sign-in using Windows Hello on Entra-protected resources, including unmanaged devices. Public preview starts mid-March 2026. Organizations must opt in and configure policies to enable this feature; no impact occurs without activation.

We found that Wi-Fi client isolation can often be bypassed. This allows an attacker who can connect to a network, either as a malicious insider or by connecting to a co-located open network, to attack others.

NDSS'26 paper: https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf
GitHub: https://github.com/vanhoefm/airsnitch

High-level article on the work by Dan Goodin: https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises/

I'd say we bypass Wi-Fi encryption though, in the sense that we can bypass client isolation. We don't break Wi-Fi authentication or encryption. Crypto is often bypassed instead of broken. And we bypass it ;) If you don't rely on client/network isolation, you are safe: we can't just break any Wi-Fi network.

@jtig
Happy to see you

Today at 15:00 CET #YellowHat will start. It's a free live streamed conference around Microsoft Security and we have amazing speakers and topics lined up for you.

Register now to reserve your free spot.

https://yellowhat.live

#XDR #EDR #Defender #Microsoft #Security

Yellowhat

Yellowhat is a cutting-edge cybersecurity event dedicated to Microsoft Security Technology, offering advanced deep-dive sessions (level 400+) for seasoned professionals. It brings together experts and innovators to explore the latest tools, techniques, and strategies in securing digital environments. At Yellowhat, you’ll gain actionable insights, connect with industry leaders, and elevate your cybersecurity expertise to new heights.


With the unified SOC experience there might be some ANRs you want to exclude from XDR correlation. Now you can!

Either use the UI or add #DONT_CORR# at the beginning of the ANR description.

https://learn.microsoft.com/en-us/defender-xdr/exclude-analytics-rules-correlation

Exclude analytics rules from correlation in Microsoft Defender XDR - Microsoft Defender XDR

Learn how to exclude specific analytics rules from the correlation engine to maintain static incident grouping behavior similar to Microsoft Sentinel.

So @cyb3rops has made a MongoBleed log detection tool https://github.com/Neo23x0/mongobleed-detector

I’ve tried it and it works on a pwned server.

GitHub - Neo23x0/mongobleed-detector: Detection Script for MongoBleed Exploitation

Detection Script for MongoBleed Exploitation. Contribute to Neo23x0/mongobleed-detector development by creating an account on GitHub.


@_dirkjan's and my joint talk at #TROOPERS25 is now available on YouTube.

"Finding Entra ID CA Bypasses - the structured way" @WEareTROOPERS

https://youtu.be/yYQBeDFEkps

#Entra #ConditionalAccess

TROOPERS25: Finding Entra ID CA Bypasses - The Structured Way


Custom data collection in Microsoft Defender for Endpoint was just announced in the November release notes.

Documentation is already available:

https://learn.microsoft.com/en-us/defender-endpoint/custom-data-collection

Predictive shielding also sounds very interesting...
#MDE #XDR

Microsoft Defender just got the September 2025 update

◽ Improved core service startup behavior
◽ Security fixes for missing input validation of RPC services
◽ Fixed threat exclusion handling
◽ Restored performance optimization for network file access

https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-updates#september-2025-platform-418250903009--engine-11250903001