Threat Detection
Lessons from the field. Always landing on my feet.
Copy Fail in the Cloud: A Defender, Sentinel, and AKS Response Guide for CVE-2026-31431
A Linux local privilege escalation bug is easy to dismiss if you only think in traditional server terms. An attacker already needs local access, so how bad can it be? In cloud environments, that assumption breaks fast. A compromised container, a β¦
Block Device Code Phishing in Entra Without Breaking Legit Workflows
Device code phishing is nasty because the user does not hand over a password. They hand over a session. The lure sends the victim to a legitimate Microsoft device sign-in page. The victim enters a short code. Entra ID issues tokens to the attackerβs β¦
Detecting Infostealer Session Hijacking with Microsoft Sentinel
Nearly 70% of incidents in the Americas now begin with stolen or misused accounts. Infostealers are the engine behind that number β families like Lumma, RedLine, and Vidar export browser cookies and session tokens directly from the victimβs machine, β¦
Building Custom Sentinel Connectors in One Click with CCF Push
Getting custom data into Microsoft Sentinel has traditionally required a lot of moving parts. You need a Data Collection Endpoint, a Data Collection Rule, an Entra app registration with a client secret, RBAC role assignments, a custom table β¦
Detecting OAuth Redirect Abuse with Microsoft Sentinel and Entra ID
On March 2, 2026, Microsoft published an advisory on OAuth redirection abuse enabling phishing and malware delivery. Microsoft described phishing-led campaigns where attackers register OAuth apps with attacker-controlled redirect URIs, then send β¦