Threat-Hunting
Lessons from the field. Always landing on my feet.
From Authorization to Action: Operationalizing CISA's Microsoft Cloud Logs Playbook in Sentinel

CISA originally released the Microsoft Expanded Cloud Logs Implementation Playbook on January 15, 2025. The CISA resource page shown below also has a May 1, 2026 revision date, and the May 2026 DOCX I reviewed is marked as version 1.1 with general …
Block Device Code Phishing in Entra Without Breaking Legit Workflows

Device code phishing is nasty because the user does not hand over a password. They hand over a session. The lure sends the victim to a legitimate Microsoft device sign-in page. The victim enters a short code. Entra ID issues tokens to the attacker's …
Detecting Infostealer Session Hijacking with Microsoft Sentinel

Nearly 70% of incidents in the Americas now begin with stolen or misused accounts. Infostealers are the engine behind that number: families like Lumma, RedLine, and Vidar export browser cookies and session tokens directly from the victim's machine, …
Detecting OAuth Redirect Abuse with Microsoft Sentinel and Entra ID

On March 2, 2026, Microsoft published an advisory on OAuth redirection abuse enabling phishing and malware delivery. Microsoft described phishing-led campaigns where attackers register OAuth apps with attacker-controlled redirect URIs, then send …

