Retired MMA fighter. Infrastructure Architect. Certifications include VCP, VCAP5-DCA, VSP and VTSP, Microsoft Solutions Architect. All tweets are my own.

United States
Joined February 2009
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
๐—จ๐—ฟ๐—ด๐—ฒ๐—ป๐˜ ๐—ฐ๐—ฎ๐—น๐—น ๐—ณ๐—ผ๐—ฟ ๐—ฎ๐—น๐—น ๐—–๐—œ๐—ฆ๐—ข๐˜€ ๐—ฎ๐—ป๐—ฑ ๐—˜๐—บ๐—ฝ๐—น๐—ผ๐˜†๐—ฒ๐—ฒ๐˜€ ๐—ช๐—ต๐—ผ ๐—จ๐˜€๐—ฒ ๐— ๐—ถ๐—ฐ๐—ฟ๐—ผ๐˜€๐—ผ๐—ณ๐˜ ๐—ง๐—ผ๐—ผ๐—น๐˜€ I read about a newly identified ๐—ฃ๐—ต๐—ถ๐˜€๐—ต๐—ถ๐—ป๐—ด ๐˜๐—ฒ๐—ฐ๐—ต๐—ป๐—ถ๐—พ๐˜‚๐—ฒ called "๐—–๐—ผ๐—ฃ๐—ต๐—ถ๐˜€๐—ต" and I thought to share. This attack exploits Microsoftโ€™s Copilot Studio agents to steal OAuth (access) tokens. ๐—ช๐—ต๐—ฎ๐˜ ๐—บ๐—ฎ๐—ธ๐—ฒ๐˜€ ๐—ถ๐˜ ๐˜€๐—ผ ๐—ฑ๐—ฎ๐—ป๐—ด๐—ฒ๐—ฟ๐—ผ๐˜‚๐˜€? The link looks perfectly safe ( because itโ€™s a real Microsoft URL) but behind it is a malicious chatbot asking you (or your admin) to "sign in" or "grant access." Once you do, attackers can quietly steal your session token and access company data undetected. ๐—” ๐˜€๐˜‚๐—บ๐—บ๐—ฎ๐—ฟ๐˜† ๐—ผ๐—ณ ๐—ต๐—ผ๐˜„ ๐˜๐—ต๐—ถ๐˜€ ๐—ฎ๐˜๐˜๐—ฎ๐—ฐ๐—ธ ๐˜„๐—ผ๐—ฟ๐—ธ: - Attackers build fake Copilot agents using Microsoftโ€™s Copilot Studio. - These agents live on genuine Microsoft sites, making them appear trustworthy. - When you log in or approve access, your authentication token is sent to the attacker. - Since the URL is a legitimate one, it is easier for a user to fall for the trick and log in thinking it is just another Microsoft Copilot service. - Because the token was sent from Copilot using Microsoft's IP address, the connection to the attacker will not show in the user's web traffic. ๐—ช๐—ต๐˜† ๐˜๐—ต๐—ถ๐˜€ ๐—บ๐—ฎ๐˜๐˜๐—ฒ๐—ฟ๐˜€: Phishing isnโ€™t just about fake emails anymore. Trusted platforms are now being abused to bypass traditional defenses. What this means is that, "safe domain" doesnโ€™t always mean "safe page." ๐—ฅ๐—ฒ๐—ฐ๐—ผ๐—บ๐—บ๐—ฒ๐—ป๐—ฑ๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐˜€: 1. Set up rules in Microsoft Entra ID to ensure users cannot grant permissions to risky or unverified apps without an admin checking them first. 2. 
Disable default user app creation, preventing regular users from registering or deploying new applications unless necessary. 3. Security teams should closely monitor logs for new Copilot agents or app permission requests. 4. Train your employees to question unexpected consent or sign-in requests. 5. Encourage reporting by making it easy for employees to report anything odd. 6. Finally, review and revoke unused or suspicious OAuth tokens to reduce the attack surface and stop potential misuse of outdated credentials. ๐Ÿ“Œ Microsoft has confirmed a fix is coming, but awareness is our best defense right now. ๐Ÿ“ท Below are images showing the Microsoft-hosted login page and how the CoPhish attack works. ๐—œ๐—บ๐—ฎ๐—ด๐—ฒ ๐—ฆ๐—ผ๐˜‚๐—ฟ๐—ฐ๐—ฒ: Datadog Tag every CISO and Security Analyst you know in the comments. #CyberSecurity #Phishing #CoPhish
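Recommendation 3 in the post above (watch for new app permission requests) is the one a SOC can automate. The following is an added example, not code from the post or from Datadog: it triages OAuth consent events for the two things that make a CoPhish-style grant dangerous, an end user consenting to an app with no verified publisher, and scopes that let a stolen token read company data. The event records are hand-constructed in a simplified flat shape; real Microsoft Entra audit entries for "Consent to application" nest the app and permission details under targetResources/modifiedProperties, so the field names here are assumptions to be mapped onto your tenant's export.

```python
"""Triage OAuth consent events for the abuse pattern described in the CoPhish post.

Added example, not code from the original post or from Datadog. Event fields
below (activity, actor, app, consent_type, publisher_verified, scopes) are a
simplified, assumed shape; map them from your tenant's audit-log export.
"""
from dataclasses import dataclass, field

# Microsoft Graph scopes whose token would let an attacker read or exfiltrate data.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Directory.Read.All", "Directory.ReadWrite.All",
}


@dataclass
class Finding:
    app: str
    actor: str
    reasons: list = field(default_factory=list)


def assess_consent(event):
    """Return a Finding for a risky 'Consent to application' event, else None."""
    if event["activity"] != "Consent to application":
        return None
    reasons = []
    scopes = set(event["scopes"])
    # consent_type follows the oAuth2PermissionGrant values: "Principal" is a
    # single user consenting for themselves, "AllPrincipals" is admin consent.
    user_consent = event["consent_type"] == "Principal"
    if user_consent and not event["publisher_verified"]:
        reasons.append("end-user consent to an app with no verified publisher")
    hit = scopes & SENSITIVE_SCOPES
    if hit:
        reasons.append("sensitive scopes granted: " + ", ".join(sorted(hit)))
    if user_consent and "offline_access" in scopes:
        reasons.append("offline_access issues a refresh token, so the grant outlives the session")
    if not reasons:
        return None
    return Finding(event["app"], event["actor"], reasons)


def triage(events):
    """Run assess_consent over a batch and keep only the hits, in input order."""
    return [f for f in (assess_consent(e) for e in events) if f]


# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    {"activity": "Consent to application", "actor": "alice@example.com",
     "app": "Contoso Expenses", "consent_type": "Principal",
     "publisher_verified": True, "scopes": ["openid", "profile", "User.Read"]},
    {"activity": "Consent to application", "actor": "bob@example.com",
     "app": "Helpdesk Assistant", "consent_type": "Principal",
     "publisher_verified": False,
     "scopes": ["openid", "Mail.Read", "Files.Read.All", "offline_access"]},
    {"activity": "Consent to application", "actor": "admin@example.com",
     "app": "HR Sync", "consent_type": "AllPrincipals",
     "publisher_verified": True, "scopes": ["Directory.Read.All"]},
    {"activity": "Add service principal", "actor": "bob@example.com",
     "app": "Helpdesk Assistant", "consent_type": None,
     "publisher_verified": False, "scopes": []},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.app} (by {finding.actor}):")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

The benign first event (verified publisher, sign-in scopes only) produces nothing; the unverified app with mail and file scopes plus offline_access is the CoPhish shape and gets three reasons; the admin-consented directory read is flagged for its scope alone, which is the case recommendation 6 (review grants) is about.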
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
A penetration tester got root access to our Kubernetes cluster in 15 minutes. Here's what they exploited.

The attack chain:
- Found exposed Kubernetes dashboard (our bad)
- Dashboard had view-only service account (we thought this was safe)
- Service account could list secrets across all namespaces
- Found AWS credentials in a secret
- Used AWS credentials to access EC2 instance profile
- Instance profile had full Kubernetes admin via IAM
- Used kubectl to create privileged pod
- Escaped to node
- Root access to entire cluster

What we thought we did right:
- Dashboard was read-only
- Secrets were encrypted at rest
- Network policies were in place
- Regular security updates

What we missed:
- Dashboard shouldn't be exposed at all
- Service accounts need principle of least privilege
- Secrets shouldn't contain AWS credentials (use IRSA instead)
- Pod Security Policies weren't enforced
- Node access wasn't hardened

The fix took 2 weeks:
- Removed Kubernetes dashboard entirely
- Implemented IRSA for all pod AWS access
- Applied strict PSPs/Pod Security Standards
- Audit all RBAC permissions
- Regular penetration testing

Cost: $24K for the pentest
Value: Prevented what could have been a catastrophic breach
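The pivot in the post above was a "read-only" service account whose ClusterRole happened to include secrets, and the fix list ends with "Audit all RBAC permissions". The following is an added example, not code from the post: it walks ClusterRoles and ClusterRoleBindings and reports every subject that can get, list or watch Secrets cluster-wide. The objects are hand-constructed in the shape of `kubectl get clusterroles,clusterrolebindings -o json` items, trimmed to the fields the audit needs; the role and subject names are invented.

```python
"""Audit RBAC for subjects that can read Secrets in every namespace.

Added example, not code from the original post. SAMPLE_ROLES and
SAMPLE_BINDINGS are constructed in the shape of `kubectl ... -o json`
items (only the fields used here); names are invented.
"""

SECRET_READ_VERBS = {"get", "list", "watch"}


def rule_grants(rule, resource, verb):
    """True if one PolicyRule grants `verb` on a core-API-group `resource`."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:
        return False
    resources, verbs = rule.get("resources", []), rule.get("verbs", [])
    return (resource in resources or "*" in resources) and (verb in verbs or "*" in verbs)


def roles_reading_secrets(cluster_roles):
    """Map ClusterRole name -> sorted read verbs it grants on secrets."""
    out = {}
    for role in cluster_roles:
        verbs = {v for v in SECRET_READ_VERBS
                 if any(rule_grants(r, "secrets", v) for r in role.get("rules", []))}
        if verbs:
            out[role["metadata"]["name"]] = sorted(verbs)
    return out


def subjects_reading_secrets(cluster_roles, bindings):
    """Map 'Kind:namespace/name' -> verbs on secrets for every subject bound
    through a ClusterRoleBinding. Such bindings are unscoped, so one hit means
    the subject reaches secrets in all namespaces, as in the post's attack chain."""
    risky = roles_reading_secrets(cluster_roles)
    out = {}
    for binding in bindings:
        ref = binding["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in risky:
            continue
        for s in binding.get("subjects", []):
            key = f"{s['kind']}:{s.get('namespace', '')}/{s['name']}"
            out.setdefault(key, set()).update(risky[ref["name"]])
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample: a "read-only" dashboard role that quietly includes secrets,
# the same role with secrets removed, and the built-in cluster-admin.
SAMPLE_ROLES = [
    {"metadata": {"name": "dashboard-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services", "secrets"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "dashboard-viewer-fixed"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "dashboard-viewer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kubernetes-dashboard",
                   "name": "dashboard-sa"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "dashboard-viewer-fixed"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kubernetes-dashboard",
                   "name": "dashboard-sa-v2"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]

if __name__ == "__main__":
    for subject, verbs in subjects_reading_secrets(SAMPLE_ROLES, SAMPLE_BINDINGS).items():
        print(f"{subject}: can {', '.join(verbs)} secrets cluster-wide")
```

Two caveats when running this against a real cluster: namespaced RoleBindings that reference a ClusterRole grant secret access in one namespace only and are not covered here, and the built-in `view` ClusterRole deliberately excludes Secrets, so the thing to hunt for is custom "read-only" roles like the first sample above.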
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
🚨 EXCLUSIVE: I took the first known video of the inside of the Antifa safehouse located FEET from ICE Portland, catching leftist militants UNMASKED. This is the safehouse where violent Antifa terrorists, like @KatieDaviscourt's attacker, flee after they commit crimes. Portland Police allow them to harbor criminals there, and do NOTHING about it. An FBI raid should be the next step here. As well as the storage unit down the street, which houses THOUSANDS of dollars in goods, paid for by unknown sources.
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
Breakdown of AWS outage in simple words

1. Sunday night, a DNS problem hit AWS - DynamoDB endpoint lost
2. This meant services couldn't find DynamoDB (a database that stores tons of data).
3. AWS fixed the DNS issue in about 3 hours.
4. But then EC2 (the system that creates virtual servers) broke because it needs DynamoDB to work.
5. Then the system that checks if network load balancers are healthy also failed.
6. This crashed Lambda, CloudWatch, SQS, and 75+ other services - everything that needed network connectivity.
7. This created a chain reaction - servers couldn't talk to each other, new servers couldn't start, everything got stuck.
8. AWS had to intentionally slow down EC2 launches and Lambda functions to prevent total collapse.
9. Recovery took 15+ hours as they fixed each broken service while clearing massive backlogs of stuck requests.

This outage impacted: Snapchat, Roblox, Fortnite, McDonald's app, Ring doorbells, banks, and 1,000+ more websites.
This all happened in one AWS region (us-east-1).
This is why multi-region architecture isn't optional anymore.
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
BREAKING - The man who flipped over a TPUSA table and assaulted TPUSA staff on the campus of Illinois State University yesterday has been identified as Derek Lopez, a teaching assistant at the university and a software engineer for State Farm.
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
My 3 favorite tools for checking sketchy URLs:
- urlscan (awesome multi tool)
- browserling (sandboxes browser)
- virustotal (OG and a staple in any forensic tool kit)
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
US Marines run up the Rocky Steps in Philadelphia. 🔥🔥🔥
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
We Seriously Need to have a National Conversation…
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
SSO (Single Sign-On) Clearly Explained.

SSO can be thought of as a master key to open all different locks. It allows a user to log in to different systems using a single set of credentials. To fully understand the SSO process, let's take a look at how a user would log into LinkedIn using Google as the identity provider:

1) User requests access
First, the user would attempt to access the Service Provider (LinkedIn). At this point, a user would be presented with login options, and in this example, they would select "Sign in with Google".

2) Authentication request
From here, the Service Provider (LinkedIn) will redirect the user to the Identity Provider (Google) with an authentication request.

3) IdP checks for active session
Once the Identity Provider (Google) has received the request, it will check for an active session. If it doesn't find one, authentication will be requested.

4) User submits credentials
At this stage, the user will submit their login credentials (username and password) to the Identity Provider (IdP).

5) IdP verifies credentials
The Identity Provider will then verify the submitted credentials against its User Directory (database). If the credentials are correct, the IdP will create an authentication token or assertion.

6) IdP sends token to Service Provider
Once the token or assertion has been created, the IdP sends it back to the Service Provider confirming the user's identity. The user is now authenticated and can access the Service Provider (LinkedIn).

7) Access granted using existing session
Since the Identity Provider has established a session, when the user goes to access a different Service Provider (e.g. GitHub), they won't need to re-enter their credentials. Future service providers will request authentication from the Identity Provider, recognize the existing session, and grant access to the user based on the previously authenticated session.

SSO workflows like the above operate on SSO protocols, which are a set of rules that govern how the IdP and SP communicate and trust each other. Common protocols include Security Assertion Markup Language (SAML), OpenID Connect, and OAuth.

What else would you add?

--
Thanks to our partner Atlassian who keeps our content free to the community. Did you hear about Atlassian's Rovo Dev release? Check it out: lucode.co/atlassian-rovo-dev…
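The seven steps in the SSO post above, run end to end as an added example that is not part of the original post. It is an in-memory simulation: the "Google" IdP and the "LinkedIn" and "GitHub" SPs are classes exchanging Python dicts, there are no HTTP redirects, and the assertion is an HMAC-signed JSON document verified with a shared key rather than a SAML response or OIDC ID token (real deployments sign with the IdP's private key and SPs verify with its public key). What it does show is the part the post only names: the SP must check signature, audience, freshness and a one-time request nonce, which is why an assertion issued for LinkedIn cannot simply be replayed at GitHub. The user, password and service names are invented.

```python
"""Simulated SP-initiated SSO: one IdP, two SPs, session reuse on the second login.

Added example, not code from the original post. Shared-key HMAC stands in for
the asymmetric signature SAML/OIDC use; names and credentials are invented.
"""
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    """Owns the user directory and the browser sessions (steps 3 to 6)."""

    def __init__(self, name, signing_key):
        self.name, self.key = name, signing_key
        self.directory = {}   # username -> (salt, pbkdf2 digest)
        self.sessions = {}    # session cookie -> username

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.directory[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def _check_password(self, username, password):
        if username not in self.directory:
            return False
        salt, digest = self.directory[username]
        return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)

    def authenticate(self, request, cookie=None, credentials=None, now=None):
        """Return (cookie, assertion); assertion is None while login is still required."""
        now = now or time.time()
        user = self.sessions.get(cookie)
        if user is None:                                          # step 3: no active session
            if credentials is None or not self._check_password(*credentials):
                return cookie, None                               # step 4: prompt for credentials
            user = credentials[0]                                 # step 5: verified against directory
            cookie = secrets.token_urlsafe(16)
            self.sessions[cookie] = user
        claims = {"iss": self.name, "sub": user, "aud": request["audience"],
                  "nonce": request["nonce"], "iat": int(now), "exp": int(now) + 300}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return cookie, {"body": body.decode(), "sig": sig}        # step 6: signed assertion


class ServiceProvider:
    """Issues the authentication request (step 2) and validates the assertion (step 6)."""

    def __init__(self, name, shared_key):
        self.name, self.key = name, shared_key
        self.pending = set()   # nonces of requests we issued and have not yet consumed

    def start_login(self):
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return {"audience": self.name, "nonce": nonce}

    def consume(self, assertion, now=None):
        """Return the authenticated username, or raise ValueError if the assertion is unacceptable."""
        now = now or time.time()
        body = assertion["body"].encode()
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).hexdigest(), assertion["sig"]):
            raise ValueError("bad signature")
        claims = json.loads(body)
        if claims["aud"] != self.name:
            raise ValueError("assertion was issued for a different service provider")
        if claims["nonce"] not in self.pending:
            raise ValueError("unknown or already-used nonce (replay)")
        if claims["exp"] < now:
            raise ValueError("assertion expired")
        self.pending.discard(claims["nonce"])                     # single use
        return claims["sub"]


def demo():
    """Steps 1-7 from the post; returns (first SP user, second SP user, replay_blocked)."""
    key = secrets.token_bytes(32)
    google = IdentityProvider("google", key)
    google.add_user("alice", "correct horse battery staple")     # constructed account
    linkedin, github = ServiceProvider("linkedin", key), ServiceProvider("github", key)

    req = linkedin.start_login()                                  # steps 1-2
    cookie, assertion = google.authenticate(req)                  # step 3: no session yet
    assert assertion is None
    cookie, assertion = google.authenticate(req, credentials=("alice", "correct horse battery staple"))
    first = linkedin.consume(assertion)                           # steps 4-6

    req2 = github.start_login()                                   # step 7: same browser cookie,
    _, assertion2 = google.authenticate(req2, cookie=cookie)      # no password prompt
    second = github.consume(assertion2)

    try:                                                          # LinkedIn's assertion replayed at GitHub
        github.consume(assertion)
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return first, second, replay_blocked


if __name__ == "__main__":
    print(demo())
```

The audience and nonce checks are the two that SSO breaches usually hinge on: without `aud`, any SP trusting the same IdP accepts an assertion minted for another site, and without a one-time nonce (or SAML's InResponseTo) a captured assertion stays valid until it expires.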
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
😔 Most Active Directory misconfigurations aren't obvious… but they can be exploitable. Here's how to use ADeleg to find insecure permissions before attackers do. 🧵 1/6
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
Antifa mugshots. Now you know why they all wear masks.
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
Antifa member accused of pinning girlfriend's cat to the ground, punching it repeatedly. Fehr faces a charge of aggravated animal cruelty, which is a third-degree felony.
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
Hey @PortlandPolice: you made a big freaking mistake. You PROVED what we've all been saying for years: you're CORRUPT and CONTROLLED by violent Antifa thugs who terrorize the streets. You thought arresting me would make me shut up and go away. You couldn't have been more wrong. Stay tuned.
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
During shutdowns, federal workers are told to "do more with less." Meanwhile, Congress still cashes paychecks. That's wrong. I've reintroduced an Amendment to end Member pay during shutdowns. Zero. No back pay either!!
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
After 817 days of cancer treatment Willie finally got to RING THAT BELL 🔔 Way to go Willie !!!!
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
A baby meets his mother's twin sister for the first time… 😄
Ed Utz. 🥃🍷🍺💻🏋️‍♀️🥋🐶 retweeted
US Navy SEAL Mike Day survived being shot 27 times by al-Qaeda militants in several parts of his body; he was also hit by a grenade. Despite his injuries, he was able to end all 4 attackers and walked away without help. After serving in the Navy for 21 years, Day retired in 2010. He dedicated his post-service life to supporting veterans through his work with Wounded Warriors. Mike Day passed away in March 2023. Rest easy Hero 🇺🇸