Regular expressions aren't random jumbles of punctuation - they're carefully thought-out jumbles of punctuation!
Starred Articles
We discovered SearchLeak, a critical vulnerability chain in Microsoft 365 Copilot Enterprise that allows an attacker to steal sensitive data - MFA codes, email messages, meeting details, and private organizational files - with a single click.
We investigate an incident involving malicious Network Provider DLL used to steal credentials. The use of legitimate software allowed attackers to remain unnoticed for a long time.
We managed to chain multiple LLM and web-based vulnerabilities to achieve admin account takeover from a low-privileged account. Trusting the LLM turned out to be the first falling domino of a long chain of events that lead to complete compromise. In this article we describe how it went down.
Using Exchange Online (or on-premises exchange in hybrid mode) in combination with an external MX record, such as a third-party email server or spam protection solution, can allow the spoofing of emails from any sender to any recipient in the target tenant.
New Articles
We discovered a new macOS Tahoe 26 forensic artifact that offers a step-by-step record of user actions - from compressing files to emptying the trash - providing critical context for user activity across the operating system. This blog outlines where to find this artifact, how to process it and what stories the data can tell.
We analyze Splunk Enterprise CVE-2026-20253, a pre‑authentication remote‑code‑execution flaw in the PostgreSQL sidecar service, allowing an attacker to create or truncate arbitrary files and ultimately gain RCE - especially exploitable on default Splunk‑on‑AWS installations.
We detail Pack2TheRoot (CVE-2026-41651), a local privilege escalation in Linux systems through a TOCTOU vulnerability in the PackageKit service.
Reading the Wire - Protobuf Without a Map
06/06/2026Protobuf turns up constantly in DFIR work in Google's tooling ecosystem: Android apps, iOS apps, Chrome internals, sync engines, health databases, etc. This post is a deep dive into what Protobuf actually is at the wire level - byte by byte - and what you can and cannot recover from it without access to the original .proto definition.
OpenBSD's sppp_pap_input function uses attacker-controlled length fields as the bcmp comparison length for credential validation. Sending zero-length name and password fields causes bcmp to return 0 unconditionally, bypassing PAP authentication entirely.
Scales - Carving an embedded eBPF rootkit
06/11/2026We delve into scales, an eBPF-based infostealer and rootkit targeting Arch Linux. Statically carving the embedded eBPF object out of the deps loader (Atomic Arch AUR campaign) - no execution, no kernel - and provide relevant IOCs.
The BlueFrag Zero-Click: A System Replay
06/04/2026A technical deepdive into BlueFrag, a zero-click exploit, invisible to the user, that provides the attacker with full access to Android smart phones through a vulnerability in the L2CAP (Logical Link Control and Adaptation Protocol) stack, the higher layer of the Bluetooth stack.
We found hundreds of weak RSA and DSA keys with biased bits that we could quickly factor using a new polynomial-based cryptanalytic technique.
We analyzed LangGraph and uncovered three vulnerabilities in its persistence layer. The first 2 chain into remote code execution: a SQL injection in the SQLite checkpointer (CVE-2025-67644) and an unsafe msgpack deserialization (CVE-2026-28277). The last one (CVE-2026-27022) introduces the same injection class into the Redis checkpointer.
We analyze the attack chain and payloads of OnionDrop based on 645+ DLL samples, deepdiving into a nation-state-grade evasion, and a four-stage unpack chain to Donut shellcode.
Check Point’s "deprecated" IKE‑v1 VPN code has a critical authentication‑bypass (CVE‑2026‑50751, CVSS 9.3) that lets an attacker set a flag via a crafted Vendor‑ID payload, causing the gateway to skip certificate and signature checks and gain access with only a valid username.
A renderer-controlled SharedArrayBuffer(SAB) mutated by a worker thread causes WebAssembly’s bytecode validator and its JIT to disagree about which bytes are being compiled. Since the Wasm JIT compilation pipeline resides outside the V8 heap sandbox, this single bug results in RCE in the renderer without a V8 sandbox bypass.
We explain how DPAPI's CREDHIST file can be used to extract offline-crackable hashes and recover historical password material. We go through new Hashcat modules, updated DPAPISnoop tooling and provide defensive detection guidance.
Jupyter Enterprise Gateway
06/14/2026We detail three critical vulnerabilities in Jupyter Enterprise Gateway allow a notebook user to escalate privileges and fully compromise the underlying Kubernetes cluster.
We identified a network of 152 Chrome live wallpaper extensions hid ad tracking and made extension-driven traffic look like Google search clicks. In this article, we review the technical components and main obfuscation techniques, analyze the underlying infrastructure and monetization mechanisms.
When leveraged properly, ASN data serves as a high-confidence detection mechanism for both clustering threat activity and implementing effective mitigations. This article covers how to analyze and incorporate ASN data into existing security workflows to track and block threats, as well as expand detection coverage.
Investigating suspicious AI workflows in Microsoft Entra Agent ID - Part 3: Assistive agents
06/07/2026We study how an assistive (on‑behalf‑of) AI agent can be coerced to send a malicious email by using the access_agent consent flow, and walk through correlating Entra Agent ID, Graph API, and sign‑in logs to prove malicious agent activities. Finally we provide a quick guide for distinguishing autonomous‑agent, impersonating‑agent, and assistive‑agent sign‑in events in Azure AD logs.
We provide technical analysis of two critical flaws in Ivanti's Sentry gateway: CVE‑2026‑10520, a pre‑authenticated OS command‑injection that lets an unauthenticated attacker execute arbitrary system commands with root privileges, and CVE‑2026‑10523, an authentication bypass that permits creation of admin accounts.
We examine attack scenarios targeting cloud logging services such as AWS and Google Cloud. We review techniques used to evade detection through log system disruption, and the mechanisms used by attackers to get long-term, passive visibility into the victim's cloud infrastructure.
A technical analysis of CVE-2026-5667, an unauthenticated remote control of Mitsubishi MAC-577IF-2E WiFi air conditioner adapters.
In this post I explore what detections you can already use in your SIEM by ingesting Claude Compliance API logs. Then we go even further, introducing a prefilter and LLM judge pipeline which lets you write detections for real AI threats that live inside message content.
AWS Forensics : What you need to know
06/15/2026The purpose of this article is to provide a clear and practical starting point for anyone new to AWS who needs to handle an incident on the platform. We will go through IAM; permissions, services and resources, key artifacts, threats techniques, related events and logs; and tools that facilitate analysis and strengthen overall security.
Windows 11 Input Telemetry
06/14/2026This article deep dives into Windows 11 telemetry and explains why typed passwords appear in LSASS and ctfmon.exe, why Credential Guard does not protect these passwords, why this is expected behavior, and why clipboard data ends up in LSASS and CTFMON.
Still Recent
In this article, we'll explore the fundamentals of SQL injection, the various techniques used to identify these vulnerabilities, and how you can effectively exploit them to demonstrate impact on modern targets.
Investigating suspicious AI workflows in Microsoft Entra Agent ID - Part 2: Agent's user account
05/31/2026In this second part of the series, we investigate how Entra ID agent users can send malicious content to human users via Microsoft Teams.
Technical analysis of a malspam campaign abusing Google's DoubleClick to deliver a loader through a five-stage chain that evades detection and blinds Windows telemetry before persisting.
CVE‑2026‑40369 is a Windows kernel flaw where an unchecked 12‑byte write can be triggered from any user‑mode context, allowing an attacker to overwrite arbitrary kernel memory. By repeatedly using this primitive we can forge a SYSTEM token, achieving a full local‑privilege escalation from a medium‑IL process to NT AUTHORITY\SYSTEM.
A walkthrough of a classic-but-still-effective Active Directory attack: how write access to an SMB share - plus a single .lnk file - lets an attacker capture Net-NTLMv2 hashes from every user who simply browses the folder, with no clicks, no payload execution, and almost no EDR signal.
We investigate some vulnerabilities found in common enterprise AV devices (the Aver PTC320UV2 camera and Crestron TSW‑1060 tablet ): trivial remote‑code‑execution and credential‑leak vulnerabilities due to insecure defaults, hard‑coded secrets, and a lack of monitoring/patching.
Getting the pid from random numbers
05/27/2026In php7.0 the initial seed for the default random number generator, and all functions which use it, is derived from the current time and the pid. If we can time the call of the initialization function, we can brute-force all possible seeds within that time frame. By trying these possible seeds we can eventually find the one which was used to generate our random data and determine its pid.
Oldies but Goodies
Reverse Engineering an ANJIA PTZ IP Camera
01/12/2026A technical reverse-engineering analysis of a low-cost PTZ IP camera, including UART access, firmware extraction, and undocumented backdoors (CVE-2026-31077)