Securing Microsoft Entra ID: Lessons from the Field – Part 1

This multipart blog series is focused on the real-world lessons learned while securing Microsoft Entra ID. Based on hands-on experience across various environments and organizations, we'll explore the practical, high-impact strategies that work and, more importantly, the common misconfigurations, overlooked settings, and pitfalls that can expose your identity perimeter. Throughout the series, we'll cover both …

Why Microsoft's New Sentinel Data Lake Actually Matters

From a Cybersecurity Architect Who's Seen the Struggles Firsthand

Over the years, we've migrated more than a few SIEM environments to Microsoft Sentinel. And no matter how different the organizations were, the same headaches kept showing up: 🔍 What logs do we really need to keep for detection? 💾 What can we afford to store …

Tracking historical IP assignments with Defender for Endpoint logs

A new incident comes in. The CEO's laptop shows possible Cobalt Strike activity. Your host investigation shows that the attacker likely gained privileged access to her host and that the initial activity is from two days ago. You contain the host in your EDR agent. But now you must determine whether the attacker moved laterally inside …

How to hunt & defend against Business Email Compromise (BEC)

Business email compromise (BEC) remains a commonly used tactic that gives adversaries leverage to gain access to user resources or company information. Depending on the adversaries' end goals and on the compromised user's business role, the potential impact can vary from simply accessing sensitive information (e.g., from emails, files uploaded …

Detecting Teams Chat Phishing Attacks (Black Basta)

Illustration: a person in a suit overwhelmed by a pile of envelopes while typing, a screen reading "Help Desk" nearby, and a hooded figure reaching towards them, representing the phishing threat.

For quite a while now, there has been an ongoing threat campaign in which the adversaries first bomb a user's mailbox with spam emails and then pose as Help Desk or IT Support on Microsoft Teams to trick their potential victims into granting access. This social engineering tactic is attributed to the ransomware group "Black Basta".

Microsoft Purview – Evading Data Loss Prevention policies


Introduction

Microsoft Purview is a comprehensive solution that helps organizations manage and protect their data across various environments, including on-premises, multi-cloud, and software-as-a-service (SaaS) platforms. It provides a unified data catalog, data classification, and data security capabilities, enabling organizations to gain insights into their data landscape, secure their data accordingly, and ensure compliance with regulatory …