How to check for OAuth apps with specific Graph permissions assigned
OAuth apps are still an important target for attackers to misuse in organizations. Since the MFA baseline has been improved with number matching and additional controls, attackers are finding new ways to gain access to environments and collect data. One of…
AiTM/ MFA phishing attacks in combination with “new” Microsoft protections (2025 edition)
Adversary-in-the-middle phishing attacks are still becoming more common; over the last year and the start of 2025 there has been a clearly visible increase in AiTM/MFA phishing. Since the removal of basic authentication from Exchange Online more and…
How to check and block “malicious” browser extensions with Microsoft Defender and Intune?
In the past years, malicious browser extensions have been on the rise and are increasingly used as part of cyberattacks. With malicious extensions, it is possible to obtain data or cookies or to gain initial access…
How to use Microsoft Security Exposure Management (XSPM)
Microsoft Security Exposure Management is a new product/feature in the Defender XDR suite. This blog will explain more about it and the difference between Vulnerability Management, Secure Score and XSPM, since there is still a difference between the Microsoft Security…
How to check for a healthy Defender for Endpoint environment?
When using Defender for Endpoint it is important to make sure the agents are healthy. I performed many reviews and configurations in the past years and onboarded around a million devices to Defender for Endpoint for small and larger “enterprise” customers…
How to onboard and get started with Copilot for Security
Microsoft Copilot for Security is a new AI-based tool; it takes signals from various sources and uses that data as an additional input and research layer. Microsoft Copilot for Security is integrated into a specialized language model that includes…
Automatic attack disruption in Microsoft Defender XDR and containing users during Human-operated Attacks
Last year Microsoft announced a new feature named Automatic Attack Disruption in Defender XDR (Microsoft 365 Defender). Since October last year, Microsoft has expanded the Automatic attack disruption feature with support for human-operated attacks and the ability of…
Pivot via OAuth applications across tenants and how to protect/detect with Microsoft technology? (Midnight Blizzard)
Recently, threat actors like Midnight Blizzard have been using OAuth applications in tenants that they can misuse for malicious activity. Actors use compromised user accounts to create/modify and grant permissions to OAuth applications in tenants and move across test and…
How to use deception in Microsoft Defender for Endpoint/ Defender XDR
Microsoft Defender XDR is expanding across the full attack chain. With the new Deception capability in Microsoft Defender XDR, it is possible to detect attackers early in the kill chain and disrupt advanced attacks. Deception is a new feature for…
How to use Automatic Attack Disruption in Microsoft 365 Defender (BEC, AiTM & HumOR)
Last year Microsoft announced a new feature called Automatic attack disruption, which uses correlated insights from the Microsoft 365 ecosystem and powerful AI models to stop sophisticated attack techniques while the attack is in progress. Automatic attack disruption supports the…