A follow-up investigation mapping 1,337 phishing URLs across 326 workers.dev hostnames, confirming a PhaaS multi-tenant architecture, encrypted client-side payloads, and new lure variants targeting Adobe, DocuSign, and Outlook branding.
Uncovering a phishing campaign abusing Microsoft Device Code Authentication and Cloudflare Worker Pages, with detection hunts for Entra and Microsoft 365.
A look into automating the hunt for malicious NPM packages, using AI for package review.
A look at a new phishing campaign, ConsentFix which utilises click-fix style techniques to steal auth tokens.
A walkthrough of different Token Theft Scenarios with Detections
Detecting abuse of VSCode Remote Tunnels for C2 and persistence by threat actors
How threat actors abuse Microsoft Dev Tunnels for C2 communication and detection strategies
A practical guide to implementing threat hunting in a SOC environment and moving beyond reactive detection