securityonfire

securityonfire

Sign in Subscribe

Tenant Admin Group

Tenant Admin Group

The tenant admin group is a hidden group in O365 that is only visible in the Exchange portal. All Global Admins are added to this group behind the scenes. This is why you see a number of built-in alerts in Sentinel that look for the "TenantAdmins" group. Check

Responding to a Forwarding Event from SPO Proxy Address

Responding to a Forwarding Event from SPO Proxy Address

If you come across an email address when working in Exchange/M365 that looks something like: "+SPO:SPO_2b4c97nc-eb6c-3e91-8n9z-59bc5e7ab9en@SPO_3159na78-994d-319b-714d-5d61897c12bb" you've found an SPO proxy addresses. The above is based on a real proxy address. If you are responding to a Microsoft Sentinel Incident like

Querying MailItemsAccessed with Sentinel

Querying MailItemsAccessed with Sentinel

This is a quick one today, but wanted to get the information out there. When investigating compromised user accounts, it is important to understand what items were accessed by the attacker. This capability can also be useful when a phishing email comes in and you need to identify whether the

THM{Zero Logon} Walkthrough

THM{Zero Logon} Walkthrough

Summary This room is a beginner-friendly way to start understanding how attackers exploit vulnerabilities in general and the ZeroLogon vulnerability specifically. Note: This room contains updated commands for the AttackBox to install the impacket virtual environment. The Zero Day Angle Read through this section and study the links given. This

THM{Attacktive Directory}

THM{Attacktive Directory}

Recently it was recommended that I take the next step in my cyber journey and start a blog. So I thought for a while, bought a domain name on the edge between kind of cool and kind of cheesy, and started writing. What came out of it was my first