r/cybersecurity

Neither MFA, Passkey, nor trusted IP help here

A sensor fires an alert: a customer signed in to his Microsoft account, in the context of a suspicious e-mail.

I check the source IP: customer IP from the neighbouring canton. Fits.

I check the suspicious e-mail: the link leads to the REAL login.microsoftonline.com. Correct URL.

Microsoft itself dismissed the sign-in risk. So did I, at first.

BUT... (I had to have an AI explain this part to me)

Device Code Phishing.

In the background, the attacker started an OAuth Device Code Flow against Microsoft. The customer receives an "access code" by e-mail, dutifully goes to the real Microsoft page, signs in with his credentials, confirms MFA, all by the book. Microsoft sees a clean sign-in from a trusted IP. Conditional Access is not triggered. Sign-in risk: low.

Only: the access and refresh tokens are not issued to the customer's browser but to the device code session held by the attacker. With MFA claim. Persistent access, until someone explicitly revokes the sessions.

The user rule "check the URL" doesn't help. The URL is real.

Phishing-resistant MFA doesn't help. The origin is correct.

The usual sensor logic (trusted IP, valid MFA, correct tenant) doesn't help. Everything looks legitimate.

Who in my network already knows this technique from practice? Can anyone confirm what the AI told me?

For me, the first documented case of this kind, today!

reddit.com
u/Ictforeveryone — 12 hours ago
▲ 4 r/cybersecurity+1 crossposts
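The post above says the usual sensor logic (trusted IP, MFA satisfied, Conditional Access passed) cannot separate a device-code sign-in from a normal one. The one thing that does differ is which OAuth grant was used, and Entra ID records that per sign-in. The following is an added example, not code from the original post: it runs a check over constructed sign-in log records exported as JSON Lines and flags every sign-in that used the device code flow, even when all the classic indicators look clean. The field names (AuthenticationProtocol, AuthenticationRequirement, ConditionalAccessStatus, IPAddress, RiskLevelDuringSignIn) follow the Entra / Sentinel SigninLogs schema as I know it; verify them against your own export. The trusted network and the three log records are constructed, with an IP from a documentation range.

```python
"""Flag OAuth device-code-flow sign-ins in Entra ID sign-in log records.

Added example, not part of the original post. Assumes a JSON Lines export
of the sign-in log with the SigninLogs field names used below (check them
against your tenant's export). Sample data is constructed.
"""
import ipaddress
import json

# Constructed sample: three sign-ins by one user from the same "trusted"
# IP, all with MFA satisfied and Conditional Access = success. Only the
# AuthenticationProtocol field separates the device-code sign-in (the
# tokens of which went to whoever started the flow) from ordinary ones.
SAMPLE_LOG = """\
{"TimeGenerated":"2025-03-10T08:01:12Z","UserPrincipalName":"a.meier@example.ch","IPAddress":"203.0.113.45","AuthenticationProtocol":"none","AuthenticationRequirement":"multiFactorAuthentication","ConditionalAccessStatus":"success","RiskLevelDuringSignIn":"none","AppDisplayName":"Office 365 Exchange Online"}
{"TimeGenerated":"2025-03-10T09:14:55Z","UserPrincipalName":"a.meier@example.ch","IPAddress":"203.0.113.45","AuthenticationProtocol":"deviceCode","AuthenticationRequirement":"multiFactorAuthentication","ConditionalAccessStatus":"success","RiskLevelDuringSignIn":"none","AppDisplayName":"Microsoft Office"}
{"TimeGenerated":"2025-03-10T09:20:03Z","UserPrincipalName":"a.meier@example.ch","IPAddress":"203.0.113.45","AuthenticationProtocol":"none","AuthenticationRequirement":"multiFactorAuthentication","ConditionalAccessStatus":"success","RiskLevelDuringSignIn":"none","AppDisplayName":"Microsoft Teams"}
"""

# Constructed stand-in for a Conditional Access "named location".
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def looks_trusted(rec):
    """The classic sensor logic from the post: trusted IP, MFA done,
    Conditional Access passed, no sign-in risk. Returns True for all
    three sample records, which is exactly the problem."""
    ip = ipaddress.ip_address(rec["IPAddress"])
    return (
        any(ip in net for net in TRUSTED_NETS)
        and rec.get("AuthenticationRequirement") == "multiFactorAuthentication"
        and rec.get("ConditionalAccessStatus") == "success"
        and rec.get("RiskLevelDuringSignIn", "none") == "none"
    )


def find_device_code_signins(jsonl):
    """Return every record whose grant was the device code flow, annotated
    with whether the classic rules would have waved it through. Malformed
    lines are skipped rather than aborting the whole run."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("AuthenticationProtocol") == "deviceCode":
            hits.append({**rec, "looks_trusted": looks_trusted(rec)})
    return hits


if __name__ == "__main__":
    for hit in find_device_code_signins(SAMPLE_LOG):
        print(
            f"{hit['TimeGenerated']} {hit['UserPrincipalName']} "
            f"ip={hit['IPAddress']} app={hit['AppDisplayName']} "
            f"protocol=deviceCode passes_classic_rules={hit['looks_trusted']}"
        )
```

The point of the check is the last column: the flagged sign-in passes every rule in looks_trusted, so a detection keyed on IP, MFA or CA outcome alone will never raise it. If your tenant has no legitimate device-code clients (headless Azure CLI logins, smart TVs and the like), every hit is worth a look and a session revocation; if it does, allow-list those app IDs and alert on the rest.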

What Questions Do You Ask During SSP Control Interviews?

Hello all!

Recently accepted a position to write SSPs. Typically I've sat on the back end, listening in on the meetings where one person leads and asks the questions while I take the notes and details to write up implementation statements for each control and CE. This new position calls for me taking the lead on asking the questions and collecting the information/data to, again, write out the implementation statements.

Would any of my fellow members here have resources to share that consist of questions to ask, to make sure I'm collecting/gathering the right amount of appropriate information?

reddit.com
u/Unlucky_Beautiful_55 — 9 hours ago
▲ 1 r/cybersecurity+1 crossposts

cyber security remote

How realistic is the remote route? Remote jobs in cybersecurity specifically. Is it actually possible to break in that way, or is the competition just as rough there too? I'm a security analyst with 2 years of experience, but since I left my last company I have not gotten a single interview call, even with rigorous applying. Can anybody help me land one???

reddit.com
u/FoundationPure5005 — 12 hours ago

landing a remote Vulnerability Management role

I’m graduating with a BS in Cybersecurity and Networking in October.

I currently have my A+ and Security+, and I'll have CySA+ and PenTest+ completed before graduation.

I also have 2 CVEs, 6 yrs in the Navy and 2 yrs with the Feds.

I cannot relocate. I am exclusively targeting remote Vulnerability Management or Threat Intelligence roles in the Midwest.

What is the most effective way to stand out for remote VM or CTI roles right now? Are hiring managers prioritizing specific enterprise scanner experience (Tenable/Nessus/Qualys) that I should be building out in a homelab?

Any advice on how to successfully bypass the traditional helpdesk pipeline and make a strong case for these specific remote roles would be highly appreciated.

I'm in my early 30s and my options are the FBI or a decent security role. My wife does NOT want the FBI. I'd be open to anything 90k+.

reddit.com
u/devildip — 18 hours ago

Is there no more privacy left in the world?

Seeing Flock cameras everywhere, having apps that are able to track your every move while you are constantly being tracked online for your political beliefs and what you're interested in, and then door cameras that can detect your face and cross-reference it with all of the above, I feel as if I cannot hide myself anymore.

This is especially concerning due to the number of data breaches that keep happening, and no company is held accountable for said breaches. Like, I will wake up and see Malwarebytes give me a notification about a data breach, and nothing will even happen to get any justice.

There's also the concern of people search services where ordinary people (not megacorporations) can use OSINT software to track you using usernames, then easily recover your information using said information you may have leaked online that can lead to doxxing.

Also, with the way the political climate is right now and seeing people get prosecuted for the things they say online, it feels like free speech is just dead.

Like, I want to live a private life away from these corporations, but I don't want to boot up Tor Browser every day with a VPN and then have every website I visit block me because of my private browsing practices (not to mention that these private browsers are EXTREMELY SLOW, making the web surfing experience horrendous).

reddit.com
u/NonstickFryingPans — 1 day ago
▲ 2 r/cybersecurity+1 crossposts

What volume of TPRM do you handle per month?

Recently, we decided to reintroduce a TPRM process within our group (the previous process had been abandoned). We set up a very basic process (pre-assessment + security questionnaire), and this ultra-basic process has become incredibly time-consuming. We're now drowning under an absurd number of TPRMs.
Yet I remain convinced that even without a tool, there must be more optimized methods! I'd love to hear your feedback.

reddit.com
u/Kiss-cyber — 1 day ago

Do people still rely on antivirus software in 2026, or is built-in security enough now?

I was wondering how things have changed over the years.

It feels like Windows and macOS have improved their built-in security a lot, and most threats now are more about phishing links, fake downloads, and browser-based attacks rather than traditional viruses.

So I’m curious what people actually do now:

  • Just use built-in security tools?
  • Or still install third-party antivirus for extra protection?
  • Or rely mostly on safe browsing habits?

Would be interesting to hear different setups people are using these days.

reddit.com
u/Mobile-Horse4552 — 1 day ago

Encrypted emails bypassing email security tool

What are y'all doing for encrypted email phishing protection? We have a ton of legitimate encrypted emails going in and out of our company. Our email tool cannot scan inside the encrypted emails, leaving a huge gap in our phishing protection.

Lately, the bad actors have been sending mostly encrypted phishing emails from legitimate sources and we are having a hard time stopping or evaluating these.

reddit.com
u/Working_Train2858 — 1 day ago

MSPs & MSSPs suck

Managed Service Providers & Managed Security Service Providers suck. They may not start off this way, but usually after a year (if you're lucky) the service falls off, fingers start getting pointed, and the next thing you know you're stuck in a 2-3 year contract with a service which isn't as sold.

Is this an industry thing? In which industries are people finding the outsourced option is failing? I'm in manufacturing, and the OT side scares both sets of providers; the round-the-clock support also drops off eventually with every provider we've used, and don't get me started on the false positives.

reddit.com
u/Fair_Ad7718 — 1 day ago

GitHub announces internal data breached.

The company stated on their official X account:

“We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.”

https://x.com/github/status/2056884788179726685?s=46

reddit.com
u/ObseenKarma — 2 days ago

safest virtual machine?

So before you guys clown on me: I'm new to cybersecurity. I want to use a VM to analyze files for viruses and such, and some people say that Windows Sandbox has a small possibility of letting the virus escape onto my actual PC. I'm not sure if this is true, but if it is, what's the safest VM option then?

reddit.com
u/Ill_Invite8954 — 1 day ago