Katie Knowles
@_sigil
Senior Security Researcher @ Datadog. 🐕 Head in the (Azure) clouds. Sometimes blogging, always curious. Aim to be, rather than to seem.
🕵️‍♀️ Looking to escalate privileges with a first-party Microsoft app? How do federated domain backdoors work? And what's an app reg, really? All this and more in our new @datadoghq Security Labs post: securitylabs.datadoghq.com/articles/i-spy…
We're looking for a curious AI security researcher to join us! 👀
Join my team! We’re looking for a Senior Security Researcher specializing in Generative AI. You’ll have the opportunity to be a part of one of the leading security research organizations in the industry and shape Datadog’s security products! A 🧵 careers.datadoghq.com/detail/7031220…
This is a great point! Ensuring your cloud admins aren't synced users will prevent the federated domain takeover scenario, as only synced users are vulnerable.
Nice talk Katie! The easiest way to prevent the attack you demonstrated is to avoid giving admin permissions to synced users (=no ImmutableID)
☁️ My fwd:cloudsec talk, "I SPy: Rethinking Entra ID research for new paths to Global Admin", is up! Learn what a service principal is, how Microsoft's first-party apps could be backdoored, and one weird trick they haven't fixed yet: youtube.com/watch?v=oNpwtt…
Thank you for a great week, @fwdcloudsec!! So many fantastic conversations and sessions. See you next year!
I have a new post out on the @NetSPI blog today. This one is on extracting sensitive information from the Azure Load Testing service. netspi.com/blog/technical…
My talk was published mega quickly as its own video by @fwdcloudsec (thanks btw!) So feel free to check it out if you wanna learn some fun SharePoint research outcomes and learn about a “pre-signed url” equivalent method of accessing SharePoint files! youtu.be/l5lpIF_QZCE
Thanks for joining!
It’s a packed house over at @_sigil talk on Azure Service Principals, a history on backdooring them, and more!
When the hotel has a free drink for your panic rehearsals. Looking forward to @fwdcloudsec! 🥂

Since several people already asked: the slides from @fabian_bader and myself for @WEareTROOPERS are available! "Finding Entra ID CA bypasses - the structured way". We talked about FOCI, BroCI, CA bypasses, scopes and getting tons of tokens. Check it at dirkjanm.io/talks/
One of the results of the joint research with @_dirkjan is entrascopes.com. Basically the yellow pages for Microsoft first party apps. #TROOPERS25
At @WEareTROOPERS I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable SaaS applications. The attack is still alive and well. You can read all about it here: #Entra #M365 #infosec semperis.com/blog/noauth-ab…
This overview of OAuth in Entra is fantastic! Highly recommended:
Deep dive into Azure OAuth phishing & detection! This article from @_xDeJesus shows how rich telemetry is crucial for spotting identity-based attacks. Stop relying on static indicators & start: go.es.io/4k4A7LD #CloudSecurity #ThreatDetection #Azure
My RSAC virtual session is up! Catch "Persisting Unseen: Attacker Methods of Infesting Entra ID" here: youtu.be/ngSFP-tgupM?si… Companion blog: kknowl.es/posts/defendin…
🕵️‍♀️ I'll be presenting "I SPy: Rethinking Entra ID research for new paths to Global Admin" at fwd:cloudsec June 30-July 1, alongside some fantastic other speakers: fwdcloudsec.org/conference/nor… If you can’t make it, talks are streamed at: youtube.com/@fwdcloudsec
🥷 Detect & defend vs Entra ID persistence! From my RSAC Cloud Summit talk, I've shared how attackers persist through Entra ID roles, applications, and authentication... and how you can stop them: kknowl.es/posts/defendin…

Reminder that the fwd:cloudsec Europe 2025 Call for Papers is open! First time speakers who requested feedback by May 30th and meet the submission criteria will receive feedback on how to improve during the second round. For more: fwdcloudsec.org/conference/eur…
Take a journey in Administrative Unit Attack Paths! Check out @_sigil's #SOCON2025 talk, which starts w/ scoped role assignments for privilege escalation against users & groups and finishes w/ protecting accounts using Restricted Management AUs. 👀: ghst.ly/4ksxiEx
🌐 I'll be speaking at RSA Conference's Virtual Seminar on Cloud Security on June 5, 2025! I'll be sharing a technical overview of Entra persistence techniques for all levels. Sign up to stop by here: rsaconference.com/library/virtua…
My talk from #socon2025 is up, get your “urm” counter ready! youtu.be/RiOtfPM7i3U?si…