Karl
@kfosaaen
VP of Research - @netspi Co-author of “Penetration Testing Azure for Ethical Hackers” (http://amzn.to/3GOvW3A). @kfosaaen on most other platforms
A huge thank you to everyone who came out to my @cloudvillage_dc talk today! Here are my slides for “Identity Theft is not a Joke, Azure!” - notpayloads.blob.core.windows.net/slides/Identit…
New research is wrapping up. Spoilers: Microsoft Teams External Access is enabled in 973,328 out of 1,323,512 domains tested. A whopping 73% of organizations never changed the default setting in Teams which allows anyone to spy on user availability, OOO, and allows messaging.
I finally published final stats from my 3 years of scraping users via OneDrive. I've got data on usernames, domains, and ADFS configs. This is all related to my ShmooCon talk earlier this year. github.com/nyxgeek/azure_…
This one was a fun exploit. Turning a security product against itself to gain C2-like control over all its agents. Updates have been available for a while but only now it has been disclosed. Get patching, folks
New Vuln Research: NetSPI Principal Consultant Ceri Coburn exposes how Forescout SecureConnector agents can be hijacked via a named pipe vulnerability (CVE-2025-4660), turning endpoint security tools into attacker-controlled C2 channels. Read more: ow.ly/6hl250WqWrX
🎉 Excited to have @kfosaaen & @thomas_elling presenting “We Know What You Did (in Azure) Last Summer” at #CloudVillage! 🔍☁️ 📍 Room 311, LVCC 🗓️ Aug 8, 2025 | ⏰ 10:10–10:50 AM PT 🔗 Schedule: cloud-village.org/dc33 #Azure #HackerSummerCamp #DEFCON33
I'm very excited to share that Thomas Elling and I will be presenting "We Know What You Did (in Azure) Last Summer" at the DEF CON @cloudvillage_dc this year (Friday - 10 AM). We will go over some techniques that can be used to find the owners of multiple types of Azure resources

🕵️♀️ Looking to escalate privileges with a first-party Microsoft app? How do federated domain backdoors work? And what's an app reg, really? All this and more in our new @datadoghq Security Labs post: securitylabs.datadoghq.com/articles/i-spy…
If you’re using Azure Front Door WAF, make sure you select the correct IP match variable or you’re gonna have a bad time. Here’s a standalone tool you can run from CloudShell to check for insecure Front Door WAF rules that utilize RemoteAddr. github.com/nyxgeek/frontd…
Does your WAF use IP restrictions, or are they more like IP recommendations? @nyxgeek reveals the difference between RemoteAddr and SocketAddr, a distinction that could create a 'sleeper' rule that looks secure but is easily bypassed. trustedsec.com/blog/azures-fr…
NetSPI Principal Security Consultant Jason Juntunen recently published findings on a Remote Code Execution vulnerability in SailPoint's IQService component. 👉 Read the full technical breakdown: ow.ly/GbT150WmgRg #proactivesecurity #VulnerabilityResearch
From MS-DOS to Copilot, we’ve come a long way. This year, in honor of Microsoft’s 50th anniversary, MSRC is throwing it back (way back) with a "Microsoft Through the Decades" security researcher celebration during Black Hat. 🗓 August 7, 2025 📍Skyfall Lounge, W Las Vegas This…
Azure Arc is Microsoft's solution for managing on-premises systems in hybrid environments. My new blog covers how it can be identified in an enterprise and misconfigurations that could allow it to be used for out-of-band execution and persistence. ibm.com/think/x-force/…
My talk was published mega quickly as its own video by @fwdcloudsec (thanks btw!) So feel free to check it out if you wanna learn some fun SharePoint research outcomes and learn about a “pre-signed url” equivalent method of accessing SharePoint files! youtu.be/l5lpIF_QZCE
While the fix has been out for about a month, Joshua at @NetSPI just released a blog outlining an interesting issue (CVE-2025-26685) that he found with Microsoft Defender for Identity - netspi.com/blog/technical…
Something I've been working on for a few weeks, feels like pushing out one blog post a week at this rate. Azure Arc may be known to a few folks or not, but it appears to be C2 as a service with a few caveats! blog.zsec.uk/azure-arc-c2aa… #RedTeam #BlueTeam #PurpleTeam #CTI #AzureArc
Read the details on how multiple arbitrary SYSTEM file delete flaws (CVE-2025-23009, CVE-2025-23010) can be exploited for privilege escalation. ✅ SonicWall has patched these issues in NetExtender v10.3.2 ow.ly/UxPT50W0xWA
Took @akamai_research's script for BadSuccessor and improved it a bit. - runs from non-domain-joined systems - works in forests - prints the rights each entity has on an OU - pre-flight check if 2025 DCs are present - code changes here and there github.com/LuemmelSec/Pen…
Got a story that started in the cloud and broke the rules? ☁💥 We’re looking for the unexpected. The bold. The beautifully technical. DEF CON is your stage — but the clock’s ticking. 🗓 CFP closes May 25 → forms.gle/LdDLHoxXUM3ABy… #CloudVillage #DEFCON33 #CFP #CyberSecurity
⚠️ If you are using SAM-R, especially with Defender for Identity, you may be vulnerable to a downgrade attack! ⚠️ This was so dangerous they are disabling SAM-R queries in the coming weeks. Only classic sensor is affected, not XDR agent sensor (3.x). learn.microsoft.com/en-us/defender…