How attackers abuse Microsoft 365 Direct Send to deliver phishing emails and steal credentials
A stealthy password spray campaign is using Virginia-based residential proxies. Here’s what we’re seeing and how to block it.
“Only allow log-ins from known places” sounds great, but falls apart in practice.
SharePoint is often the real target in business “email” compromises
The quiet side of BEC: how attackers exfiltrate data without leaving a trace
A case study in why anomaly detection isn't enough
Attackers often use hacked accounts to "OneDrive Phish" other companies. This allows them to launder their phishing emails through Microsoft infrastructure. So, how can we detect and stop them?
A case study in how alerting on noise can cause you to miss the real attack
A data center in Tampa is the backbone of a new wave of AitM phishing campaigns we've observed. Here's what you need to know and how to block it.
Why anomalous user agent strings can be misleading
Attachments in Teams chats use OneDrive under the hood, so they actually appear in SharePoint logs. Plus: why this matters for attackers disguising their actions.
Catching an attacker hiding in plain sight with some creative log slicing
Differentiating between real IPs and Microsoft datacenters in SharePoint logs. Hugely important for incident investigations.
We see a lot of attacker-in-the-middle attacks here at Petra. Here's a policy you can use that will block a whole lot of them in your tenant in 5 minutes.
Catching an attacker red-handed across event streams—from a OneDrive phishing lure to an automated AitM toolkit in action.
Detecting a compromise minutes after it happened without a complete record of how the attacker got in
How an attacker accessed a US account from Turkey without triggering Microsoft alerts
When Microsoft's faulty geolocation makes your security controls fail silently
How accurate are Microsoft's native security signals? (Not very.)
One of the most important and least understood factors for building ML systems using Entra ID Login Events