Research

Our research on Microsoft 365 attacker behavior.

Deep dives on how to detect Microsoft account compromises, from the team at Petra Security.

Latest research
Threat Research Apr 30, 2026

Device Code Phishing, Part 1: How the Attackers Get In

A new phishing technique is breaking the assumption that a clean session stays clean. Three real device code phishing cases, from a Railway workload to a Nord VPN exit node landing on the user's own registered device.

Read the research
Threat Research Apr 24, 2026

How Residential Proxy Attacks Defeat Location-Based Detection in Microsoft 365

Why logins alone aren't enough to catch these attackers anymore.
Threat Research Mar 3, 2026

When Attackers Modify Your Mail Flow

How attackers abuse inbound connectors for persistence and internal phishing in M365.

All research

Sorted by most recent
April 30, 2026
Threat Research
Device Code Phishing, Part 1: How the Attackers Get In
Adithya Vellal
A new phishing technique is breaking the assumption that a clean session stays clean.
April 24, 2026
Threat Research
How Residential Proxy Attacks Defeat Location-Based Detection in Microsoft 365
Adithya Vellal
Why logins alone aren't enough to catch these attackers anymore
March 3, 2026
Threat Research
When Attackers Modify Your Mail Flow
Adithya Vellal
How attackers abuse inbound connectors for persistence and internal phishing in M365
February 24, 2026
Threat Research
How Your Client Got an Email from Themself
Adithya Vellal
How attackers abuse Microsoft 365 Direct Send to deliver phishing emails and steal credentials
July 21, 2025
Threat Research
New Password Spray Campaign Using Residential Proxies
Adithya Vellal
A stealthy password spray campaign is using Virginia-based residential proxies. Here’s what we’re seeing and how to block it.
June 29, 2025
Threat Research
Why Travel Allowlists Cause More Pain Than Protection
Adithya Vellal
“Only allow log‑ins from known places” sounds great, but falls apart in practice.
June 16, 2025
Threat Research
BECs Don't Always Target Your Emails
Adithya Vellal
SharePoint is often the real target in business “email” compromises
June 7, 2025
Threat Research
Corporate Espionage in the Cloud
Adithya Vellal
The quiet side of BEC: how attackers exfiltrate data without leaving a trace
May 31, 2025
Threat Research
When A Tesla Looks Like an Attacker
Adithya Vellal
A case study in why anomaly detection isn't enough
May 20, 2025
Threat Research
How Attackers Launder Phishing Emails Through Microsoft Infrastructure
Adithya Vellal
Attackers often use hacked accounts to "OneDrive Phish" other companies. This allows them to launder their phishing emails through Microsoft infrastructure. So, how can we detect and stop them?
May 9, 2025
Threat Research
How "Many Failed Login" Alerts Can Bury the Signal That Matters
Adithya Vellal
A case study in how alerting on noise can cause you to miss the real attack
May 3, 2025
Threat Research
New Data Center Observed in Widespread AitM Attack Campaign
Adithya Vellal
A data center in Tampa is the backbone of a new wave of AitM phishing campaigns we've observed. Here's what you need to know and how to block it.
April 24, 2025
Threat Research
Compromised, then Weaponized: Anatomy of a OneDrive Phishing Campaign
Adithya Vellal
A data center in Tampa is the backbone of a new wave of AitM phishing campaigns we've observed. Here's what you need to know and how to block it.
April 15, 2025
Threat Research
That Android 6 Login? It Was Actually Windows 10.
Adithya Vellal
Why anomalous user agent strings can be misleading
April 4, 2025
Threat Research
Why Does Teams Activity Appear in SharePoint Logs? And Why Does This Matter to Attackers?
Adithya Vellal
Attachments in Teams chats use OneDrive under the hood, so they actually appear in SharePoint logs. Plus: why this matters for attackers disguising their actions.
March 28, 2025
Threat Research
Unmasking A Slow and Steady Password Spray Attack
Adithya Vellal
Catching an attacker hiding in plain sight with some creative log slicing
March 21, 2025
Threat Research
What's up with all that Impossible Travel in SharePoint?
Adithya Vellal
Differentiating between real IPs and Microsoft datacenters in SharePoint logs. Hugely important for incident investigations.
March 17, 2025
Threat Research
An Easy Conditional Access Policy to Block Lots of AitM Attacks
Adithya Vellal
We see a lot of attacker-in-the-middle attacks here at Petra. Here's a policy you can use that will block a whole lot of them in your tenant in 5 minutes.
March 11, 2025
Threat Research
Multi-Stream Tracking an AitM Attack: From Lure to Lockout
Adithya Vellal
Catching an attacker red-handed across event streams—from a OneDrive phishing lure to an automated AitM toolkit in action.
March 4, 2025
Threat Research
Microsoft Logs Missing for Hours After Attack
Adithya Vellal
Detecting a compromise minutes after it happened without a complete record of how the attacker got in
February 24, 2025
Threat Research
Microsoft Misses Impossible Travel in Email Activity
Adithya Vellal
How an attacker accessed a US account from Turkey without triggering Microsoft alerts
February 18, 2025
Threat Research
How Did Singapore Bypass Your US-Only Conditional Access?
Adithya Vellal
When Microsoft's faulty geolocation makes your security controls fail silently
December 20, 2024
Threat Research
Spelunking in the Microsoft API, Part II: The Truth About Risky Sign-in Alerts
Adithya Vellal
How accurate are Microsoft's native security signals? (Not very.)
December 9, 2024
Threat Research
Spelunking in the Microsoft API, Part I: Entra ID Latency
Adithya Vellal
One of the most important and least understood factors for building ML systems using Entra ID Login Events
November 23, 2024
Threat Research
Anatomy of a Sophisticated Multi-Infrastructure Password Spray Campaign
Adithya Vellal
One of the most important and least understood factors for building ML systems using Entra ID Login Events