We’re seeing a clear trend: attackers are bypassing the endpoint entirely. Not just avoiding traditional EDR-monitored systems by pivoting to embedded and edge devices, but now also operating purely in the cloud. No shell, no malware, no persistence on the endpoint. Just an OAuth token and full access to whatever’s in the victim’s Microsoft 365, Google Workspace, or AWS console.
It’s a complete inversion of how things used to be. The endpoint, once the weakest link, is now usually the most monitored, most policy-enforced part of the infrastructure. You’ve got EDRs, SIEM integration, automation, threat hunting - the full stack. But attackers don’t need to touch it anymore.
Instead, they go after the new soft spots:
- Cloud platforms, where logging is limited, expensive, or off by default
- Network devices and appliances, which are practically blind spots - obscure OSes, no EDRs, hard to monitor, hard to forensicate.
- Embedded systems and IoT junk that no one really knows how to secure, but that sit in critical network paths.
Cloud especially is a mess:
- Logging tiers cost extra and the good stuff is behind paywalls.
- Detection content is lacking, both from vendors and the community.
- You don’t get memory dumps or full control like you do on endpoints.
- You’re at the mercy of the provider when it comes to visibility and response.
And that’s the shift: attackers aren’t hacking computers anymore. They’re hacking trust relationships, identities, and APIs. The whole idea of detection and response needs to evolve with that. Otherwise, we’re securing the hell out of endpoints while attackers happily fish through mailboxes and cloud shares from halfway across the planet.
I hacked into a @Bing CMS that allowed me to alter search results and take over millions of @Office365 accounts.
How did I do it? Well, it all started with a simple click in @Azure… 👀
This is the story of #BingBang 🧵⬇️
A PoC that packages payloads into output containers to evade Mark-of-the-Web flag & demonstrate risks associated with container file formats. Supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, VHDX
https://t.co/bRQmNW2M1Z
30 cybersecurity search engines for researchers:
1. Dehashed—View leaked credentials.
2. SecurityTrails—Extensive DNS data.
3. DorkSearch—Really fast Google dorking.
4. ExploitDB—Archive of various exploits.
5. ZoomEye—Gather information about targets.
I finally got ffuf to output to a text file in a decent way for automation:
ffuf -w /tmp/wordlists.txt -u URL/FUZZ -r -ac -v &>> /tmp/output.txt ; sed -i 's/\:\: Progress.*Errors.*\:\://g' /tmp/output.txt ; sed -i 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g' /tmp/output.txt
#bugbountytips