building @BreachLens (BEC forensics for M365)
cybersecurity nerd who ships
learning in public, breaking in private
python stdlib only, zero dependencies
@ClaudeDevs Pretty meta — vibe-coding BreachLens (BEC forensics for M365) with Claude Code, so having it lint my own security code is welcome. The catch I'd want most: accidentally logging raw email headers/tokens. Most common own-goal I see in early-stage security tools.
@TheDFIRReport The on-prem dsa.msc move has a tidy Entra cousin: actors register service principals with 'svc-admin' or 'Sync-' prefixes that blend into tenant inventory. Same play — name camouflage. Pair AD 4720 hunting with Entra app registration auditing.
@haveibeenpwned Employer info is what tips this from credential-stuffing fuel into BEC ammo. The follow-up phishing pretexts I see in M365 audit logs almost always reference role/department detail straight out of dumps like this. Time-to-weaponization is days, not months.
@TheHackersNews the persistence is the easy story. these increasingly pivot into M365 same-session — inbox rules + forwarders before anyone clocks the second C2. malware-only IR misses where the real damage lives. exactly the gap i built https://t.co/bBWT7WfZpu for
@DFIRTraining the wild part isn't the channel existing — it's 9k people deciding that trade was worth it. one cross-exam question and the entire report's credibility is done. weird hill to die on for a few bucks saved on a license.
@HackRead calendar invites slip past the 'hover before you click' instinct — they land in your calendar so trust is implicit. for token theft the real signal isn't the invite, it's the sign-in from a weird ASN then an inbox rule ~90s later.
@Mandiant vishing → AiTM → MFA bypass is the one i hate triaging. by the time helpdesk closes the ticket, inbox rules + token replay are already in motion. when i pull UAL the whole compromise fits in <15 min. exact reason i started https://t.co/bBWT7WfZpu
@merill @OmarShahine @MichaelGannotti matches what i hit building agentic tools against Graph — Opus already knows ~80% of the surface from training, so the skill mostly just needs scoping + pagination/throttle handling. code mode + a thin cli has been way more reliable than json tool-call for batch graph ops
@ipurple the polished panel UX is the tier shift — one-click grant → token → rule → exfil collapses the IR window to whatever UAL latency is. why i built https://t.co/bBWT7WfZpu: stitch those four signals into one timeline so you stop losing minutes pivoting consoles
@EsGeeks the 'AV says clean → not clean' framing is half the DFIR mindset. Get-WinEvent + Get-MpThreatDetection + Get-ScheduledTask is on my BEC IR cheatsheet — by the time defender goes red the evidence is usually overwritten. solid thread.
@Rendani666 three departments, three 'separate' tickets — that pattern is exactly why i started https://t.co/bBWT7WfZpu. each team only logs their slice (IT: password reset, finance: mismatch, payroll: callback) and the actor lives in the gap between the consoles. saved this one.
@arlanr @Cursor @github the convo indexing is the real moat — one-shot agents are noise. turning months of context into queryable state is what keeps people in. 100 agents in parallel is wild btw, how are you keeping cost sane?
@DirectoryRanger this is the kind of thing EDR quietly hates — no net.exe, no PowerShell cmdlet to flag, just raw SAMR RPC. detection lives in 4732/4720 + SAM key access auditing, and most shops don't have the latter turned on at all.
@TheHackersNews OAuth consent + auto token swap is the part IR keeps underestimating. MFA bypass gets the headline; persistence lives in UAL grant events nobody pivots on. why i built https://t.co/bBWT7WfZpu — stitches grants + token refreshes + inbox rules into one timeline.
@SwiftOnSecurity the GPO to kill LLMNR + NBT-NS takes 5 minutes. somehow it never makes it past the change board. easiest internal pentest win in 2026 and it still just works.
@robert_shaw BreachLens — AI for BEC investigation. M365 audit logs + inbox rules + OAuth grants stitched into one timeline. shipped it because I got tired of juggling 6 PowerShell tabs every time a tenant got popped. https://t.co/TxpOjW7U3J
@BleepinComputer the native-app warning UX is what's missing on the corporate side. by the time outlook flags 'first-time sender,' a BEC actor is already mid-thread on a hijacked mailbox. compose-time friction beats post-hoc banners every time
@malwrhunterteam @smica83 this is the underrated part — by the time IR sees a sample like this, the binary is already a campaign artifact. the april handoffs are what makes the may detections actually land
@MsftSecIntel this is the hard part — with no malware to anchor on, admin telemetry becomes the primary evidence. UAL + RMM + sign-in logs all live in different schemas; stitching them into one timeline is half the IR work. why i started https://t.co/bBWT7WfZpu — saves the grep-at-2am part
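Several replies above (the sign-in from a weird ASN followed by an inbox rule ~90s later, grants + token refreshes + inbox rules stitched into one timeline, UAL and sign-in logs living in different schemas) describe the same correlation. The block below is an added illustration of that correlation in stdlib-only Python; it is not BreachLens code and not any vendor's parser. The audit records are constructed test data, and the field and operation names (CreationTime, Operation, UserId, ClientIP, UserLoggedIn, New-InboxRule, "Consent to application.") are assumed to follow the usual Unified Audit Log export shape; adapt the constants if a real export differs.

```python
"""Stitch UAL-style records into one per-user timeline and flag the
sign-in -> inbox-rule sequence (optionally with an OAuth grant in the window).

Added example, standard library only. SAMPLE_UAL is CONSTRUCTED data; the
field and operation names are an assumption about the UAL export format.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export: a list of UAL-shaped JSON records.
SAMPLE_UAL = json.dumps([
    {"CreationTime": "2026-03-02T08:14:03", "Operation": "UserLoggedIn",
     "UserId": "finance.lead@contoso.example", "ClientIP": "203.0.113.77",
     "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2026-03-02T08:15:31", "Operation": "New-InboxRule",
     "UserId": "finance.lead@contoso.example", "ClientIP": "203.0.113.77",
     "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"}]},
    {"CreationTime": "2026-03-02T08:16:02", "Operation": "Consent to application.",
     "UserId": "finance.lead@contoso.example", "ClientIP": "203.0.113.77",
     "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2026-03-02T09:02:10", "Operation": "UserLoggedIn",
     "UserId": "it.admin@contoso.example", "ClientIP": "198.51.100.5",
     "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2026-03-02T13:40:00", "Operation": "New-InboxRule",
     "UserId": "it.admin@contoso.example", "ClientIP": "198.51.100.5",
     "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
])

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}      # assumed Exchange operation names
GRANT_OPS = {"Consent to application."}             # assumed Entra operation name
WINDOW = timedelta(minutes=5)                        # sign-in -> rule correlation window


def parse_time(s):
    # UAL timestamps are UTC with no offset; attach one so arithmetic is explicit.
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def load_timeline(raw):
    """Normalise records from different workloads into one sorted event list."""
    events = []
    for r in json.loads(raw):
        events.append({
            "ts": parse_time(r["CreationTime"]),
            "op": r["Operation"],
            "user": r["UserId"].lower(),
            "ip": r.get("ClientIP", ""),
            "params": {p["Name"]: p["Value"] for p in r.get("Parameters", [])},
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_signin_to_rule(events, window=WINDOW, known_ips=frozenset()):
    """Flag an inbox rule created within `window` of a sign-in from an IP
    outside `known_ips`; note whether an OAuth consent also landed in the window."""
    findings = []
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        logins = [e for e in evs if e["op"] == "UserLoggedIn" and e["ip"] not in known_ips]
        for rule in (e for e in evs if e["op"] in RULE_OPS):
            for login in logins:
                gap = rule["ts"] - login["ts"]
                if timedelta(0) <= gap <= window:
                    grants = [g for g in evs if g["op"] in GRANT_OPS
                              and login["ts"] <= g["ts"] <= login["ts"] + window]
                    findings.append({
                        "user": user, "ip": login["ip"],
                        "gap_seconds": int(gap.total_seconds()),
                        "rule_name": rule["params"].get("Name", ""),
                        "grant_in_window": bool(grants),
                    })
                    break  # one finding per rule is enough for triage
    return findings


def render_timeline(events):
    """One line per event, so sign-in, rule and grant read as a single story."""
    return ["%s %-28s %-24s %s" % (e["ts"].strftime("%H:%M:%S"), e["op"], e["user"],
                                    e["ip"]) for e in events]


if __name__ == "__main__":
    timeline = load_timeline(SAMPLE_UAL)
    print("\n".join(render_timeline(timeline)))
    for f in find_signin_to_rule(timeline):
        print("FLAG: %(user)s rule %(rule_name)r %(gap_seconds)ds after sign-in from %(ip)s"
              " (grant in window: %(grant_in_window)s)" % f)
```

Run as-is, the constructed data yields one finding: the finance mailbox gets a rule named "." 88 seconds after a sign-in from 203.0.113.77, with a consent grant in the same window; the IT admin's rule four hours after sign-in is not flagged. Passing the login IP via `known_ips` (a corporate egress allowlist) suppresses the finding, which is the knob to tune before running this over a real export.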
@virusbtn the fake Sysinternals MSI is the part that hurts — signed-looking installer slides past most analyst gut-checks. pair it with RMM abuse + on-chain C2 rotation and you've got a really quiet long-tail intrusion. detection lands hard on RMM + UAL correlation