@MSFT365Status our mac fleet is only 1/12th of our environment but in the last 24 hours has produced more process create events than our entire windows estate has in the same time period. For the love of God please terminate office patching for macOS from yesterday’s release.
Anyone else seeing the macOS office auto update helper call /bin/test against office patch files hundreds of thousands of times related to 16.105.1 installing???
@IAMERICAbooted 💯 We got caught out by this (impacting Teams Phones when we first rolled out the block for Device Code Auth) because we had turned off noninteractive sign-in logs going to Log Analytics (for CAP Impact Reporting) due to outrageous storage costs🥲
Yeah so turns out this is working as intended. Sessions need to be revoked for re-prompt. Guess what isn’t available as an automatic response/control feature for sign-in risk? Revocation. Even if you’re leveraging a SIEM/SOAR action to revoke via API, it’s coming 15 min delayed.
https://t.co/uhhJnCNo17
Requiring new sessions for Medium Risk Sign-ins does nothing to stop Session Token Replay attacks in practice according to live tests. What is the deal?
How does this protect anything if Anomalous Token EIDIP alerts only flag the sign-in risk as Medium?
*Disgruntled Notes from the Field. Bah.*
Inb4 device compliance and passwordless purists enter the chat.
Defense in Depth is *Key* but not when you have to play politics despite demonstrating the facts.
Really would be swell to have a Token Revocation action on Conditional Access policies for risk mitigation. Built-in policy/manual sign-in risk policies don’t work to re-auth risky sign-ins at any level. Sign-in frequency and persistent browser session controls just don’t work…
I mean heck - even changing a password doesn’t revoke tokens on its own. What’s the point without automatic revocation? Sure, CAE-aware apps can supposedly kill sessions but what does that matter when nothing stops the attacker at the door? Or at least makes them re-auth?
Authentication strength is great but the problem is a new session is never interactively prompted and sign-in logs indicate it's still being satisfied by the replayed token.
Lol... Microsoft Viva Engage (Yammer) activity notifications inject CSS/HTML that overwrite/bypass Exchange Transport Rule External Sender banners on Outlook Mobile.
Switch to the native Outlook External tag to eliminate external sender banner bypasses.
https://t.co/3vikbT5lrw