Michael Hendrickx

10 months ago

At @defcon 33, George Hughey (@ecthr0s) and Rohit Mothe (@rohitwas), Senior Security Research Managers at MSRC, took us back to the 90s with their talk on the ghost of Internet Explorer in Windows: MapUrlToZone. They uncovered how this legacy API, used by Outlook, Office, Windows Shell, and sandboxes to make security decisions, was vulnerable to manipulation. Their deep dive revealed a dozen CVEs and led to systemic mitigations across Microsoft platforms. Learn how MSRC’s technical investigations drive proactive protection for customers and why legacy code still matters in the slides available here: https://t.co/DSORcAoePz #DEFCON #DEFCON33

msftsecresponse's tweet photo. At @defcon 33, George Hughey (@ecthr0s) and Rohit Mothe (@rohitwas), Senior Security Research Managers at MSRC, took us back to the 90s with their talk on the ghost of Internet Explorer in Windows: MapUrlToZone.

They uncovered how this legacy API, used by Outlook, Office, Windows Shell, and sandboxes to make security decisions, was vulnerable to manipulation. Their deep dive revealed a dozen CVEs and led to systemic mitigations across Microsoft platforms.

Learn how MSRC’s technical investigations drive proactive protection for customers and why legacy code still matters in the slides available here: https://t.co/DSORcAoePz

#DEFCON #DEFCON33

1

38

6

4

7K

ndrix retweeted

I don't know how to search on Google so I do research on my own and tweet about it. Hacking as a life style https://t.co/a05mevChzu

10 months ago

Thank you to everyone who joined us at the MSRC Researcher Celebration during #BHUSA last night. It was incredible to see so many members of the security community come together to share stories and build connections. Special shoutout to our 2025 MSRC MVRs for being part of this amazing event. Here’s to the friendships, the collaborations, and the future we’re shaping together. #MSFTBlackHat

msftsecresponse's tweet photo. Thank you to everyone who joined us at the MSRC Researcher Celebration during #BHUSA last night. It was incredible to see so many members of the security community come together to share stories and build connections. Special shoutout to our 2025 MSRC MVRs for being part of this amazing event.

Here’s to the friendships, the collaborations, and the future we’re shaping together.

#MSFTBlackHat

0

29

4

0

6K

Who to follow

Mr.Un1k0d3r

@MrUn1k0d3r

kmkz

@kmkz_security

Bourbon Offensive Security Services | BOSS

Dawid Czagan

@dawidczagan

Top 10 Hacker at HackerOne | Online Security Courses: https://t.co/LgPeFjhTWr

ndrix retweeted

about 1 year ago

Day 1 of the Zero Day Quest Onsite Hacking Event is in the books and we’ve kicked off Day 2. We welcomed top security researchers from around the world to Microsoft’s Redmond campus for a day of live hacking, collaboration, and connection. Researchers worked side-by-side with Microsoft engineers and product teams to identify vulnerabilities across our AI and cloud platforms. Lots of amazing reports and discussions flowed throughout the day—with MSRC, product teams, and the researchers themselves all driving security forward together. After headshots and hacking, we wrapped the day with a Mariners vs. Tigers game in Seattle (tough loss, but the vibes were strong!). We’re incredibly grateful to the security researcher community. Your work makes a real impact in helping protect customers. #ZeroDayQuest

msftsecresponse's tweet photo. Day 1 of the Zero Day Quest Onsite Hacking Event is in the books and we’ve kicked off Day 2.

We welcomed top security researchers from around the world to Microsoft’s Redmond campus for a day of live hacking, collaboration, and connection.

Researchers worked side-by-side with Microsoft engineers and product teams to identify vulnerabilities across our AI and cloud platforms. Lots of amazing reports and discussions flowed throughout the day—with MSRC, product teams, and the researchers themselves all driving security forward together.

After headshots and hacking, we wrapped the day with a Mariners vs. Tigers game in Seattle (tough loss, but the vibes were strong!).

We’re incredibly grateful to the security researcher community. Your work makes a real impact in helping protect customers.

#ZeroDayQuest

3

36

15

0

6K

ndrix retweeted

over 1 year ago

Cameron Vincent @SecretlyHidden1, Security Researcher at Microsoft, gave a talk about IDOR vulnerabilities to a packed room at @nullcon #Goa. Cameron discussed how broken access control has been the top problem across the ecosystem for a while. Camerons research into IDOR vulnerabilities was manual, without extensions or automation, although he recommends using Burp Suite, which = the golden tool. #NullconGoa2025 #Nullcon

msftsecresponse's tweet photo. Cameron Vincent @SecretlyHidden1, Security Researcher at Microsoft, gave a talk about IDOR vulnerabilities to a packed room at @nullcon #Goa. Cameron discussed how broken access control has been the top problem across the ecosystem for a while. Camerons research into IDOR vulnerabilities was manual, without extensions or automation, although he recommends using Burp Suite, which = the golden tool.

#NullconGoa2025 #Nullcon

0

29

4

2

5K

ndrix retweeted

Theo - t3.gg

@theo

over 1 year ago

This is one of the wildest git diffs I've ever seen

221

17K

2K

917K

ndrix retweeted

over 1 year ago

The MSRC team is excited to be at @nullcon #Goa! Come find us to chat about our bug bounty programs, @MSFTBlueHat India, job opportunities, and more. #NullconGoa2025 #nullcon

msftsecresponse's tweet photo. The MSRC team is excited to be at @nullcon #Goa! Come find us to chat about our bug bounty programs, @MSFTBlueHat India, job opportunities, and more.

#NullconGoa2025 #nullcon https://t.co/ITtEAXwmTO

0

39

4

1

5K

over 1 year ago

@DrAzureAD That's a blanket statement

0

1

0

17

over 1 year ago

@HackenProof You'd have 10 years of more life experience and unique perspectives than a 20 year old. ;) It's never too late.

0

2

0

30

over 1 year ago

huh? Is the response supposed to only include private code?

1

2

0

155

almost 2 years ago

@SravanAkkaram Welcome to Microsoft, looking forward to working together! :)

0

8

almost 2 years ago

Verifying myself: I am ndrix on https://t.co/yNFBc83Y7t. yr9_VIDIPljkPhwlcnkC5xerQbENgrPgjIaQ / https://t.co/VXILUh6IP8

0

159

almost 2 years ago

@stokfredrik but.. hackers without sunglasses... j/k, family time is most important! Enjoy!

0

1

0

43

almost 2 years ago

@bookingcom At least be transparent who you subcontract the a tual work to, so we can expect crappy customer service. You're a USD 130B+ company, invest some in customer service next quarter.

1

0

35

almost 2 years ago

I don't rant much about businesses, but @bookingcom is a pretty crappy experience. Booking.nope from now on.

2

1

0

339