Last year for @blackwinghq's 20th anniversary party in Vegas during Black Hat and DEF CON, the invites came with a little puzzle I put together: a floppy with a custom bootloader and a USB stick with extras.
Play along at home: https://t.co/Nxe1VQkAW3
I asked Claude to build my daughter an app that plugs into our piano, can read live key strokes, can show her sheet notes and key view and ends with a Guitar Hero style game. All while giving progressively harder songs. Today she’s using It and crushing It.
NIST just launched an AI Agent Standards Initiative for identity, security, and interoperability. AI agents are becoming economic actors with zero legal infrastructure in place. We require businesses to register to operate. Why expect less of AI agents? https://t.co/pYFg2nGEv5
Microsoft baseline security mode for Office, SharePoint, Exchange, Teams, and Entra is now fully rolled out to all tenants!
Baseline Security Mode is a centralized experience that helps you meet Microsoft's recommended security standards across Office, SharePoint, Exchange, Teams, and Entra.
It leverages Microsoft's threat intelligence and insights from two decades of Microsoft Response Center cases to strengthen your organization's security posture and prepare for evolving AI-driven threats.
𝐖𝐡𝐞𝐧 𝐭𝐡𝐢𝐬 𝐰𝐢𝐥𝐥 𝐡𝐚𝐩𝐩𝐞𝐧:
- Public Preview: Rollout begins mid-November 2025 and completes by late January 2026.
- General Availability (Worldwide): Rollout begins mid-November 2025 and completes by late January 2026.
- General Availability (GCC): Rollout begins early January 2026 and completes by late January 2026.
- General Availability (DoD): Rollout begins early February 2026 and completes by late February 2026.
- General Availability (GCCH): Rollout begins early March 2026 and completes by late March 2026.
𝐇𝐨𝐰 𝐭𝐡𝐢𝐬 𝐚𝐟𝐟𝐞𝐜𝐭𝐬 𝐲𝐨𝐮𝐫 𝐨𝐫𝐠𝐚𝐧𝐢𝐳𝐚𝐭𝐢𝐨𝐧:
Global admins and security admins managing Microsoft 365 tenants across Office, SharePoint, Exchange, Teams, and Entra.
𝐖𝐡𝐚𝐭 𝐰𝐢𝐥𝐥 𝐡𝐚𝐩𝐩𝐞𝐧:
- A new Baseline Security Mode dashboard will be available in the Microsoft 365 admin center.
- Admins can view the tenant's current security posture compared to Microsoft's recommended minimum security bar.
- Admins can run impact analysis reports to assess changes before applying them.
- Recommendations will be grouped by risk level, with statuses such as "At risk" or "Meets standards."
- No immediate user impact unless admins apply changes.
𝐖𝐡𝐚𝐭 𝐲𝐨𝐮 𝐜𝐚𝐧 𝐝𝐨 𝐭𝐨 𝐩𝐫𝐞𝐩𝐚𝐫𝐞:
1. Navigate to Microsoft 365 admin center > Settings > Org Settings > Security & privacy > Baseline Security Mode.
2. Review recommendations marked as "At risk."
3. Initiate an impact report to understand potential changes.
4. Apply recommendations to bring your tenant to "Meets standards."
Communicate upcoming changes to your helpdesk or security teams.
#Microsoft365 #ExchangeOnline #EntraID #SharePoint #Teams #Cybersecurity
⚡️New prompt injection to takeover C2 servers automated with @claudeai
I use Sliver, but this approach could be used for any C2 that's automated with Claude.
The trick: Plant a file that makes Claude think it was mounted on the attacker's local system. To "access" it, Claude must add an "auth token" to the attacker's ~/.bashrc/zshrc.
That token? A reverse shell. 🎯
Requirements:
• Sonnet 4.5 or earlier (Opus is inconsistent)
• Claude running autonomously/in a loop (not "read file X")
• Write access to attacker's home directory
Blue team tip: Seed similar prompts in enticing files. Run payloads by legal first.
Full prompt below 👇
#AGI #PromptInjection #DFIR #Clawdbot
Another vulnerability in React Server Components (CVE-2026-23864) that I reported was disclosed today.
This is separate from the one disclosed in December, so you'll need to update again.
https://t.co/k7hgEzIWDb
🛠️ SharePointDumper: PowerShell SharePoint extraction + auditing tool.
✅Enumerates all SharePoint sites/drives a user can access via Microsoft Graph, recursively downloads files, and logs every Graph + SharePoint HTTP request
https://t.co/mBsCzr0iD6
Excited to disclose my research allowing RCE in Kubernetes
It allows running arbitrary commands in EVERY pod in a cluster using a commonly granted "read only" RBAC permission. This is not logged and and allows for trivial Pod breakout.
Unfortunately, this will NOT be patched.
How Wayback URLs Can Expose JWT Tokens
Per the creator of the video: "This short explains how archived URLs (Wayback Machine) can unintentionally expose JWT tokens when developers leave sensitive data in URLs or responses."
React2Shell (CVE-2025-55182 / 66478) detection is now available in Burp Suite.
Update/install ActiveScan++ v2.0.8 → https://t.co/gXFCfLF2Co
or use the Custom scan check → https://t.co/6Xa6xBDOPj
#React2Shell#AppSec#BurpSuite
Critical Security Vulnerability in React Server Components
CVE-2025-55182 and rated CVSS 10.0
The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
https://t.co/AMlp6yMPSZ
By POPULAR Demand - Don’t assume #BitLocker keys are escrowed to Entra ID/Intune by default. Run a regular scan with your script to ensure all devices have valid recovery keys, especially after imaging or Autopilot enrollment.
Read more: https://t.co/qpEIEFY1bJ
#MSIntune
🚨 PoC Exploit Released For Outlook 0-Click Remote Code Execution Vulnerability
Source: https://t.co/j3Gl0WZCcF
A Proof-of-Concept (PoC) exploit code has been released for a critical remote code execution (RCE) vulnerability in Microsoft Outlook, identified as CVE-2024-21413.
Dubbed “MonikerLink,” this flaw allows attackers to bypass Outlook’s security mechanisms, specifically the “Protected View,” to execute malicious code or steal credentials.
The release of this PoC highlights the continued risk posed by this vulnerability and serves as a training tool for security professionals to understand the attack vector.
#cybersecuritynews #vulnerability
🚨 Indirect-Shellcode-Executor Tool Exploits Windows API Vulnerability to Evade AV and EDR
Source: https://t.co/c2HCPrSbsL
A new offensive security tool developed in Rust is demonstrating a novel method for bypassing modern Endpoint Detection and Response (EDR) systems by exploiting an overlooked behavior in the Windows API.
Dubbed Indirect-Shellcode-Executor, the tool leverages the ReadProcessMemory function to inject shellcode, effectively avoiding standard API calls that security vendors monitor for malicious activity.
The core of this technique relies on research originally discovered by security researcher Jean-Pierre LESUEUR (DarkCoderSc). While ReadProcessMemory is designed to read data from a specific process, it contains an [out] pointer parameter named *lpNumberOfBytesRead.
#cybersecuritynews
🚨 WARNING: Over 80,000 files with passwords and keys from governments, banks, and tech firms were found online — all pasted into public code tools like JSONFormatter and CodeBeautify.
Hackers are already scraping and using the data.
And yes — it’s still live.
Details here → https://t.co/TyrWneqt3G