ChrisPy
@chrispy_sec
Principal Security consultant at Reversec. Love doing some Azure/Entra ID research ☁️ Opinions are my own
Check this out if you wanna read the most wild story of arguably the single most impactful security issue I’ve seen on Entra for the past 5 years. It’s a good thing Dirk-jan is a good guy cause this is like 11/10 on criticality 😂
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…
This is such AI written slop. After reading the original report I'm pretty sure this is a specific tenant misconfig and not something generic
If anybody is interested in Azure DevOps and how attackers might go about abusing OIDC connections used in pipelines then check out my colleague’s latest blog! labs.reversec.com/posts/2025/07/…
Last talk shout out for @nojonesuk and @_Skybound who talked about how to build a new AWS environment. By consultants for consultants and without any extra external consultants! Worth a check out if you’re interested in some of the challenges we faced youtu.be/rai0bTOamG0
YouTube: This Wasn’t in the Job Description: Building a production-ready AWS...
Check out @Thomasbyrne__’s talk as well if you wanna see some more usage of RoadRecon with Microsoft Graph! youtu.be/dTUeAhzmIu8
YouTube: Rebuilding ROADRecon for the Modern Entra Environment
My talk was published mega quickly as its own video by @fwdcloudsec (thanks btw!) So feel free to check it out if you wanna learn some fun SharePoint research outcomes and learn about a “pre-signed url” equivalent method of accessing SharePoint files! youtu.be/l5lpIF_QZCE
YouTube: Staying Sneaky in the Office (365)
It’s a packed house over at @_sigil’s talk on Azure Service Principals, a history on backdooring them, and more!
Check out @_sigil’s talk on Entra 1st-party service principal abuse currently airing at fwd:cloudsec youtube.com/watch?v=0BTBK3… Deffo a good watch in the current livestream or when the individual talk video drops later on in the channel
YouTube: fwd:cloudsec 2025 North America - Day 2, Breakout 2
Heya got a talk happening later today pretalx.com/fwd-cloudsec-2… where I’m gonna talk about some interesting SharePoint findings! Last one will be particularly interesting to folk 👀 Should be at this live stream youtube.com/live/Vb_MyY3RQ…
This incredible duo of Leonidas Tsaousis (@laripping) & James Henderson are taking the stage at Offensive X to talk about “There and Back Again: An Attacker's Tale of DCs in AWS” #OffensiveX2025 #CyberSecurity #AWS #RedTeam #CloudSecurity #InfoSec #Hacking
Great presentation & next level memes by @LAripping and James Henderson! @TheOffensiveX
Hey @NathanMcNulty gathering some data and wanted to get your thoughts. On the topic of exclusions, what are the best approaches for Conditional Access in Entra and exclusions for endpoints in MDE in the context of a large enterprise? CA policies I'm a fan of Restricted AU sec…
An in-depth look at the recently published EchoLeak vulnerability on M365 Copilot by @Aim_Security_ that could lead to data exfiltration just by sending an email to a user who uses Microsoft Office365 Copilot. youtu.be/Myf1cLsUxsk
I love how when I'm testing CA policies I can just google around a bit and find @NathanMcNulty's detailed guides around some of the issues 😂 P.S. Also pro-tip for people playing with attributes: remember that there is an Attribute assignment AND definition adm role
Filter for apps was introduced late last year that allows us to leverage custom security attributes within Conditional Access policies Very helpful for microservices architectures with constantly changing appIds, but also, apps not shown in the picker 💡 learn.microsoft.com/en-us/entra/id…
I did a thing. Thanks @CloudSecPod for having me!
🚨 New Episode Alert! How do attackers stay under the radar in Azure? 🤔 This week, we dive into lesser-known APIs, detection gaps & how blue teams can stay ahead. 💬 Guest: @chrispy_sec (@WithSecure ) 🎧 Drops today #CloudSecurity #AzureSecurity
This is truly amazing. The Deputy White House Press Secretary is claiming that I'm wrong, and that the "tariff rates" on Trump's chart were calculated by "literally" measuring every country's tariffs and non-tariff trade barriers. To prove it, he screenshots the formula the USTR…
With a process that began two and a half years ago, I'm very excited to announce that I've written a book with @nostarch! 🎉 "Practical Purple Teaming" tells you all you need to know to get started with collaborative offensive testing. nostarch.com/purple-teaming