https://umbrasec.dev/research/ Independent defensive security research - detection engineering, threat analysis, and open-source tooling. en-us Thu, 11 Jun 2026 00:00:00 +0000 https://umbrasec.dev/research/detecting-oauth-consent-phishing.html https://umbrasec.dev/research/detecting-oauth-consent-phishing.html Thu, 11 Jun 2026 00:00:00 +0000 Detection Engineering The phishing class that never asks for a password and sails through MFA - illicit OAuth consent grants (MITRE ATT&CK T1528) in Microsoft Entra ID, the audit-log artifacts they leave, and KQL detections with tuning notes. https://umbrasec.dev/research/detecting-kerberoasting.html https://umbrasec.dev/research/detecting-kerberoasting.html Wed, 10 Jun 2026 00:00:00 +0000 Detection Engineering How Kerberoasting (MITRE ATT&CK T1558.003) works, why RC4 service tickets give it away, and three layered Sigma detections - RC4 downgrade, request fan-out, and a honeypot SPN - with tuning and false-positive notes you can run against your own logs.