Microsoft Detection Deep Dives
New Password Spray Campaign Using Residential Proxies
A stealthy password spray campaign is using Virginia-based residential proxies. Here’s what we’re seeing and how to block it.
Jul 21 • Adithya Vellal
June 2025
Why Travel Allowlists Cause More Pain Than Protection
“Only allow log‑ins from known places” sounds great, but falls apart in practice.
Jun 29 • Adithya Vellal
BECs Don't Always Target Your Emails
SharePoint is often the real target in business “email” compromises
Jun 16 • Adithya Vellal
Corporate Espionage in the Cloud
What it looks like when attackers conduct a BEC to steal sensitive data
Jun 7 • Adithya Vellal
May 2025
When A Tesla Looks Like an Attacker
A case study in why anomaly detection isn't enough
May 31 • Adithya Vellal
How Attackers Launder Phishing Emails Through Microsoft Infrastructure
Attackers often use hacked accounts to "OneDrive Phish" other companies. This allows them to launder their phishing emails through Microsoft…
May 20 • Adithya Vellal
How "Many Failed Login" Alerts Can Bury the Signal That Matters
A case study in how alerting on noise can cause you to miss the real attack
May 9 • Adithya Vellal
New Data Center Observed in Widespread AitM Attack Campaign
A data center in Tampa is the backbone of a new wave of AitM phishing campaigns we've observed. Here's what you need to know and how to block it.
May 3 • Adithya Vellal
April 2025
Compromised, then Weaponized: Anatomy of a OneDrive Phishing Campaign
What it looks like when a compromised M365 account is used to send out OneDrive phishing lures to tons of other victims.
Apr 24 • Adithya Vellal
That Android 6 Login? It Was Actually Windows 10.
Why anomalous user agent strings can be misleading
Apr 15 • Adithya Vellal
Why Does Teams Activity Appear in SharePoint Logs? And Why Does This Matter to Attackers?
Attachments in Teams chats use OneDrive under the hood, so they actually appear in SharePoint logs. Plus: why this matters for attackers disguising…
Apr 4 • Adithya Vellal
March 2025
Unmasking A Slow and Steady Password Spray Attack
Catching an attacker hiding in plain sight with some creative log slicing
Mar 28 • Adithya Vellal