A big phishing trend abuses the OAuth Device Code Authentication flow against Microsoft 365 tenants. This type of attack consists of abusing Microsoft’s device code flow by coercing targeted users to enter a generated code into Microsoft’s OAuth device authentication portal here, which will then grant API access to the user’s account. A few reasons […]
Disabling Machine Account Creation Since Windows 2000, Microsoft has enabled the ability for all users to create up to 10 machine accounts by default. This is a “feature” implemented by Microsoft that inadvertently introduces potential vulnerabilities within an Active Directory environment. Secure deployment should ensure that Machine Account creation is limited to specific users or […]
Lucid Security Engineers regularly encounter HTTP headers during web application or network penetration testing that reveal potentially sensitive information such as application architecture, server versions, or information about the underlying host system. These types of information disclosure vulnerabilities can be utilized by attackers to quickly determine vulnerable server versions and perform more targeted attacks. As […]
Lucid Security is a Veteran owned cybersecurity solutions company focused on offensive security and penetration testing.