§ Category
Category

IA

AU

Device Code Phishing Lives in the Log Table You Don’t Ingest

Device code phishing produces a clean, MFA-satisfied sign-in on Microsoft’s own infrastructure — and most of the telemetry that betrays it sits in the Entra non-interactive log table teams drop to save money. Here’s where the detection actually lives, how the threshold flips between a Windows shop and a dev-heavy tenant, and the persistence artifacts the closeout always skips.

·
AC

Private-CISA: A Nightwing Contractor, 844 MB of GovCloud Admin Keys on Public GitHub, and the 48-Hour Rotation Window That Stayed Open

A Nightwing contractor with CISA access kept a public GitHub repository called Private-CISA from November 13, 2025 to May 15, 2026 — 184 days of admin credentials to three AWS GovCloud accounts, Entra ID SAML certificates, Artifactory tokens, plaintext passwords in CSV, and the Landing Zone DevSecOps configuration for the agency tasked with everyone else’s vulnerability hygiene. The leak is bad. The thing that should worry defenders more is that the AWS keys remained valid for 48 hours after CISA was notified.

·