Rogue RMMs: Common Social Engineering Tactics We Saw in 2025
Special thanks to Austin Worline for his contributions to this blog post. The Huntress Security Operations Center (SOC) frequently comes across incidents involving rogue ScreenConnect…
Background Reflecting on 2025, AI didn’t produce omnipotent, mind-bending offensive capabilities as many commentators heralded. The reality we observed was much more grounded. Adversaries leaned…
This is Part 1 of a two-part series on leveraging firewall data in Elastic Security. In this post, we cover the fundamentals of firewall logs,…
Stop me if you’ve heard this one before: security alerts can be noisy. Mostly, these noisy alerts are communicating information that is, on average, important…
{ "TenantId": "52672484-b4e1-402d-934c-a8e2fd9b05d1", "SourceSystem": "Azure AD", "TimeGenerated": "2025-12-02T20:22:16.1185371Z", "ResourceId": "/tenants/747930ee-9a33-43c0-9d5d-470b3fb855e7/providers/Microsoft.aadiam", "OperationName": "Add service principal", "OperationVersion": "1.0", "Category": "ApplicationManagement", "ResultType": "", "ResultSignature": "None", "ResultDescription": "", "DurationMs":…
One of the first steps in basic IT and security hygiene is maintaining an accurate inventory of all assets, including physical and virtual systems as…
Introduction On January 26, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2018-14634 to its Known Exploited Vulnerabilities (KEV) catalog. The same vulnerability was…
Background / Summary The Huntress DE&TH (Detection Engineering and Threat Hunting) Team has observed in-the-wild exploitation of a privileged account takeover vulnerability (CVE-2026-23760) in SmarterTools'…
Data exfiltration has quietly become one of the fastest-moving—and most damaging—outcomes of modern cyberattacks. Today’s attackers aren’t breaking in and lurking for weeks before touching…
Key Takeaways An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools…
The story so far In Part 1, we learned that Impacket’s LDAP reconnaissance tools use OID-based filters that get transformed into bitwise operations in Event…
I went undercover on Moltbook, the AI-only social network, masquerading as a bot. Instead of deep bot-to-bot conversations, I found spam, scams, and serious security…