This week's articles
SaaS Attack: How to SAMLjack a poisoned tenant
Poisoned tenants involve an adversary registering a tenant for a SaaS app they control and tricking target users to join it, often using built-in invite functionality. The end goal is to have some target users actively using a tenant you (as the adversary) control.
#attack
#saas
When AWS invariants aren't [invariant]
Search CloudTrail for instances of AssumeRole with additionalEventData.explicitTrustGrant == false. These will yield results for role assumptions that aren't permitted by the trust policy and violate your invariants like role session names will always be an employee's email address.
#aws
#iam
|