

The Big Data Blog


OAlerts.evtx — The Hidden Microsoft Office Evidence Log
Most people have never heard of it. But when someone opened a suspicious file, deleted emails to cover their tracks, or tried to access an encrypted document they weren't supposed to, Office quietly wrote it all down. Wait, What Even Is OAlerts? Okay let me start with a question. You know when you're about to close a Word document and it hasn't been saved, and that littl
Mar 2, 4 min read
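As an added example, not code from the post above: the PowerShell below reads an exported OAlerts.evtx and lists each Office alert in time order. It pulls the alert text from the event XML rather than the Message property, because on an analysis box without Office installed the message DLL is missing and Message comes back empty. The export path and the keyword filter are assumptions; adjust them to your case.

```powershell
# Added example, not from the original post. Parses an exported OAlerts.evtx
# (normally %SystemRoot%\System32\winevt\Logs\OAlerts.evtx on the source host).
$evtx = 'C:\Cases\host01\OAlerts.evtx'   # assumption: your own export path

Get-WinEvent -Path $evtx -ErrorAction Stop |
    Sort-Object TimeCreated |
    ForEach-Object {
        # Read the raw EventData nodes; Office puts the application name and the
        # text of the dialog the user saw (save prompt, password prompt, etc.) here.
        $xml  = [xml]$_.ToXml()
        $data = @($xml.Event.EventData.Data | ForEach-Object {
                     if ($_ -is [string]) { $_ } else { $_.'#text' }
                 }) -join ' | '
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            Provider = $_.ProviderName
            Alert    = ($data -replace '\s+', ' ')
        }
    } |
    # Assumption: keywords worth triaging first; widen or drop the filter as needed.
    Where-Object { $_.Alert -match 'save|password|encrypt|delete|permission' } |
    Format-Table -AutoSize -Wrap
```

On a live system the same query runs against the log by name (`Get-WinEvent -LogName OAlerts`); the file-based form above is what you want when the .evtx was collected from another host.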


SRUM-DUMP v3: A Practical Guide to Windows Forensics with the New GUI and Feature
Intro In previous articles we covered ESEDatabaseView for raw database exploration, and SrumECmd for fast command-line parsing. https://www.cyberengage.org/post/how-to-use-srumecmd-to-parse-and-analyze-srudb-dat-files https://www.cyberengage.org/post/examining-srum-with-esedatabaseview This article introduces a fourth approach: SRUM-DUMP v3. Version 3 is a significant redesign from 2.6. If you want to learn or see how version 2.6 works, check out the article below: https://www.cybere
Feb 28, 7 min read


Hidden in Plain Sight: How Attackers Weaponize Alternate Data Streams to Hide Malware
A while back I wrote about how Windows uses Alternate Data Streams to tag files downloaded from the internet — that Zone.Identifier trick that quietly labels your files as "came from the web." A lot of people found it interesting because it's one of those Windows features that silently runs in the background and most users never think about. But here's the thing about ADS that I didn't cover in that article, and honestly it's the part that should make defenders a little nerv
Feb 26, 4 min read
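As an added example, not code from the post above: the PowerShell below walks a directory, lists every alternate data stream on every file, decodes the Zone.Identifier stream where present (ZoneId=3 is the "Internet" zone that triggers the mark-of-the-web behaviour), and flags any other named stream so a defender can inspect what is hiding behind an innocuous filename. The starting directory is an assumption.

```powershell
# Added example, not from the original post. Requires PowerShell 3+ (for -Stream).
$root = 'C:\Users\Public\Downloads'   # assumption: directory to sweep

Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    # -Stream * returns every stream; ':$DATA' is the file's normal content.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $info = [ordered]@{
                File   = $file.FullName
                Stream = $_.Stream
                Bytes  = $_.Length
            }
            if ($_.Stream -eq 'Zone.Identifier') {
                # Zone.Identifier is an INI-style blob: [ZoneTransfer], ZoneId=3,
                # and often ReferrerUrl / HostUrl recording where the file came from.
                $zi = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw
                $info.ZoneId  = [regex]::Match($zi, 'ZoneId=(\d+)').Groups[1].Value
                $info.HostUrl = [regex]::Match($zi, 'HostUrl=(\S+)').Groups[1].Value
                $info.Verdict = 'mark-of-the-web'
            } else {
                # Any other named stream (e.g. notes.txt:payload.exe) is not something
                # Explorer shows; dump it with Get-Content -Stream <name> and inspect it.
                $info.Verdict = 'REVIEW: non-standard stream'
            }
            [pscustomobject]$info
        }
} | Format-Table -AutoSize
```

Two caveats worth remembering: `dir /r` in cmd.exe shows the same streams if PowerShell is unavailable, and a stream's size alone is a reasonable first triage signal, since a legitimate Zone.Identifier is a few hundred bytes while an executable tucked into a stream is not.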


Tycoon Nation: How Commoditised AiTM Kits Are Owning Microsoft 365
Unlike Google-targeted attacks, the Microsoft 365 PhaaS ecosystem is well-documented, heavily researched, and quietly industrialised. Here's the full picture from kit purchase to BEC payout. Business email compromise used to require skill. Attackers needed to understand Exchange internals, craft convincing social engineering at scale, and know how to quietly live inside a compromised tenant without triggering alerts. That skillset still exists, but it's no longer required.
Feb 22, 6 min read


The Gmail PhaaS Playbook: Anatomy of a Repeat Offender
After seeing more than a dozen Gmail account-compromise incidents, a pattern has emerged that is too consistent to be coincidental. The victim receives a legitimate-looking Google MFA prompt on their mobile device, accepts it thinking nothing of it, and their account is silently handed to an attacker sitting on a VPS somewhere overseas. Within hours — sometimes minutes — the hijacked inbox becomes a launchpad, blasting hundreds of phishing emails to the victim's contact list.
Feb 21, 5 min read