#defenseindepth — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #defenseindepth, aggregated by home.social.
-
🎩💻 Behold the hacker's wet dream: bypassing noexec like it's 1999, because who needs #security when you have a #PoC that screams "I told you so" at sysadmins? 🙄 Spoiler alert: defense in depth is just a bedtime story for the gullible. 😴🔍
https://hardenedlinux.org/blog/2026-04-13-stealthy-rce-on-hardened-linux-noexec--userland-execution-poc/ #hackernews #bypass #sysadmins #defenseindepth #HackerNews #ngated -
What is Port Knocking Implementation and Security: A Comprehensive Guide
https://denizhalil.com/2026/04/06/port-knocking-implementation-security-guide
#CyberSecurity #PortKnocking #NetworkSecurity #DefenseInDepth #LinuxSecurity #ServerSecurity
-
This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now
997 words, 5 minutes read time.
If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.
This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.
What this scam actually is
You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.
It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:
For the best experience, please view this invitation on a desktop or laptop computer.
If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.
And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.
Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.
Why this is an absolute nightmare for security teams
Let me give you the numbers that no one is putting in the official advisories:
- As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
- Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
- This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
- Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.
I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.
This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.
How to not get burned
I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.
For everyone
- Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
- Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
- Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.
For SOC Analysts and Security Teams
These are the steps you can go and implement right now before you finish reading this post:
- Add an email detection rule for the exact string "for the best experience please view this on a desktop or laptop". At time of writing this rule has a 0% false positive rate.
- Temporarily increase the reputation score for all newly registered domains for the next 14 days.
- Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
- If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.
Closing Thought
The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.
If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.
Call to Action
If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.
D. Bryan King
Sources
- Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
- CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
- Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
- Punchbowl Official Public Warning
- Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
- Proofpoint Threat Insight: Punchbowl Phishing Campaign
- MITRE ATT&CK T1566.001: Spearphishing Link
- Verizon DBIR 2025: Phishing Effectiveness
Disclaimer:
The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.
#attackVector #boardroomRisk #breachPrevention #CISAAlert #CISO #credentialTheft #cyberResilience #cyberattack #cybercrime #cybersecurityAwareness #defenseInDepth #desktopOnlyPhishing #detectionRule #DKIM #DMARC #emailFilterBypass #emailGateway #emailHygiene #emailSecurity #emailSecurityGateway #endpointProtection #incidentResponse #indicatorsOfCompromise #initialAccess #IoCs #lateralMovement #linkSafety #logAnalysis #maliciousLink #malware #MITREATTCK #mobileEmailRisk #phishingCampaign #phishingDetection #phishingScam #phishingSimulation #phishingStatistics #PunchbowlPhishing #ransomwarePrecursor #RemcosRAT #sandboxEvasion #securityAlert #SecurityAwarenessTraining #securityBestPractices #securityLeadership #securityMonitoring #securityOperationsCenter #securityStack #SOCAnalyst #socialEngineering #spearPhishing #SPF #suspiciousEmail #T1566001 #threatActor #threatHunting #threatIntelligence #userTraining #zeroTrust -
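The two indicators the post above tells SOC teams to act on (the "view on a desktop or laptop" line and a sender outside punchbowl.com), written out as an added example that is not code from the post or from Punchbowl. Note that the lure the post quotes ("please view this invitation on a desktop or laptop computer") and the rule string it gives ("please view this on a desktop or laptop") differ by a word, so the pattern below tolerates one extra word, punctuation, case and HTML markup rather than matching either literal exactly. The sample messages, addresses and the lookalike domain are constructed for the demo.

```python
"""
Added example, not code from the post: flag the two indicators the post gives
for the fake Punchbowl invites (the "view on a desktop" line and a sender
outside punchbowl.com). Sample messages below are constructed, not captured.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html import unescape

# Tolerates case, punctuation, HTML whitespace and one extra word ("this
# invitation"), so both the quoted lure and the post's rule string match.
DESKTOP_LURE = re.compile(
    r"for\s+the\s+best\s+experience[,\s]+please\s+view\s+(?:this|the)\s+"
    r"(?:\w+\s+)?on\s+a\s+desktop(?:\s+or\s+laptop)?",
    re.IGNORECASE,
)
LEGIT_SENDER_DOMAINS = {"punchbowl.com"}   # per the post; extend if the brand uses others
HTML_TAG = re.compile(r"<[^>]+>")


def body_text(msg) -> str:
    """Flatten text/plain and text/html parts into one whitespace-normalised string."""
    chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue  # skips multipart containers and attachments
        text = part.get_content()
        if ctype == "text/html":
            text = unescape(HTML_TAG.sub(" ", text))
        chunks.append(text)
    return re.sub(r"\s+", " ", " ".join(chunks))


def sender_domain(msg) -> str:
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def classify(raw: bytes) -> dict:
    """Return the indicators found and a verdict for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = body_text(msg)
    domain = sender_domain(msg)
    desktop_lure = bool(DESKTOP_LURE.search(text))
    # Brand mentioned (header or body) but sent from a domain that is not the brand's.
    brand_mentioned = "punchbowl" in (str(msg.get("From", "")) + " " + text).lower()
    spoofed_sender = brand_mentioned and domain not in LEGIT_SENDER_DOMAINS
    return {
        "from_domain": domain,
        "desktop_lure": desktop_lure,
        "spoofed_sender": spoofed_sender,
        "verdict": "quarantine" if (desktop_lure or spoofed_sender) else "pass",
    }


def make_sample(frm: str, subject: str, body: str, ctype: str = "text/plain") -> bytes:
    """Build a constructed sample message (demo data only)."""
    return (
        f"From: {frm}\r\nTo: someone@example.org\r\nSubject: {subject}\r\n"
        f"MIME-Version: 1.0\r\nContent-Type: {ctype}; charset=utf-8\r\n\r\n{body}"
    ).encode()


SAMPLES = {
    # The lookalike domain is invented for the demo.
    "lure": make_sample(
        "Punchbowl Invitations <invites@punchbowl-invites.example>",
        "You're invited: Sam's birthday party",
        '<html><body><p>Sam invited you to a birthday party!</p>'
        '<p><a href="https://punchbowl-invites.example/view/1">View invitation</a></p>'
        '<p style="font-size:9px">For the best experience, please view this '
        'invitation on a desktop or laptop computer.</p></body></html>',
        ctype="text/html",
    ),
    "legit": make_sample(
        "Punchbowl <invites@punchbowl.com>",
        "Jess invited you to a baby shower",
        "Jess invited you to a baby shower. Open your invitation on punchbowl.com.",
    ),
    "benign": make_sample(
        "HR <hr@example.org>", "Timesheets", "Reminder: timesheets are due Friday."
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The sender check deliberately keys on the brand being mentioned anywhere in the message, not just in the display name, because the lookalike link in the body is as much a brand reference as the From header. Run it against your own quarantine export before trusting the 0% false-positive figure the post cites.
-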
Security tools that live outside the operating system can only react. The most effective defenses are the ones built into the OS itself: enforcing integrity, catching tampering, and reducing blast radius in real time.
Prevention beats cleanup. Every time.
#LinuxSecurity #EnterpriseLinux #Linux #SysAdmin #DefenseInDepth
-
Plugging the Holes: The Swiss Cheese Model of Cyber Defense
https://youtu.be/bR3y5efWoGE #CyberSecurity #RiskManagement #DefenseInDepth #SwissCheeseModel #Phishing #PatchManagement #NetworkSecurity #EndpointSecurity #IncidentResponse #Governance #AIinCybersecurity -
🛡️ Web App Security Architecture: Implementing Defense-in-Depth
https://alexmacra.com/cybersecurity-guides/web-app-security-architecture-implementing-defense-in-depth/
#WebSecurity #DefenseInDepth #CyberSecurity #AppSec -
Some decent AppSec advice in here from a security chief at Sony.
https://www.darkreading.com/vulnerabilities-threats/defense-depth-approach-modern-era
-
A Defense-in-Depth Approach for the Modern Era – Source: www.darkreading.com https://ciso2ciso.com/a-defense-in-depth-approach-for-the-modern-era-source-www-darkreading-com/ #rssfeedpostgeneratorecho #DarkReadingSecurity #CyberSecurityNews #defenseindepth #DARKReading
-
John Poulin joins the Security Repo Podcast to break down #DefenseInDepth, audit logs, and why security headers are the new "bank-grade encryption." 🔐
🎧 Listen now:
https://buff.ly/3D0Le8C -
There's this thing about resilience engineering being more about being ready for dragons around the next corner than trying to guess where all the holes are in the swiss cheese.
I enjoy high nerd humor.
#ResilienceEngineering #ThereBeDragons #WhenSwissCheeseModelsFail #DefenseInDepth #Complexity https://mastodon.zergy.net/@Enalys/113656847324163454
-
Defense-in-Depth: Not Deep Enough – Source: www.govinfosecurity.com https://ciso2ciso.com/defense-in-depth-not-deep-enough-source-www-govinfosecurity-com/ #rssfeedpostgeneratorecho #govinfosecuritycom #CyberSecurityNews #defenseindepth
-
Defense in Depth approach using AWS: https://aws.plainenglish.io/defense-in-depth-approach-using-aws-f064d434c550
-
According to #Yubico, it took six months for a firmware vulnerability that allows cloning of #YubiKeys using #EllipticCurveCryptography to be resolved and responsibly revealed to the public. That's not the problem.
The real problem is there will always be another unpatched vulnerability just around the corner. That's why we need new ways of framing what #cybersecurity should look like in today's modern enterprise. Old-school #defenseindepth still has a place, but businesses must find new ways to reduce the amount of sensitive data that's at risk in a #databreach when all layers of defense are inevitably pierced.
https://www.yubico.com/support/security-advisories/ysa-2024-03/
-
New #DefenseInDepth strategy:
When a company has a data breach and leaks your PII to the world, we tie their CEO to a rock and hurl them into the Pacific Ocean.
-
"Often, defense in depth is compared to an onion; it has multiple layers. But how many layers do you need before you're secure? In this way, defense in depth fails as a strategy because it's not measurable."
I really like this quote from Project Zero Trust.
-
"Critical Alert! 🚨 Veeam ONE Monitor in the Crosshairs 🎯"
Veeam ONE (a comprehensive monitoring and analytics solution that is part of the Veeam Backup & Replication suite) has issued a high alert 🛑, releasing hotfixes for four vulnerabilities in its Veeam ONE platform, with two critical risks scoring near the max on the CVSS scale (9.8/9.9). The most severe allows RCE and NTLM hash theft! Patch ASAP! 🛠️
Less critical but still noteworthy, CVE-2023-38549 and CVE-2023-41723 show that even with less privileged roles, Veeam ONE users could exploit XSS attacks and view sensitive schedules. Keep those defenses up! 🏰
Tags: #CyberSecurity #Veeam #RCE #Vulnerability #PatchTuesday #InfoSec #CyberThreat #XSS #Vulnerabilities #DefenseInDepth #CyberHygiene
CVE Details:
- CVE-2023-38547: Potential SQL RCE
- CVE-2023-38548: NTLM hash theft
- CVE-2023-38549: XSS requiring admin interaction
- CVE-2023-41723: Schedule viewing without change permissions
-
Great blog post by a colleague of mine who asks why "Security through obscurity" is not dead in 2023! How many "#cybersecurity #incidents" is it going to take to finally realize that keeping your #securitycontrols a secret is a good thing? How many times does the #cybercommunity have to demonstrate that sharing of #threatintelligence, #TTPs, #IOCs, #securityconcepts, #AwarenessTraining methods, #zerodays, and everything else that goes along with having a #DefenseInDepth approach to a #HealthySecurityProgram, is ACTUALLY THE GOOD THING 🤨
(ahem)
You want to know about the platform I architected? No problem! 👌🏻
You want to know what Threat Intelligence I gather? Check my GitHub (link on my profile 😁).
You want the keys to my kingdom? 🤣 No, but thanks for playing 👍🏻
I'm NOT saying #compromise yourself or open some dark #backdoor to your systems. Just share the knowledge of how you're protecting stuff! Everyone is more #secure for it, and the next generation will make it better.
https://kalahari.substack.com/p/security-through-obscurity?sd=pf
-
#DarkAI is a thing. I've talked about it before, and this article supports every theory I've mentioned over the years. #CyberCriminals are using #GenerativeAI to create sophisticated #BEC campaigns and #NovelMalware, and it lowers the barrier to entry for new cyber criminals, especially #ScriptKiddies or people with zero technical experience, to create and commit malicious fraud campaigns against a much wider swath of targets than ever before. The ONLY way to combat these emerging threats is through user awareness trainings and a #DefenseInDepth approach to your security platform for #EnterpriseSecurity. For yourselves personally - invest in a solid #antivirus solution, whether that's Microsoft's #Defender (consumer version), or a platform like #Avast which is affordable, very good, and works on desktop and mobile. You also want to look into a #VPN to protect your data streams. These DarkAIs aren't here to play, they are here to cause chaos. #BeCyberAware #BeCyberSafe and #DontGetPhished!!
https://www.darkreading.com/application-security/gpt-based-malware-trains-dark-web
-
#Kubernetes question for the fedi:
How do you convert webhook formats in a #homelab environment? For example, converting #botkube 'generic webhook' payload to feed #gotify
Lots of people seem to use #nodered, but that is a lot for a json transform.
Difficulty: It is part of the alerting pipe, so it should be as durable as possible. (As durable as something running on the same infra can be.)
I saw https://github.com/adnanh/webhook with simple python or curl scripts, but even with #defenseindepth (networkpolicy, securitycontext, etc) shell scripts seem hacky at best and a Bad Idea at worst.
Some form of #serverless would probably work, but that means finding, installing and learning a new #framework that hopefully won't become a huge headache in a week or a year.
The old #housebrain uses git-backed #nodered and it is a huge pain to maintain. (Mostly thanks to my design.) I'm doing it better this time.
-
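For the question above, an added example (not the poster's code, and not botkube's or gotify's) of the transform step written as a small stdlib Python relay instead of a shell script behind a generic webhook receiver. It assumes the inbound alert is a JSON object whose field names are not known here (a few likely ones are read if present, otherwise the whole object is forwarded as text) and that gotify is driven through its POST /message endpoint with an X-Gotify-Key header; host names, the header name X-Relay-Secret and the environment variables are placeholders. The security choices are the ones the poster is worried about: a shared secret checked in constant time, a body-size cap before parsing, strict JSON-object parsing, no shell involved, and alert payloads kept out of the request log.

```python
"""
Added example, not from the post: a botkube -> gotify relay in stdlib Python,
in place of a shell script behind a generic webhook receiver. Assumptions:
the inbound alert is a JSON object whose field names are not fixed here (only
a few are read if present), and gotify is driven through its POST /message
endpoint with an X-Gotify-Key header. Host names and secrets are placeholders.
"""
import hmac
import json
import os
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

RELAY_SECRET = os.environ.get("RELAY_SECRET", "")   # shared with the sender's webhook config
GOTIFY_URL = os.environ.get("GOTIFY_URL", "http://gotify.alerts.svc.cluster.local")
GOTIFY_TOKEN = os.environ.get("GOTIFY_TOKEN", "")
MAX_BODY = 64 * 1024   # refuse oversized posts before parsing them

PRIORITY = {"critical": 8, "error": 6, "warn": 4, "warning": 4, "info": 2}


def authorised(presented: str, expected: str) -> bool:
    """Constant-time check of the shared secret; an unset secret fails closed."""
    return bool(expected) and hmac.compare_digest(presented.encode(), expected.encode())


def to_gotify(event: dict) -> dict:
    """Map an alert object to a gotify message. Field names are assumed; unknown
    shapes still yield a readable message instead of being dropped."""
    level = str(event.get("level") or event.get("type") or "info").lower()
    title = str(event.get("title") or event.get("cluster") or "kubernetes alert")[:120]
    message = event.get("message") or event.get("summary") or json.dumps(event, sort_keys=True)
    return {"title": title, "message": str(message)[:4000], "priority": PRIORITY.get(level, 2)}


def parse_event(body: bytes) -> dict:
    """Strict parse: a JSON object only; anything else raises and is rejected."""
    event = json.loads(body.decode("utf-8"))
    if not isinstance(event, dict):
        raise ValueError("expected a JSON object")
    return event


def push_to_gotify(msg: dict) -> int:
    req = urllib.request.Request(
        GOTIFY_URL.rstrip("/") + "/message",
        data=json.dumps(msg).encode(),
        headers={"Content-Type": "application/json", "X-Gotify-Key": GOTIFY_TOKEN},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


class RelayHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not authorised(self.headers.get("X-Relay-Secret", ""), RELAY_SECRET):
            self.send_error(401)
            return
        length = int(self.headers.get("Content-Length") or 0)
        if length <= 0 or length > MAX_BODY:
            self.send_error(413)
            return
        try:
            event = parse_event(self.rfile.read(length))
            status = push_to_gotify(to_gotify(event))
        except (ValueError, OSError) as exc:
            self.send_error(502, f"relay failed: {exc.__class__.__name__}")
            return
        self.send_response(status)
        self.end_headers()

    def log_message(self, fmt, *args):   # keep alert payloads out of stdout logs
        return


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), RelayHandler).serve_forever()
```

Run it as a single-container Deployment with the NetworkPolicy and securityContext the poster already mentions; because it is one file with no dependencies beyond the standard library, it is also the kind of thing that survives a year of cluster upgrades without a framework to re-learn.
-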
🔥⏲️ Fudge Sunday "Fuzz Jam June" A look at the growing importance of fuzzing in platform engineering
#fuzzing #fuzztesting #fuzzylogic #fuzzball #fuzzy #platformengineering #platformengineer #toolchains #attestation #softwaresupplychain #softwaresupplychainsecurity #dast #owasp #waf #cncf #aif #artificialintelliegence #machinelearningmodels #cloudinfrastructure #securityautomation #securitybydesign #scanning #defenseindepth #shiftleft #newsletter #newsletters
-
How well does it do in a data center with 90dB chillers blowing 24x7?
#infosec #DefenseInDepth https://techhub.social/@techandcoffee/110010877553474425
-
@Techmeme This is definitely positive, but in reference to:
“Database leaks have been a bane for security for many years now, with poor practices and configuration mistakes often exposing the sensitive details of millions of people.”
This won’t stop leaks from a misconfigured system (DB or other) on top of S3. By the time data is in the db, it has been decrypted.
-
I explain a #WAF as a nice line of defence against common nuisances only. Always secure your underlying API.
For example on #AWS WAF, SQLi / XSS filters are implemented with regexes. False positives often lead to some rules being disabled. The article shared by others today demos widespread false negatives.
Geo filters are great against pests who don't have VPNs. WAF rate limits are really great against people who don't control botnets.
https://www.securityweek.com/wafs-several-major-vendors-bypassed-generic-attack-method
-
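The point of the post above, as an added example that is not the poster's code and not any vendor's rule set: a deliberately small signature list in the style of a regex WAF rule, shown beside the control that actually holds, a parameterised query on the underlying API. The schema, table contents and sample inputs are invented for the demo. Real rule groups are broader than four patterns, but the structural problem is the same: the signature sees a string, the database sees a parse tree, and every payload that is not in the list is a false negative while every legitimate value that happens to look like one is a false positive.

```python
"""
Added example, not from the post: a signature-style SQLi rule of the kind a WAF
applies, beside the control that actually holds, a parameterised query.
Schema, table contents and the sample inputs are invented for the demo.
"""
import re
import sqlite3

# A deliberately small signature list in the style of a WAF rule group.
SQLI_SIGNATURE = re.compile(
    r"'\s*or\s+'?1'?\s*=\s*'?1"   # the textbook ' OR '1'='1
    r"|union\s+select"            # union-based extraction
    r"|drop\s+table"              # destructive statements
    r"|--\s*$",                   # trailing line comment
    re.IGNORECASE,
)

# The API's own input contract; an allowlist, not a denylist of attack strings.
USERNAME_OK = re.compile(r"^[a-z0-9_.-]{1,32}$")


def waf_blocks(value: str) -> bool:
    """What the edge filter decides from the raw parameter value alone."""
    return bool(SQLI_SIGNATURE.search(value))


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER);"
        "INSERT INTO users(username, is_admin) VALUES ('alice', 0), ('bob', 0), ('root', 1);"
    )
    return con


def lookup_vulnerable(con, username: str) -> list:
    """String-built query: only the WAF stands between the input and the SQL parser."""
    return con.execute(
        f"SELECT username FROM users WHERE username = '{username}'"
    ).fetchall()


def lookup_parameterised(con, username: str) -> list:
    """Bound parameter: the value can never become SQL, whatever the WAF decided."""
    return con.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_hardened(con, username: str) -> list:
    """Parameterised query plus the allowlist; the WAF is now a bonus layer."""
    if not USERNAME_OK.match(username):
        return []   # reject rather than sanitise
    return lookup_parameterised(con, username)


def demo() -> dict:
    con = setup_db()
    textbook = "' OR '1'='1"
    variant = "' OR 2>1 OR 'a'='b"                     # same idea, no '1'='1' literal
    review = "Ikea should drop table assembly fees"    # legitimate free text
    return {
        "textbook_blocked": waf_blocks(textbook),                          # True
        "variant_blocked": waf_blocks(variant),                            # False: missed
        "variant_rows_vulnerable": len(lookup_vulnerable(con, variant)),   # 3: every user
        "variant_rows_parameterised": len(lookup_parameterised(con, variant)),  # 0
        "variant_rows_hardened": len(lookup_hardened(con, variant)),       # 0
        "review_blocked": waf_blocks(review),                              # True: false positive
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The false positive on the review text is the operational half of the post's argument: once a rule starts blocking real customers, someone disables it, and the string-built query behind it is then exactly as exposed as it was on day one. The parameterised version does not care either way.
-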
Microsoft’s security approach focuses on #defenseindepth, with layers of protection throughout all phases of design, development, and deployment. Read our recent learnings on ensuring #Azure and our technologies are secure for our customers: https://azure.microsoft.com/blog/microsoft-azures-defense-in-depth-approach-to-cloud-vulnerabilities