mbg
@mbrg0.bsky.social
Breaking AI. Building @zenitysec, lead @owaspnocode, columnist @DarkReading
we're stuck replicating the first AI-human interface that caught on
The Chat
we can do better
www.mbgsec.com/posts/2025-0...
The Chat
we can do better
www.mbgsec.com/posts/2025-0...
How Should AI Ask for Our Input?
How should we reason about machines taking over
www.mbgsec.com
August 28, 2025 at 7:43 PM
we're stuck replicating the first AI-human interface that caught on
The Chat
we can do better
www.mbgsec.com/posts/2025-0...
The Chat
we can do better
www.mbgsec.com/posts/2025-0...
Reposted by mbg
Reposted by mbg
You missed one thing in your (excellent) analysis: the attacker was clever enough to pull this off (and it is amazingly done), but still wasn't able to solve for Amazon Q CLI's dogshit ergonomics.
July 25, 2025 at 1:01 AM
You missed one thing in your (excellent) analysis: the attacker was clever enough to pull this off (and it is amazingly done), but still wasn't able to solve for Amazon Q CLI's dogshit ergonomics.
Reposted by mbg
AWS security bulletin: aws.amazon.com/security/sec...
"This issue did not affect any production services or end-users."
Weird how customer logs show the wiper prompt executing.
Anyone else see "clean a system to a near-factory state" in your logs?
"This issue did not affect any production services or end-users."
Weird how customer logs show the wiper prompt executing.
Anyone else see "clean a system to a near-factory state" in your logs?
July 24, 2025 at 2:01 AM
AWS security bulletin: aws.amazon.com/security/sec...
"This issue did not affect any production services or end-users."
Weird how customer logs show the wiper prompt executing.
Anyone else see "clean a system to a near-factory state" in your logs?
"This issue did not affect any production services or end-users."
Weird how customer logs show the wiper prompt executing.
Anyone else see "clean a system to a near-factory state" in your logs?
After several hours of GitHub dorking on the Amazon Q infection we have:
- hacker's user and intent
- downloader
- prompt payload
- evasion techniques
- timeline from july 13 thru was mitigation and cover
big open questions: how did lkmanka58 gain initial access? is this the only user involved?
- hacker's user and intent
- downloader
- prompt payload
- evasion techniques
- timeline from july 13 thru was mitigation and cover
big open questions: how did lkmanka58 gain initial access? is this the only user involved?
July 24, 2025 at 1:33 PM
After several hours of GitHub dorking on the Amazon Q infection we have:
- hacker's user and intent
- downloader
- prompt payload
- evasion techniques
- timeline from july 13 thru was mitigation and cover
big open questions: how did lkmanka58 gain initial access? is this the only user involved?
- hacker's user and intent
- downloader
- prompt payload
- evasion techniques
- timeline from july 13 thru was mitigation and cover
big open questions: how did lkmanka58 gain initial access? is this the only user involved?
0click chain on a copilot studio agent via email
bypass msft's defense, jailbreak 4o, recon for accessible data, dump the entire salesforce crm
one prompt
labs.zenity.io/p/a-copilot-...
bypass msft's defense, jailbreak 4o, recon for accessible data, dump the entire salesforce crm
one prompt
labs.zenity.io/p/a-copilot-...
A Copilot Studio Story 2: When AIjacking Leads to Full Data Exfiltration
Discover how prompt injections can lead to zero-click exploits threatening AI agents built using Copilot Studio. Learn about real-world risks, including data leakage and security blind spots. Bypass C...
labs.zenity.io
July 18, 2025 at 9:06 PM
0click chain on a copilot studio agent via email
bypass msft's defense, jailbreak 4o, recon for accessible data, dump the entire salesforce crm
one prompt
labs.zenity.io/p/a-copilot-...
bypass msft's defense, jailbreak 4o, recon for accessible data, dump the entire salesforce crm
one prompt
labs.zenity.io/p/a-copilot-...
this manus post has changed my todo for the weekend
the way in which they constrain model logits by manipulating prefixes is brilliant
manus.im/blog/Context...
the way in which they constrain model logits by manipulating prefixes is brilliant
manus.im/blog/Context...
Context Engineering for AI Agents: Lessons from Building Manus
This post shares the local optima Manus arrived at through our own "SGD". If you're building your own AI agent, we hope these principles help you converge faster.
manus.im
July 18, 2025 at 9:02 PM
this manus post has changed my todo for the weekend
the way in which they constrain model logits by manipulating prefixes is brilliant
manus.im/blog/Context...
the way in which they constrain model logits by manipulating prefixes is brilliant
manus.im/blog/Context...
its been 9 months since #BHUSA and living off microsoft copilot
ppl have been asking if things are better now
well.. they are much better. but for whom? 😈😈😈
catch the sequel at hacker summer camp featuring very disturbing shenanigans
@blackhatevents.bsky.social
ppl have been asking if things are better now
well.. they are much better. but for whom? 😈😈😈
catch the sequel at hacker summer camp featuring very disturbing shenanigans
@blackhatevents.bsky.social
May 12, 2025 at 11:03 PM
its been 9 months since #BHUSA and living off microsoft copilot
ppl have been asking if things are better now
well.. they are much better. but for whom? 😈😈😈
catch the sequel at hacker summer camp featuring very disturbing shenanigans
@blackhatevents.bsky.social
ppl have been asking if things are better now
well.. they are much better. but for whom? 😈😈😈
catch the sequel at hacker summer camp featuring very disturbing shenanigans
@blackhatevents.bsky.social
incredible vibes at openai's security conf last week
I came out both humbled and excited
and with a greater conviction --
you can just do things!
I came out both humbled and excited
and with a greater conviction --
you can just do things!
May 6, 2025 at 3:08 PM
incredible vibes at openai's security conf last week
I came out both humbled and excited
and with a greater conviction --
you can just do things!
I came out both humbled and excited
and with a greater conviction --
you can just do things!
AI vendors have been creating vuln disclosure programs asking that every bad prompt be responsibly disclosed
blocking a specific prompt does little to protect users
it creates an illusion of security that leaves users exposed
www.mbgsec.com/posts/2025-0...
blocking a specific prompt does little to protect users
it creates an illusion of security that leaves users exposed
www.mbgsec.com/posts/2025-0...
There Is Nothing Responsible About Disclosure Of Every Successful Prompt Injection
The InfoSec community is strongest when it can collaborate openly. Few organizations can fend off sophisticated attacks alone—and even they sometimes fail. If we all had to independently discover ever...
www.mbgsec.com
May 1, 2025 at 2:45 PM
AI vendors have been creating vuln disclosure programs asking that every bad prompt be responsibly disclosed
blocking a specific prompt does little to protect users
it creates an illusion of security that leaves users exposed
www.mbgsec.com/posts/2025-0...
blocking a specific prompt does little to protect users
it creates an illusion of security that leaves users exposed
www.mbgsec.com/posts/2025-0...
good morning folks! thanks again to everyone who attended my talks this week
ai assistants create a new initial access vector
prompt injection is not a bug to fix, its a problem to manage
slides, hacking demos, security program ->
labs.zenity.io/p/zenity-res...
ai assistants create a new initial access vector
prompt injection is not a bug to fix, its a problem to manage
slides, hacking demos, security program ->
labs.zenity.io/p/zenity-res...
Zenity Research Published at RSAC 2025
Copilots and agents are a new access vector; How to build an AppSec program that scales to the level of citizen development
labs.zenity.io
May 1, 2025 at 2:44 PM
good morning folks! thanks again to everyone who attended my talks this week
ai assistants create a new initial access vector
prompt injection is not a bug to fix, its a problem to manage
slides, hacking demos, security program ->
labs.zenity.io/p/zenity-res...
ai assistants create a new initial access vector
prompt injection is not a bug to fix, its a problem to manage
slides, hacking demos, security program ->
labs.zenity.io/p/zenity-res...
we conflate *the problem* with the term prompt injection
the problem is that AI inherently does not follow instructions, and we act like it does
it follows our goals, an attacker’s, or its own just the same
attackers exploit this
hijacking your AI for their goals
www.mbgsec.com/posts/2025-0...
the problem is that AI inherently does not follow instructions, and we act like it does
it follows our goals, an attacker’s, or its own just the same
attackers exploit this
hijacking your AI for their goals
www.mbgsec.com/posts/2025-0...
AIjacking Goes Beyond Prompt Injection
Naming is powerful. An excellent name does more than frame the problem, it hints at ownership, solutions, and urgency to address it. In a very real sense, they are like equivalence proofs in mathemat...
www.mbgsec.com
April 29, 2025 at 3:14 PM
we conflate *the problem* with the term prompt injection
the problem is that AI inherently does not follow instructions, and we act like it does
it follows our goals, an attacker’s, or its own just the same
attackers exploit this
hijacking your AI for their goals
www.mbgsec.com/posts/2025-0...
the problem is that AI inherently does not follow instructions, and we act like it does
it follows our goals, an attacker’s, or its own just the same
attackers exploit this
hijacking your AI for their goals
www.mbgsec.com/posts/2025-0...
tmrw (Dec 5) at 10am PT Microsoft is releasing a convo by @donasarkar.bsky.social @sarahyo.com and I where we go into using m365 copilot & copilot studio securely
this was a great attacker-defender interaction
join us! we'll be there for live questions in comments
this was a great attacker-defender interaction
join us! we'll be there for live questions in comments
December 4, 2024 at 12:46 PM
tmrw (Dec 5) at 10am PT Microsoft is releasing a convo by @donasarkar.bsky.social @sarahyo.com and I where we go into using m365 copilot & copilot studio securely
this was a great attacker-defender interaction
join us! we'll be there for live questions in comments
this was a great attacker-defender interaction
join us! we'll be there for live questions in comments
first time at INTENT
met lots of talented folks and the vibes were great
ty this was awesome!
met lots of talented folks and the vibes were great
ty this was awesome!
November 20, 2024 at 7:59 AM
first time at INTENT
met lots of talented folks and the vibes were great
ty this was awesome!
met lots of talented folks and the vibes were great
ty this was awesome!
ok we’re having a sequel to living off microsoft copilot
November 17, 2024 at 7:59 PM
ok we’re having a sequel to living off microsoft copilot
Aaron Costello found 1.1 million NHS employee PII records exposed due to a Power Pages misconfig
new powerpwn module is out!
by avishai efrat and ofri nachfolger
scan your environment for public facing Pages and Dataverse tables
github.com/mbrg/power-p...
new powerpwn module is out!
by avishai efrat and ofri nachfolger
scan your environment for public facing Pages and Dataverse tables
github.com/mbrg/power-p...
Modules: Power Pages
An offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform - mbrg/power-pwn
github.com
November 16, 2024 at 5:55 AM
Aaron Costello found 1.1 million NHS employee PII records exposed due to a Power Pages misconfig
new powerpwn module is out!
by avishai efrat and ofri nachfolger
scan your environment for public facing Pages and Dataverse tables
github.com/mbrg/power-p...
new powerpwn module is out!
by avishai efrat and ofri nachfolger
scan your environment for public facing Pages and Dataverse tables
github.com/mbrg/power-p...
is there any popular formal definition of the ‘halting problem’ for AI? i.e. can we build a kill switch?
November 15, 2024 at 11:45 AM
is there any popular formal definition of the ‘halting problem’ for AI? i.e. can we build a kill switch?
55k devs
90k copilots
500k apps
1.1m automations
10m creds
!
90k copilots
500k apps
1.1m automations
10m creds
!
Microsoft has >1.5 million low-code/no-code apps including 90K bots and AI copilots
this is how together we built a security program that managed to remediate 95% of vulns within 4m
I’m really excited to finally be able to share this -
www.youtube.com/watch?v=0jGU...
this is how together we built a security program that managed to remediate 95% of vulns within 4m
I’m really excited to finally be able to share this -
www.youtube.com/watch?v=0jGU...
BlueHat 2024: S14: Scaling AppSec with an SDL for Citizen Development
YouTube video by Microsoft Security Response Center (MSRC)
www.youtube.com
November 14, 2024 at 7:21 PM
55k devs
90k copilots
500k apps
1.1m automations
10m creds
!
90k copilots
500k apps
1.1m automations
10m creds
!
Microsoft has >1.5 million low-code/no-code apps including 90K bots and AI copilots
this is how together we built a security program that managed to remediate 95% of vulns within 4m
I’m really excited to finally be able to share this -
www.youtube.com/watch?v=0jGU...
this is how together we built a security program that managed to remediate 95% of vulns within 4m
I’m really excited to finally be able to share this -
www.youtube.com/watch?v=0jGU...
BlueHat 2024: S14: Scaling AppSec with an SDL for Citizen Development
YouTube video by Microsoft Security Response Center (MSRC)
www.youtube.com
November 14, 2024 at 6:21 PM
Microsoft has >1.5 million low-code/no-code apps including 90K bots and AI copilots
this is how together we built a security program that managed to remediate 95% of vulns within 4m
I’m really excited to finally be able to share this -
www.youtube.com/watch?v=0jGU...
this is how together we built a security program that managed to remediate 95% of vulns within 4m
I’m really excited to finally be able to share this -
www.youtube.com/watch?v=0jGU...