<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Federation on Daniyal Ahmed | Red Team &amp; Cloud Security</title><link>https://daniyalahmed.dev/tags/federation/</link><description>Recent content in Federation on Daniyal Ahmed | Red Team &amp; Cloud Security</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><managingEditor>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</managingEditor><webMaster>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</webMaster><lastBuildDate>Wed, 29 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://daniyalahmed.dev/tags/federation/index.xml" rel="self" type="application/rss+xml"/><item><title>Hybrid Identity Penetration Testing: Laboratory &amp; Attack Guide</title><link>https://daniyalahmed.dev/posts/hybrid-identity-penetration-testing-laboratory-attack-guide/</link><pubDate>Wed, 29 Apr 2026 00:00:00 +0000</pubDate><author>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</author><guid>https://daniyalahmed.dev/posts/hybrid-identity-penetration-testing-laboratory-attack-guide/</guid><description>This is my most ambitious lab yet. Multiple attack techniques, a complete initial access methodology, attack and defense, AD setup in Azure, hybrid identity setup and full compromise from zero credentials to cloud persistence. Before we touch a single command I want to walk through every concept that underpins what happens in the lab. 
This series rewards people who understand why a technique works, not just people who can copy and paste commands.</description></item><item><title>The Federated Domain Backdoor: Persistence That Survives Everything</title><link>https://daniyalahmed.dev/posts/the-federated-domain-backdoor-tenant-persistence/</link><pubDate>Mon, 27 Apr 2026 00:00:00 +0000</pubDate><author>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</author><guid>https://daniyalahmed.dev/posts/the-federated-domain-backdoor-tenant-persistence/</guid><description>This attack was used by APT29 in 2020 to backdoor dozens of US government agencies. In 2025, a ransomware group used the same technique to exfiltrate and destroy data at multiple enterprises. It survives password resets, MFA resets, Conditional Access policy changes, and account deletion. And most organizations have zero detection coverage for it.
In the previous article we looked at SyncJacking, an attack that abuses the synchronization layer between on-premises Active Directory and Entra ID to hijack cloud identities.</description></item></channel></rss>