Video: 1 in 5: Why Infostealer Exposure is Outpacing Every Security Model | Duration: 3184s | Summary: 1 in 5: Why Infostealer Exposure is Outpacing Every Security Model | Chapters: Welcome and Introductions (0.16s), Session Housekeeping (119.535s), Info Stealer Logs (220.73s), Identity Paradox (399.385s), Stealer Logs (581.25s), Malicious Downloads & Threats (744.38s), Browser Security Strategies (904.465s), Stealer Log Analysis (1093.885s), Audience Q&A Session (1278.02s), Session Theft Detection (1511.705s), Entra ID Dominance (1645.165s), Cookie Hijacking Risks (1825.69s), Shadow IT Risks (2125.795s), Corporate Device Policies (2270.39s), Credential Theft Trends (2495.02s), Q&A and Closing (2684.515s), Community Learning & Closing (2919.39s), Closing & Next Steps (3084.44s)
Transcript for "1 in 5: Why Infostealer Exposure is Outpacing Every Security Model":
It doesn't wanna work. Anyway, I created an image to ask everyone a question while we're waiting. What was or is your favorite cartoon character from when you were a kid? Toss that in the chat. We'd love to know. Mine would have to have been Batman. Big Robin guy too, but I think Batman takes the cake. And then just with the nature of our industry, you know, it's always evolving. It's very challenging. I wanted to toss out a quote from this book at totally random. This is "It always seems impossible until it's done." I pick this up every once in a while, leave it by my desk. The quote that we'll get today: "Nothing any good isn't hard." F. Scott Fitzgerald. I think I would agree with that one. I always say anything worth having is never gonna be easy. So, everybody, thank you so much again for joining us today. My name is Joe Murphy, and today we're gonna have some fun talking about the data behind info stealers and exposure risk. With me today, I have Estelle. Estelle is a threat researcher here at Flare. She is a brilliant mind and one of the brightest individuals I've met to date in the research field. Estelle has a heavy background in mathematics, and I would like to pass it over to you, Estelle, just to give us a quick introduction. Yep. Hello, everybody. Thank you for your time in attending this. I am French, so if you hear a little accent, it's probably my French speaking. I have been with Flare for about two years now, and I'm having fun with math and bringing data to life to see what's actually going on instead of reading the lines of code. Yeah. Awesome. Thank you, Estelle. Alright, everybody. Quick housekeeping. The session is being recorded. It will be sent via email following the session, maybe tomorrow. Keep an eye out for the email. We'll also include a full copy of Estelle's report, and you can actually grab a copy of that now here in the session under the docs tab on the right side of your screen.
So feel free to grab a copy now, follow along with us. But, without further ado, Estelle, I say we dive in. You ready? Yep. Cool. Alright. So for those who may have not caught the report when it first came out, one of the big takeaways that, at least, I took was one in five exposures contain info stealers, and it's outpacing every security model. So Estelle started this research in 2025, and, you know, as she is a mathematician, found an anomaly. And we're calling it the 2025 warning shot from, I think, mid to late December. But, Estelle, you know, last year as a whole, there was a 20% drop in the number of logs that were leaked. Normally, like, that would be a celebration, but it's not. So can you tell us a little bit about why, you know, the drop is actually a dangerous distraction rather than something to celebrate? Yeah. You pointed that right, because when I saw the data and started to play with it, I saw that we had a 20% drop in log volume, all the stealer logs that we collected between 2024 and 2025. And then when I started to dabble into the stealer logs that actually contained enterprise identity credentials, I saw that we had an increase, and we had more than a hundred thousand of them more than the previous year, which meant that we had, like, a drop in overall volume, but we had an increase in volume of what's the most dangerous logs. So it was kind of a facade of a decrease, because in 2024, the overall logs that had enterprise and any credentials represented about 8% of all logs. That percentage rose to more than 11% in 2025, which meant that in 2025, more than one in 10 logs contained those dangerous credentials. And for those that might not know what an info stealer log is, or, you know, could you maybe just provide a brief little overview of what it means to us? Yeah. So an info stealer log is something quite specific, to be honest. Even I was not aware of what a stealer log was, like, two years ago, and I had an
epiphany going into one for the first time. It's basically a snapshot of an individual's digital identity. So if I took your computer, Joe, and I took a snapshot of what's inside of it right now, I will get your files, your autofills from your browser, your photos, your credentials, anything you'd have in browser data saved, basically. Then I would extract that information, and that is considered a stealer log, basically. And then you can either share it underground. Sometimes it's monetized, and then sometimes it's just used for exploitation. Yeah. I think we were talking yesterday. You're saying, you know, the threat actor, whoever finds it first, depending on the level of data inside or the value of the data inside, they'll either keep it or they'll sell it. Thanks for that. If you ran one on my computer, you'd probably just get a bunch of pictures of cute kittens and stuff like that, so feel free. But, kidding. So we had some models that predicted a steady climb. We saw the opposite. Is there anything else to touch on with that 16% jump that you saw? Yeah. Actually, there were three steps when I started to see that 16%. So how I got to this data was, first, I got the twenty-four months of data, so 2025 and 2024, computed the models, saw the predictions or the estimations, then I checked, was it actually right? I could compare with what I had with the first February of December, and that's when I saw that gap, because the model predicted around 13%. And then during the first February of December, I had more than 16%. Now it has smoothed out because as the month goes, you could have some rise one week and then a decrease in the other. So right now, we'll touch on the numbers later, but we are slightly above 13% for December, which is less than the original gap with the model estimations, but still quite in the rise and in the increase that we saw during the month of November. Yeah.
I think it's just gonna stay on a pretty steady trajectory. We call all of this the identity paradox. Could you explain that to me like I was a five year old? Yeah. So the identity paradox is we have fewer infections but more compromised corporate identities. And the reason behind this is because we have more security awareness. Fewer people are getting infected because we have security measures. We're adopting identity providers, SSO, and all that stuff. But then this means that more machines have those security measures and identity credentials, which means when there's an infection, there's actually more chance for the infection to yield identity credentials, since it's on more machines now. We see fewer infections but yielding more high value credentials inside the logs. Interesting. For whatever reason, this just popped into my head, but I could see, like, the difference in the number of logs produced, those that are dangerous and those that are not, like, something like the various levels of poison that, you know, some animals might have out in the wild. Like, one of those brown recluse spiders versus, like, a daddy long legs or something. You never know. So cool. Alright. Thank you for that. I wanted to just dive a little bit deeper into the whole stealer log and info stealer economy. I knew what syslogs were. Right? I knew, you know, about finding vulnerabilities, misconfigured cloud accounts. Like, to me, before I came to Flare, that was my world. I was aware that, you know, identity and passwords, credentials, secrets being leaked is a huge risk, but we weren't able to talk about it because, you know, that wasn't the nature of the business. Here, we're actually making a difference on the front lines, enabling people to be proactive to find these things before anything bad happens. I learned about a combo list. That was one of the first things that I picked up.
So, like, diving in a little bit into that world, the stolen credentials, you know, to me, before I had all this insight, I would think, okay, they got my LinkedIn account or they got my Netflix account. They're gonna be watching movies for free and, you know, just changing my algorithm up and just toying with my life. Right? Phishing emails, but info stealers are a totally different beast. If a combo list is a Polaroid of a breach, what's a stealer log? Yeah. If a combo is a Polaroid, then the stealer log is basically a screenshot of you in 8K, basically all your data given to someone, and then you can basically impersonate someone sometimes. In some stealer logs, you can see the full address, government name. If perhaps someone entered their Social Security number too many times, then it could be saved in the other fields of Google's, and then your whole identity can be compromised. Interestingly enough, the stealer logs also extract the browsing history, so they can see what you visited, any password you would have, and you can actually deduce quite a lot about the identity of the user or users behind the stealer log. Because sometimes, and most of the time where we see corporate credentials, it comes from a family type of device. Then you can have the kids on there, but also the parents and all their corporate credentials saved. Usually, it's not an infection vector that the parents clicked anymore; it's something that the kids or the teenager would click. And that's where the problem stems from. So I know, like, Roblox, Fortnite, the kids will download these plugins or packs or whatever. They can get the latest skin, and it's malicious. I know we just dropped some research today from Adrian about the FIFA World Cup. Apparently, there's already 75 fake sites up for bad actors to break your heart and steal your money and not let you go to the World Cup. So just be vigilant if you guys are buying tickets to that.
Check out the research if you're interested. Yeah. I mean, looking at the first time I saw a global search result in the platform, I got a kick out of the visibility into the passwords that people used, some of them. 123456, password. It's unbelievable. Yeah. John in the chat is saying that people using personal devices for corporate activities is a real problem. It really is. We have a use case story of a CFO vacationing in France, and the young son is using the iPad, playing Fortnite, downloads, you know, the latest skin. Little do they know it's a malicious file, and the bad actor has the CFO of a Fortune 500 company's entire Chrome browser in their possession. And that would contain probably pretty high level clearance levels of authority within the organization. There's a lot of things that someone could do with that. So I'm glad there's people out there like you, Estelle, that are helping keep us as safe as we can be. But I wanted to, we've got a chat question in the Q&A from Martin. And I'll just encourage everybody. If you guys have questions, chat is cool. If you don't want us to miss it, throw it in the Q&A. We'll make sure that we can get to it. And anything that we aren't able to get to today, we'll follow up with you individually. So, Estelle, Martin's asking, do you think the new features in browsers like DBSC, device bound session credentials from Google, oh, this is an interesting one, I gotta open it up, read more, will have a significant impact on info stealer operations? I've heard they're gonna get rid of cookies for, like, ten years. And as a marketer, that's horrifying, but what do you think, Estelle? I think it would have an impact. I'm not really too deep into the technicals of the malware's capability, but one of the things I would probably advise, to be more safe against info stealers, is to use device bound sessions.
Because when a stealer log would steal a cookie or anything, it's usually the long standing cookies or the "remember me" cookies that could last from up to hours or up to days. But if it's bound to the device, then that cookie or that session can't be really reused on another device. You solve that problem. So I definitely think it's gonna slow down at least some of the exploitation we see. But you gotta be careful, because threat actors are just smart and opportunistic, and I'm pretty sure they're gonna find another way. We just don't know which one yet. Yep. And they tend to have too much time on their hands to figure these things out. So, yeah, I think, what about using, so when I was at Secure World, the show in Boston, there was a bunch of people using, correct me if I'm wrong, the DuckDuckGo browser. Now can someone pull an info stealer from that browser as well? From what I grasp of how it functions is you have certain types of features that would grab some things on certain browsers. I haven't seen too much of, like, Ecosia or DuckDuckGo. I've seen a lot of Opera, Google, Firefox, obviously some Edge, but I have not seen many other, like, low key browsers for now. It probably could be picked up, but maybe my sample was just that nobody was using those, and so I don't think they do. Yeah. I feel like, well, Estelle, you said it yesterday. Right? It's like everyone wants just to be able to operate efficiently and fast in Google, sign in with Google. I use it. Right? I mean, I'm surprised that organizations haven't evolved to mandating, like, some type of browser like that. Yeah. But who knows? I think it's smart to use something that's not very used, because if there's one thing you have to remember about cybercrime and crime in general, it's that it's opportunistic.
It has to have a high reward and low effort for people to do it more, because it would be easy, and that's why you have way more stuff and features to extract credentials and wallets and stuff on Google and Firefox, because it's just one of the main things that people would use. So if you're sure they're gonna use it, you're gonna spend much more time on that browser rather than the other mostly unused one like .com. True. Alan, good to see you. Question in the chat for us, Estelle. I might need some, "So hope no has creds." Let me see. "Hope no has creds in URLs in their bookmark faves." Yeah. They do. Right? I think the balanced question, Estelle, is if somebody doesn't save their creds and they, you know, are still visiting the site, maybe they bookmarked it, favorited it, an info stealer will grab that. Right? I have not seen instances of bookmarks being pulled inside the stealer logs. If you don't save your passwords, sometimes we can find some inside autofills, because you just enter the same one over and over again. But I've not seen, at least for now, any instance of what I would call the favorites or the bookmark URLs. Thank you. Got some additional context in the chat there. Thank you. Oh, I see, Alan. Okay. "Hope no one has creds in URLs in their bookmark saves." Yep. I see. Okay. Estelle, let's dive a little bit into, we got a little sidetracked there. But, in the report, you mentioned that a single log, we talked about this a little bit, but, you know, has browser saved passwords, autofill, active sessions. Active sessions, to me, I'd like to double click on that one. But from a researcher like you, from your perspective, when you look at a typical stealer log, like, typical, how much of a person's life could you map out? Does it depend on the size of the log? Does it depend on if it's, like, very targeted? Yeah. You just said it. It basically depends on the size of the log and also sometimes on the behavior of the person behind the log.
Because if you are a very security-aware individual, you're not saving much into the browser. So then what I can only see is your browsing history and some of the files that you have on your computer. If, on the other side of that coin, you're not very aware, with behavior that's not secure, such as, you know, entering things and saving passwords, I would say I can see many things, especially if you go into the other fields again. I'm gonna repeat myself, but that's where we find the most details about someone. And, honestly, you can have their whole identity. Like, we've had instances where we have the government name, you can have the address up to the postal codes, we can have family member names. It gets pretty scary, so it depends on the size of the log. I particularly, or, this happened to me. So I had a procedure done a couple months ago and had to log in to many health care portals, and they had just changed over to a new system. They had, you know, really no idea how to use the software that they just implemented, but they wanted me to put my Social Security number in my profile. So, you know, as a cyber-aware individual, I push back on that. But, I mean, elderly folks, they're just gonna do whatever they're asked. Well, we got a ton of questions in the chat and the Q&A. So, Estelle, I wanted to, we can skip this, the AMOS Mac thing. You wanna skip that and just, okay. Let's go into some of the questions in the chat here. What markets do you find are the most prolific source of stealer logs? I'm not really into the collection team, but from my understanding is we have lots of Telegram channels, which are very prolific. But other than that, you can have many more sources on forums. But I would say Telegram is the main thing now. But again, I won't speak much for the collection team. Yeah.
Yeah, I think, for what it's worth, they don't discriminate, so they could, you know, every market, I think, is at risk or could have a run-in with one. So is that one? Andrea asked, do you already observe key theft on AI browsers, such as AI Atlas, Comet, Perplexity, etcetera? I've seen some keys. Yes. But they were in the autofills. I've seen an instance with a text file summarizing the keys or the key looking, like, strings. But that's all I've seen recently. Okay. I'm sure there will be more developments on that front. Definitely, as we speak. Yeah. John's asking, do you ever observe instances where threat actors, possibly different ones, sell the same log more than once? Sometimes we observe the exact same set of credentials sold by seemingly different threat actors using different info stealers. We aren't sure if this is really a dual infection or whether it is an actor trying to double monetize the data. Probably a little bit of both. Yeah. So we've known for quite a while that in cybercrime, you have recycling just because it's easy, and then you're just selling, for example, combo lists where you just aggregate many things or just people putting two breaches together. We've had instances of fake stealer logs. Looks fake, they just put together credentials and then package it as a stealer log. You can't really know if it's fake, even though you have that kind of feeling because it looks shallow. You have three emails, and then it's kind of a feeling you get when you stumble upon a log, but you definitely have some recycling for sure. You can also see some logs that are put as a teaser. Here is some log we've seen, and then it's just two to ten percent of the actual log to tease you and bring you into, oh, yeah, I definitely want to see the rest as well. That makes mini stealer logs that look very empty. That's interesting. Yeah. Because they can't give away the crown jewels in the listing. Right? Like, they have to redact the good stuff. Awesome.
Great question, John. Thank you. Given that modern info stealers like Lumma or StealC now utilize dead drop resolvers on high reputation platforms, and they rotate C2 infrastructure via cloud hopping, how can we programmatically distinguish between a legitimate session migration and a session cookie theft in a hybrid workforce without triggering a paralyzing volume of false positives? Yeah. I can see it. Specifically, if the telemetry matches a known clean user profile but originates from a residential proxy provider, SOCKS5, at what point does our intelligence shift from being proactive to simply documenting an inevitable identity collapse? Okay. Yeah. I can see it definitely will give you more errors and false positives. I will admit to my own shortcomings here, and I don't have the capacity to answer that question. But I think Olivier could help you on that one. Yeah. I'm definitely sure you could have false positives, but, okay, again, it's just a numbers game now, and it will be a telemetry game, because you have to know, first of all, when a session is compromised or any credential is compromised, and then you have to act fast. But, yeah, again, I will give the question to someone that's more qualified on that one. Stop. You're very much qualified. I just passed it to Olivier in the chat. The question came in from Priscilla, so thank you for that. Let me just make sure we don't have any more. K. Alright. I wanna talk a little bit about Entra ID. The Entra elephant in the room, it's obviously a monopoly. I don't know what percentage of logs are involved with Microsoft ID, maybe with Entra ID. You may. But, like, is there a reason why Entra's always in the mix here? Yeah. It's just a reflection of the market share of Entra ID, because info stealers don't discriminate. They don't target anyone in particular. It's very, very scarce that we see a campaign aimed specifically at something.
They usually lay traps, and then they wait to see who fell for it, basically. The reason we see about 80% of enterprise identity logs having Entra ID is because it's the first choice when we think about identity providers. It just appears to be the main one we see in the logs. Do you see, could an organization have multiple, like, Entra IDs? Like, they have Ping Identity, Okta, like, together in their global infrastructure, or is it you have one and you just stick to it? We've seen instances of logs having multiple in there. So in 2025, we've seen that about 18% of the logs we had had multiple credentials, meaning we had, for example, Entra ID, and then you could have something for AWS, and that's just exposing the blast radius, basically. And that probably drives the price up. Yeah. Because it's the piece that renders the stealer log valuable. If you have more of those high value pieces, then it gets more pricey, and then it gets better to exploit the data. Better for business, essentially. Yeah. I guess they wanna probably collect as much intel as they can, get all the potential points of entry before they, you know, press go. Definitely. So, okay. So the blast radius is expanding. 18% of the logs included what we call compound exposure, which is AWS, Okta, various different very intimate pieces of software with high value admin credentials potentially. So I love MFA, big MFA guy. Can we talk a little bit about the 1,000,000 logs that had both passwords and session cookies? You know, I've always felt like I was safe with MFA. I get the push notification to my phone. I use an authenticator app. But, like, a session cookie, like, that's, you know? Scary. Yeah. Because if you think about credentials as being the keys to the door, if a threat actor has the key, then they can enter the door freely. Here, the cookie is another dimension, in the sense that it completely removes the door.
So you can just walk in the house, and then you're just free to do whatever you like inside. So when we see a log with not only the credentials, so the key, but also the session cookie, it's quite bad, because then you can just enter the house because the door doesn't exist anymore. And as soon as the session cookie expires, you will still have some credentials. So even if the door reappears, you can still enter, so you have some kind of persistence inside that same log. So that's complicated, because you have some cookies. And as I said before, the cookies that get fetched from the stealer logs are usually the long standing ones, the "remember me" cookies, and they can stay on for multiple days. And that means it's that much time for the threat actor that would use the credentials in the logs and the cookie to do some damage. Yeah. The ability to hijack via cookies, it just blows my mind. I mean, you think you're safe online. Most people do, like the general public. But, man. So I'm glad we're raising awareness here, Estelle. You know, how to go about doing this, like, proactively, could go a bunch of different ways, but everyone's least favorite word is probably manual. So you mentioned manual monitoring is just unstable. Why can't a team of human identities keep up with this anymore? It's just become a numbers game. We have way too many logs. And in the best scenario, you can be alerted as soon as a log containing credentials for your company exists. If not, then it's just completely impossible, because we're seeing more than 250,000 logs per week, which is more than a million a month. You can really quickly understand that you can't deal with that just being a human. Is that logs that have been, like, uploaded for sale, or? We just see them being shared underground. So sometimes just shared for free, and then sometimes it's listed as a result.
And then if we go into the scenario that you have an amazing alerting system, you can see the log as soon as it gets out. A log is very complex sometimes, and it's very heavy. You can have logs up to 60 megabytes of data. Then an analyst would have to go inside the log, skim through the entirety of it to understand, okay, how was this individual infected? And what is inside the log? What are the credentials that put my company at risk? And then you have to go through the entirety of it to understand what kind of threat actor that has its hands on it could deduce about my company. Could they see that I use this type of tech stack? Could they see that I use this cloud infrastructure? Are there any credentials for my email? If they have access to the email, what can they do? So it can take up to several hours, honestly, for an analyst to understand the risk that it posed, and that's not even counting the remediation steps that you have to take after. Yeah. If you wanna do a thorough job, it's gonna take a while unless, you know, you've got the tools that can help automate some of it. Yeah. I remember I saw a syslog once, and I had no idea what I was looking at. So bless everyone who can understand that stuff, and Flare's out there to help if you need it. But, Estelle, I wanted to, you know, we're coming close up on time. Remind everybody, Q&A is open. Please engage in the conversation. It makes the best dialogue. And this is your time. So we wanna make sure that you get the most of it. But let's go back to the, oh, wait. Before we do that, what do you think about a shadow IT credential dump? I think it's an interesting question. I've not dealt, would that be, like, AI just dropping it? I've not dealt with any. I think it could be used. I don't think it would, in my opinion, as a criminologist, I would say it would not necessarily sell for a high price, but some of them could fetch a high price depending on the intent behind it.
But it would be less interesting than an actual stealer log. So maybe I'm not totally clear on what shadow IT means in this context, but, like, does that mean that it would just dump credentials to, like, automated logins that, like, nonhuman identities? I think what I gather from it is shadow IT would be something, oh, no. I thought about IoT. Hence, the less interesting. I don't know about shadow IT, honestly. Maybe cyber. If you wanna let us know in the chat, that'd be awesome. But if there's a will, there's a way. So I'm sure stuff outside, oh, okay. Gotcha. Like a disconnected Dropbox account, Box account? Okay. Oh, yeah. Wow. There's a lot of that. I remember I was looking over someone's shoulder when they were giving a presentation at Secure World, and there were, like, business application logins to some platform that the company hadn't used in, like, five years, but it was still active or what have you. Like, so the person was shocked by it. So, that would be a jackpot. Yeah, so okay. Anything else in the queue? Oh, yep. Let's see. Nope. Okay. The infection's happening on personal devices like we talked about earlier. What should companies do about that? You know? Are they gonna have to police or put policies in place that, and I think actually we're seeing it. Employees, you know, can't do any work. I know that's a policy here at Flare. Can't do any, like, work work on personal devices. What do you think that's gonna look like? I think it's gonna end up being in that direction. I'm a big advocate for being aware of what you do and understanding the traps, social engineering. Because most of the infections we see are self infections, because people download it and they don't know it's malicious. And most often, they even disable their own antivirus themselves, which is ironic because they're just socially engineered to infect themselves.
So I think spreading awareness is one of the biggest things that could get infections to be lowered. But I agree. Even if the parents are aware of those traps, then the kids have to be too, and then you can't just guarantee that an eight year old or 17 year old is gonna resist the temptation of having a Fortnite Galaxy Swapper skin for free. So, yeah, we might have to come down to policies of policing corporate activity, and then being strictly for corporate machines. Yeah. And I think if it's positioned correctly, everyone would understand it. I was with my nephew over the weekend, and he's a big Fortnite guy. Holy moly. The level of obsession is high. Yeah. I have no Victory Royales under my belt, but I have played other games like that and have some chicken dinners. Yeah. If there's any gamers in the chat, they're very used as baits to infect. So I mean, it's the ones we see the most. Fortnite, Roblox. Yeah. I feel like we've always heard any game with, like, microtransactions or anything with microtransactions, kids, literally little punks, stealing or borrowing the parents' credit card and helping themselves to, you know, the deluxe edition of the game that costs twice as much. But, yeah, I think the best thing any company can do is have a security aware workforce, and to bring that into the home, I think, is wise. I know I do it. Right? My son, he says, I don't talk to AI. AI is shady. Anytime, like, Gemini will come up on my phone, he freaks out. It's pretty cute. But we got another question in the chat here. Is a combination of step up authentication and token binding triggered by risk based behavioral signals the definitive solution to mitigate info stealer attacks and session hijacking? Any other suggestions? Alright. We have Olivier in the chat too. I'll put that in, let me see. I think I can share it. There we go.
Oh, I think you named quite a lot of good options and good combinations. Binding a token to a device is already a very good start, stepping up the authentication, even if we talked about MFA sessions being reused. As long as you stack up those, it's more obstacles that the threat actor will have to bypass, and then it's more effort. And then it's less likely that they would go through that effort, as soon as there are more obstacles. Obviously, if someone wants to hack you, they're gonna go through those efforts, but it's basically, you have to put those up so you're protected, and even if you're compromised, then it's more effort to exploit those. Maybe I could have another suggestion. Yeah. We can, I think we could take this back to the team and provide, you know, as much context and insight as we can. So thanks for submitting that question. I like what all of you said. Non technological solutions like not downloading info stealers in the first place is a really good suggestion, and I would push for that one in the first place. Yep. Cool. And don't give anyone admin rights. Yeah. There's this thing called zero trust out there, I think. I heard it's not that easy to pull off, but, Estelle, I wanted to get your opinion on this one. From your perspective, right, like, your world, if there was one thing that a security team or a criminologist, anyone with a security mind, should be on the lookout for or tracking from your report this year, like, what would it be and why? I think it's the number of stealer logs out of 10 that would yield corporate credentials. Right now, it's about one in eight. If, by the following months of the year, it goes down to one in six, one in five, then you have to get a bit alarmed. If we're going up to one in nine and we're going back to one in 10, it means the security measures and the awareness we're seeing are basically working. But I don't really see that going up anymore.
I think we're either going to stabilize or it's going to go a bit down, meaning we're going to have a higher percentage of overall logs having corporate credentials. But again, we're going to see how it evolves. Right now, about twelve to thirteen percent of the logs per month we are seeing contain enterprise identity credentials. All the AI and innovation that's going on is done in a browser. A lot of it. Right? Yeah. And I know you can bolt tech or, you know, software onto your model to build artifacts. So, you know, there's gonna be developers who have the source code. There's gonna be people who have customer data in there. So, yeah, it's a lot to keep up with. Do you think that the stealer economy has peaked? Where do you think we're at on the little graph? I think we're neither at the beginning nor at the peak. I think it has been going on kind of hidden and mostly ignored or unknown to people for quite a few years. And now we're beginning to shed some light on it and put it under the spotlight, because people are starting to understand how crucial the information inside stealer logs can be and how dangerous it can be for a whole company, because a single compromised device can lead to enterprise-wide compromise. And so we're starting to understand, okay, this is actually a big deal and we have to watch out for it. So I think it's going on and it's going well, sadly, for us, but it's definitely a threat that's here to stay for the foreseeable future. Yeah. I mean, IoT, everything is connected these days, and there's zero perimeter. Team, we're about thirteen minutes to go. I do want to let everybody know or remind folks that there will be a survey at the end. If you wouldn't mind taking a minute to fill that out, that'd be awesome. One of the most important questions is what would you like to see us cover next or do some more research on? So, again, this is your time.
We wanna make sure you get the most out of it. There are some documents that you could pull down in the docs tab over by the chat and the Q&A. We have Estelle's full report, and Estelle has some new data to report that will be reflected on there. So make sure that you bookmark it and check it periodically, because it's a living and breathing document. Very cool and very thorough. Incredible job, Estelle. Let's see. Don't think we have any other questions. So I think, Estelle, we can go ahead and open it up for Q&A? Yeah. Alright. I think if there's one thing that I would say, it is please don't click on something that is free and shouldn't be. If it's free, usually you are the product. You just have to think about that logic. If it usually has a license, there's a reason why you're finding it for free, and that reason you're not going to like if you download it. Well, actually, you just made me think of something, because I've been getting on my personal email these weird emails about setting up investment accounts, and they're calling me by the name of Michael, and that's not my name. But they keep coming. So I'm reporting them as spam and phishing, but if somebody is receiving some random stuff or, you know, gets some email that looks too good to be true, if they're getting these strange rogue emails, could and should they assume that there's been some sort of compromise and/or have credentials that are in someone else's possession? Sometimes it's not even about the credentials. It's about knowing that an email is actually active and there's a person behind it, because they would send it, again opportunistically, to a bunch of people, and they just need one that clicks on it, and then it's basically a win for them. Usually, humans have pretty good instincts. Sometimes when something feels off, you should listen to that instinct, because usually it's pretty right, but you can hone
that instinct into knowing the traps that they use, the social engineering. For example, we've seen a very interesting campaign using some Google Ads accounts, and then they made a copy, which is very, very convincing, of an official website, and then they used Google Ads to put it at the top of results. And since users trust the top results, people clicked and they got infected without knowing it. You have to look for these details. You know it's a trap once you know about the technique, but you have to know about this technique first. Yeah. I love that you said that. I think, yeah, sometimes we forget that we can trust our instincts. You know, they're there for a reason, and when something smells fishy or feels wrong, you get that feeling. And to hone it, to practice it, hopefully you don't have to practice it too much, but I like that. And I think coming to these sessions, joining our Discord community, and just engaging in the community, you know, we're all helping each other fight the good fight. So let's all keep learning. I think that's the least we could do. Alan had a question in the chat. We'll get to this one real quick. Is there evidence of infostealers being triggered by a webhook? Something like, is that eBPF? B-e-e-f? I'm not familiar with BeEF, so I can't really answer that question. BeEF. Oh. Beef. I'm hungry. All this cookie talk, and now this. I'm not sure. Honestly, I have not seen it, and I don't think I could answer that question, again. We'll track it. Yeah. I'm sure. I have not seen it pop up. Cool. Oh, I didn't even know the project was still active. Interesting. Okay. Cool. See? You learn something new every day. That's the beauty of it. Everybody, I'm gonna trigger the survey. You'll also get a follow-up email with the recording and some links to Estelle's full report as well as the opportunity to register for our webinar next Wednesday.
That's gonna be with our friends from Black Hills Information Security. You guys might know Derek over there. We're gonna be running part two of our identity security evolution workshop. So come say hi. Serge and Nick will be there with Derek. It's gonna be a good one. There's gonna be a lot of good insights and demos of some open source threat hunting tools and all that good stuff. So the survey's launched. We'll hang out for a couple minutes to see if there's any questions. But, everybody, thank you so much for the time. Estelle, thank you for the time and for the insights. As you said earlier, Estelle does reside in France. Big Victor Wembanyama fan. So we're hoping for the best for him. Fingers crossed. Yeah. I think he's so tall. He'll be alright. Hopefully. When they triggered the concussion procedure, I was like, no, please no. Yeah. I know. Well, at least they didn't let him play, because I'm sure he wanted to. Yeah. Oh, Brian says that framework was fun a decade ago. Evan, you're welcome. Thanks for joining us, everybody. Alright. That's all for today, folks. We'll see you on the next one. Again, thank you so much. Adios.