Matt Swann

Cyber intelligence analyst and detection engineer. I write about turning threat intelligence into detection logic — KQL, malware analysis, and detection-as-code across the Microsoft security stack.

Browse the series below, or start with the latest post.

Detection Deep Dive: Encoded PowerShell Commands (T1059.001)

The first entry in the Detection Deep Dive series: mapping encoded PowerShell execution to detection logic in Microsoft Defender, tuning out the false positives, and knowing what the detection can’t see.

July 7, 2026 · 4 min · Matt Swann

How a Single KQL Query Stopped an Entire EvilTokens Phishing Campaign

An AI-powered PhaaS campaign leaned on legit-vendor redirects and device-code phishing — but spoofing left a fingerprint. One KQL query plus a 5-minute MDE automation loop neutralized over 1,200 malicious emails in 48 hours.

June 11, 2026 · 4 min · Matt Swann