About LexLab Tools
Security research lab. Infrastructure services. Run by Leo.
What we do
LexLab Tools is a security research lab focused on identity attack surfaces in Microsoft 365 and Entra ID: AiTM phishing, browser session theft, OAuth abuse. We study how these attacks work, in a real lab, against real tooling. Then we write up the defenses.
Not the theoretical kind. The ones tuned to real tradecraft, tested against actual infrastructure, and written so a defender can deploy them the same day.
Published research
The Microsoft 365 AiTM Defense bundle is live: threat model, three Sentinel KQL detections, Conditional Access rollout guide, and IR runbook. Six artifacts, all free, no paywall, no email gate.
More bundles in progress: LinkedIn AiTM Defense (li_at session theft, CASB and proxy log detections, FIDO2 rollout, IR), OAuth Consent Attack Defense (post-access persistence, detection and hardening for Microsoft 365), and Gmail BitM Defense (Browser-in-the-Middle attacks, detection signals, mitigations, IR).
We also shipped BitM Shield, a Chrome extension that detects Browser-in-the-Middle phishing in real time. It catches the noVNC variant that bypasses FIDO2 and passkeys. Open source, MIT licensed.
Commercial services
To keep the lab running, we operate commercial services. These fund the research.
Dedicated IPs, SPF/DKIM/DMARC handled, SMTP and HTTP API. Built for application email.
Servers with root access, DDoS protection, fast deployment.
Python/Django development, server deployment, DNS and email auth setup, security assessments.
Leo
Security researcher, red team operator, Python/Django developer, founder of LexLab Tools.
LexLab is where I publish what I learn. The commercial services pay for the time.
Contact
For security disclosures, research questions, or service enquiries: