Open Research

Security research, written for defenders.

Threat models. Detection queries. Conditional Access policies. Playbooks. Built by people who study how attackers operate, published for the people defending against them. No paywall, no email gate.

6 research bundles · 26 published artifacts

Research bundles

Microsoft 365 AiTM Defense

AiTM phishing steals the session cookie after MFA succeeds, then replays it for full account takeover. Here's how to catch it in your tenant and the controls that make the cookies useless when it happens.

LinkedIn AiTM Defense

AiTM phishing against LinkedIn captures the password and the li_at session cookie. MFA does not stop it. Here's what the attack actually looks like, how to spot it, and the controls that break it.

Phishing Redirect Abuse

How attackers deliver phishing through trusted-domain redirects, open redirect bugs, and free hosting platforms. Empirical 2026 findings with a free tracing tool.

Microsoft 365 OAuth Consent Defense

OAuth illicit consent grants bypass the entire credential-theft defensive stack. No password, no MFA prompt, no impossible travel, just a user clicking Accept. Here is what the attack looks like, the five Sentinel detections we run, and what to harden first.

Gmail BitM Defense

Browser-in-the-Middle attacks stream a real attacker browser to the victim instead of cloning HTML. FIDO2 does not help. Passkeys do not help. Here is the attack, the detection signals, the BitM Shield extension we built and verified in our research lab, and the IR move most playbooks skip, revoking the OAuth refresh token.

Microsoft 365 Device Code Defense

Device code phishing does not steal a password. It gets the victim to authenticate to the real Microsoft sign-in page and hand the attacker a 90-day refresh token. MFA is satisfied as normal. FIDO2 does not stop it. Here is what the attack looks like, the detection that catches it, and the one CA policy that closes the flow entirely.

Recently added

Phishing Redirect Abuse Research / Writeup · 7 min

redirect_analyzer: A Free Tool to Trace Phishing Redirect Chains

Most email security products are HTTP-only scanners — they miss soft redirects, meta-refresh, subdomain-encoded destinations, and JS-obfuscated redirects. We built …

Phishing Redirect Abuse Research / Writeup · 9 min

When Attackers Build Their Own Redirect Layer

Cloudflare Workers, GitHub Pages, Netlify — free trusted hosting becomes free trusted redirect infrastructure. The full compound chain that defeats …

Phishing Redirect Abuse Research / Writeup · 7 min

The Twitter Open Redirect Nobody Patched

We hunted 80 trusted-domain endpoints for unauthenticated open redirects. One is still live in 2026 — twitter.com/logout?redirect_after_logout= — and works …

Phishing Redirect Abuse Research / Writeup · 7 min

Redirect Abuse in 2026: What Still Works

Most trusted-domain redirect tricks are dead in 2026. We tested every major platform — Google, YouTube, LinkedIn, Microsoft, Facebook — …

Microsoft 365 Device Code Defense Playbook · 6 min

Device code phishing incident response, what to do when you find a sign-in you cannot explain

A device code sign-in in SigninLogs that nobody authorized. The attacker has had a 90-day refresh token since the moment …

Microsoft 365 Device Code Defense Mitigation · 5 min

Blocking device code phishing in Microsoft 365, the CA policy that closes the flow

One Conditional Access policy blocks the entire device code flow. Most tenants have never deployed it. Here is the exact …

Why we publish this

We work both sides of security. The same understanding that builds offensive tooling also writes detections that catch it. Closed defensive content gets cited zero times; open content gets adopted, audited, improved.

Everything here is free to read, copy, and adapt. If you need help deploying any of it in your environment (tuning detections, rolling out Conditional Access, designing IR for AiTM), we offer that too.