Tagged #azure-ad

14 posts

Microsoft 365 AiTM Defense

AiTM phishing, what actually happens, and what breaks each step

The attack in plain English, mapped to ATT&CK, and which defensive control kills which step. Read this before …

Overview / Threat Model 8 min

Microsoft 365 AiTM Defense

Sentinel detection, same session, two sources

When an attacker replays a stolen cookie, the same session ID shows up from two different IPs within …

Detection 5 min

Microsoft 365 AiTM Defense

Sentinel detection, sign-in from a hosting ASN

Real users sign in from residential ISPs and corporate networks. Attackers replaying cookies sign in from rented VPS. …

Detection 6 min

Microsoft 365 AiTM Defense

Sentinel detection, suspicious sign-in plus persistence action

The highest-fidelity detection in this bundle. Catches the chain: dodgy sign-in, then within 2 hours a forwarding rule, …

Detection 6 min

Microsoft 365 AiTM Defense

Conditional Access policies that actually break AiTM

Five Conditional Access policies, deployed in this order, make AiTM economically unviable against your tenant. Plus the rollout …

Mitigation 10 min

Microsoft 365 AiTM Defense

AiTM incident response, what to do when the alert fires at 2am

Step-by-step runbook for when an AiTM detection lights up. Revoke, reset, audit, clean persistence, pivot-hunt. Exact PowerShell included.

Playbook 8 min

Microsoft 365 OAuth Consent Defense

OAuth consent phishing against Microsoft 365, what happens when no password is stolen

The attacker registers an app in their own tenant, tricks a user into clicking Accept, and gets Microsoft-signed …

Overview / Threat Model 12 min

Microsoft 365 OAuth Consent Defense

Five Sentinel detections for OAuth consent attacks (with the KQL inline)

Suspicious consent grant, mass campaign, anomalous SP sign-in, post-consent credential addition, and Graph API mass read. Plus a …

Detection 11 min

Microsoft 365 OAuth Consent Defense

Why Conditional Access will not stop OAuth consent attacks (and what will)

CA gates sign-in. Consent happens after sign-in. Real prevention lives in three Entra ID consent-framework settings most established …

Mitigation 12 min

Microsoft 365 OAuth Consent Defense

Containing an OAuth consent compromise, the four moves you have to make in order

Revoke grants. Disable the SP. Revoke refresh tokens. Tenant-block the AppId. Order matters and most SOCs do it …

Playbook 12 min

Microsoft 365 Device Code Defense

Device code phishing against Microsoft 365, how the attack inverts a legitimate OAuth flow

The victim authenticates to the real Microsoft sign-in page. MFA satisfies normally. FIDO2 does not stop it. The …

Overview / Threat Model 6 min

Microsoft 365 Device Code Defense

Detecting device code phishing in Microsoft Sentinel, one field, one rule

Every successful device code sign-in writes `AuthenticationProtocol == deviceCode` to SigninLogs. Normal users almost never trigger this. The …

Detection 6 min

Microsoft 365 Device Code Defense

Blocking device code phishing in Microsoft 365, the CA policy that closes the flow

One Conditional Access policy blocks the entire device code flow. Most tenants have never deployed it. Here is …

Mitigation 5 min

Microsoft 365 Device Code Defense

Device code phishing incident response, what to do when you find a sign-in you cannot explain

A device code sign-in in SigninLogs that nobody authorized. The attacker has had a 90-day refresh token since …

Playbook 6 min