Tagged #fido2

8 posts

Microsoft 365 AiTM Defense
Conditional Access policies that actually break AiTM
Five Conditional Access policies, deployed in this order, make AiTM economically unviable against your tenant. Plus the rollout …
Mitigation · 10 min

LinkedIn AiTM Defense
LinkedIn AiTM phishing, what actually happens, step by step
The attack in plain English. What gets captured, when reCAPTCHA matters, why li_at is the prize, and which …
Overview / Threat Model · 10 min

LinkedIn AiTM Defense
Detecting LinkedIn AiTM, three queries and a Python monitor
SPL queries for credentials submitted to a non-LinkedIn domain, li_at replayed from a new ASN, and impossible travel …
Detection · 10 min

LinkedIn AiTM Defense
Controls that break LinkedIn AiTM. FIDO2, CASB, and the ones that do not work
FIDO2 makes the attack structurally impossible. CASB session policies catch the rest. Password managers, security awareness, and SSO …
Mitigation · 10 min

LinkedIn AiTM Defense
LinkedIn AiTM incident response runbook
Triage, contain, scope, notify, preserve evidence. The full sequence with exact LinkedIn URLs and timing expectations from real …
Playbook · 9 min

Microsoft 365 OAuth Consent Defense
Why Conditional Access will not stop OAuth consent attacks (and what will)
CA gates sign-in. Consent happens after sign-in. Real prevention lives in three Entra ID consent-framework settings most established …
Mitigation · 12 min

Gmail BitM Defense
BitM Shield and the broader posture, what actually stops Browser-in-the-Middle
BitM Shield is a free Chrome extension we built and verified in our research lab. It blocks the …
Mitigation · 12 min

Microsoft 365 Device Code Defense
Blocking device code phishing in Microsoft 365, the CA policy that closes the flow
One Conditional Access policy blocks the entire device code flow. Most tenants have never deployed it. Here is …
Mitigation · 5 min