Microsoft 365 AiTM Defense
AiTM incident response, what to do when the alert fires at 2am
Step-by-step runbook for when an AiTM detection lights up. Revoke, reset, audit, clean persistence, pivot-hunt. Exact PowerShell included.
LinkedIn AiTM Defense
LinkedIn AiTM incident response runbook
Triage, contain, scope, notify, preserve evidence. The full sequence with exact LinkedIn URLs and timing expectations from real …
Microsoft 365 OAuth Consent Defense
Containing an OAuth consent compromise, the four moves you have to make in order
Revoke grants. Disable the SP. Revoke refresh tokens. Tenant-block the AppId. Order matters and most SOCs do it …
Gmail BitM Defense
Responding to a Gmail BitM compromise, the OAuth-revoke step every other playbook skips
Password rotation does not revoke the OAuth refresh token. Sign-out-all-sessions does not revoke the OAuth refresh token. Until …
Microsoft 365 Device Code Defense
Device code phishing incident response, what to do when you find a sign-in you cannot explain
A device code sign-in in SigninLogs that nobody authorized. The attacker has had a 90-day refresh token since …