AiTM phishing, what actually happens, and what breaks each step
The attack in plain English, mapped to ATT&CK, and which defensive control kills which step. Read this before …
Sentinel detection, same session, two sources
When an attacker replays a stolen cookie, the same session ID shows up from two different IPs within …
Sentinel detection, sign-in from a hosting ASN
Real users sign in from residential ISPs and corporate networks. Attackers replaying cookies sign in from rented VPS. …
Sentinel detection, suspicious sign-in plus persistence action
The highest-fidelity detection in this bundle. Catches the chain: dodgy sign-in, then within 2 hours a forwarding rule, …
Conditional Access policies that actually break AiTM
Five Conditional Access policies, deployed in this order, make AiTM economically unviable against your tenant. Plus the rollout …
AiTM incident response, what to do when the alert fires at 2am
Step-by-step runbook for when an AiTM detection lights up. Revoke, reset, audit, clean persistence, pivot-hunt. Exact PowerShell included.
LinkedIn AiTM phishing, what actually happens, step by step
The attack in plain English. What gets captured, when reCAPTCHA matters, why li_at is the prize, and which …
Detecting LinkedIn AiTM, three queries and a Python monitor
SPL queries for credentials submitted to a non-LinkedIn domain, li_at replayed from a new ASN, and impossible travel …
Controls that break LinkedIn AiTM. FIDO2, CASB, and the ones that do not work
FIDO2 makes the attack structurally impossible. CASB session policies catch the rest. Password managers, security awareness, and SSO …
LinkedIn AiTM incident response runbook
Triage, contain, scope, notify, preserve evidence. The full sequence with exact LinkedIn URLs and timing expectations from real …
Browser-in-the-Middle attacks against Gmail, what makes them different from AiTM
BitM streams a real attacker-controlled browser to the victim instead of cloning HTML. FIDO2 does not help. The …
Detecting BitM against Gmail, network signals, browser signals, and the Workspace audit query
RFB protocol handshake on a WebSocket. Canvas-rendered login pages with no password input in the DOM. Input lag …
BitM Shield and the broader posture, what actually stops Browser-in-the-Middle
BitM Shield is a free Chrome extension we built and verified in our research lab. It blocks the …
Responding to a Gmail BitM compromise, the OAuth-revoke step every other playbook skips
Password rotation does not revoke the OAuth refresh token. Sign-out-all-sessions does not revoke the OAuth refresh token. Until …