Microsoft 365 AiTM Defense
AiTM incident response, what to do when the alert fires at 2am
Step-by-step runbook for when an AiTM detection lights up. Revoke, reset, audit, clean persistence, pivot-hunt. Exact PowerShell included.
Microsoft 365 Device Code Defense
Device code phishing incident response, what to do when you find a sign-in you cannot explain
A device code sign-in in SigninLogs that nobody authorized. The attacker has had a 90-day refresh token since …