Sentinel detection, suspicious sign-in plus persistence action
The highest-fidelity detection in this bundle. Catches the chain: dodgy sign-in, then within 2 hours a forwarding rule, …
AiTM incident response, what to do when the alert fires at 2am
Step-by-step runbook for when an AiTM detection lights up. Revoke, reset, audit, clean persistence, pivot-hunt. Exact PowerShell included.
LinkedIn AiTM phishing, what actually happens, step by step
The attack in plain English. What gets captured, when reCAPTCHA matters, why li_at is the prize, and which …
LinkedIn AiTM incident response runbook
Triage, contain, scope, notify, preserve evidence. The full sequence with exact LinkedIn URLs and timing expectations from real …
OAuth consent phishing against Microsoft 365, what happens when no password is stolen
The attacker registers an app in their own tenant, tricks a user into clicking Accept, and gets Microsoft-signed …
Containing an OAuth consent compromise, the four moves you have to make in order
Revoke grants. Disable the SP. Revoke refresh tokens. Tenant-block the AppId. Order matters and most SOCs do it …
Browser-in-the-Middle attacks against Gmail, what makes them different from AiTM
BitM streams a real attacker-controlled browser to the victim instead of cloning HTML. FIDO2 does not help. The …
Detecting BitM against Gmail, network signals, browser signals, and the Workspace audit query
RFB protocol handshake on a WebSocket. Canvas-rendered login pages with no password input in the DOM. Input lag …
Responding to a Gmail BitM compromise, the OAuth-revoke step every other playbook skips
Password rotation does not revoke the OAuth refresh token. Sign-out-all-sessions does not revoke the OAuth refresh token. Until …
Device code phishing incident response, what to do when you find a sign-in you cannot explain
A device code sign-in in SigninLogs that nobody authorized. The attacker has had a 90-day refresh token since …