Microsoft 365 AiTM Defense
Sentinel detection, same session, two sources
When an attacker replays a stolen cookie, the same session ID shows up from two different IPs within …
LinkedIn AiTM Defense
Detecting LinkedIn AiTM, three queries and a Python monitor
SPL queries for credentials submitted to a non-LinkedIn domain, li_at replayed from a new ASN, and impossible travel …
Microsoft 365 Device Code Defense
Detecting device code phishing in Microsoft Sentinel, one field, one rule
Every successful device code sign-in writes `AuthenticationProtocol == deviceCode` to SigninLogs. Normal users almost never trigger this. The …