Open Research

Security research, written for defenders.

Threat models. Detection queries. Conditional Access policies. Playbooks. Built by people who study how attackers operate, published for the people defending against them. No paywall, no email gate.

7 research bundles · 31 published artifacts

Research bundles

Microsoft 365 AiTM Defense

AiTM phishing steals the session cookie after MFA succeeds, then replays it for full account takeover. Here's how to catch it in your tenant and the controls that make the cookies useless when it happens.

Yahoo / AOL AiTM Defense

AiTM phishing against Yahoo and AOL Mail. What the attack actually captures (less than you think), what Yahoo silently does right (more than you think), and how to catch the replay when it happens.

LinkedIn AiTM Defense

AiTM phishing against LinkedIn captures the password and the li_at session cookie. MFA does not stop it. Here's what the attack actually looks like, how to spot it, and the controls that break it.

Phishing Redirect Abuse

How attackers deliver phishing through trusted-domain redirects, open redirect bugs, and free hosting platforms. Empirical 2026 findings with a free tracing tool.

Microsoft 365 OAuth Consent Defense

OAuth illicit consent grants bypass the entire credential-theft defensive stack. No password, no MFA prompt, no impossible travel, just a user clicking Accept. Here is what the attack looks like, the five Sentinel detections we run, and what to harden first.

Gmail BitM Defense

Browser-in-the-Middle attacks stream a real attacker browser to the victim instead of cloning HTML. FIDO2 does not help. Passkeys do not help. Here is the attack, the detection signals, the BitM Shield extension we built and verified in our research lab, and the IR move most playbooks skip: revoking the OAuth refresh token.

Microsoft 365 Device Code Defense

Device code phishing does not steal a password. It gets the victim to authenticate to the real Microsoft sign-in page and hand the attacker a 90-day refresh token. MFA is satisfied normally. FIDO2 does not stop it. Here is what the attack looks like, the detection that catches it, and the one CA policy that closes the flow entirely.

Why we publish this

We work both sides of security. The same understanding that builds offensive tooling also writes detections that catch it. Closed defensive content gets cited zero times; open content gets adopted, audited, improved.

Everything here is free to read, copy, and adapt. If you need help deploying any of it in your environment (tuning detections, rolling out Conditional Access, designing IR for AiTM), we offer that too.