OAuth consent phishing against Microsoft 365 — what happens when no password is stolen
The attacker registers an app in their own tenant, tricks a user into clicking Accept, and gets Microsoft-signed …
Five Sentinel detections for OAuth consent attacks (with the KQL inline)
Suspicious consent grant, mass campaign, anomalous SP sign-in, post-consent credential addition, and Graph API mass read. Plus a …
Why Conditional Access will not stop OAuth consent attacks (and what will)
CA gates sign-in. Consent happens after sign-in. Real prevention lives in three Entra ID consent-framework settings most established …
Containing an OAuth consent compromise — the four moves you have to make in order
Revoke grants. Disable the SP. Revoke refresh tokens. Tenant-block the AppId. Order matters and most SOCs do it …
Browser-in-the-Middle attacks against Gmail — what makes them different from AiTM
BitM streams a real attacker-controlled browser to the victim instead of cloning HTML. FIDO2 does not help. The …
Detecting BitM against Gmail — network signals, browser signals, and the Workspace audit query
RFB protocol handshake on a WebSocket. Canvas-rendered login pages with no password input in the DOM. Input lag …
Responding to a Gmail BitM compromise — the OAuth-revoke step every other playbook skips
Password rotation does not revoke the OAuth refresh token. Sign-out-all-sessions does not revoke the OAuth refresh token. Until …