Cloud Forensics Just Got Easier with Session IDs

Most attackers don’t walk into your tenant and announce themselves. They quietly blend into normal logins and API calls, making life annoying for incident responders. Until now, tracing what happened during a single session across Microsoft 365 was slow, messy, and filled with guesswork. If you have ever worked an AiTM phishing case, you know the pain. The attacker steals a token, skips MFA, and suddenly starts pulling emails, and good luck figuring out which login that activity actually came from. ...

July 25, 2025 · 4 min

FileFix: CTRL+L, Paste, Boom.

The research is still ongoing :-) I have been studying mr.d0x's blog posts, and recently stumbled upon his new article about ClickFix and FileFix. For those of you who do not know what ClickFix is about, it is a sneaky social engineering trick. Attackers set up fake sites, such as fake update or CAPTCHA pages, that copy a malicious command to your clipboard. You are then told to hit Win+R, paste, and run it. Just like that, you install the malware yourself. ...

July 8, 2025 · 3 min