Watch an attack happen from the “other” side:
Trick a user into entering creds into a fake Office 365 login page (made with evilginx).
Issue an MFA code request to Microsoft on that user’s behalf.
Steal the user’s access token, breach their Office 365 instance, and exfiltrate sensitive data.
- 1 Where in the kill chain could you spot this attack?
- 2 How would you detect this in your environment?
- 3 When and how should you respond?
- 4 How would you investigate the incident, and how long would it take?