OAuth Consent Phishing in 2026: MFA Stops Password Theft, Not Bad App Grants
Attackers do not always need your password. A single OAuth consent grant can give a malicious or compromised app durable access to mail, files, calendars, and SaaS data.
8 articles
Scammers are abusing legitimate notification systems from Microsoft, Google, PayPal, Docusign, and other trusted platforms. The message can pass SPF, DKIM, and DMARC because the platform really sent it.
Adversary-in-the-Middle phishing silently proxies real login pages and steals session tokens — making MFA useless. Here's how it works and how to detect it.
Browser-in-the-Browser (BitB) attacks forge convincing browser popup windows using pure HTML and CSS — making phishing pages nearly impossible to spot by eye. Here's how it works and how to defend against it.
MFA is no longer enough to protect Microsoft Entra ID accounts. Attackers steal tokens, register their own devices, and bypass Conditional Access — without ever touching a password. Here's the full attack chain and how to detect it.
Windows .lnk shortcut files can show one target while silently executing another. Discover five spoofing techniques including CVE-2025-9491, how attackers exploit them, and how to detect them.
A step-by-step debrief of a real-world red team engagement — from passive OSINT through AiTM phishing, EDR evasion, and ADCS exploitation to full domain compromise. What worked, what didn't, and what would have stopped us.
We tear apart a realistic phishing email using Security Decoder — headers, URLs, JWT tokens, and obfuscated JavaScript — and show exactly what each red flag means.