SOP-18: AiTM MFA Bypass & Session Token Theft Response
SOC analyst playbook for Adversary-in-the-Middle phishing that bypasses MFA by stealing post-authentication session cookies. Portal navigation for Entra ID risk events, tokenIssuerAnomaly triage, sign-in error codes, session revocation, and full Entra ID containment steps. KQL for Sentinel, SPL for Splunk.
Rudra Verma, Senior Security Architect & Researcher