SOP-18: AiTM MFA Bypass & Session Token Theft Response

SOC analyst playbook for Adversary-in-the-Middle phishing that bypasses MFA by stealing post-authentication session cookies. Portal navigation for Entra ID risk events, tokenIssuerAnomaly triage, sign-in error codes, session revocation, and full Entra ID containment steps. KQL for Sentinel, SPL for Splunk.

2026-06-28T09:37:14.157Z
Rudra Verma, Senior Security Architect & Researcher