logo
Defence blues
Social engineering and identity hunting
  • Red tradecraft
  • Privacy greenhouse
  • Purple crossroads
  • Indigo observatory
  • Contact
Initializing search
    • Blue team @Home
    • Servers without a security team
    • Honeytech for humans
    • Blue team for dev
    • OT and ICS security
    • Counter moves
      • Closing the doors just walked through
        • Reducing phishing exposure
        • Email delivery controls
        • Inbound email filtering
        • MFA hardening
        • Controlling cloud storage and OAuth exposure
        • Social engineering and identity hunting
          • Phishing investigation and AiTM detection
          • Phishing campaign response playbook (SME, 50-250 staff)
          • Authentication method changes and OAuth consent hunting
        • Social engineering and identity hunting
          • Phishing investigation and AiTM detection
          • Phishing campaign response playbook (SME, 50-250 staff)
          • Authentication method changes and OAuth consent hunting
      • The machine at the point of impact
      • Traffic patterns as evidence
      • Inter-domain routing as a target
      • The surface designed to be accessible
      • The application layer as a target
      • Infrastructure you defend but do not own
      • Where the container meets the host
      • Systems that were never meant to be networked
      • The domain as an attack graph
      • The gap between access and authority
      • Harvesting stored secrets
      • Surviving the reboot
      • From target to target
      • Plausibility as cover
      • Memory corruption and its limits
      • Watching data being gathered
      • Watching the exits
      • Limiting the blast radius
      • Operational cost of security controls
    • Golem Trust Computing Ltd.
    • Civic Defence Establishment
    • The Circle Sea Arrangement
    • Office of Civil Surveys
    • Civil Observers’ Society
    • The Home for Bewildered Beasts of Legend
    • Campaigns, manoeuvres and scenarios

    Social engineering and identity hunting¶

    Runbooks for hunting attacker activity in email delivery, identity, and authentication controls: phishing triage and AiTM token theft detection, and hunting for persistence via authentication method changes, mailbox forwarding rules, and OAuth consent grants.

    • Phishing investigation and AiTM detection
    • Phishing campaign response playbook (SME, 50-250 staff)
    • Authentication method changes and OAuth consent hunting
    2026-07-09 22:41
    © Copyright 2026, TyMyrddin.
    Created using Sphinx 7.2.6. and Sphinx-Immaterial

    Made with love by Ty Myrddin, 2026, with a forest garden fostered by /ut7