Module 12: Investigating AiTM Credential Phishing

4-6 hours · Manage Incident Response (25-30%)

This module is not a theoretical exercise. It reconstructs a real adversary-in-the-middle credential phishing campaign — five attack waves over 72 hours against a 500-seat organisation. Every KQL query is executable. Every investigation decision has a rationale. Every containment action includes its blast radius and rollback procedure. The names, domains, and IP addresses are sanitised using the Northgate Engineering fictional environment. The attack chain, analyst decisions, and investigation methodology are real.

AiTM credential phishing is the most operationally significant attack technique targeting M365 environments. It bypasses MFA by proxying the authentication session in real time, capturing both the password and the session token. The attacker does not need to crack or brute-force anything — they replay the stolen token to access the mailbox, create persistence mechanisms, and launch internal phishing campaigns, all while the legitimate user’s MFA remains intact and uncompromised.

This is the attack that every M365 SOC operator will encounter. This module teaches you to handle it.

What you will build during this module

By the end of this module, you will possess these deployable artifacts:

AiTM Investigation Playbook. A step-by-step decision tree covering: initial alert triage, email analysis, sign-in log investigation, post-compromise activity assessment, containment, eradication, scope assessment, and reporting. Binary decision points throughout — “if A, do B; if not A, do C.” Usable during a real incident.

8 AiTM Detection Rules. KQL analytics rules for Sentinel covering: phishing URL click from email, sign-in from new IP after phishing, token replay from different IP, inbox rule creation post-compromise, mail forwarding to external address, mass email read, MFA method modification, and the complete AiTM attack chain sequence. Each rule includes entity mapping, MITRE ATT&CK technique, alert grouping, and GRC compliance mapping.

IR Report Template. A formal incident report structure based on the report delivered to the CISO during the real incident. Sections: executive summary, timeline, scope, containment actions, root cause, recommendations, and appendices. Reusable for any M365 incident.

Hardening Checklist. Post-incident hardening steps specific to AiTM prevention: conditional access policy changes, token binding configuration, Safe Links policy updates, and inbox rule restrictions. Each step includes blast radius, rollback procedure, and GRC mapping.
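The mechanics paragraph above describes the core of the attack (a session token minted after a proxied MFA sign-in and then replayed from the attacker's own infrastructure), and the "token replay from different IP" rule in the detection artifact is built to catch exactly that. The following Python is an added illustration of that rule's correlation logic, not code from the course or its KQL rules; the record fields, the MFA detail strings and the sample sign-ins are constructed assumptions loosely modelled on Entra ID sign-in log columns.

```python
from datetime import datetime, timedelta

# Constructed sample sign-ins (not from the course environment). Field names and
# the MFA detail strings are assumptions; real rules key off SigninLogs columns.
TOKEN_CLAIM = "MFA requirement satisfied by claim in the token"
MFA_DONE = "MFA completed"

SIGNINS = [
    # a.user: interactive MFA sign-in from 203.0.113.10 (in a true AiTM case this is the
    # proxy, not the victim), then the same session presented by token from another IP.
    {"user": "a.user@northgate.example", "time": "2026-02-27T08:02:10", "ip": "203.0.113.10",
     "session": "S1", "interactive": True, "result": 0, "mfa_detail": MFA_DONE},
    {"user": "a.user@northgate.example", "time": "2026-02-27T08:03:55", "ip": "198.51.100.7",
     "session": "S1", "interactive": False, "result": 0, "mfa_detail": TOKEN_CLAIM},
    {"user": "a.user@northgate.example", "time": "2026-02-27T09:15:00", "ip": "203.0.113.10",
     "session": "S1", "interactive": False, "result": 0, "mfa_detail": TOKEN_CLAIM},
    # b.user: token reuse from the same IP that completed MFA; benign refresh, not replay.
    {"user": "b.user@northgate.example", "time": "2026-02-27T08:30:00", "ip": "192.0.2.44",
     "session": "S2", "interactive": True, "result": 0, "mfa_detail": MFA_DONE},
    {"user": "b.user@northgate.example", "time": "2026-02-27T10:00:00", "ip": "192.0.2.44",
     "session": "S2", "interactive": False, "result": 0, "mfa_detail": TOKEN_CLAIM},
    # c.user: failed sign-in (non-zero result); no session was minted, so nothing to replay.
    {"user": "c.user@northgate.example", "time": "2026-02-27T08:40:00", "ip": "192.0.2.45",
     "session": "S3", "interactive": True, "result": 50126, "mfa_detail": ""},
]

def _ts(s):
    return datetime.fromisoformat(s)

def find_token_replay(signins, window=timedelta(hours=24)):
    """One finding per (user, session) where a session established with interactive MFA
    from one IP is later presented via token claim from a different IP inside `window`."""
    by_session = {}
    for ev in sorted(signins, key=lambda e: e["time"]):
        if ev["result"] == 0:  # only successful sign-ins carry a usable session
            by_session.setdefault((ev["user"], ev["session"]), []).append(ev)
    findings = []
    for (user, session), events in by_session.items():
        anchor = next((e for e in events if e["interactive"] and e["mfa_detail"] == MFA_DONE), None)
        if anchor is None:
            continue
        replay_ips = sorted({e["ip"] for e in events
                             if e["mfa_detail"] == TOKEN_CLAIM and e["ip"] != anchor["ip"]
                             and timedelta(0) < _ts(e["time"]) - _ts(anchor["time"]) <= window})
        if replay_ips:
            findings.append({"user": user, "session": session, "minted_from": anchor["ip"],
                             "replayed_from": replay_ips, "minted_at": anchor["time"]})
    return findings

if __name__ == "__main__":
    for f in find_token_replay(SIGNINS):
        print(f)
```

Tightening the window reduces noise from legitimate roaming, at the cost of missing attackers who wait before replaying; the 24-hour default matches the spirit of the 72-hour campaign window rather than any documented tuning.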

Prerequisites

Complete Modules 1 (Defender XDR), 6 (KQL), 7 (Sentinel workspace), 8 (data connectors), and 9 (detections). This module applies every skill from those modules to a single integrated scenario. If you have not completed Module 6, you will not be able to write or modify the KQL queries. If you have not completed Module 10, you will not understand the analytics rule deployment in subsection 12.13.

MITRE ATT&CK techniques covered

T1566.002 (Phishing: Spearphishing Link), T1557 (Adversary-in-the-Middle), T1078.004 (Valid Accounts: Cloud Accounts), T1550.001 (Use Alternate Authentication Material: Application Access Token), T1114.003 (Email Collection: Email Forwarding Rule), T1098.005 (Account Manipulation: Device Registration), T1534 (Internal Spearphishing).

Compliance mapping

NIST CSF: RS.AN-1 (Investigations are conducted), RS.AN-2 (The impact of the incident is understood), RS.MI-1 (Incidents are contained), RS.MI-2 (Incidents are mitigated). ISO 27001: A.5.24 (Information security incident management planning), A.5.25 (Assessment and decision on information security events), A.5.26 (Response to information security incidents). SOC 2: CC7.3 (The entity evaluates security events to determine whether they constitute security incidents), CC7.4 (The entity responds to identified security incidents).

How this module is structured

12.1 — Understanding AiTM Attack Mechanics. How AiTM proxies work, why MFA does not protect against them, the complete attack chain from phishing email to data exfiltration.

12.2 — Incident Briefing: INC-2026-0227-001. The scenario setup: what triggered the investigation, the initial alert, the timeline, and the five attack waves.

12.3 — Investigation Setup and Scoping. Establishing the investigation workspace, identifying data sources, and running initial scoping queries.

12.4 — Email Analysis: Tracing the Phishing Campaign. Identifying the phishing emails, analysing URLs and sender infrastructure, determining which users clicked.

12.5 — Sign-In Log Investigation. Analysing sign-in events to identify compromised accounts, attacker IPs, and the token replay pattern.

12.6 — Post-Compromise Activity Assessment. What the attacker did after gaining access: inbox rules, mail forwarding, email reading, internal phishing.

12.7 — Containment. Revoking tokens, resetting passwords, blocking attacker infrastructure. Blast radius and rollback for each action.

12.8 — Eradication. Removing inbox rules, mail forwarding, OAuth app consents, and device registrations created by the attacker.

12.9 — Campaign Tracking Across Waves. Correlating infrastructure and TTPs across five attack waves to build the campaign picture.

12.10 — Scope Assessment: Who Else Was Hit? Determining the full blast radius — every user who clicked, every account compromised, every mailbox accessed.

12.11 — CISO Report. Writing the executive incident report using the IR report template artifact.

12.12 — Hardening Recommendations. Post-incident security improvements with blast radius, cost, rollback, and GRC mapping for each.

12.13 — Detection Engineering. Converting investigation findings into 8 permanent analytics rules.

12.14 — Lessons Learned and Post-Incident Review. Structured PIR with timeline, detection assessment, response assessment, and action items.

12.15 — Module Assessment. 20 scenario-based questions testing investigation decisions, not recall.
