You have completed a full AiTM credential phishing investigation — from first alert to lessons learned. This assessment tests your understanding across the entire investigation lifecycle.
Module 13 — Final assessment (15 questions)
1. What is the fundamental mechanism that allows AiTM to defeat MFA?
AiTM disables MFA
AiTM brute-forces the MFA code
AiTM proxies the entire authentication flow and captures the session token after MFA is legitimately completed by the user
The user completes a legitimate MFA challenge through the proxy. The token returned by Microsoft contains the MFA claim. The attacker replays this token — Azure AD sees valid MFA and allows access.
2. Which KQL table is the primary source for detecting token replay?
SigninLogs
AADNonInteractiveUserSignInLogs
SecurityAlert
Token replay uses stolen refresh tokens that generate non-interactive sign-in events. The attacker never visits a login page — they present the token directly to the token endpoint.
3. What is the first containment action when token replay is confirmed?
Revoke all sessions — this invalidates the stolen token immediately
Reset the password
Remove inbox rules
Session revocation is instant and stops the active session. Password reset prevents re-entry but does not invalidate the current token. Always revoke first to stop the active threat, then close the backup paths.
4. The phishing URL was clean at delivery but flagged 23 minutes later. Why?
The phishing kit used a Cloudflare Turnstile CAPTCHA that blocked automated URL scanners. Only human visitors reached the proxy. The URL was reclassified when Microsoft threat intelligence updated.
The URL was not yet active at delivery
Safe Links was disabled
Anti-analysis CAPTCHAs are a key feature of modern AiTM kits. Automated scanners see the CAPTCHA page and classify the URL as benign. Human visitors solve the CAPTCHA and reach the proxy. This creates the delay between delivery and detection.
5. Why is the URL path pattern /auth/[hash]/login more valuable than the phishing domain as an IOC?
Domains are always the same
URL paths are longer
Domains are disposable and change per wave. The URL path is generated by the phishing kit code and remains consistent across all domains — it identifies the kit, not the infrastructure.
IOC durability is inversely related to how easily the attacker can change it. Domains cost a few pounds to register. Changing the kit's URL structure requires development work. Detect the kit, not the domain.
6. Which conditional access policy would have prevented the entire attack?
Require MFA for all users
Require compliant device — the attacker's unmanaged device fails compliance regardless of the token's MFA claim
Block sign-ins from Nigeria
The MFA claim is already inside the stolen token. Location blocking is evadable. Device compliance checks the physical device — the attacker's machine is not enrolled in Intune, so it fails compliance regardless of the token.
7. What is the purpose of checking OAuth grants during post-compromise analysis?
OAuth grants persist beyond session revocation and password reset. A malicious app with mailbox permissions retains access independently of the user's authentication state.
OAuth grants are always malicious
Microsoft requires it
OAuth grants are application-level permissions that survive user-level containment. If the attacker granted a malicious app Mail.Read access, that app reads email silently even after you revoke sessions, reset the password, and re-register MFA.
8. The attacker read 34 financial emails. What type of follow-on attack were they preparing?
Business email compromise — gathering intelligence on payment processes, vendor names, and invoice formats to craft a convincing financial fraud email
Ransomware deployment
Data sale on the dark web
Financial reconnaissance is the hallmark of BEC preparation. Understanding payment workflows, vendor relationships, and invoice formats enables fraud emails that are nearly indistinguishable from legitimate correspondence.
9. Why contact the user by phone rather than email after containment?
Email is too slow
The user might ignore an email
The attacker had mailbox access. If there is forwarding you missed, or if the inbox rule is still processing, an email notification could be intercepted. Phone is the only channel the attacker cannot compromise.
Operational security during containment means using communication channels the attacker cannot access. Phone calls to verified numbers are outside the attacker's reach. Email, Teams, and chat all transit through the compromised M365 environment.
10. Detection improved from 23 minutes (Wave 1) to pre-delivery blocking (Waves 4-5). What drove this progression?
Microsoft automatically updated their detections
Each wave produced IOCs and patterns that were converted into progressively faster detections: ZAP (reactive) to NRT rule (near-real-time) to transport rule (preventive block)
Users stopped clicking
Detection maturity is built during the incident. Each wave provides data that improves detection for the next. The analyst's job is not just to contain — it is to convert each wave's intelligence into faster, more reliable detection.
11. FIDO2 stops AiTM but authenticator app push does not. What is the fundamental difference?
FIDO2 is hardware-based
FIDO2 uses biometrics
FIDO2 cryptographically verifies the server domain — a proxy on a different domain cannot complete the handshake. Authenticator push has no domain verification.
Domain binding is the key. FIDO2 includes the server's domain in the cryptographic challenge. A proxy on phishing-domain.com cannot present a valid challenge for login.microsoftonline.com. Push notifications and OTP codes have no concept of which domain requested them.
12. In the CISO report, why must recommendations include effort and timeline in addition to priority?
A recommendation without effort is a wish list. The CISO needs to know what can be done in a week versus what requires a 6-month project, and what costs £0 (config change) versus £40,000 (hardware for all users).
It makes the report longer
Auditors require it
Actionable recommendations enable decisions. Priority tells the CISO what matters most. Effort tells them what is realistic. Timeline tells them when to expect it. Cost tells them what to budget. Without all four, the recommendation cannot be approved or planned.
13. The device compliance policy was on the security roadmap for 6 months but was not implemented. What is the organisational lesson?
The security team was understaffed
The policy was not important enough
Known gaps that are not remediated are accepted risks. Someone should be explicitly accepting them. A process requiring risk acceptance sign-off for overdue roadmap items creates accountability.
Accountability closes the gap between knowing about a risk and acting on it. If delay requires explicit sign-off, the decision-maker consciously accepts the residual risk rather than letting items silently age on a backlog.
14. You find successful non-interactive sign-ins from the attacker IP 20 minutes after revoking all sessions. What is the most likely cause?
Token revocation takes 20 minutes
The query is delayed
A persistence mechanism was missed — likely an OAuth grant, a delegate mailbox permission, or a second compromised account. Escalate immediately and expand scope.
Continued access after full containment means a gap in your containment scope. The most common causes are OAuth grants (which survive session revocation), delegate mailbox access (which survives password reset), or a second compromised account used as a pivot.
15. What should every investigation produce at minimum, beyond the incident report?
At least one new detection rule — converting the investigation's IOCs and patterns into automated detection that catches the same attack pattern in the future
A blog post
A penetration test
Every investigation is a detection engineering opportunity. The IOCs, attack patterns, and query logic you used during investigation become the scheduled detection rules that catch similar attacks automatically. An investigation that does not produce at least one new rule is a missed opportunity.