Adversary-in-the-middle kits steal the session token after MFA succeeds, then replay it from somewhere else. Here is how the replay actually looks in your sign-in logs, why token protection only half-closes the gap, and where it maps to 800-53.
When MFA held and the attacker still got in, the evidence lives in session token reuse, not failed logins. A defender’s view of reconstructing a stolen-session timeline in Entra ID — what survives, what to query, and where the false positives come from.
System-preferred authentication is moving to the first factor, the password prompt is about to vanish for passkey holders, and break-glass accounts are not exempt from mandatory MFA. Here’s what that actually changes for Entra defenders and home users.
Chinese state actors have been inside major U.S. carrier networks for months to years. Here is what enterprise defenders should actually do about it — detection logic, SIEM specifics, and the control updates that matter.
Continuous Access Evaluation and Device Bound Session Credentials closed some of the AitM gap, but session token theft against Entra ID is still the dominant identity attack and most of the detection burden still falls on the SOC. Here is the shape of the problem and where the first round of tuning has to land.
A Nightwing contractor with CISA access kept a public GitHub repository called Private-CISA from November 13, 2025 to May 15, 2026 — 184 days of admin credentials to three AWS GovCloud accounts, Entra ID SAML certificates, Artifactory tokens, plaintext passwords in CSV, and the Landing Zone DevSecOps configuration for the agency tasked with everyone else’s vulnerability hygiene. The leak is bad. The thing that should worry defenders more is that the AWS keys remained valid for 48 hours after CISA was notified.
Device Bound Session Credentials are landing in Chrome and Edge, but the gap between the protocol promise and what your SIEM sees is wider than the vendor decks suggest. A defender-oriented look at what detection actually requires right now.
A defender-focused analysis of how APT29-aligned and Storm-2372-style intrusion sets are abusing device authorization grants and long-lived OAuth consent in Entra ID through 2026 — what to detect, what to revoke, and where it maps to 800-53.
Agentic AI breaks the assumptions baked into service accounts and long-lived API keys. Here is what an honest non-human identity model looks like when an LLM is the principal making the call.
RMF Control IA-5: Authenticator Management requires organizations to select, implement, and manage authenticators to verify the identity of users attempting to access information systems or data. Supplemental Guidance The Risk Management Framework (RMF) is a cybersecurity framework that provides a process for managing cybersecurity risk to systems and organizations. RMF Control IA-5: Authenticator Management is …
