§ Category

IR

Cyber Tools

Operation Saffron and the End of First VPN: Pre-Positioning Was the Whole Move

First VPN — 1vpns.com, twelve years old, 5,000 accounts, the bulletproof VPN that ‘wouldn’t fall under any jurisdiction’ — is offline as of May 20. The story isn’t the seizure. It’s that Europol was already inside the infrastructure before the takedown, walking out with the user database. That changes the threat model for every successor service still running.

·
Cyber Tools

ClickFix Detection Without the Fairy Tale

ClickFix initial access has been pasting PowerShell into RunMRU for two years and most detection content still treats it like a primer. Here is what the telemetry actually looks like, what tunes out, and where teams keep getting it wrong.

·
IR

IR-5: Incident Monitoring

RMF Control IR-5: Incident Monitoring requires organizations to track and document information system security incidents. This includes identifying incidents, assessing their impact, and taking steps to mitigate the impact and prevent future incidents. Supplemental Guidance: The Risk Management Framework (RMF) is a cybersecurity framework that provides a process for managing cybersecurity risk to systems and …
