PhishU

Requiring pre-registered authentication mechanisms seems like a logical security enhancement and I'm hoping it cuts down on the password reset abuse we've been seeing a lot of lately. Now to get to work on cloning the registration page. 😅 "Microsoft is making a major change to Entra ID authentication" - Neowin https://lnkd.in/gxBkrrFM

Device Bound Session Credentials (DBSC) are a big win for account security. They make stolen cookies harder to replay from another device, which directly hurts infostealers, exposed session logs, leaked headers, and other cookie-theft paths (think XSS -> third-party). That is worth praising, but DBSC is not a phishing fix. This is often conflated in the community. In Adversary-in-the-Middle (AiTM) phishing, the victim’s real browser remains active in the session path, which means the bound device is still present during the attack. DBSC helps with stolen cookie replay elsewhere. It does not stop a live phishing proxy like what we use in the Framework, where the proxy IS the device that's replaying the sessions. The real defensive lesson is stack alignment: Use DBSC to reduce stolen-cookie replay risk. Use phishing-resistant MFA. Enforce phishing-resistant authentication at the policy layer. Test the whole path under realistic conditions. We wrote a short breakdown on where DBSC helps, where it does not, and why defenders should be excited without overclaiming what it solves. https://lnkd.in/grt_vmEa #DBSC #DeviceBoundSessionCredentials #Phishing #Cybersecurity #SessionHijacking #AiTM #MFA #IdentitySecurity #GoogleWorkspace #SecurityAwareness

It's cool to scroll security news and come across my own technique! I also noticed it on the SANS Internet Storm Center podcast this morning. 😄

😁🤗🥳 https://lnkd.in/gT4nA-E5 #VaultJacking #SisforSpearPhishing

PhishU's #VaultJacking attack technique research is getting picked up my major Cybersecurity news outlets! 👏

I've been getting a lot of questions from concerned individuals about the recent #Kali365 hype. My response is, the advanced spear-phishing tools will continue to be deployed rapidly with AI development, building off of previous kits. New techniques are being explored more rapidly and executed end-to-end without much delay now. That being said, Kali365 is no more scary than EvilTokens, or even custom Evilnginx phishlets before that. They're just tools that attackers have to more easily target security weaknesses, a tale as old as time. What can we do to protect ourselves, specifically? Most of these tools take advantage of gaps that can easily be buttoned up with hardened authentication policies. Your phishing simulator and awareness training tool(s) should be doing the hard work of keeping up with current techniques in order to train users to spot modern attacks and actively test the policies you have in place. If they aren't, it's time to consider something else. Please reach out to me if you have any questions, I'm always happy to help if I can. Also feel free to comment here or ask questions. Anyone want a free Spear Phishing book? Willing to sign and send out a few! #SisforSpearPhishing

Hey all! If I've been quiet (for me) it's because I've been hard at work on a NEW phishing technique I'm excited to share. I'm calling it "#Vaultjacking" and the impact is honestly a bit sobering. In my blog I demonstrate how a single AiTM landing page can spoof your Google passkey/password manager PIN and use that to access ALL of a victim's third-party credentials (yes, including passkeys). A simple phish on one site can lead to a total compromise of all Chrome-saved credentials. 😬 As always, I'm sharing for awareness and will include in my forever-free training in the PhishU Framework. https://lnkd.in/gF63wEpY #SisforSpearPhishing #VisforVaultJacking

Most phishing tools refuse to test the most realistic attacker move: spoofing the customer's own domain. The reason is structural. If a platform's egress could forge any From: header, it would be open spam infrastructure. So every commercial tool restricts senders to a verified pool. That keeps the platform safe. It also keeps it blind to supplier-impersonation, the most common social-engineering pattern of the last decade. The PhishU Framework now closes that gap. Recon automatically scores every target domain for SPF, DMARC, DKIM, and the receiver-side mail gateway (Proofpoint, Mimecast, Barracuda, Cisco, Trend Micro, Sophos). When a domain's published authentication is weak enough that a real attacker would land mail, the domain appears as a sender option in the existing Email Settings dropdown. Operators pick it from a menu. The Framework handles relay selection, egress, mail capture, per-recipient training, and a graphical Email Security Posture Report Card in every customer report. The report card includes the exact DNS records the customer should publish. No SMTP config. No DNS work. No separate workflow. Two outputs from one engagement: a phishing test that closes the supplier-impersonation realism gap every other platform leaves open, and a per-domain posture review with verbatim remediation. Read the deep-dive: https://lnkd.in/gvXgUmq3 #Phishing #EmailSecurity #DMARC #BEC #RedTeam #Cybersecurity #InfoSec #SocialEngineering

Another article about Device Code OAuth Consent phishing. Please reach out if you have any questions about how to test your current defenses, employee training, and patch up policy gaps! https://PhishU.net #SisforSpearPhishing #PhishU