PhishPond: Phishing Tradecraft Intelligence

Attack · Detection · Validation

Campaign · Tradecraft · Infrastructure · Detection · Research · Radar · Newsroom · About · Subscribe

Research Desk

PhishPond

Phishing tradecraft research desk covering campaign analysis, adversary infrastructure, detection engineering, and validation workflows.

High signal for security teams who need tradecraft, not recycled filler.

© 2026 PhishPond. Authorized security research use only.

Tag: #Detection Engineering

9 articles tagged Detection Engineering, spanning campaign analysis, detection engineering, and defender tradecraft.

Field Analysis

Blue Team · Infrastructure Intelligence · Jun 12, 2026 · 13 min read

Trusted Notification Systems Are Becoming Phishing Delivery

Scammers abusing a real Microsoft account-alert sender are part of a wider pattern: attackers are turning legitimate SaaS notification workflows into authenticated phishing infrastructure.

Read more: TechCrunch, Abnormal AI

By PhishPond Desk

  • #Infrastructure Intelligence
  • #Microsoft 365
  • #Trusted Sender Abuse

Field Analysis

Dual Use · Tradecraft Labs · Jun 7, 2026 · 11 min read

The Step After the Click: Five Persistence Primitives That Survive Your Response

Mailbox rules, OAuth grants, replayed sessions, RMM agents, and downstream account changes are not the aftermath of an intrusion — they are the point. A field guide to the persistence layer most response playbooks still treat as cleanup.

Read more: FBI IC3, The Hacker News

By PhishPond Desk

  • #Tradecraft Labs
  • #Persistence
  • #Post-Compromise

Field Analysis

Dual Use · Tradecraft Labs · Jun 7, 2026 · 8 min read

The Procedure Is the Threat: Why an Intrusion's Shape Outlives Its Toolkit

Runtimes, platforms, and brands rotate every quarter. The six handoffs that move a victim from manufactured urgency to durable persistence have barely changed in five years, and they are what defenders can actually build for.

Read more: FBI IC3, Microsoft Security Blog

By PhishPond Desk

  • #Tradecraft Labs
  • #Methodology
  • #Initial Access

Field Analysis

Blue Team · Research Reports · May 20, 2026 · 9 min read

Research Note: Measuring AI-Generated Phishing Without the Survey Noise

Vendor headlines about AI phishing blend volume, effectiveness, and survey sentiment into single numbers. Defenders need to separate those measurements to instrument the threat honestly.

Read more: Hoxhunt, Barracuda

By PhishPond Desk

  • #Research
  • #AI Phishing
  • #Detection Engineering

Field Analysis

Blue Team · Detection & Validation · May 6, 2026 · 8 min read

Detect OAuth Abuse by Watching What Apps Do After Consent

A static permission review cannot catch a trusted integration whose token is later stolen or whose behavior changes.

Read more: The Hacker News, Microsoft Learn

By PhishPond Desk

  • #OAuth
  • #Detection Engineering
  • #API Security

Field Analysis

Blue Team · Tradecraft Labs · May 1, 2026 · 11 min read

Device Code Phishing: A Walkthrough and Detection Playbook

Device code phishing turns a legitimate OAuth flow into a credential-free token theft technique. Here is how it runs end-to-end and what defenders can hunt on in Sentinel and Defender XDR.

Read more: Microsoft Security Blog, IETF

By PhishPond Desk

  • #Device Code
  • #OAuth
  • #Identity
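
How the device authorization grant (RFC 8628) hands an attacker a token when only the victim ever authenticates, as an added simulation that is not the article's walkthrough or Microsoft's endpoints. The authorization server is a constructed stand-in; the client id, user principal names and IP addresses are made-up values, and the `approval_and_issue_ips` hunt primitive is this example's own, not a Sentinel or Defender XDR query.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) as a
phisher runs it: the attacker starts the flow and polls the token endpoint,
the victim only types a short code into a genuine IdP page, and the token
lands with the attacker. Constructed stand-in, not a real IdP."""
import secrets
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # RFC 8628 recommends a small, unambiguous set

@dataclass
class DeviceSession:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    expires_at: float
    interval: int = 5
    last_poll: Optional[float] = None
    approved_by: Optional[str] = None   # set once a human completes the flow
    token_issued: bool = False

class FakeClock:
    """Deterministic clock so the simulation runs the same way every time."""
    def __init__(self, start=1000.0): self.t = start
    def now(self): return self.t
    def advance(self, seconds): self.t += seconds

class AuthorizationServer:
    """Minimal stand-in for an IdP's device_authorization and token endpoints."""
    def __init__(self, clock):
        self.clock = clock
        self.sessions = {}       # device_code -> DeviceSession
        self.by_user_code = {}   # user_code   -> DeviceSession
        self.audit = []          # what a sign-in log would record

    def device_authorization(self, client_id, scope, lifetime=900):
        s = DeviceSession(secrets.token_urlsafe(32),
                          "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8)),
                          client_id, scope, self.clock.now() + lifetime)
        self.sessions[s.device_code] = s
        self.by_user_code[s.user_code] = s
        return {"device_code": s.device_code, "user_code": s.user_code,
                "verification_uri": "https://idp.example/device", "interval": s.interval}

    def user_approves(self, user_code, upn, ip):
        """The victim enters the code and authenticates normally (MFA included).
        The server learns who completed the flow, never who started it."""
        s = self.by_user_code.get(user_code.upper())
        if s is None or self.clock.now() > s.expires_at:
            return "invalid_or_expired_code"
        s.approved_by = upn
        self.audit.append({"event": "device_code_approved", "upn": upn, "ip": ip,
                           "client_id": s.client_id})
        return "approved"

    def token(self, device_code, client_id, caller_ip):
        """Polled by whoever holds device_code; in a phish that is the attacker."""
        s = self.sessions.get(device_code)
        if s is None or s.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.now()
        if now > s.expires_at:
            return {"error": "expired_token"}
        if s.last_poll is not None and now - s.last_poll < s.interval:
            return {"error": "slow_down"}
        s.last_poll = now
        if s.approved_by is None:
            return {"error": "authorization_pending"}
        if s.token_issued:
            return {"error": "invalid_grant"}      # a device_code is single-use
        s.token_issued = True
        self.audit.append({"event": "token_issued", "upn": s.approved_by, "ip": caller_ip,
                           "client_id": client_id})
        return {"access_token": secrets.token_urlsafe(16), "subject": s.approved_by, "scope": s.scope}

def run_phish(victim_upn="alice@example.com", victim_ip="203.0.113.7", attacker_ip="198.51.100.9"):
    """End-to-end run: attacker initiates, victim approves, attacker collects."""
    clock = FakeClock()
    idp = AuthorizationServer(clock)
    client_id = "constructed-first-party-client-id"   # attacker picks a client the tenant trusts
    start = idp.device_authorization(client_id, "openid offline_access Mail.Read")
    pending = idp.token(start["device_code"], client_id, attacker_ip)  # lure not yet acted on
    clock.advance(60)                                                  # victim types user_code
    verdict = idp.user_approves(start["user_code"], victim_upn, victim_ip)
    clock.advance(start["interval"])
    token = idp.token(start["device_code"], client_id, attacker_ip)    # attacker's next poll wins
    clock.advance(start["interval"])
    replay = idp.token(start["device_code"], client_id, attacker_ip)   # the code cannot be reused
    return {"pending": pending, "verdict": verdict, "token": token, "replay": replay,
            "audit": idp.audit}

def approval_and_issue_ips(audit):
    """Hunt primitive: pair the IP that approved a device-code sign-in with the IP
    that collected the token for the same account. A mismatch is the tell."""
    approved = {a["upn"]: a["ip"] for a in audit if a["event"] == "device_code_approved"}
    return [(a["upn"], approved.get(a["upn"]), a["ip"]) for a in audit if a["event"] == "token_issued"]

if __name__ == "__main__":
    result = run_phish()
    print(result["token"])
    print(approval_and_issue_ips(result["audit"]))
```

The point the simulation makes concrete: the victim's password and MFA are consumed by the genuine IdP, the attacker's client never sees them, and the only record that ties the two parties together is that the approval and the token collection came from different places. In a real tenant the equivalent pivot is the sign-in record's authentication protocol field (device code) joined against where the resulting token was used.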

Field Analysis

Blue Team · Detection & Validation · Apr 29, 2026 · 14 min read

Detecting AitM Reverse Proxies: TLS Fingerprints, Cookie Artifacts, and Page-Side Tells

AitM kits proxy a real identity provider page, so brand and URL checks fail. The detectable artifacts live one layer down - in TLS handshake fingerprints, in the cookies the proxy must rewrite, and in the small page-side tells that betray the relay.

Read more: Sekoia, Microsoft Threat Intelligence

By PhishPond Desk

  • #AitM
  • #Detection Engineering
  • #TLS
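
Two of the artifacts the teaser names, worked as an added example that is not the article's tooling: a JA3-style fingerprint of the TLS stack presenting a session cookie, and the cookie `Domain` attribute a relay must rewrite or drop so the victim's browser will store it. Every ClientHello, header and event below is constructed; the two fingerprints are not real browser or kit values, the IdP domain `login.idp.example` is made up, and the event tuples stand in for what an IdP's own session log would hold.

```python
"""AitM artifacts one layer below the URL: the TLS client fingerprint of whoever
presents a session cookie, and the Set-Cookie Domain a relay has to rewrite.
Constructed illustration; ClientHello fields, headers and events are made up."""
import hashlib
from collections import defaultdict
from http.cookies import SimpleCookie

# TLS GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ..., 0xfafa), which JA3 drops before hashing.
GREASE = {x * 0x1010 + 0x0A0A for x in range(16)}

def ja3(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 string (version,ciphers,extensions,curves,formats) and its MD5."""
    keep = lambda xs: "-".join(str(x) for x in xs if x not in GREASE)
    s = ",".join([str(version), keep(ciphers), keep(extensions), keep(curves),
                  "-".join(str(p) for p in point_formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

# Constructed ClientHellos: a GREASE-emitting browser and a relay's non-browser TLS stack.
BROWSER_JA3 = ja3(771, [0x0A0A, 4865, 4866, 4867, 49195], [0x1A1A, 0, 23, 65281, 10, 11],
                  [0x2A2A, 29, 23, 24], [0])[1]
RELAY_JA3 = ja3(771, [4865, 4866, 4867, 49199, 49200], [0, 5, 10, 11, 13, 43, 51],
                [29, 23, 24, 25], [0])[1]

# Constructed IdP-side session events: (session_cookie_id, event, ja3_md5, client_ip)
SESSION_EVENTS = [
    ("sess-A", "auth",    BROWSER_JA3, "203.0.113.7"),   # ordinary user, same stack throughout
    ("sess-A", "request", BROWSER_JA3, "203.0.113.7"),
    ("sess-B", "auth",    RELAY_JA3,   "198.51.100.9"),  # victim authenticated through the relay
    ("sess-B", "request", RELAY_JA3,   "198.51.100.9"),
    ("sess-B", "request", BROWSER_JA3, "192.0.2.44"),    # cookie replayed from the operator's browser
]

def find_replayed_sessions(events, browser_fingerprints):
    """Flag sessions whose cookie is later presented from a different TLS stack or IP
    than the one that authenticated, and sessions authenticated by a non-browser stack."""
    issued = {}
    findings = defaultdict(list)
    for sid, ev, fp, ip in events:
        if ev == "auth":
            issued[sid] = (fp, ip)
            if fp not in browser_fingerprints:
                findings[sid].append(f"auth from non-browser TLS stack {fp[:8]}")
            continue
        if sid not in issued:
            findings[sid].append("cookie used with no recorded auth")
            continue
        fp0, ip0 = issued[sid]
        if fp != fp0:
            findings[sid].append(f"ja3 changed {fp0[:8]} -> {fp[:8]}")
        if ip != ip0:
            findings[sid].append(f"ip changed {ip0} -> {ip}")
    return dict(findings)

def cookie_domain_tell(set_cookie_header, idp_domain):
    """Compare a captured Set-Cookie against the IdP's real cookie domain. A relay serving
    the page from its own host must rewrite or drop Domain, or the browser rejects the cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    tells = []
    for name, morsel in jar.items():
        dom = morsel["domain"].lstrip(".").lower()
        if not dom:
            tells.append(f"{name}: host-only cookie (Domain dropped)")
        elif dom != idp_domain and not dom.endswith("." + idp_domain):
            tells.append(f"{name}: Domain={dom}, expected {idp_domain}")
    return tells

if __name__ == "__main__":
    print(find_replayed_sessions(SESSION_EVENTS, {BROWSER_JA3}))
    print(cookie_domain_tell("ESTSAUTH=opaque; Domain=login-idp-example.net; Path=/; Secure; HttpOnly",
                             "login.idp.example"))
```

The fingerprint check only works with a baseline of what the organisation's real browsers look like, and it degrades as kits adopt browser-impersonating TLS libraries; the cookie check is the more durable of the two because the rewrite is structural, not cosmetic. The host-only case is flagged separately because some legitimate IdP cookies are host-only by design, so it is a weaker signal than an outright domain mismatch.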

Field Analysis

Blue Team · Campaign Analysis · Apr 15, 2026 · 9 min read

ClickFix and Fake-CAPTCHA Paste-and-Run: From 2024 Variant to 2026 Default Stage-One

What started as a niche fake-CAPTCHA gimmick became one of 2026's most common stage-one execution pivots. This is what defenders are seeing in telemetry and what the response patterns look like.

Read more: Microsoft Threat Intelligence, Proofpoint

By PhishPond Desk

  • #ClickFix
  • #Threat Trends
  • #Detection Engineering

Field Analysis

Blue Team · Detection & Validation · Apr 10, 2026 · 10 min read

Detection Engineering Notes: Building Better Phish Triage Signals

Detection teams are reducing alert fatigue by combining message artifacts with identity and endpoint context in tiered scoring pipelines.

Read more: Microsoft Security Blog, CISA

By PhishPond Desk

  • #Detection Engineering
  • #SOC
  • #Telemetry
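
A tiered scoring pipeline of the kind the teaser describes, as an added example that is not the article's own pipeline or any vendor's product. Message artifacts are scored first, identity context is pulled only for messages that clear the first bar, and endpoint context only where the recipient actually clicked, so the expensive joins run on a small fraction of mail. The weights, thresholds, brand list, process names and every sample event are constructed assumptions to tune against your own telemetry.

```python
"""Tiered phish-triage scoring over constructed message, click, sign-in and
endpoint events. Weights and thresholds are illustrative, not recommended values."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WEIGHTS = {"dmarc_fail": 30, "spf_fail": 10, "dkim_fail": 10, "reply_to_mismatch": 15,
           "first_seen_sender": 10, "lookalike_url": 25,
           "signin_anomaly_after_click": 40, "mail_client_spawned_script": 40}
ENRICH_MIN, INCIDENT_MIN = 40, 80                  # score to enrich / to open an incident
PROTECTED_BRANDS = {"microsoft", "okta", "docusign"}  # constructed watch-list
BRAND_OWNED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "okta.com", "docusign.com")
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cmd.exe"}

@dataclass
class Message:
    msg_id: str
    recipient: str
    spf: str
    dkim: str
    dmarc: str
    url_hosts: List[str]
    reply_to_mismatch: bool
    first_seen_sender: bool

def looks_like_brand(host: str) -> bool:
    """Cheap lookalike test: normalise common substitutions in the first label and
    look for a protected brand, ignoring hosts the brand actually owns."""
    host = host.lower()
    if any(host == s or host.endswith("." + s) for s in BRAND_OWNED_SUFFIXES):
        return False
    label = host.split(".")[0].replace("0", "o").replace("1", "l").replace("rn", "m")
    return any(b in label for b in PROTECTED_BRANDS)

def score_message(m: Message) -> List[str]:
    """Tier 1: artifacts available from the message alone."""
    hits = []
    if m.dmarc == "fail": hits.append("dmarc_fail")
    if m.spf == "fail": hits.append("spf_fail")
    if m.dkim == "fail": hits.append("dkim_fail")
    if m.reply_to_mismatch: hits.append("reply_to_mismatch")
    if m.first_seen_sender: hits.append("first_seen_sender")
    if any(looks_like_brand(h) for h in m.url_hosts): hits.append("lookalike_url")
    return hits

def identity_context(m, clicks, signins, window=3600) -> Tuple[Optional[int], Optional[str]]:
    """Tier 2: first click on this message by its recipient, plus any anomalous
    sign-in for that account within `window` seconds afterwards."""
    ts = [c["ts"] for c in clicks if c["msg_id"] == m.msg_id and c["upn"] == m.recipient]
    if not ts:
        return None, None
    t0 = min(ts)
    for s in signins:
        if (s["upn"] == m.recipient and t0 <= s["ts"] <= t0 + window
                and (s["new_device"] or s["country"] != s["home_country"])):
            return t0, "signin_anomaly_after_click"
    return t0, None

def endpoint_context(m, click_ts, events, window=1800) -> Optional[str]:
    """Tier 3: a mail client spawning a script host for the recipient after the click."""
    for e in events:
        if (e["user"] == m.recipient and click_ts <= e["ts"] <= click_ts + window
                and e["parent"] in MAIL_CLIENTS and e["child"] in SCRIPT_HOSTS):
            return "mail_client_spawned_script"
    return None

def triage(messages, clicks, signins, endpoint_events):
    """Run the tiers in order; each tier only runs for messages that earned it."""
    out = []
    for m in messages:
        hits, tier = score_message(m), 1
        if sum(WEIGHTS[h] for h in hits) >= ENRICH_MIN:
            tier = 2
            click_ts, hit = identity_context(m, clicks, signins)
            if hit: hits.append(hit)
            if click_ts is not None:
                tier = 3
                hit = endpoint_context(m, click_ts, endpoint_events)
                if hit: hits.append(hit)
        score = sum(WEIGHTS[h] for h in hits)
        verdict = ("incident" if score >= INCIDENT_MIN
                   else "analyst_review" if score >= ENRICH_MIN else "auto_close")
        out.append({"msg_id": m.msg_id, "tier": tier, "score": score, "hits": hits, "verdict": verdict})
    return out

# Constructed sample telemetry; timestamps are arbitrary epoch seconds.
MESSAGES = [
    Message("m1", "bob@example.com", "pass", "pass", "pass", ["news.vendor.example"], False, False),
    Message("m2", "bob@example.com", "pass", "pass", "fail", ["rnicros0ft-login.example"], True, False),
    Message("m3", "alice@example.com", "fail", "pass", "fail", ["okta-verify.example"], False, True),
]
CLICKS = [{"msg_id": "m3", "upn": "alice@example.com", "ts": 1000}]
SIGNINS = [
    {"upn": "alice@example.com", "ts": 1500, "country": "NL", "home_country": "NL", "new_device": True},
    {"upn": "bob@example.com", "ts": 1600, "country": "NL", "home_country": "NL", "new_device": False},
]
ENDPOINT = [{"user": "alice@example.com", "ts": 1200, "parent": "outlook.exe", "child": "powershell.exe"}]

if __name__ == "__main__":
    for r in triage(MESSAGES, CLICKS, SIGNINS, ENDPOINT):
        print(r)
```

Of the three constructed messages, the clean newsletter never leaves tier 1, the lookalike with a failing DMARC result reaches tier 2 but has no click and lands in analyst review, and the one the recipient clicked picks up both a new-device sign-in and an Outlook-to-PowerShell spawn and is opened as an incident. The tier field is worth keeping in the alert: it tells the analyst which context was actually consulted, which is the difference between "nothing found" and "nothing looked at".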

Browse Other Tags

#OAuth · #Identity · #Credential Theft · #Supply Chain · #AitM · #Campaign Analysis · #Infrastructure Intelligence · #MFA Bypass · #SaaS Security · #Tradecraft Labs · #ClickFix · #Initial Access