
Mission, Course Structure, and Who This Is For

2-3 hours · Module 0 · Free
What you already know

You work in or around Microsoft 365. You've seen the Defender portal and probably triaged some alerts. What you may not have done is trace an attack from first alert through containment across email, identity, endpoint, and cloud apps under time pressure.

Where training stops and operations begin

Most security training teaches you where the buttons are. Open this portal, click this blade, enable this feature, move on. You finish knowing what Defender for Endpoint does the same way you know what a fire extinguisher does. Conceptually.

Scenario

An AiTM phishing campaign lands in your tenant at 7 PM on a Friday. The attacker is creating inbox forwarding rules while you're still reading the first alert. You need to trace the attack across four Defender products in the next 45 minutes. You have never done that before. Nobody trained you to do it. The certification tested whether you know what alert correlation means. It never tested whether you can investigate one.

Between April 14 and 16, 2026, Microsoft's Defender Research team observed a single AiTM campaign that hit 35,000 users across 13,000 organizations in 26 countries. The attackers used fake "code of conduct" investigation emails to lure victims through a proxy that captured their authenticated session tokens. MFA was satisfied. The tokens were valid. The attacker walked into each compromised mailbox as the legitimate user. Ninety-two percent of targets were in the United States.

That campaign is three weeks old as of this writing. The phishing kits that powered it (Tycoon 2FA, Mamba 2FA, Evilginx) cost between $120 and $350 per month on underground markets. AiTM incidents surged 46% in 2025 according to Proofpoint, and Microsoft's own Digital Defense Report attributed 80% of MFA-bypass breaches to this attack pattern. These are not exotic nation-state techniques. They are commodity attacks available to anyone with a credit card and a weekend to spare.

The FBI's 2025 Internet Crime Report puts the financial picture in perspective. Business email compromise, which is the attack that typically follows AiTM account takeover, generated $3.05 billion in verified losses from just 24,768 complaints. Total cybercrime losses exceeded $20 billion for the first time, a 26% increase over the prior year. The average BEC wire transfer request was $24,586. A single Oregon city government lost $6 million in one BEC incident in April 2025.

None of these attacks required novel malware or zero-day exploits. They required a phishing email, a stolen session token, and a security team that could not investigate fast enough to stop what happened next.

THE GAP BETWEEN CERTIFICATION AND OPERATIONAL COMPETENCE

WHAT CERTIFICATION TEACHES
- Product names and portal locations
- Feature descriptions and configuration steps
- Multiple-choice answers about procedures
- Greenfield lab exercises on clean tenants
Necessary foundation — but not sufficient

WHAT OPERATIONS REQUIRES
- Cross-product investigation under time pressure
- KQL queries that find what the tools missed
- Decision-making when telemetry is ambiguous
- Detection engineering and IR documentation
Built through practice, not study

AVAILABLE EVERYWHERE: Microsoft Learn · SC-200 prep · vendor docs · video courses · boot camps · practice exams

THIS COURSE: 17 modules · 5 full investigations · your own tenant · detection rules + IR reports + hunting queries you keep

The gap is not information. The gap is operational experience under realistic conditions.

Figure 0.1 — Certification teaches what the tools do. Operations requires using them under pressure across ambiguous, multi-source investigations.

Mandiant's M-Trends 2026 report, published in March and based on over 500,000 hours of incident response work conducted in 2025, quantifies the problem from multiple angles. Global median dwell time rose to 14 days, up from 11 the prior year. That increase was driven by espionage campaigns and North Korean IT worker operations where dwell time reached 122 days, with some intrusions persisting undetected for over a year. Standard 90-day log retention policies leave organizations completely blind to intrusions at that timescale. Mandiant specifically called out BRICKSTORM, a campaign achieving nearly 400 days of persistence. If your Sentinel workspace retains logs for 90 days, an attacker with 400-day dwell time has been operating for 310 days with no evidence available.

The speed data tells a different story. In 2022, the median time between initial access and the handoff to a secondary threat group exceeded 8 hours. By 2025, that window collapsed to 22 seconds. Initial access brokers now deliver malware directly on behalf of ransomware operators through automated handoff pipelines. In some cases Mandiant characterized as "distribution cluster" behavior, the secondary group gained access in under 30 seconds through what appears to be fully automated tooling. The 22-second figure measures when the secondary group gains access, not when hands-on-keyboard activity begins, but the operational implication is clear: by the time a SOC analyst sees the first alert from the initial access, the secondary operator may already be inside.

Exploits remained the leading initial infection vector at 32%. Voice phishing climbed to 11%, making it the second most common entry point, a technique that barely registered two years ago. Stolen credentials accounted for 9%. Email phishing dropped to 6%, down from 22% in 2022. Attackers abandoned the technique because phishing filters improved, and moved to vectors where defenses are weaker. That adaptation is the part most organizations miss: the threat landscape shifts toward whatever your weakest point is, and it shifts faster than annual security reviews can track.

Internal detection reached 52% in 2025. Real improvement. But external notification dwell time jumped from 11 to 25 days, pulled up by long-dwell espionage campaigns where the security team had no visibility at all. When a third of breaches are still discovered by someone outside your organization, the gap is not in tooling. The SIEM is running. The alerts are firing. The gap is in the people operating the tools.

Five attacks you will investigate

Five attack types define the investigation work in this course. Each one targets the Microsoft 365 platform specifically, requires a different investigation methodology, and exercises different data sources across Defender XDR and Sentinel.

FIVE ATTACK TYPES — INVESTIGATION MODULES 12-16

M12: AiTM. Proxy captures token, MFA bypassed. Data sources: MDO + Entra + MDE. Scale: 10K+ attacks/month
M13: BEC. Financial fraud via compromised mailbox. Data sources: AuditLogs + Purview. Scale: $3B losses (2025)
M14: Token Replay. Stolen session persists after password reset. Data sources: SigninLogs + CAE. Scale: 80% of MFA bypasses
M15: OAuth Abuse. App consent survives password reset. Data sources: Graph API + MCAS. Scale: 340+ orgs (Q1 2026)
M16: Insider. Legitimate access, unauthorized purpose. Data sources: Purview + DLP. Note: covert investigation

EACH INVESTIGATION USES A DIFFERENT COMBINATION OF DATA SOURCES AND TECHNIQUES: SigninLogs · AuditLogs · EmailEvents · DeviceProcessEvents · CloudAppEvents · MailItemsAccessed · DLP alerts

Figure 0.1b — Five attack types across Modules 12-16. Each requires different data sources and investigation techniques.

AiTM credential phishing proxies the entire authentication flow through an attacker-controlled server, capturing both the credential and the session token. The attacker replays the token to access the account without triggering MFA. Microsoft reported over 10,000 AiTM attacks per month against its user base throughout 2025. The investigation challenge: every sign-in record shows "MFA satisfied" because MFA was satisfied, through the proxy. Defenders who filter alerts by MFA status miss the compromise entirely. Module 12 traces AiTM from the initial phishing email through token replay, mailbox access, and lateral movement across Defender for Office 365, Entra ID Protection, Defender for Endpoint, and Sentinel.

Business email compromise follows AiTM as the monetization phase. The attacker creates inbox rules to hide their activity, monitors financial conversations, and inserts themselves into payment threads. BEC generated $3.05 billion in verified losses in the United States in 2025 alone, making it the second-costliest cybercrime category behind investment fraud. A single successful wire diversion is typically unrecoverable. Module 13 covers BEC investigation, including the specific AuditLogs operations that reveal inbox rule manipulation and what to document for law enforcement referral through the FBI's Financial Fraud Kill Chain.
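The inbox-rule hiding pattern described above, as an added example that is not part of the course materials: a Python triage function over constructed records in the shape of Exchange Online entries from the Microsoft 365 unified audit log (an Operation plus a Parameters list of Name/Value pairs). It flags rules that forward mail outward, delete or hide matching mail, carry near-empty names, or key on financial terms. The user names and domains are constructed placeholders.

```python
import json
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history",
                "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance"}

def params_of(record):
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def suspicious_reasons(record):
    """Return why an inbox-rule audit record looks like BEC tradecraft (empty if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = params_of(record)
    reasons = []
    for name in sorted(FORWARD_PARAMS & p.keys()):  # mail leaves the mailbox
        reasons.append(f"forwards mail via {name}={p[name]}")
    if p.get("DeleteMessage", "").lower() == "true":  # victim never sees replies
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:  # parked where nobody looks
        reasons.append(f"hides mail in folder {p['MoveToFolder']!r}")
    if "Name" in p and len(p["Name"].strip()) <= 2:  # rules named "." or ".."
        reasons.append(f"near-empty rule name {p['Name']!r}")
    words = {w.strip().lower() for key in ("SubjectContainsWords", "BodyContainsWords")
             for w in p.get(key, "").split(";") if w.strip()}
    if words & FINANCE_WORDS:  # rule targets payment threads
        reasons.append("matches financial keywords " + ", ".join(sorted(words & FINANCE_WORDS)))
    return reasons

def triage(audit_json_lines):
    """Parse newline-delimited AuditData JSON; return (user, operation, reasons) for hits only."""
    hits = []
    for line in audit_json_lines.strip().splitlines():
        record = json.loads(line)
        reasons = suspicious_reasons(record)
        if reasons:
            hits.append((record["UserId"], record["Operation"], reasons))
    return hits

# Constructed sample records (not real tenant data) in unified-audit-log AuditData shape.
SAMPLE = """\
{"Operation":"New-InboxRule","UserId":"finance.user@contoso.example","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment"},{"Name":"ForwardTo","Value":"collector@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"ops.user@contoso.example","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"Operation":"Set-Mailbox","UserId":"admin@contoso.example","Parameters":[{"Name":"Identity","Value":"ops.user"}]}
"""
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only the first record is reported; the benign newsletter rule and the unrelated Set-Mailbox entry pass through untouched, which is the filtering a BEC investigation needs before reading each rule by hand.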

Token replay and session hijacking are the reason AiTM remains dangerous long after the phishing email is deleted. Stolen session tokens work from any device, any location, without triggering MFA. Default token lifetimes grant access for an hour, with refresh windows that extend it for days. The most common remediation failure: the security team resets the user's password and considers the incident contained. Password reset does not invalidate existing session tokens. The attacker keeps working. Token protection and Continuous Access Evaluation can reduce the exploitation window, but coverage is inconsistent across SaaS applications and legacy protocols, and tokens may still be replayed within evaluation windows before enforcement kicks in. Module 14 teaches token lifecycle tracing and the Conditional Access controls that limit reuse.

Consent phishing and OAuth abuse survive password resets entirely. The attacker tricks a user into granting an application permissions to read mail, read files, or send messages. Those permissions persist as long as the consent grant exists, independent of the user's password or MFA state. Changing the password does nothing. The OAuth device code phishing technique (RFC 8628 abuse) hit over 340 Microsoft 365 organizations in early 2026 according to the Cloud Security Alliance, and the EvilTokens Phishing-as-a-Service platform fully commoditized the technique by February. Module 15 covers tenant-wide consent auditing, the admin consent workflow, and the Graph API queries that enumerate every permission in your tenant.

Insider threat uses legitimate access for unauthorized purposes. Departing employees copying customer data. Contractors accessing files outside project scope. Administrators disabling audit logging before exfiltrating sensitive data. Insider investigations require Purview audit logs, DLP policy telemetry, and legal-compliant evidence preservation, and they require doing all of it covertly. Module 16 covers investigation methodology, HR and legal coordination, and evidence handling to employment law standards.

Course structure

Course Architecture

Phase 1 — Foundations (M0, M1): Course orientation, lab setup, and the Defender XDR unified portal. Both modules are free.

Phase 2 — Microsoft Security Stack (M2–M5): Defender for Endpoint, Purview, Defender for Cloud, and Security Copilot. Engineering-depth configuration with production deployment guidance.

Phase 3 — Sentinel Operations (M6–M11): KQL, workspace architecture, data connectors, Defender for Office 365, detection engineering, and threat hunting.

Phase 4 — Investigation Scenarios (M12–M16): Five complete investigations: AiTM, BEC, token replay, consent phishing, insider threat.

Module 6 (KQL) is the foundation. Every module after it writes KQL for investigation, detection, and hunting. Skip it and the analytics rules in Module 10 will not make sense because they are written in KQL. Follow the progression.

Every module produces artifacts you keep. Module 2 deploys ASR rules on your lab device. Module 6 produces KQL queries you will reuse for years. Module 10 deploys analytics rules that detect real attacks. Module 12 produces a complete AiTM investigation report with evidence chain, cross-product timeline, containment actions, executive summary, and hardening recommendations. Module 16 produces a covert insider investigation report with legally defensible evidence preservation. By the time you finish, your tenant is a working security operations platform with deployed protections, active detections, and documented investigation procedures. Those artifacts transfer directly to production environments. You built them. You understand why each configuration exists. You can defend every decision to a CISO who asks why.

Who benefits

SOC analysts doing alert triage: Phases 3 and 4 change how you investigate. You will stop treating alerts as isolated events and start tracing attack chains across products. After Module 12, when a sign-in alert fires with ConditionalAccessStatus "notApplied" and a SessionId that matches a known phishing proxy, you will know what that means and what to query next. Before Module 12, that alert gets closed as a false positive because MFA was satisfied.

Security engineers configuring Defender and Sentinel: Phase 2 and the detection engineering content in Modules 10 and 11 will change how you deploy protection. You will evaluate Content Hub template rules against your actual environment before enabling them, scope entity lists to your user population, and document your threshold decisions so the analyst working the night shift understands why a rule fires at five occurrences instead of three.

IT administrators who inherited security responsibility: Phase 1 meets you where you are. The course assumes you can navigate the M365 admin center and understand Azure AD (now Entra ID) user and group management. It does not assume you have ever investigated a security incident or written a KQL query. Module 6 teaches KQL from scratch, starting with the table structure and building to multi-table joins.

Incident responders adding cloud investigation to their skillset: Phases 3 and 4 give you M365-specific methodology. Cloud identity investigation operates on a different evidence model from endpoint forensics. There are no disk artifacts to image, no memory dumps to analyze. The evidence is in SigninLogs, AuditLogs, and CloudAppEvents. The investigation technique is KQL-based correlation across those tables, and the containment actions are API calls to Entra ID, not network isolation commands.

No minimum experience required. Prerequisites are listed in Section 0.3 for self-assessment. The security industry tells people they need three years in a SOC before they can learn detection engineering, or five years of IR before they can write analytics rules. That gatekeeping serves the industry, not the learner. The skills are learnable. The tools are accessible. Your background determines your starting speed, not your eligibility.

Security Operations Principle

AiTM phishing kits cost $120/month. BEC generated $3 billion in losses last year. The 22-second handoff window between initial access and secondary operators leaves no time for manual detection. If your investigation capability depends on an analyst manually checking alerts during business hours, you are structurally unable to respond to the current threat landscape. Automation, detection engineering, and trained operators working together are the minimum viable defense.

Next

Section 0.2 maps the course to the SC-200 exam and explains why building operational competence is the fastest path to passing it.
