YellowKey
February 3, 2026. Help-desk chat lights up: executives are forwarding a polished ‘IT verification’ portal that asks them for their BitLocker recovery keys. You work through help-desk chat transcripts, Intune exports, and the hash of the forged page.
Briefing
Attackers branded a fake portal ‘Device Trust Recovery’ and pushed links to it through SMS and compromised vendor mail. The goal is volume: collect BitLocker recovery keys so that stolen laptops can be unlocked and resold without friction. You work from evidence staged as flat text files; there are no live tenant APIs.
Your role
Enterprise DFIR analyst on the identity and endpoint team.
Objective
Reconstruct the phish from SMS lure to fake recovery form to recovery-key use, then verify wipe and identity containment.
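The reconstruction above boils down to three checks: which submissions to the fake portal carried a real recovery key (matched against the Intune export), whether wipe and session revocation were logged for each exposed device after the disclosure, and whether the captured copy of the forged page matches the reported hash before its contents are trusted. The script below is an added example that is not part of the exercise's own files or tooling; the CSV column layouts, device names, key IDs, action names and the page bytes are constructed for illustration and are assumptions, not the staged evidence.

```python
"""Correlate constructed phishing evidence: which real BitLocker recovery keys
reached the fake portal, and whether wipe and identity containment followed.
Added example, not the exercise's own tooling; every column name, device name,
key ID and action name below is an assumption made for illustration."""
import csv
import hashlib
import io
from datetime import datetime

# Constructed sample evidence (hypothetical layouts, not the staged files).
PORTAL_SUBMISSIONS = """timestamp,device_name,submitted_key_id
2026-02-03T09:12:44Z,LAPTOP-EXEC01,11111111-2222-3333-4444-555555555501
2026-02-03T09:15:10Z,LAPTOP-EXEC02,11111111-2222-3333-4444-555555555502
2026-02-03T09:20:33Z,LAPTOP-EXEC03,deadbeef-0000-0000-0000-000000000000
"""

INTUNE_KEY_EXPORT = """device_name,recovery_key_id,last_backup
LAPTOP-EXEC01,11111111-2222-3333-4444-555555555501,2026-01-20T08:00:00Z
LAPTOP-EXEC02,11111111-2222-3333-4444-555555555502,2026-01-21T08:00:00Z
LAPTOP-EXEC03,11111111-2222-3333-4444-555555555503,2026-01-22T08:00:00Z
"""

# A remote_wipe logged *before* the disclosure (EXEC02 at 08:55) cannot be the
# response to it and must not be counted as containment of this incident.
RESPONSE_ACTIONS = """timestamp,device_name,action
2026-02-03T08:55:00Z,LAPTOP-EXEC02,remote_wipe
2026-02-03T10:05:00Z,LAPTOP-EXEC01,remote_wipe
2026-02-03T10:06:00Z,LAPTOP-EXEC01,revoke_sessions
2026-02-03T10:07:00Z,LAPTOP-EXEC02,revoke_sessions
"""


def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_rows(text):
    """Read a CSV export held as a string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def exposed_keys(submissions_csv, intune_csv):
    """Return (exposed, unmatched): device -> earliest time its *real* key was
    submitted, plus devices whose submitted key ID is not in the Intune export
    (typos, fabricated entries) and therefore did not expose a real key."""
    known = {(r["device_name"], r["recovery_key_id"].lower())
             for r in load_rows(intune_csv)}
    exposed, unmatched = {}, []
    for r in load_rows(submissions_csv):
        pair = (r["device_name"], r["submitted_key_id"].lower())
        if pair in known:
            t = _ts(r["timestamp"])
            exposed[r["device_name"]] = min(t, exposed.get(r["device_name"], t))
        else:
            unmatched.append(r["device_name"])
    return exposed, unmatched


def containment_status(exposed, actions_csv,
                       required=("remote_wipe", "revoke_sessions")):
    """For each exposed device, check that every required action was logged
    strictly after the disclosure time; earlier actions are ignored."""
    actions = load_rows(actions_csv)
    status = {}
    for device, exposed_at in exposed.items():
        done = {a["action"] for a in actions
                if a["device_name"] == device and _ts(a["timestamp"]) > exposed_at}
        missing = [x for x in required if x not in done]
        status[device] = {"contained": not missing, "missing": missing}
    return status


def sha256_hex(data):
    """Hex SHA-256 of captured bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_page_hash(page_bytes, expected_sha256):
    """Confirm the captured copy of the fake portal is the one the reported
    hash refers to before relying on its contents in the timeline."""
    return sha256_hex(page_bytes) == expected_sha256.lower()


if __name__ == "__main__":
    exposed, noise = exposed_keys(PORTAL_SUBMISSIONS, INTUNE_KEY_EXPORT)
    for device, when in sorted(exposed.items()):
        print(f"{device}: real recovery key disclosed at {when.isoformat()}")
    print("submissions that matched no known key:", noise)
    for device, s in sorted(containment_status(exposed, RESPONSE_ACTIONS).items()):
        print(f"{device}: contained={s['contained']} missing={s['missing']}")
    # Constructed page capture (hypothetical); the reference hash would come
    # from the case notes, here it is derived from the pristine capture.
    page = b"<html>Device Trust Recovery</html>"
    print("page hash matches:", verify_page_hash(page, sha256_hex(page)))
```

The strict ordering check in containment_status is the point to keep: a wipe or revocation that predates the disclosure proves nothing about this incident, so the sample's LAPTOP-EXEC02 is reported as still missing a wipe even though one appears in the action log.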
Terminal environment
- user: responder
- host: dfir-laptop-02
- cwd: /home/dfir/yellowkey
- steps: 8
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.