Cross-context login session phish — "companion / connector / verifier" app asks you to sign in at your real IdP then forwards your session to the attacker (2026 post-passkey pivot)
cross-context-login-session-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
As passkeys replace passwords, phishing pivots from credential harvest to session-token harvest. In this attack class, a "companion", "helper", "connector", or "verifier" app on an attacker-controlled origin asks the user to sign in at their real IdP (Microsoft 365 / Google Workspace / Okta / OneLogin / PingOne / Auth0 / Entra ID, formerly Azure AD) in a separate popup window. The user genuinely authenticates at the real IdP, so MFA and passkey checks pass: the passkey's origin binding is intact, because the credential is only ever presented to the IdP. What the attacker harvests is the post-authentication result the IdP hands back to the "connector" acting as a relying party (a token or authorization code returned to an attacker-controlled callback). The callback page in the popup, which is on the attacker's origin, relays that token to the opener page via postMessage, window.name, or a same-origin iframe read, and the opener forwards it to the attacker's server. Note that the browser's same-origin policy is not bypassed here: the attacker never reads the IdP's own cookies; the IdP issues a session to the app the user just authorized, and origin-bound passkeys do not protect that session once issued.

Distinct from aitm-session-cookie-phishing-lure, which proxies the entire login flow through Evilginx or Muraena and captures the IdP session cookie in transit.

Fires when the body contains ALL of:
(1) helper/companion/connector/verifier product language,
(2) a sign-in-at-your-real-IdP step, and
(3) session-transfer / session-link / session-forward language.

Excludes known IdP senders and SaaS vendors, reply threads, and newsletter articles about the technique.
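The following is an added example of the three-signal conjunction and the exclusion guards described above, run over constructed sample messages. It is illustration code written for this page, not Gorganizer's own implementation: the phrase patterns, the known-vendor domain list, and the use of In-Reply-To, a "Re:" subject prefix and List-Unsubscribe as the reply-thread and newsletter heuristics are all assumptions.

```python
"""Added example (not Gorganizer's code): a minimal "fire only when all three
signals are present and no exclusion applies" rule, with constructed samples.
Patterns, domain lists and exclusion heuristics are assumptions for illustration."""
import re
from dataclasses import dataclass, field

# Assumed vocabulary for each required signal.
HELPER_APP = re.compile(
    r"\b(companion|helper|connector|verifier)\s+(app|extension|plug-?in)\b", re.I)
REAL_IDP_SIGNIN = re.compile(
    r"\bsign\s*in\b.{0,80}\b(microsoft 365|google workspace|okta|onelogin|pingone|auth0|azure ad|entra)\b",
    re.I | re.S)
SESSION_TRANSFER = re.compile(
    r"\b(session|login)[ -](transfer|link|forward|sync|hand-?off)\b", re.I)

# Assumed allowlist standing in for "known IdP senders and SaaS vendors".
KNOWN_VENDOR_DOMAINS = {
    "microsoft.com", "google.com", "okta.com", "onelogin.com",
    "pingidentity.com", "auth0.com",
}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    headers: dict = field(default_factory=dict)


def sender_domain(addr: str) -> str:
    """Domain part of an address such as 'Name <user@host>' (tolerates the trailing '>')."""
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def is_excluded(msg: Message):
    """Return the name of the exclusion that applies, or None."""
    dom = sender_domain(msg.sender)
    if any(dom == d or dom.endswith("." + d) for d in KNOWN_VENDOR_DOMAINS):
        return "known-idp-sender"
    # Assumption: a reply is anything threaded via In-Reply-To or prefixed "Re:".
    if "In-Reply-To" in msg.headers or re.match(r"^\s*re:", msg.subject, re.I):
        return "reply-thread"
    # Assumption: bulk mail carrying List-Unsubscribe is treated as a newsletter.
    if "List-Unsubscribe" in msg.headers:
        return "newsletter"
    return None


def cross_context_signals(body: str) -> dict:
    """Evaluate the three body signals independently so a partial hit is visible."""
    return {
        "helper_app": bool(HELPER_APP.search(body)),
        "real_idp_signin": bool(REAL_IDP_SIGNIN.search(body)),
        "session_transfer": bool(SESSION_TRANSFER.search(body)),
    }


def fires(msg: Message) -> bool:
    """The signal fires only when every body signal is present and no exclusion applies."""
    if is_excluded(msg):
        return False
    return all(cross_context_signals(msg.body).values())


# Constructed sample messages (not real mail).
LURE_BODY = (
    "Your organization now requires the Mailbox Connector app to keep email in sync.\n"
    "Step 1: Open the connector and click Continue.\n"
    "Step 2: Sign in with your Microsoft 365 account in the window that opens. "
    "This is your real company login page, so your passkey will work as usual.\n"
    "Step 3: Leave the window open; the connector completes the session transfer automatically.\n"
)
SAMPLES = {
    "lure": Message("IT Support <support@m365-connector.example>",
                    "Action required: link your mailbox", LURE_BODY),
    "newsletter": Message("digest@secnews.example", "Weekly security digest",
                          "This week: how connector-app lures abuse real IdP sign-in.\n" + LURE_BODY,
                          headers={"List-Unsubscribe": "<mailto:leave@secnews.example>"}),
    "reply": Message("colleague@corp.example", "Re: connector rollout", LURE_BODY,
                     headers={"In-Reply-To": "<msg-1@corp.example>"}),
    "idp_notice": Message("no-reply@okta.com", "New sign-in to Okta",
                          "Your Okta sign in from a new device was successful."),
    "partial": Message("it-helpdesk@corp-tools.example", "Identity verification",
                       "Install the Verifier app from the link below. Sign in with your Okta "
                       "account when prompted to confirm your identity."),
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the signal fires on it."""
    return {name: fires(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:11s} fires={verdict!s:5s} excluded={is_excluded(SAMPLES[name])}")
```

Only the "lure" sample fires; the "partial" sample shows why the conjunction matters (helper-app and real-IdP language are common in legitimate IT mail, and the session-transfer phrase is what makes it suspicious), while the other three are caught by the exclusion guards before the body is even scored.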
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.