
Truthsayer

Anti-social-engineering across email, OAuth, lookalike domains, MFA-bombing, and the help desk.

What is Truthsayer?

Truthsayer is an anti-social-engineering platform that detects and surfaces attacks that bypass traditional email gateways and endpoint controls: targeted phishing, OAuth application abuse, MFA fatigue push-bombing, lookalike-domain registration, and help-desk impersonation. It is designed for security teams that need coverage of the human attack surface — identities, communication channels, and the social behaviours attackers exploit — without deploying endpoint agents.

  • Analyses email, SSO, and collaboration platforms via read-only OAuth or API access — no agents or mail-relay changes required.
  • MFA bombing detection alerts on repeated push-notification storms targeting specific users before an account is compromised.
  • Lookalike-domain monitoring runs continuously and surfaces newly-registered domains that mimic your brand within hours of registration.

Connect your communication and identity platforms

Truthsayer integrates with your existing email, SSO, and collaboration platforms via OAuth or read-only API access. No agents required.

  • Microsoft 365: grant Truthsayer the Mail.Read and IdentityRiskEvent.Read.All Graph API permissions.
  • Google Workspace: authorize the Truthsayer OAuth app as an admin with read access to Gmail and Admin SDK.
  • Okta: create a read-only API token and paste it in Settings → Connectors → Okta.
  • Slack: install the Truthsayer Slack app via the App Directory — requires Workspace Admin approval.

  1. Grant Microsoft 365 or Google Workspace permissions.

     In your admin console, grant Truthsayer the minimum read-only API scopes listed in Settings → Connectors. Truthsayer requests no write permissions.

  2. Connect your SSO platform.

     Paste your Okta API token or configure the Entra ID app registration in Settings → Connectors → Identity to enable MFA-bombing and OAuth-abuse detection.

  3. Configure notification routing.

     Navigate to Truthsayer → Settings → Alerting and set up Slack or email routing for high-severity alerts so the right people are notified without delay.

Sandworm never writes to your environment. All integrations use the minimum read-only permissions required.

Key concepts

Truthsayer detects and surfaces social-engineering attacks that bypass traditional email gateways: targeted phishing, OAuth app abuse, MFA fatigue, lookalike domains, and help-desk impersonation.

  • Phishing detection: multi-signal scoring on email headers, link reputation, and sender behaviour.
  • OAuth app abuse: detects third-party apps requesting excessive scopes or behaving anomalously post-grant.
  • Lookalike domains: continuously monitors for newly-registered domains that mimic your brand.
  • MFA bombing: detects repeated push notification storms targeting specific users.
  • Help-desk impersonation: flags requests that follow patterns consistent with social-engineering of IT staff.
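An added illustration of the MFA-bombing concept above (example code written for this page, not Truthsayer's own detector): a sliding-window check over a constructed push-event log that flags any user who receives five or more pushes within five minutes and rates the finding critical when an approval follows the storm. The event names (push.sent, push.denied, push.approved), the five-minute window and the threshold of five are assumptions, not Truthsayer's parameters.

```python
"""MFA push-storm detector (added example, not Truthsayer's own code).
The event schema is constructed; map real Okta/Entra ID log fields onto it first."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice gets six pushes in under a minute and finally approves one;
# bob gets two ordinary, widely spaced pushes and approves both.
SAMPLE_EVENTS = (
    [{"ts": f"2024-05-01T08:00:{10 * i:02d}Z", "user": "alice", "event": "push.sent"} for i in range(6)]
    + [{"ts": "2024-05-01T08:00:35Z", "user": "alice", "event": "push.denied"},
       {"ts": "2024-05-01T08:01:05Z", "user": "alice", "event": "push.approved"},
       {"ts": "2024-05-01T09:00:00Z", "user": "bob", "event": "push.sent"},
       {"ts": "2024-05-01T09:00:15Z", "user": "bob", "event": "push.approved"},
       {"ts": "2024-05-01T10:30:00Z", "user": "bob", "event": "push.sent"},
       {"ts": "2024-05-01T10:30:12Z", "user": "bob", "event": "push.approved"}]
)

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_push_storms(events, window=timedelta(minutes=5), threshold=5):
    """One finding per user who received `threshold` pushes inside any `window`.
    A storm followed by push.approved is 'critical': the user may have accepted a
    prompt just to make it stop, which is exactly what push-bombing aims for."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        recent = deque()  # timestamps of push.sent events inside the sliding window
        storm_start, peak, approved_after = None, 0, False
        for ev in evs:
            t = _parse(ev["ts"])
            if ev["event"] == "push.sent":
                recent.append(t)
                while t - recent[0] > window:  # evict pushes older than the window
                    recent.popleft()
                peak = max(peak, len(recent))
                if storm_start is None and len(recent) >= threshold:
                    storm_start = recent[0]
            elif ev["event"] == "push.approved" and storm_start is not None:
                approved_after = True  # approval after a storm is the compromise signal
        if storm_start is not None:
            findings.append({"user": user, "storm_start": storm_start.isoformat(),
                             "peak_pushes": peak,
                             "severity": "critical" if approved_after else "high"})
    return findings
```

Running `detect_push_storms(SAMPLE_EVENTS)` yields a single critical finding for alice; bob's spaced-out logins never fill the window.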

Reviewing your first alerts

After connecting at least one platform, Truthsayer begins analysing historical signals to build a baseline. New alerts surface in the Truthsayer Inbox within the Sandworm portal.

  • Triage an alert by clicking it — you can dismiss, escalate to Elm, or take a direct remediation action (revoke OAuth grant, reset MFA).
  • Configure notification routing under Truthsayer → Settings → Alerting to send high-severity alerts to Slack or email.
  • The Domain Monitor tab shows lookalike domains sorted by similarity score and registration recency.

Integrations

Truthsayer connects to communication, identity, and collaboration platforms and feeds findings to response and orchestration tools.

  • Email: Microsoft 365 (Graph API Mail.Read), Google Workspace (Gmail read-only), generic IMAP.
  • Identity / SSO: Okta, Microsoft Entra ID — MFA push logs, OAuth grant events, risk signals.
  • Collaboration: Slack (app-level read access for social-engineering pattern detection).
  • Domain intelligence: WHOIS and certificate transparency feeds for lookalike-domain monitoring.
  • Elm (SOAR): escalate alerts to Elm cases for coordinated response; playbooks can revoke OAuth grants or reset MFA automatically.
  • Sandworm SIEM: Truthsayer alert events are forwarded in OCSF format for correlation with other identity signals.

API and CLI

Query Truthsayer alerts and manage connectors programmatically via the sandworm CLI or REST API.

  • `sandworm truthsayer alerts list --unread` — unread social-engineering alerts.
  • `sandworm truthsayer domains list` — lookalike domain watchlist.
  • `sandworm truthsayer connectors status` — health of connected platforms.
  • REST API: see the OpenAPI spec at /api/truthsayer/openapi.json on your deployment.

Example: `sandworm truthsayer alerts list --unread --format table`
Sandworm Security — One security platform, AI in every tool