🚨 Rise in Kali365 .de Domains 🎣
Over the past two weeks, we’ve observed a significant spike in Kali365 phishing activity abusing .de domains via @anyrun_app Intelligence Lookup.
📊 Key findings:
• 127 domains detected in total
• Consolidated into 80 unique root domains
I’ve prepared a scanning KQL leveraging these newly extracted IOCs. If your telemetry shows hits and you haven’t blocked device code authentication in your tenant via Conditional Access, you should assume compromise.
github.com/SlimKQL/Detection…
Defenders — stay sharp, share detections, and close those gaps before attackers exploit them. 🛡️
#Cybersecurity #KALI365 #DeviceCodePhishing #DefenderXDR
Fake #OneDrive document page abuses Microsoft's Device Code hxxps://testviewadbobe1[.]sbs #phishing #microsoft365 #DeviceCodePhishing
Domain reputation is not enough. Content and behavioural analysis is where detection lives. Encrypted in. Encrypted out. Nothing kept in the middle. #PhishingBrief #ThreatIntel #DeviceCodePhishing #EvilTokens #EmailSecurity #InfoSec #SoEmailSecurity
The phishing site impersonates Microsoft 365 Voicemail and abuses Microsoft's Device Code Authentication flow, while the operator panel may be used to manage or monitor victim authentication sessions.
IOCs:
miami-techinc[.]com
/landing/voicemail
/landing/api/start
/landing/api/session-status
#phishing #microsoft365 #devicecodephishing @500mk500
Replying to @Malwarehunterr
I'm not sure whether the "Device Code Lab" operator console is used to monitor and manage active authentication sessions.
Microsoft Device Code phishing
The site generates legitimate Microsoft device codes and polls backend infrastructure at miami-techinc[.]com until the victim authorizes the session.
IOCs:
idos-claim[.]live
miami-techinc[.]com
/landing/api/start
/landing/api/session-status
#phishing #M365 #Microsoft365 #DeviceCodePhishing @500mk500 @malwrhunterteam
🚨 New Device Code Phishing Domain Spotted!
One of my favorite features in @anyrun_app Intelligence Lookup is the subscribe function 🫶 — it automatically notifies me of fresh device‑code phishing domains the moment I fire it up. No manual searching needed; the hits just roll in.
Latest find: <10‑Alphanumeric>.ford-gernert-kitzingen.de
🔎 Add this pattern to your regex hunts 🫡 and keep defenders ahead of evolving phishing clusters.
Follow KQLWizard for the latest Device Code 🎣!
#Cybersecurity #DeviceCodePhishing #ThreatHunting
🚨📰 Storm-2372 (Russian-aligned) has been running a device code phishing campaign since Aug 2024 and it is frighteningly effective.
Once inside they use MS Graph API to search your mailbox for keywords like "password", "credentials", "admin" and "gov" then exfiltrate.
Targets: GOV, NGO, Defense, Telecoms and Energy
Protect yourself now:
✅ Block device code flow in Entra Conditional Access
✅ Ditch SMS MFA, use FIDO tokens or passkeys
✅ Monitor for anomalous sign-in and token activity
✅ Revoke refresh tokens the moment you suspect compromise
#CloudBreach #CyberSecurity #Phishing #ThreatIntelligence #InfoSec #MicrosoftSecurity #ZeroTrust #DeviceCodePhishing #APT #RussianHackers #NationStateThreats #MFA #IdentitySecurity #SOC #BlueTeam #ThreatIntel
🚨 Vendor Contract & Voicemail Device Code 🎣 Themes
Using @anyrun_app sandbox analysis and intelligence lookups, I traced recent device‑code phishing sites. A recurring URL pattern stood out:
*/api/generate_device_code
Expanding the hunt revealed three phishing clusters, each tied to two unique themes:
<10‑Alphanumeric>.billbutterworth.com
<10‑Alphanumeric>.accutaneforacne.com
<10‑Alphanumeric>.auto‑stier‑kt.de
These clusters show how attackers are diversifying their lure domains — from vendor contract impersonation to voicemail‑style phishing — while abusing legitimate OAuth flows. (PS: The first one was linked to my earlier post on the Thryv marketing email redirect link.)
I've uploaded a copy of these domain IOCs to my SlimKQL 2026 Community Group Knowledge section for defender sharing. 🫡
SlimKQL2026 Community Group Invite Code: SlimKQL2026
detections.ai/workspace/grou…
#Cybersecurity #Defender #DeviceCodePhishing
New Device Code Phishing Campaign 🎣
Look out for a new device code phishing campaign from Thryv marketing redirect links 🫡
gogo4wz6qn[.]billbutterworth[.]com
#Cybersecurity #Defender #DeviceCodePhishing
🚨 Kali365 Device Code Phishing – .de Domain Spike Alert
Over the past week, we’ve observed a significant surge in .de domains leveraged in Kali365‑linked device‑code phishing campaigns. These attacks abuse Microsoft OAuth flows, tricking users into entering verification codes on fake portals.
🔎 Detection tip: Look for RemoteUrl domains with the following pattern:
<10‑alphanumeric>.<brand>.de
Example: 9jtr5qfz9o[.]memorablebrands[.]de
This helps flag suspicious .de domains hosting device‑auth phishing pages. Sharing detections across the defender community is key to staying ahead of this evolving trend. 🫡
#Cybersecurity #Kali365 #DeviceCodePhishing #DefenderXDR
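The three hunting posts above (the ford-gernert-kitzingen.de find, the three `*/api/generate_device_code` clusters, and the `<10-alphanumeric>.<brand>.de` Kali365 tip) all describe the same regex hunt over RemoteUrl telemetry. The script below is an added example, not any poster's KQL: it implements that hunt in Python over constructed log lines so the pattern can be tested offline. Only the two hostnames quoted in the posts are real indicators; the log format, the `assets-host.de` allowlist entry and the other hostnames are constructed.

```python
import re
from urllib.parse import urlparse

# Hunting patterns taken from the posts: a 10-character alphanumeric label directly
# below a brand domain (e.g. 9jtr5qfz9o.memorablebrands.de), and the backend API
# paths the kits call (/api/generate_device_code, /landing/api/start, ...).
RANDOM_LABEL_RE = re.compile(r"^([a-z0-9]{10})\.([a-z0-9-]+\.(?:de|com))$", re.I)
DEVICE_CODE_PATH_RE = re.compile(
    r"/api/generate_device_code$|/landing/api/(?:start|session-status)$", re.I)

# Constructed allowlist of root domains that use 10-character hostnames legitimately
# (hypothetical entry; a 10-character label alone is a weak signal, so tune this).
KNOWN_GOOD_ROOTS = {"assets-host.de"}


def classify_remote_url(url, allowlist=KNOWN_GOOD_ROOTS):
    """Return the hunt rules a RemoteUrl matches (empty list = no match)."""
    if "://" not in url:
        url = "http://" + url          # urlparse needs a scheme to split out the host
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    m = RANDOM_LABEL_RE.match(host)
    if m and m.group(2) not in allowlist:
        reasons.append("random-subdomain:" + m.group(2))
    if DEVICE_CODE_PATH_RE.search(parsed.path):
        reasons.append("device-code-path:" + parsed.path)
    return reasons


def hunt(log_lines):
    """Scan constructed 'timestamp device RemoteUrl' lines and return the hits in order."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, device, url = parts[:3]
        reasons = classify_remote_url(url)
        if reasons:
            hits.append({"ts": ts, "device": device, "url": url, "reasons": reasons})
    return hits


# Constructed sample telemetry. Line 3 is Microsoft's real device-code endpoint and
# must not be flagged; line 6 is a constructed legitimate host covered by the allowlist.
SAMPLE_LOG = """\
2026-03-02T09:14:11Z WS-0142 https://9jtr5qfz9o.memorablebrands.de/landing/voicemail
2026-03-02T09:14:13Z WS-0142 https://9jtr5qfz9o.memorablebrands.de/api/generate_device_code
2026-03-02T09:20:45Z WS-0077 https://login.microsoftonline.com/common/oauth2/v2.0/devicecode
2026-03-02T09:31:02Z WS-0203 https://www.example.de/index.html
2026-03-02T09:35:50Z WS-0142 https://gogo4wz6qn.billbutterworth.com/
2026-03-02T09:40:00Z WS-0099 https://cdnabcd123.assets-host.de/app.js""".splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["ts"], hit["device"], hit["url"], ", ".join(hit["reasons"]))
```

A path hit stacked on a random-subdomain hit (line 2 in the sample) is the high-confidence case; a random-subdomain hit alone should go through the allowlist and a root-domain review before it becomes a block, since CDN and tracking hosts also use short random labels.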
PHISH ALERT: Built to Bypass — The Same Kit. Different Victims. Every Time
Device code phishing is no longer just a targeted technique; attackers have figured out how to scale it to mass campaigns. Currently, KnowBe4 ThreatLabs is tracking a highly sophisticated campaign that impersonates SharePoint and DocuSign document-sharing workflows to trick victims into handing over account control via compromised websites. What makes this campaign particularly dangerous is its multi-layered evasion matrix, specifically engineered to trick both automated security filters and human eyes.
The Hook - Victims receive personalized document-sharing notifications spoofing trusted internal tools. These emails use the recipient's name and plausible file names to mimic legitimate platform alerts and establish credibility.
The Attack Chain:
Content Stuffing - Attackers embed invisible newsletters in email bodies using White-on-White text to deceive security scanners. This content flooding dilutes phishing signals with legitimate vocabulary, bypassing ML-based classifiers into assigning safe spam scores.
Per-Recipient Token Randomization - Each campaign email uses a unique cryptographic token in redirect URLs to bypass hash-based filters by appearing original. This randomization simultaneously verifies active targets for the attacker upon clicking.
The Dynamic Bait: The visible email body perfectly mimics DocuSign or SharePoint templates, but with a twist: the kit dynamically injects the recipient's organization name into the file name (e.g., [orgname]-Agreement2026.pdf) and randomizes the subject lines. It's the exact same kit, but results in zero identical emails, completely breaking signature-based detection.
Redirect Chain: flosync[.]io (click tracker victim fingerprint) → cofraviles[.]com//cgi-bin/waggers (credential harvest)
IOCs to Monitor and Block:
fc263848[.]link[.]flosync[.]io
f70abfd6[.]map[.]travelicious[.]com[.]pk
fatel97407-okcpress-com-s-account[.]workers[.]dev
authsign-verifyemail[.]workers[.]dev
axiscaremn[.]com/439fh92/
polisradio[.]net/wp-admin/wagger
ketoannhs[.]com/wp-admin/rese/
cofraviles[.]com//cgi-bin/waggers
gs-stellaalpina[.]com/wp-admin/arinola/
pohana[.]de/wp-admin/herc
#ThreatIntel #Phishing #OAuth #DeviceCodePhishing #M365 #IoCs #infosec #CyberSecurity #knowbe4
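The "Content Stuffing" step in the KnowBe4 post (white-on-white newsletter text that feeds a classifier harmless vocabulary) is detectable on the mail-filter side by comparing what the recipient would see with what is styled invisible. The auditor below is an added example written for this page, not KnowBe4's tooling: it walks an HTML body with the standard-library parser, treats text under an inline style of white colour, zero font size, `display:none` or `visibility:hidden` as hidden, and flags bodies where the hidden share is large. The sample email, the style heuristics and the thresholds are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Inline styles that make text invisible on a white background. The lookbehind keeps
# "background-color:#fff" from being mistaken for "color:#fff".
HIDDEN_STYLE_RE = re.compile(
    r"(?<![\w-])color\s*:\s*(?:#fff(?:fff)?\b|white\b|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt)?\s*(?:;|$)",
    re.I,
)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


class HiddenTextAuditor(HTMLParser):
    """Count words rendered visibly versus words hidden by inline styling."""

    def __init__(self):
        super().__init__()
        self.stack = []            # one bool per open element: is its text hidden?
        self.visible_words = 0
        self.hidden_words = 0
        self.hidden_samples = []   # first few hidden fragments, for the analyst

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return                 # never closed, so keep it off the stack
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack and self.stack[-1])
        self.stack.append(inherited or bool(HIDDEN_STYLE_RE.search(style)))

    def handle_startendtag(self, tag, attrs):
        pass                       # <br/> and friends: nothing to push or pop

    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()

    def handle_data(self, data):
        words = data.split()
        if not words:
            return
        if self.stack and self.stack[-1]:
            self.hidden_words += len(words)
            if len(self.hidden_samples) < 3:
                self.hidden_samples.append(" ".join(words)[:60])
        else:
            self.visible_words += len(words)


def audit_email_html(html, min_hidden_words=20, max_hidden_ratio=0.3):
    """Flag bodies whose hidden text outweighs what the recipient actually sees."""
    auditor = HiddenTextAuditor()
    auditor.feed(html)
    auditor.close()
    total = auditor.visible_words + auditor.hidden_words
    ratio = auditor.hidden_words / total if total else 0.0
    return {
        "visible_words": auditor.visible_words,
        "hidden_words": auditor.hidden_words,
        "hidden_ratio": round(ratio, 2),
        "hidden_samples": auditor.hidden_samples,
        "suspicious": auditor.hidden_words >= min_hidden_words and ratio > max_hidden_ratio,
    }


# Constructed sample: a short visible lure over a long white-on-white filler block.
SAMPLE_EMAIL = """<html><body style="background-color:#ffffff">
<p>Contoso shared <b>Contoso-Agreement2026.pdf</b> with you. Review and sign the document.</p>
<p><a href="https://tracker.example.invalid/r/4f1c9d2e">Open Document</a></p>
<div style="color:#ffffff;font-size:1px">
Weekly community newsletter: volunteer garden schedule, library opening hours, recipe of the
month, local football results, farmers market update, bicycle repair workshop, choir rehearsal
reminder, school bake sale, neighbourhood watch meeting, recycling calendar, summer fair planning.
</div>
</body></html>"""

if __name__ == "__main__":
    print(audit_email_html(SAMPLE_EMAIL))
```

Inline styles are only part of the picture: kits can also hide text through a `<style>` block, a tiny colour difference such as `#fefefe`, or an off-screen position, so in a production filter the hidden-word ratio is one feature beside the rendered-text classifier rather than a verdict on its own.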
PHISH ALERT: How Attackers Are Abusing Google Infrastructure for Phishing
KnowBe4 ThreatLabs is tracking an active phishing campaign that weaponizes a nested, triple-chain of Google services — Google Meet, Google Search Redirect, and Google Ad Service — to completely blindside Secure Email Gateways. By routing traffic entirely through trusted infrastructure, attackers deliver victims to malicious phishing pages undetected.
The Hook: Attackers exploit a blind spot in modern email security by layering multiple trusted Google domains within a single link. Because gateway inspection engines only see authorized infrastructure, reputation checks pass cleanly. The true malicious destination is only resolved at click-time by a human user.
The Attack Chain:
The Bait: High-urgency corporate lures are weaponized, including FedEx updates, DocuSign/AutoSign requests, M365 password expiry alerts, fake remittances, and malicious QR codes.
The Nested Delivery Matrix: Attackers stack three trusted Google domains into a single nested URL to bypass Secure Email Gateways:
* SafeLinks → meet[.]google[.]com/linkredirect → google[.]com/url?q= → adservice[.]google[.]com[.]ph/ddm/clk → [attacker domain]
The Evade: Gateway scanners check the outer hops, validate the legitimate Google domain reputations, and allow the email through — leaving the final destination completely uninspected until click-time.
The Fork: Upon clicking, the campaign splits based on the lure context:
Credential Harvesting: Captures credentials on a pixel-perfect M365 sign-in page, pre-populated with the victim's email.
Device Code Phishing: Leads to a fake OneDrive "Shared Document" displaying a pre-generated Microsoft device code designed to hijack the corporate session.
IOCs to Monitor:
vazquezfleytas[.]com
Link-form-unj9[.]p-sm7rw6ru[.]workers[.]dev
edificiocristal[.]pt
odahlzr5lm[.]reliabilityinoperations[.]de
cloudbemismanufacturingcompanygroup[.]rydezyhrsysteminc[.]vu
servicetriumphgroupsimplyappraisals[.]spectrhwqumbrands[.]vu
unitedtechnofzmlogies[.]vu
velvorra[.]com
cloudgillettebrandberkshirehathaway[.]rtzcoekdrporation[.]vu
furqanmustafa[.]com
staiwooje[.]app
data-cloud-ofe8[.]p-8yejy42o[.]workers[.]dev
#ThreatIntel #Phishing #GoogleAbuse #M365 #DeviceCodePhishing #InfoSec #Knowbe4 #IOC
AI "vibe coding" and the EvilTokens PhaaS platform are supercharging device code phishing to bypass Microsoft 365 MFA. Secure your network today! #DeviceCodePhishing #Microsoft365 #CyberSecurity #InfoSec #Phishing #MFA #EvilTokens #PhaaS #AI #VibeCoding securityonline.info/device-c…
Device Code Phishing URL
access-sharepoint-exchange.d2a8tpeb2129r7[.]amplifyapp[.]com
Redirects to
secure-share-r1y7.p-cebompw5[.]workers[.]dev/l/UP4HIVXTl3Q
#Phishing #DeviceCodePhishing #Microsoft @500mk500 @skocherhan
⚠️ Phishing Alert – Device Code Phishing
URL: sharepoint-marubeni/.pages/.dev
Redirects to: sharepoint-marubeni/.pages/.dev auth/.duemineral/.uk/l/q5-nz28VeNc
#Phishing #CyberSecurity #ThreatIntelligence #Infosec #DeviceCodePhishing #Microsoft @500mk500 @skocherhan
Microsoft uncovers EvilToken, an AI-powered PhaaS toolkit using Dynamic Device Code Generation to bypass MFA and breach high-value accounts. #EvilToken #DeviceCodePhishing #MFA #InfoSec #AIPhishing #CyberSecurity #MicrosoftDefender securityonline.info/eviltoke…
Device code phishing has surged 37x in 2026. Learn how "EvilTokens" and PhaaS kits weaponize OAuth 2.0 to bypass MFA and hijack corporate accounts. #DeviceCodePhishing #EvilTokens #CyberSecurity2026 #OAuth #Infosec #Microsoft365 #PhaaS #AccountTakeover meterpreter.org/the-eviltoke…
🎣 From Device Code to Detection
Sekoia uncovered EvilTokens, a new Phishing-as-a-Service kit exploiting Microsoft’s device code flow to steal tokens and enable persistent account takeover. Already adopted across global campaigns, it leaves behind distinctive traces such as the X-Antibot-Token header — a reliable beacon defenders can hunt.
Link: blog.sekoia.io/new-widesprea…
A YARA rule targeting this indicator has surfaced at least 239 domains abusing Microsoft’s device code phishing (3 times more than the IOCs Sekoia provided 😱). EvilTokens is spreading fast, but its footprints are visible. Defenders should stay alert and ready to act.
YARA Rule: detections.ai/share/rule/mJ9…
#Cybersecurity #EvilToken #DeviceCodePhishing #AnyRun
🎯 High-Fidelity Device Code Phishing Abuse Detection
A large-scale phishing campaign has impacted more than 340 Microsoft 365 organizations across the U.S., Canada, Australia, New Zealand, and Germany. The attackers are exploiting device code authentication flows to steal credentials, leveraging Cloudflare Workers and Railway-hosted infrastructure to redirect sessions and harvest login data at scale. First observed on February 19, 2026, this campaign demonstrates a highly coordinated abuse of legitimate authentication mechanisms.
Source: thehackernews.com/2026/03/de…
To monitor this, I have developed a high-fidelity Microsoft Defender for Office (MDO) detection focused on device code phishing abuse. This detection monitors scenarios where:
1. A phishing email contains Microsoft device code authentication prompts.
2. A user subsequently registers a device within the same timeframe.
Such correlation strongly suggests compromise, as the user may have unknowingly registered a device under attacker control. This detection is designed to trigger SecOps investigation, ensuring defenders can quickly validate and respond to suspicious device registrations before attackers gain persistence.
KQL Code: github.com/SlimKQL/Detection…
#Cybersecurity #DeviceCodePhishing #DefenderXDR
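The two-step correlation in the post (a device-code prompt lands in a mailbox, then the same user registers a device shortly afterwards) is the kind of join that is easy to describe and easy to get subtly wrong, so here it is worked through in Python over constructed records. This is an added example and not the poster's KQL: the email and device-registration records, the 24-hour window, the "enter the code" phrasing and the 8–9 character code shape are all assumptions, and the correlation keys on the recipient address rather than on any Defender table schema.

```python
import re
from datetime import datetime, timedelta

# Signals that an email body is a device-code prompt: the Microsoft device-login URL,
# or an "enter the code XXXXXXXXX" instruction. The 8-9 character uppercase code shape
# is an approximation of what the flow shows, not a specification.
DEVICELOGIN_RE = re.compile(r"(?:microsoft\.com|aka\.ms)/devicelogin", re.I)
CODE_PROMPT_RE = re.compile(r"(?i:\benter\s+(?:the\s+)?code)\s+([A-Z0-9]{8,9})\b")


def is_device_code_prompt(body):
    return bool(DEVICELOGIN_RE.search(body) or CODE_PROMPT_RE.search(body))


def correlate(emails, registrations, window=timedelta(hours=24)):
    """Pair device-code prompt emails with device registrations by the same user inside `window`."""
    regs_by_user = {}
    for reg in registrations:
        regs_by_user.setdefault(reg["user"].lower(), []).append(reg)

    alerts = []
    for mail in emails:
        if not is_device_code_prompt(mail["body"]):
            continue
        received = datetime.fromisoformat(mail["received"])
        for reg in regs_by_user.get(mail["recipient"].lower(), []):
            registered = datetime.fromisoformat(reg["time"])
            # Only registrations after the email and within the window count; an earlier
            # registration is the user's own device, not the attacker's.
            if received <= registered <= received + window:
                alerts.append({
                    "user": mail["recipient"],
                    "email_received": mail["received"],
                    "subject": mail["subject"],
                    "device": reg["device"],
                    "registered": reg["time"],
                    "minutes_after_email": int((registered - received).total_seconds() // 60),
                })
    return alerts


# Constructed sample records (no real users, devices or codes).
EMAILS = [
    {"recipient": "alice@contoso.example", "received": "2026-02-20T08:02:00+00:00",
     "subject": "Contoso-Agreement2026.pdf shared with you",
     "body": "To view the document go to https://microsoft.com/devicelogin and enter the code BJ7K2QZ4M"},
    {"recipient": "bob@contoso.example", "received": "2026-02-20T08:05:00+00:00",
     "subject": "Lunch menu", "body": "Pizza on Friday, sign up by Thursday."},
    {"recipient": "carol@contoso.example", "received": "2026-02-20T09:10:00+00:00",
     "subject": "Voicemail", "body": "Enter the code AB12CD34E at the link to listen."},
]
REGISTRATIONS = [
    {"user": "alice@contoso.example", "time": "2026-02-20T08:31:00+00:00", "device": "DESKTOP-Q1W2E3"},
    {"user": "carol@contoso.example", "time": "2026-02-22T11:00:00+00:00", "device": "iPhone-carol"},
    {"user": "dave@contoso.example", "time": "2026-02-20T10:00:00+00:00", "device": "LAPTOP-DAVE"},
]

if __name__ == "__main__":
    for alert in correlate(EMAILS, REGISTRATIONS):
        print(f'{alert["user"]}: {alert["device"]} registered '
              f'{alert["minutes_after_email"]} min after "{alert["subject"]}"')
```

Carol receives a prompt but registers a device two days later, outside the window, and Dave registers a device with no prompt at all, so neither produces an alert; only Alice's registration 29 minutes after the lure does. The window is the main tuning knob: the device code itself expires within minutes, but the attacker's registration can trail the authorization, so a window of hours rather than minutes is the safer starting point.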