Device Code Phishing is an Evolution in Identity Takeover
· Published 14/05/2026 13:16 · Modified 14/05/2026 18:11
Essential information
- Published: 14/05/2026 13:16
- Modified: 14/05/2026 18:11
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: account takeover, artokens, clickfix, credential theft, device code phishing, eviltokens, identity compromise, kali365, microsoft 365, oauth abuse, odx, phishing-as-a-service, tycoon 2fa
- Tags: 2026-05-14, account takeover, artokens, clickfix, credential-theft, device code phishing, eviltokens, identity compromise, kali365, microsoft 365, oauth abuse, odx, phishing-as-a-service, tycoon 2fa
- Related entities: 35 indicators, 35 observables, 1 intrusion set (APT), 19 techniques (MITRE), 6 malware, 35 others
Description
Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. The surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings such as EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing attacker-controlled applications. Current implementations generate the device code on demand, removing the 15-minute code-expiration limitation that constrained earlier techniques. Most of this activity appears to have been produced with AI-assisted coding. Successful attacks lead to full account takeover, data theft, business email compromise, and potentially ransomware deployment. The technique is the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Indicators (35)
- 019d442e-endpoint.com
- europesignaltrust.de
- 019d6860-endpoint.com
- reliableinteractions.de
- hti-245401512.hs-sites-na2.com
- europetrustwave.de
- ed5ce47d835f-endpoint.com
- 019d442a-endpoint.com
- z6e43e5886fe-endpoint.com
- extendyourcredibility.de
- marketcredibilitysignals.de
- jo2c9ada427c6-endpoint.com
- digitalcontinuity.de
- methodicalness.de
- kohlhoff-edelstahlverarbeitung.de
- f36c2774f013-endpoint.com
- trustedengagement.de
- heilbronner-fruehlingssymposium.de
- crediblebizextension.de
- consistentdigital.de
- 6dd5fd945b34-endpoint.com
- reliablesupport.de
- yaga9b286ae2c101-endpoint.com
- ee10bbf6c689-endpoint.com
- digitalreliability.de
- servicewithoutinterruption.de
- 2dc62559e005-endpoint.com
- euromarketsignal.de
- panel.hewktree.net
- 7806d4cf9366-endpoint.com
- 0fdba029e6a5-endpoint.com
- stablewebsystems.de
- uninterruptedperformance.de
- marktkarree-langenfeld.de
- 4daa2aea93db-endpoint.com
Observables (35)
- europesignaltrust.de
- ed5ce47d835f-endpoint.com
- europetrustwave.de
- stablewebsystems.de
- euromarketsignal.de
- heilbronner-fruehlingssymposium.de
- reliablesupport.de
- 0fdba029e6a5-endpoint.com
- z6e43e5886fe-endpoint.com
- extendyourcredibility.de
- 019d6860-endpoint.com
- digitalreliability.de
- marketcredibilitysignals.de
- trustedengagement.de
- methodicalness.de
- marktkarree-langenfeld.de
- 2dc62559e005-endpoint.com
- consistentdigital.de
- f36c2774f013-endpoint.com
- 019d442e-endpoint.com
- 4daa2aea93db-endpoint.com
- digitalcontinuity.de
- 019d442a-endpoint.com
- uninterruptedperformance.de
- servicewithoutinterruption.de
- jo2c9ada427c6-endpoint.com
- 6dd5fd945b34-endpoint.com
- 7806d4cf9366-endpoint.com
- ee10bbf6c689-endpoint.com
- yaga9b286ae2c101-endpoint.com
- reliableinteractions.de
- kohlhoff-edelstahlverarbeitung.de
- crediblebizextension.de
- panel.hewktree.net
- hti-245401512.hs-sites-na2.com
Intrusion sets (APT) (1)
- AlienVault · Confidence 100 · Published 21/12/2025 03:09 · Modified 21/12/2025 03:09
Techniques (MITRE) (19)
- Malicious Link
- Data from Information Repositories
- Valid Accounts
- Internal Spearphishing
- Browser Session Hijacking
- Steal Application Access Token
- Phishing
- Spearphishing Link
- Malicious File
- Spearphishing Attachment
- User Execution
- Data Encrypted for Impact
- Email Collection
- Spearphishing via Service
- Steal Web Session Cookie
- Phishing for Information
- Account Discovery
- Cloud Accounts
- Spearphishing Link
Malware (6)
- Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
Others (35)
- Same 35 domains as listed under Indicators (35) above.