{ "name": "Device Code Phishing is an Evolution in Identity Takeover", "slug": "device-code-phishing-is-an-evolution-in-identity-takeover", "description": "Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.", "published": "2026-05-14T11:16:24.673000+00:00", "created_at": "2026-05-14T18:11:52.738000+00:00", "modified_at": "2026-05-14T16:11:52+00:00", "created_at_opencti": "2026-05-14T18:11:52.738000+00:00", "author": "AlienVault", "confidence": 100, "report_types": [ "threat-report" ], "labels": [ "account takeover", "artokens", "clickfix", "credential theft", "device code phishing", "eviltokens", "identity compromise", "kali365", "microsoft 365", "oauth abuse", "odx", "phishing-as-a-service", "tycoon 2fa" ], "tags": [ "2026-05-14", "account takeover", "artokens", "clickfix", "credential-theft", "device code phishing", "eviltokens", "identity compromise", "kali365", "microsoft 365", "oauth abuse", "odx", "phishing-as-a-service", "tycoon 2fa" ], "related_entities": { "indicators": [ { "id": "fb91c09d-1020-4f45-9434-b08fb2419b05", "name": "019d442e-endpoint.com" }, { "id": "20e08252-14cf-427e-92c9-b641aac0b97a", "name": "europesignaltrust.de" }, { "id": "f29a931f-041e-48c4-baee-9d501a718ccb", "name": "019d6860-endpoint.com" }, { "id": "7e203ac2-faf9-4fe1-a3a9-a0ab33344f4a", "name": "reliableinteractions.de" }, { "id": "3cf8d227-a938-4cd2-a928-1954e04a6e04", "name": "hti-245401512.hs-sites-na2.com" }, { "id": "42695fd7-27be-4bef-94c1-1057bce4830a", "name": "europetrustwave.de" }, { "id": "5552be40-14b6-4fae-b390-53fdcb70d153", "name": "ed5ce47d835f-endpoint.com" }, { "id": "8fd04f30-bfc4-4401-af38-38ce2bdf5528", "name": "019d442a-endpoint.com" }, { "id": "d93600bc-d934-4a0f-9b10-8ae0869a3820", "name": "z6e43e5886fe-endpoint.com" }, { "id": "7611c1a9-b59d-4ec0-b0de-30c104238646", "name": "extendyourcredibility.de" }, { "id": "1345b2a8-4719-4840-b881-ef16b8881efd", "name": "marketcredibilitysignals.de" }, { "id": "45ccc792-8657-4bdc-b025-3d9dd545cdb8", "name": "jo2c9ada427c6-endpoint.com" }, { "id": "c51329c6-7bd1-4424-ba53-8737d4bab062", "name": "digitalcontinuity.de" }, { "id": "299cb436-8eb0-4d0e-b066-601b2fbdc87d", "name": "methodicalness.de" }, { "id": "ff8b5326-4571-43db-b5d8-fd7a8cc5bc2b", "name": "kohlhoff-edelstahlverarbeitung.de" }, { "id": "fbd42073-8b46-4e02-b909-6d22f7a5e6ea", "name": "f36c2774f013-endpoint.com" }, { "id": "8bc9c23c-f453-41f2-94f6-bf597db848de", "name": "trustedengagement.de" }, { "id": "a6ad0959-5b0f-410e-b391-806a0a70423e", "name": "heilbronner-fruehlingssymposium.de" }, { "id": "954f717e-a02c-4768-a4f7-70673ef64289", "name": "crediblebizextension.de" }, { "id": "c3a4ec30-7c86-4d88-bf63-d12708695148", "name": "consistentdigital.de" }, { "id": "fb48af98-a2fa-41cc-9f28-33a9bc9dc85b", "name": "6dd5fd945b34-endpoint.com" }, { "id": "7e2d63f4-ca08-4d15-856a-a46b78072410", "name": "reliablesupport.de" }, { "id": "23cb9b84-e1f4-4235-b1cc-6515f8f27c4b", "name": "yaga9b286ae2c101-endpoint.com" }, { "id": "21d7b90f-8cfd-48d6-99f5-56ebc2f2aa3e", "name": "ee10bbf6c689-endpoint.com" }, { "id": "74caf281-f298-4222-b189-47f6a6fd50ca", "name": "digitalreliability.de" }, { "id": "e774a59c-ed82-4eee-8b89-a19852fce79b", "name": "servicewithoutinterruption.de" }, { "id": "22c12256-c88a-49d8-ac29-0bd1aedee3bc", "name": "2dc62559e005-endpoint.com" }, { "id": "250300ed-f68b-4d60-a656-c103543f01c9", "name": "euromarketsignal.de" }, { "id": "3300d6be-b2c3-4d2b-8238-8ce1bd4fb180", "name": "panel.hewktree.net" }, { "id": "3bb3da7f-9f29-4236-b426-f44cbf986887", "name": "7806d4cf9366-endpoint.com" }, { "id": "b640df35-a936-4353-88d1-f806cd437aec", "name": "0fdba029e6a5-endpoint.com" }, { "id": "8310b1e2-a63b-417c-af57-f147e7240239", "name": "stablewebsystems.de" }, { "id": "1d5c56d7-c106-469f-bec1-7e71af94b323", "name": "uninterruptedperformance.de" }, { "id": "91593991-c39d-4226-8225-f7122da55a1d", "name": "marktkarree-langenfeld.de" }, { "id": "21715ec0-bba6-4117-b153-c76e88a36829", "name": "4daa2aea93db-endpoint.com" } ], "intrusion_sets": [ { "id": "00f405b6-6989-4553-9adb-9fca3ebefa05", "name": "TA4903", "slug": "ta4903" } ], "attack_patterns": [ { "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc", "name": "T1204.001" }, { "id": "e73b317e-ea92-49b4-a45d-051f7279aced", "name": "T1213" }, { "id": "9f11a241-9abc-4c57-95dd-33955ab08826", "name": "T1078" }, { "id": "5fbd38af-69a3-49b9-9ff4-e7ab3e59bd12", "name": "T1534" }, { "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e", "name": "T1185" }, { "id": "7e3e3784-9547-42ca-b888-482972d14be3", "name": "T1528" }, { "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d", "name": "T1566" }, { "id": "c10eac8a-a5d7-465a-b557-8a1f7fc6ef99", "name": "T1598.003" }, { "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6", "name": "T1204.002" }, { "id": "dc410646-9cdd-427b-92e7-179a54f78f90", "name": "T1566.001" }, { "id": "50514c04-b3a2-4abf-a855-e3a434200c87", "name": "T1204" }, { "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1", "name": "T1486" }, { "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc", "name": "T1114" }, { "id": "397ed6b1-0142-4167-b0e0-bd69a9adf819", "name": "T1566.003" }, { "id": "b7c6c1ad-f183-4128-8427-3891029c73dc", "name": "T1539" }, { "id": "74d5f31c-5e2d-4aed-b8b9-4fabdde76dfa", "name": "T1598" }, { "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6", "name": "T1087" }, { "id": "ee82762a-2958-4901-aade-341277d9b410", "name": "T1078.004" }, { "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2", "name": "T1566.002" } ], "malware": [ { "id": "403ea8a8-bf2b-4558-b49f-c244af9c410f", "name": "ARTokens", "slug": "artokens" }, { "id": "2d2c305e-d8f7-4cb6-8195-6cce5631c6c9", "name": "ClickFix", "slug": "clickfix" }, { "id": "0e3e96ca-dc32-44cc-9dd8-9316ae1bce6f", "name": "ODx", "slug": "odx" }, { "id": "48baeea5-d9f5-46ee-9b41-c0bb1ee14953", "name": "Tycoon 2FA", "slug": "tycoon-2fa" }, { "id": "0ce936d8-4ac7-444f-bc61-60356568844c", "name": "Kali365", "slug": "kali365" }, { "id": "28185e7f-9085-42f2-bd9a-22ffc252c050", "name": "EvilTokens", "slug": "eviltokens" } ], "observables": [ { "id": "482894ce-4ac3-4b9d-bfb5-465c6f3d2dbb", "name": "europesignaltrust.de" }, { "id": "0581bd84-1cb5-478c-9a09-1fb7312e0680", "name": "ed5ce47d835f-endpoint.com" }, { "id": "5be11d06-9e87-46d1-a958-a4295a2d8c65", "name": "europetrustwave.de" }, { "id": "38de3933-8fa3-4a0e-a68a-46bfff892747", "name": "stablewebsystems.de" }, { "id": "4588493a-f5b9-47e8-9658-67b43c9cf421", "name": "euromarketsignal.de" }, { "id": "6e37cb42-90af-4b4c-9b18-5744e06db96e", "name": "heilbronner-fruehlingssymposium.de" }, { "id": "ab51a6a5-0ea8-4275-aa38-6bfa6bb23ca1", "name": "reliablesupport.de" }, { "id": "e85f83cc-257e-4863-b805-3d6e5a60225b", "name": "0fdba029e6a5-endpoint.com" }, { "id": "336022e8-1671-47ec-9328-4892a2a8a6dd", "name": "z6e43e5886fe-endpoint.com" }, { "id": "344ebcda-28ab-45f5-9115-7f9c49b0bba2", "name": "extendyourcredibility.de" }, { "id": "eb3c7356-1b5b-4cc5-86d1-49cf65469fb6", "name": "019d6860-endpoint.com" }, { "id": "a124c5f9-cdb2-4759-a3ec-c54c6e8224d4", "name": "digitalreliability.de" }, { "id": "4d8de4bb-8341-47e9-826e-2851fe3de8cf", "name": "marketcredibilitysignals.de" }, { "id": "5b500180-7339-475f-84d1-19811b853d5c", "name": "trustedengagement.de" }, { "id": "838977f6-1e46-45ab-9111-f4884424e7a7", "name": "methodicalness.de" }, { "id": "3500cdf6-8c15-4e13-bfca-e98c73b031d0", "name": "marktkarree-langenfeld.de" }, { "id": "f72c68c1-27cd-4b81-a5c8-702cfdb56546", "name": "2dc62559e005-endpoint.com" }, { "id": "26bf0ff5-1602-48fb-915f-4afc6eaba9a5", "name": "consistentdigital.de" }, { "id": "f2ccb0d1-c719-47ee-830e-0c95a650fc80", "name": "f36c2774f013-endpoint.com" }, { "id": "2311b256-aea7-4659-a022-ff7481b8dd7e", "name": "019d442e-endpoint.com" }, { "id": "277da560-11fd-4459-8bac-3f1d39f5c8d0", "name": "4daa2aea93db-endpoint.com" }, { "id": "6a962c63-0001-441c-ba4f-b05d03cc1c82", "name": "digitalcontinuity.de" }, { "id": "c0d6bdec-63f2-4e0e-b63b-d558e8884998", "name": "019d442a-endpoint.com" }, { "id": "da6254dd-6a4d-4b88-982c-2450e93275a8", "name": "uninterruptedperformance.de" }, { "id": "9651ee57-690f-44da-9f4c-d3695f2610ef", "name": "servicewithoutinterruption.de" }, { "id": "4d389cb0-8282-459d-8cad-d7fd3f9c1bba", "name": "jo2c9ada427c6-endpoint.com" }, { "id": "d85c58fd-0cb3-42b1-ae40-5c0a37af42dc", "name": "6dd5fd945b34-endpoint.com" }, { "id": "222e36a6-f9b2-4552-873d-72a6ac104846", "name": "7806d4cf9366-endpoint.com" }, { "id": "0afd5fbc-fdfe-4cc1-aae8-609053a68940", "name": "ee10bbf6c689-endpoint.com" }, { "id": "a2c95c7a-9efa-49c0-877d-84f028757374", "name": "yaga9b286ae2c101-endpoint.com" }, { "id": "01542e50-abe4-4195-9b07-048e0e8db769", "name": "reliableinteractions.de" }, { "id": "43da2dc2-fa57-4e9d-9c5e-d7033a25a00a", "name": "kohlhoff-edelstahlverarbeitung.de" }, { "id": "4711e38a-de03-470e-b437-134aaafabd44", "name": "crediblebizextension.de" }, { "id": "42d6ba64-6880-4d43-bc2f-460a2aaae134", "name": "panel.hewktree.net" }, { "id": "affd9617-31d2-4df9-bc33-e8dd49610ec9", "name": "hti-245401512.hs-sites-na2.com" } ], "others": [ { "id": "", "name": "019d442e-endpoint.com" }, { "id": "", "name": "europesignaltrust.de" }, { "id": "", "name": "019d6860-endpoint.com" }, { "id": "", "name": "reliableinteractions.de" }, { "id": "", "name": "hti-245401512.hs-sites-na2.com" }, { "id": "", "name": "europetrustwave.de" }, { "id": "", "name": "ed5ce47d835f-endpoint.com" }, { "id": "", "name": "019d442a-endpoint.com" }, { "id": "", "name": "z6e43e5886fe-endpoint.com" }, { "id": "", "name": "extendyourcredibility.de" }, { "id": "", "name": "marketcredibilitysignals.de" }, { "id": "", "name": "jo2c9ada427c6-endpoint.com" }, { "id": "", "name": "digitalcontinuity.de" }, { "id": "", "name": "methodicalness.de" }, { "id": "", "name": "kohlhoff-edelstahlverarbeitung.de" }, { "id": "", "name": "f36c2774f013-endpoint.com" }, { "id": "", "name": "trustedengagement.de" }, { "id": "", "name": "heilbronner-fruehlingssymposium.de" }, { "id": "", "name": "crediblebizextension.de" }, { "id": "", "name": "consistentdigital.de" }, { "id": "", "name": "6dd5fd945b34-endpoint.com" }, { "id": "", "name": "reliablesupport.de" }, { "id": "", "name": "yaga9b286ae2c101-endpoint.com" }, { "id": "", "name": "ee10bbf6c689-endpoint.com" }, { "id": "", "name": "digitalreliability.de" }, { "id": "", "name": "servicewithoutinterruption.de" }, { "id": "", "name": "2dc62559e005-endpoint.com" }, { "id": "", "name": "euromarketsignal.de" }, { "id": "", "name": "panel.hewktree.net" }, { "id": "", "name": "7806d4cf9366-endpoint.com" }, { "id": "", "name": "0fdba029e6a5-endpoint.com" }, { "id": "", "name": "stablewebsystems.de" }, { "id": "", "name": "uninterruptedperformance.de" }, { "id": "", "name": "marktkarree-langenfeld.de" }, { "id": "", "name": "4daa2aea93db-endpoint.com" } ] }, "external_refs": [ { "id": "2710fe22-4da2-4ae9-9249-b81ba053a218", "standard_id": "external-reference--1536cccd-7347-5f0c-be44-d0495d969478", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover", "hash": null, "external_id": null, "created": "2026-05-14T18:11:50.647Z", "modified": "2026-05-14T18:11:50.647Z", "createdById": null }, { "id": "87e0f7cb-7541-441d-9797-4b2780ec028f", "standard_id": "external-reference--f4df448c-ca72-5cab-8229-a0e4b765e0f7", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://otx.alienvault.com/pulse/6a05af080ae591ea2bf00e87", "hash": null, "external_id": "6a05af080ae591ea2bf00e87", "created": "2026-05-14T18:11:50.624Z", "modified": "2026-05-14T18:11:50.624Z", "createdById": null } ] }