{
  "Event": {
    "analysis": "1",
    "date": "2026-04-06",
    "extends_uuid": "",
    "info": "[Threat Intel] Inside an AI-enabled device code phishing campaign",
    "protected": false,
    "publish_timestamp": "1775975065",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775975064",
    "uuid": "05e91cb0-b934-46a1-acbb-ff55d34cd588",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#96f4f6",
        "local": false,
        "name": "misp-galaxy:producer=\"Microsoft\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530810",
        "to_ids": false,
        "type": "link",
        "uuid": "f28b1fd8-ba47-458f-901f-e4b91bbe34e3",
        "value": "https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530810",
        "to_ids": false,
        "type": "text",
        "uuid": "6d50e1c5-7b92-4eef-a1b4-6ff10bcd1b1e",
        "value": "Microsoft Defender Security Research has observed a widespread phishing campaign leveraging the Device Code Authentication flow to compromise organizational accounts at scale. While traditional device code attacks are typically narrow in scope, this campaign demonstrated a higher success rate, driven by automation and dynamic code generation that circumvented the standard 15-minute expiration window for device codes. This activity aligns with the emergence of EvilToken, a Phishing-as-a-Service (PhaaS) toolkit identified as a key driver of large-scale device code abuse."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775530810",
        "to_ids": false,
        "type": "text",
        "uuid": "27d4fcba-9324-4924-876c-684f63784c66",
        "value": "Name: Inside an AI-enabled device code phishing campaign\nAuthor: AlienVault\nAdversary: \nTags: [\"phishing\"]\nTgtd countries: []\nMlwr families: [\"EvilToken\"]\nAttack_ids: [\"T1566\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775974376",
        "to_ids": true,
        "type": "domain",
        "uuid": "94346a38-2ffa-4f0e-8c78-f0935d0fb7c2",
        "value": "office365-login.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775974397",
        "to_ids": true,
        "type": "domain",
        "uuid": "5e55f5a5-e0e8-4b31-b29f-f327fb1ea4df",
        "value": "portal-azure.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775974418",
        "to_ids": true,
        "type": "hostname",
        "uuid": "22e96861-f7ec-4b95-941b-be87930d3866",
        "value": "a7b2-c9d4.office-verify.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Threat actor infrastructure observed with sign-in",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775974439",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "6a1475d3-2cb4-4529-a63f-3bc2d2bc6d31",
        "value": "160.220.232.0",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Threat actor infrastructure observed with sign-in",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775974461",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "6b798fe5-9d2c-4c04-8b76-92823859bb7b",
        "value": "160.220.234.0",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Threat actor infrastructure observed with sign-in",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775974482",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1d96f665-1a26-4ca0-827c-8a599c54d259",
        "value": "89.150.45.0",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Threat actor infrastructure observed with sign-in",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775974503",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1d90b096-4a73-45a2-8986-3e732221a20b",
        "value": "185.81.113.0",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}