{ "Event": { "analysis": "1", "date": "2026-04-24", "extends_uuid": "", "info": "[Threat Intel] Token Bingo: Don't Let Your Code be the Winner", "protected": false, "publish_timestamp": "1779545710", "published": true, "threat_level_id": "3", "timestamp": "1779545709", "uuid": "74400b1c-ff68-47cd-97f0-b50c15ad226c", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#d2ee74", "local": false, "name": "misp-galaxy:producer=\"Arctic Wolf\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:region=\"021 - Northern America\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Education\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Finance\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Government, Administration\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Health\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Insurance\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Manufacturing\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777287615", "to_ids": false, "type": "link", "uuid": "46c2ba4d-e6b4-465f-b8c9-7e65a764cb5c", "value": "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1777287615", "to_ids": false, "type": "text", "uuid": "40780115-7f34-447a-9669-13f70f0c4ef6", "value": "In early April 2026, a large-scale device code phishing campaign targeted organizations across multiple sectors and regions, exploiting OAuth 2.0 Device Authorization Grant. Threat actors leveraged the Kali365 phishing-as-a-service platform, originating primarily from IP address 216.203.20[.]95. The campaign used high-fidelity lures directing victims to Microsoft's legitimate device login flow, where users unknowingly authorized threat actor-controlled sessions. Captured OAuth tokens enabled immediate mailbox access and post-compromise activities. In some cases, attackers established malicious inbox rules to suppress security notifications, extending dwell time. The Kali365 platform operates as a multi-tenant PhaaS ecosystem supporting both device code abuse and adversary-in-the-middle session capture, featuring rapid lure generation across multiple languages and file types, Cloudflare Worker-hosted pages, and token sharing capabilities between affiliates." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1777287615", "to_ids": false, "type": "text", "uuid": "f389ec2c-bdcd-4a40-831d-7e570b43c7b6", "value": "Name: Token Bingo: Don't Let Your Code be the Winner\nAuthor: AlienVault\nAdversary: \nTags: [\"credential theft\", \"oauth abuse\", \"token theft\", \"kali365\", \"microsoft 365\", \"inbox rules\", \"device code phishing\", \"phishing-as-a-service\"]\nTgtd countries: []\nMlwr families: [\"Kali365\"]\nAttack_ids: []\nIndustries: [\"Manufacturing\", \"Education\", \"Government\", \"Finance\", \"Healthcare\"]" }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:01/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779545709", "to_ids": true, "type": "sha256", "uuid": "8a705767-2527-4e01-839c-0d693236c054", "value": "883d5d4a73b0ac8cf4f78fe46d8f4e76e21508872836f2b439af2de4a205128e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629726", "to_ids": true, "type": "ip-dst", "uuid": "c3ac6f9f-acdd-427b-9fd3-634b57d405b6", "value": "199.91.220.111", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629747", "to_ids": true, "type": "ip-dst", "uuid": "585114cf-04e1-45ca-9210-a45a50151416", "value": "216.203.20.95", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629768", "to_ids": true, "type": "domain", "uuid": "3f823c52-bb5e-4b13-831e-6924050b777d", "value": "duemineral.uk", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629789", "to_ids": true, "type": "domain", "uuid": "e9971b38-0307-48fb-95a8-6f4f2f69776b", "value": "kali365.xyz", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629811", "to_ids": true, "type": "hostname", "uuid": "090b920f-f2b9-4b6b-afbe-275f4886f072", "value": "api.kali365.xyz", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777629832", "to_ids": true, "type": "hostname", "uuid": "35b4a32a-580b-4030-88e3-204e3ec45c47", "value": "v2.kali365.xyz", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "On port 8443", "deleted": false, "disable_correlation": false, "timestamp": "1777625903", "to_ids": true, "type": "ip-dst|port", "uuid": "33a43749-de3a-4ea2-807b-b3bcd4b7a0a2", "value": "216.203.20.95|8443" }, { "category": "Network activity", "comment": "On port 8443", "deleted": false, "disable_correlation": false, "timestamp": "1777625903", "to_ids": true, "type": "ip-dst|port", "uuid": "7a37ffd9-e456-4c4a-8abd-9e26cc12ff59", "value": "162.243.166.119|8443" }, { "category": "Network activity", "comment": "On port 8443", "deleted": false, "disable_correlation": false, "timestamp": "1777625903", "to_ids": true, "type": "ip-dst|port", "uuid": "3cadb5d2-9b3c-4b7c-8c0f-745c431e9989", "value": "199.91.220.111|8443" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779545705", "uuid": "edf8ae88-3658-48b2-86e9-cbf0676d2e47", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779545704", "to_ids": true, "type": "md5", "uuid": "b8f1776c-f7fd-4928-8b98-61e44c1cdb15", "value": "074ec771da5e042b7ab31e6da6546709", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779545704", "to_ids": true, "type": "sha1", "uuid": "5361dc8e-3548-4520-8de7-4eef39778c27", "value": "68056a9a5c70eae8f2054fe00676788503cf59a0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779545705", "to_ids": true, "type": "sha256", "uuid": "3a94469c-eb64-442e-a61b-c7a024792f63", "value": "09bb7e568e573497e22bfa3f36d71fe9d104899826608affedb25d988f391c85", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777627439", "to_ids": true, "type": "ssdeep", "uuid": "9e8f32e6-6157-4656-b3db-2843d369be73", "value": "192:6Wt9vp1eZ3uDoVkMTcyqqqrZ8I3yyiyA+yAvQSd7yb:tt9v7835mqqrZryyiyA+yAvQSd7yb" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777627439", "to_ids": false, "type": "size-in-bytes", "uuid": "e8cadea7-6bd4-42e4-8af4-eaff794bb5d4", "value": "9491" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777627439", "to_ids": true, "type": "vhash", "uuid": "2a775759-d533-45d0-b03d-ad763687ce92", "value": "eeabc43ee0930b03f4dcd0c760a75053" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777627439", "to_ids": true, "type": "filename", "uuid": "4dd2f069-7ea6-4f5c-a075-b7a09af636f6", "value": "Westdeutscher Metall-Handel GmbH Company Profile, Equipment Samples and System Specifications.html" }, { "category": "Other", "comment": "Checked: 01/05/2026\nLast-scan\t: 30/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777627439", "to_ids": false, "type": "text", "uuid": "f70af73e-9da9-48e2-a054-6cf1cbb246e6", "value": "Type Description: HTML\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2026-04-21T13:04:22.000000+00:00\nLast Submission:2026-04-21T13:04:22.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779545708", "uuid": "0e268d0a-d255-4260-bfbf-efba0dab3c48", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779545707", "to_ids": true, "type": "md5", "uuid": "1043c5e4-d4fd-40a5-b38a-0630b0c6723c", "value": "6a86e4072663d185fa1d751710e9a70a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779545707", "to_ids": true, "type": "sha1", "uuid": "be4d956b-f545-4458-b5ff-4fd0a616a737", "value": "e33c178c1526361029bbfd6b24664db4da9f7f26", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779545708", "to_ids": true, "type": "sha256", "uuid": "4b7c1f81-1b92-40ef-a3fb-3c5c1ceafc64", "value": "2fa6fc2199d3be55e240500d87e4484f39b9315bf336be25434f6716b8d28ec8", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777627461", "to_ids": true, "type": "ssdeep", "uuid": "c44b83f7-bd48-49af-a33c-40a6ea267c0b", "value": "192:62GOpFKudQBV1D3MBMN6gcyIMdYa8I3yyiyA+yAvQSd7yb:lGGMoOpv62IMdYaryyiyA+yAvQSd7yb" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777627461", "to_ids": false, "type": "size-in-bytes", "uuid": "104f58ca-5f6f-4183-8ab9-bc63c753961e", "value": "9515" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777627461", "to_ids": true, "type": "vhash", "uuid": "cf7b88af-74e4-450f-a764-64803bda1976", "value": "eeabc43ee0930b03f4dcd0c760a75053" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777627461", "to_ids": true, "type": "filename", "uuid": "5abe6562-a009-4fbe-942e-72ef6d2b655e", "value": "Shared_document.pdf (1).html" }, { "category": "Other", "comment": "Checked: 01/05/2026\nLast-scan\t: 01/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777627461", "to_ids": false, "type": "text", "uuid": "9713b7f2-f00d-4eec-893d-886a7523450b", "value": "Type Description: HTML\nMicrosoft: Trojan:Script/Wacatac.C!ml\nVT Total Detection:1/61\nFirst Submission:2026-04-19T10:28:22.000000+00:00\nLast Submission:2026-04-19T10:28:22.000000+00:00" } ] } ] } }