{
  "Event": {
    "analysis": "1",
    "date": "2026-03-30",
    "extends_uuid": "",
    "info": "[Threat Intel] New widespread EvilTokens kit: device code phishing as-a-service",
    "protected": false,
    "publish_timestamp": "1775907163",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775907162",
    "uuid": "99cf6a31-5267-463e-9ed5-8531f4854724",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#d3e17d",
        "local": false,
        "name": "misp-galaxy:producer=\"Sekoia\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#77a4ec",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"",
        "relationship_type": ""
      },
      {
        "colour": "#91c667",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Cloud Storage - T1530\"",
        "relationship_type": ""
      },
      {
        "colour": "#a320c3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unsecured Credentials - T1552\"",
        "relationship_type": ""
      },
      {
        "colour": "#b25e1b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Use Alternate Authentication Material - T1550\"",
        "relationship_type": ""
      },
      {
        "colour": "#08221e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#139188",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Transfer Data to Cloud Account - T1537\"",
        "relationship_type": ""
      },
      {
        "colour": "#e6bbfd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Service Discovery - T1526\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#b990dd",
        "local": false,
        "name": "misp-galaxy:target-information=\"Australia\"",
        "relationship_type": ""
      },
      {
        "colour": "#098efb",
        "local": false,
        "name": "misp-galaxy:target-information=\"British Indian Ocean Territory\"",
        "relationship_type": ""
      },
      {
        "colour": "#1faf16",
        "local": false,
        "name": "misp-galaxy:target-information=\"Canada\"",
        "relationship_type": ""
      },
      {
        "colour": "#15ccfd",
        "local": false,
        "name": "misp-galaxy:target-information=\"France\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#e6caf2",
        "local": false,
        "name": "misp-galaxy:target-information=\"Switzerland\"",
        "relationship_type": ""
      },
      {
        "colour": "#a24b57",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Arab Emirates\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Cybercrime\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012422",
        "to_ids": false,
        "type": "link",
        "uuid": "8844fa15-1dac-49f2-a214-b2422d1055ee",
        "value": "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012422",
        "to_ids": false,
        "type": "text",
        "uuid": "0c412071-b2bd-4428-a99a-21b6565793d8",
        "value": "EvilTokens is a new Phishing-as-a-Service offering that provides a turnkey Microsoft device code phishing kit. It enables attackers to harvest access and refresh tokens, granting unauthorized access to victims' Microsoft accounts. The kit supports post-compromise operations, allowing data exfiltration from various Microsoft services. EvilTokens has been rapidly adopted by cybercriminals since March 2026, impacting organizations globally. The service provides advanced capabilities for account takeover, including conversion of tokens into Primary Refresh Tokens and browser cookies for persistent access. Phishing campaigns using EvilTokens target employees in finance, HR, logistics, and sales, primarily for Business Email Compromise attacks."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012422",
        "to_ids": false,
        "type": "text",
        "uuid": "2f8ea0af-a394-401c-9f3a-e6b153aa8918",
        "value": "Name: New widespread EvilTokens kit: device code phishing as-a-service\nAuthor: AlienVault\nAdversary: \nTags: [\"device code phishing\", \"token harvesting\", \"microsoft 365\", \"phishing-as-a-service\", \"business email compromise\", \"oauth 2.0\", \"eviltokens\", \"account takeover\"]\nTgtd countries: [\"United States of America\", \"Australia\", \"British Indian Ocean Territory\", \"Canada\", \"France\", \"India\", \"Switzerland\", \"United Arab Emirates\"]\nMlwr families: []\nAttack_ids: [\"T1539\", \"T1114\", \"T1530\", \"T1552\", \"T1550\", \"T1528\", \"T1566\", \"T1078\", \"T1537\", \"T1526\"]\nIndustries: [\"Finance\", \"Government\", \"Manufacturing\", \"Transportation\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904844",
        "to_ids": true,
        "type": "domain",
        "uuid": "092cb1b7-97a8-43f7-b664-bf66595a855c",
        "value": "authdocspro.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904866",
        "to_ids": true,
        "type": "domain",
        "uuid": "5f522364-7e8a-47ae-9003-4b822a1ae8b3",
        "value": "backdoor-hub.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904887",
        "to_ids": true,
        "type": "domain",
        "uuid": "52685f8f-10dd-4296-8641-974d52e0d46c",
        "value": "bumpgames.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904909",
        "to_ids": true,
        "type": "domain",
        "uuid": "fd00815c-e4da-4682-a263-ce6af6a4d607",
        "value": "carbatterygurgaon.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904930",
        "to_ids": true,
        "type": "domain",
        "uuid": "1d591020-32c6-4a16-a9fa-3ec7539fd9a1",
        "value": "careldutoit-el.co.za",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904951",
        "to_ids": true,
        "type": "domain",
        "uuid": "841ee371-fe3d-4309-9e32-38e74c2e5930",
        "value": "eqfit.co.za",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904972",
        "to_ids": true,
        "type": "domain",
        "uuid": "77bb351e-49a2-4cfe-93b8-599dfa2019df",
        "value": "eventcalender-schedule.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904993",
        "to_ids": true,
        "type": "domain",
        "uuid": "928b92f1-74de-4081-8a4e-e01cd8251777",
        "value": "evobothub.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905015",
        "to_ids": true,
        "type": "domain",
        "uuid": "8e19779b-562e-4722-97dc-d0edc9f71608",
        "value": "framebound.cloud",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905036",
        "to_ids": true,
        "type": "domain",
        "uuid": "ccd7833c-4418-4593-9b56-a4e8c719e028",
        "value": "infinitechai.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905057",
        "to_ids": true,
        "type": "domain",
        "uuid": "0150241e-8712-4629-997f-32e1a79caf46",
        "value": "macmamo.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905079",
        "to_ids": true,
        "type": "domain",
        "uuid": "3335c1f9-bd93-4388-84a1-b8f38732ebdb",
        "value": "mirsanotolastik.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905100",
        "to_ids": true,
        "type": "domain",
        "uuid": "cc4571f6-566f-4fc2-90de-42e5bff2fe65",
        "value": "mirzanyapi.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905121",
        "to_ids": true,
        "type": "domain",
        "uuid": "c5d0210b-8456-4691-9371-8ef3d1cf0bf1",
        "value": "newmobilepolojean.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905142",
        "to_ids": true,
        "type": "domain",
        "uuid": "dedafebf-b150-4117-b118-bd9dc1cfe166",
        "value": "notificationsmanagersec.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905163",
        "to_ids": true,
        "type": "domain",
        "uuid": "e7c2d452-1f64-495d-b3f4-e205d59e9855",
        "value": "pelangiservice.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905184",
        "to_ids": true,
        "type": "domain",
        "uuid": "92520bc9-4386-4783-831d-114a4fe3d36b",
        "value": "prcservis.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905206",
        "to_ids": true,
        "type": "domain",
        "uuid": "d8c235ff-75ff-4956-ad32-d5e8b5359cb7",
        "value": "serenitygovsupplys.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905227",
        "to_ids": true,
        "type": "domain",
        "uuid": "e6ecc716-2d9f-47d6-9317-a4cc43150cfe",
        "value": "smstltle.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905248",
        "to_ids": true,
        "type": "domain",
        "uuid": "ec2ec49b-ec28-4ee3-92d2-98e406e3b5bc",
        "value": "suctwocesonesstory.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905269",
        "to_ids": true,
        "type": "domain",
        "uuid": "6dc54f27-cd47-4bd0-8091-3e6b08447f52",
        "value": "thesafarigarden.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905290",
        "to_ids": true,
        "type": "domain",
        "uuid": "2e1cff9b-c0a8-48fc-9f76-c37438fc8eb5",
        "value": "topbuysella.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905311",
        "to_ids": true,
        "type": "domain",
        "uuid": "b4f05512-f175-434e-8370-36b6d3084a4c",
        "value": "totalhomesafe.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905332",
        "to_ids": true,
        "type": "domain",
        "uuid": "60cd8dd8-f105-4986-bb7e-40f31d6f3cbd",
        "value": "xlkconsulting.co.za",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905354",
        "to_ids": true,
        "type": "domain",
        "uuid": "13df2527-daf5-4df7-aa84-bdde355cf2cf",
        "value": "yankeepine.co",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905375",
        "to_ids": true,
        "type": "domain",
        "uuid": "45aa1945-1325-4778-b71b-d70c052d5d3f",
        "value": "youremplregroup.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905396",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8ea4cd0b-366e-42b4-8ce3-08bcbeaa868f",
        "value": "docusend.networkssolutionmail.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905418",
        "to_ids": true,
        "type": "hostname",
        "uuid": "cb43ef42-7b45-4177-a38c-331ad96ddea1",
        "value": "internalmemorecord.bxwancheng.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905439",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e813fafb-d069-47be-83b3-e042b90c9222",
        "value": "promanager.outboundciwidey.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905460",
        "to_ids": true,
        "type": "hostname",
        "uuid": "de90d0b6-26cd-4d45-9bb3-88389c9bcc7f",
        "value": "signaturerequired.thecoolcactus.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905481",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3e10fc09-02d0-4df3-b5f8-b7d622a56d89",
        "value": "statushelper.aguasomos.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905503",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5ea3e08b-a689-4ca4-a7a3-2fb271d92a42",
        "value": "update.youcreadio.cfd",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905524",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9f969e69-13e7-4612-8a42-b635d76dd891",
        "value": "well.atlantaperlnatal.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905544",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c666f3c6-34c6-4b28-bc92-e60ed62a83fb",
        "value": "careldutoit-el.co.za",
        "Tag": [
          {
            "colour": "#669ae5",
            "local": false,
            "name": "AlreadyExistsError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905565",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b44788d1-bc4a-4517-8785-dd72b7dabb97",
        "value": "dao.com.au",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905586",
        "to_ids": true,
        "type": "hostname",
        "uuid": "307c9210-1eae-4d2a-8f9a-659b0c6fe99f",
        "value": "eqfit.co.za",
        "Tag": [
          {
            "colour": "#669ae5",
            "local": false,
            "name": "AlreadyExistsError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905607",
        "to_ids": true,
        "type": "hostname",
        "uuid": "13b622df-d4be-4d50-8fc7-c91577e80f19",
        "value": "xlkconsulting.co.za",
        "Tag": [
          {
            "colour": "#669ae5",
            "local": false,
            "name": "AlreadyExistsError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905628",
        "to_ids": true,
        "type": "hostname",
        "uuid": "af3982f7-1a60-4e91-ab6c-0ed88f68d9e1",
        "value": "adobe-lar.denise-chxhistory-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905649",
        "to_ids": true,
        "type": "hostname",
        "uuid": "67a00655-99c1-43a6-801b-4a8f89fcd8a3",
        "value": "docusign-vs4.finance-zltnservices-org-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905671",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a87b64a6-6c13-42fa-a4ec-b265064b1738",
        "value": "onedrive-au8.hayixa9795-pazard-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905692",
        "to_ids": true,
        "type": "hostname",
        "uuid": "0452ac48-42ec-4d7a-8930-3dc02b144471",
        "value": "adobe-b6d.tuwilika-fcsnam-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905713",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e092970a-3490-4f94-8cf2-6f0fbfb8ca4d",
        "value": "onedrive-23n.sbutler-stateservice-us-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905734",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c3235b06-1e34-406f-ae4c-90711562572d",
        "value": "onedrive-ac4.ryker-samik-dropmeon-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905756",
        "to_ids": true,
        "type": "hostname",
        "uuid": "373917df-5e32-4519-b14b-94c2fe4488c4",
        "value": "onedrive-33i.amittal-prodwaresol-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905778",
        "to_ids": true,
        "type": "hostname",
        "uuid": "7ccb0e38-c570-44af-9d59-d4d78ce9e9a9",
        "value": "docusign-d0e.admin-treyripple-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905799",
        "to_ids": true,
        "type": "hostname",
        "uuid": "500be9e9-456f-4db4-8ab5-23ab6a01df20",
        "value": "adobe-t9r.thomas-gibson-clyde-enq-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905820",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c319088a-2463-470a-bd83-b6dc846e348e",
        "value": "onedrive-7fp.davarius-thackery-dropmeon-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905841",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5a46d12d-ab3a-474a-b898-67981571ec3f",
        "value": "adobe-h7l.gregcausey-hyundaicrenshaw-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905862",
        "to_ids": true,
        "type": "hostname",
        "uuid": "54555304-786a-4f17-9ee3-b2652d427984",
        "value": "sharepoint-uo2.angela-warrconstructioninc-onmicrosoft-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905884",
        "to_ids": true,
        "type": "hostname",
        "uuid": "fb06d1af-2282-4e7e-9dde-da4c92904718",
        "value": "onedrive-hea.jhaas-hapnehartmedia-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905905",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9485873f-474e-4092-87c4-670ab4db1001",
        "value": "page-custommmvx6290-9kb.snpfs90-outlook-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905926",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5e808a82-42c5-445f-8e91-7f8ceff78450",
        "value": "index-8ni.shirdav-mail-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905947",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1569f166-9b6c-43e5-88cb-f24592779fb3",
        "value": "docusign-gmx.medea-locallovechs-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905968",
        "to_ids": true,
        "type": "hostname",
        "uuid": "598a64aa-3e97-446a-a092-85391fdf7eec",
        "value": "index-izk.rifkit-protonmail-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775905990",
        "to_ids": true,
        "type": "hostname",
        "uuid": "41bffb35-b386-4ca4-b61a-adf38d5c78bd",
        "value": "docusign-t0o.accountsreceivable-greens-au-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906012",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b082f19f-9214-43d8-874e-bb013ef32689",
        "value": "adobe-7bf.signature-on-invoice-required-mail-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906033",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a0b30d4a-2437-476a-97d9-417780d8f0f1",
        "value": "page-voicemail-3i6.ucbqzm9-ucl-ac-uk-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906054",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f9a34171-8b48-43b6-af60-48ea4a0031fe",
        "value": "adobe-y73.letsgo-birdynyc-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906075",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d8140cbc-6577-41d0-b127-f488eae86985",
        "value": "onedrive-dsk.cassandra-warholak-ifrma-org-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906096",
        "to_ids": true,
        "type": "hostname",
        "uuid": "160cdc68-3d4f-4746-9b13-1ee55d6da81e",
        "value": "docusign-u0p.kevin-domae-ca-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906118",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f52d40a6-ec51-4842-a79d-eeffdd527e02",
        "value": "docusign-a5c.export-cellular-iberia-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906139",
        "to_ids": true,
        "type": "hostname",
        "uuid": "233b1634-d935-4ac1-ba0b-e136cab5d648",
        "value": "docusign-14g.jhipolito-arrow-food-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906161",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8866e8a1-5fbb-4572-8912-11b97bf505b6",
        "value": "adobe-qi2.pm-pdgrealty-proton-me-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906182",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e368592d-8d06-4106-abea-b45b065f16dc",
        "value": "adobe-8dt.ishaan-zvi-dropmeon-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906203",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b76d6947-58aa-445a-b302-ca97ed792b9a",
        "value": "adobe-of6.hayixa9795-pazard-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906225",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8dfd5b4c-0a19-45b3-8bbe-8f129fbe8a5f",
        "value": "docusign-ffp.garciarodriguezt-student-wpunj-edu-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906246",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8e5ce066-9192-46ba-a16e-98d8bc8c73ed",
        "value": "docusign-y8l.accountant-fitfranchisebrands-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906267",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9b842c7d-bfe6-4b4d-a804-15d825912b7b",
        "value": "adobe-mxg.snpfs90-outlook-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906288",
        "to_ids": true,
        "type": "hostname",
        "uuid": "13951ce9-5423-44a6-b32b-f256a821c98e",
        "value": "index-ap3.tyler2miler-proton-me-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906309",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e4d2efe0-de8d-41fd-8b4d-15e330c0565a",
        "value": "adobe-yzz.ejkim-gsglobalusa-us-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906330",
        "to_ids": true,
        "type": "hostname",
        "uuid": "7eea31bb-8133-4fbb-8530-301a67f697f7",
        "value": "docusign-520.mike-maplecityglass-net-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906352",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2eb686e8-c246-421e-9706-ec450d55242d",
        "value": "voicemail-l1b.thomas-gibson-clyde-enq-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906373",
        "to_ids": true,
        "type": "hostname",
        "uuid": "145d080b-897d-4eca-9c96-7fae768486a6",
        "value": "docusign-ac3.christina-parsons-charter-comm-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906394",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3d903842-a86b-490f-875f-71b5792b608a",
        "value": "docusign-o4x.bhc-credit-services-edl-bayreer-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775906415",
        "to_ids": true,
        "type": "hostname",
        "uuid": "45c811ed-5c8b-4477-8ecd-0edaf3e28f42",
        "value": "onedrive-4um.accounting-malitzconstructioninc-co-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1775899821",
        "uuid": "d2e06970-0d03-4981-ac35-88744b3726bc",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1775899821",
            "to_ids": false,
            "type": "text",
            "uuid": "be9de106-00b5-4f5d-abf9-b015577d245a",
            "value": "phishing_eviltokens_phishing_page"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1775899821",
            "to_ids": false,
            "type": "comment",
            "uuid": "2468150c-cd3b-49bf-b307-045c20f4b727",
            "value": "Find EvilTokens device code phishing pages based on characteristic strings"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1775899821",
            "to_ids": true,
            "type": "yara",
            "uuid": "fd9729e4-369b-4684-887a-f8d068f268f1",
            "value": "rule phishing_eviltokens_phishing_page {\r\n    meta:\r\n        malware = \"EvilTokens\"\r\n        description = \"Find EvilTokens device code phishing pages based on characteristic strings\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2026-03-05\"\r\n        modification_date = \"2026-03-05\"\r\n        classification = \"TLP:CLEAR\"\r\n        reference = \"https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/\"\r\n\r\n    strings:\r\n        $html = \"<!DOCTYPE html>\" ascii\r\n\r\n        $str01 = \"<div id=\\\"r\\\">\" ascii\r\n        $str02 = \"function f(s){\" ascii\r\n        $str03 = \"return Uint8Array.from(atob(s),x=>x.charCodeAt(0))\" ascii\r\n        $str04 = \"var k=await crypto.subtle.importKey(\" ascii\r\n        $str05 = \"var p=await crypto.subtle.decrypt(\" ascii\r\n        $str06 = \"name:\\\"AES-GCM\\\",iv:f(b)\" ascii\r\n        $str07 = \"document.write(new TextDecoder().decode(\" ascii\r\n        $str08 = \"document.body.innerHTML=\\\"Loading failed\\\"\" ascii\r\n        $str09 = \"document.close()}catch(e)\" ascii\r\n\r\n    condition:\r\n        $html at 0 and\r\n        6 of them and filesize < 50KB\r\n}"
          }
        ]
      }
    ]
  }
}