{
  "Event": {
    "analysis": "1",
    "date": "2026-03-10",
    "extends_uuid": "",
    "info": "[Threat Intel] Microsoft OAuth Device Code Phishing",
    "protected": false,
    "publish_timestamp": "1773997356",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1773997356",
    "uuid": "ced3e787-cdd1-4d24-a3c0-0999234dfa74",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#60f452",
        "local": false,
        "name": "misp-galaxy:producer=\"ANY.RUN\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#098efb",
        "local": false,
        "name": "misp-galaxy:target-information=\"British Indian Ocean Territory\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773226808",
        "to_ids": false,
        "type": "link",
        "uuid": "56e82a66-6a04-4cce-8fca-3ac95171f856",
        "value": "https://any.run/cybersecurity-blog/oauth-device-code-phishing/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773226808",
        "to_ids": false,
        "type": "text",
        "uuid": "5d687c81-b1ef-4250-b2f6-d794ef99c1d8",
        "value": "A new phishing technique abusing Microsoft's OAuth Device Code flow is on the rise, with over 180 phishing URLs detected in a week. This method shifts from credential theft to token-based account takeover, making detection more challenging. Attackers initiate a device authorization process, tricking victims into approving it on legitimate Microsoft pages. The attack uses encrypted HTTPS traffic and legitimate authentication flows, bypassing traditional phishing indicators. Victims unknowingly grant attackers access to their Microsoft 365 accounts through OAuth tokens. This poses a critical risk as it allows immediate access to corporate data and resources, potentially leading to business email compromise and persistent access through refresh tokens."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773226808",
        "to_ids": false,
        "type": "text",
        "uuid": "b3ee0856-4918-4e42-ac10-93cd750b0a27",
        "value": "Name: Microsoft OAuth Device Code Phishing\nAuthor: AlienVault\nAdversary: \nTags: [\"oauth\", \"account takeover\", \"ssl decryption\", \"device code\", \"https\", \"token-based\", \"microsoft 365\", \"phishing\"]\nTargeted countries: [\"United States of America\", \"British Indian Ocean Territory\", \"India\"]\nMalware families: []\nAttack_ids: [\"T1566\"]\nIndustries: [\"Technology\", \"Education\", \"Manufacturing\", \"Government\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278622",
        "to_ids": true,
        "type": "domain",
        "uuid": "dac36754-7091-406c-84c1-36e5474cf263",
        "value": "aiinnovationsfly.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278643",
        "to_ids": true,
        "type": "domain",
        "uuid": "36ee3e41-07ff-4f4e-bf21-3339dd09a2de",
        "value": "astrolinktech.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278665",
        "to_ids": true,
        "type": "hostname",
        "uuid": "db20fc5f-187e-4eb2-9dc9-b3e90e2eef39",
        "value": "singer-bodners-bau-at-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278686",
        "to_ids": true,
        "type": "hostname",
        "uuid": "499751bd-ecdd-4562-bec2-13bff77b6081",
        "value": "dibafef289.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278708",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b30056a2-ce5d-4bd9-9fd7-a8acd1c4a937",
        "value": "ab-monvoisinproduction-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278729",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e7c46b4a-2abc-4247-b230-f3f4c8dafba5",
        "value": "subzero908.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278750",
        "to_ids": true,
        "type": "hostname",
        "uuid": "dfd6095c-8ca6-4561-8b10-64f4819e0429",
        "value": "sandra-solorzano-duncanfamilyfarms-net-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278771",
        "to_ids": true,
        "type": "hostname",
        "uuid": "dd085991-ec04-45b1-a4e4-39b2a861db80",
        "value": "tyler2miler-proton-me-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278794",
        "to_ids": true,
        "type": "hostname",
        "uuid": "4e57eeee-78b2-484b-87e0-2bdf8f120303",
        "value": "aarathe-ramraj-tipgroup-com-au-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278815",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d27f53c9-e774-4fa1-808a-5bd118ea71d0",
        "value": "andy-bardigans-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278836",
        "to_ids": true,
        "type": "hostname",
        "uuid": "efed28a6-95c4-4b5a-866f-253b3ef4fa9d",
        "value": "dennis-saltertrusss-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278857",
        "to_ids": true,
        "type": "hostname",
        "uuid": "52e8192a-2ac5-465b-92a9-4eb0b64ab707",
        "value": "rockymountainhi.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278878",
        "to_ids": true,
        "type": "hostname",
        "uuid": "76b2b8ed-a396-47bf-9275-dcd030e1eba3",
        "value": "workspace1717-outlook-com-s-account.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}