{ "type": "Domain", "indicator": "cocinternal.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cocinternal.com", "alexa": "http://www.alexa.com/siteinfo/cocinternal.com", "indicator": "cocinternal.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4343697608, "indicator": "cocinternal.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "69fb1736879a4a945346b9ba", "name": "Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails", "description": "A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.", "modified": "2026-05-07T08:22:54.725000", "created": "2026-05-06T10:25:58.883000", "tags": [ "aitm", "financial services", "credential theft", "healthcare targeting", "mfa bypass", "captcha evasion", "phishing campaign", "session hijacking" ], "references": [ "https://cyberpress.org/aitm-attack-uses-phishing/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 386458, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f8f1230f0bda494499b941", "name": "Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise", "description": "A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The multi-stage attack chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using social engineering techniques that created urgency through time-bound prompts and concerning accusations.", "modified": "2026-05-05T10:06:53.896000", "created": "2026-05-04T19:18:59.833000", "tags": [ "authentication token", "credential theft", "captcha filtering", "token compromise", "aitm", "multi-stage attack", "social engineering" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1588.006", "name": "Vulnerabilities", "display_name": "T1588.006 - Vulnerabilities" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1557.001", "name": "LLMNR/NBT-NS Poisoning and SMB Relay", "display_name": "T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" } ], "industries": [ "Healthcare", "Finance", "Technology", "Government", "Manufacturing", "Retail", "Telecommunications", "Transportation", "Education", "Media", "Energy", "Aerospace", "Construction", "Hospitality", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 3, "domain": 5, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 386456, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552176, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc23105d3bac4bb98ec761", "name": "Credit Tr1sha111 Clone [\"Muddying the Tracks: The State-Sponsored Shadow\"]", "description": "", "modified": "2026-05-12T05:32:41.787000", "created": "2026-05-07T05:28:48.237000", "tags": [ "description", "c2 url", "tool", "service binary", "dwservice", "background", "source ip", "microsoft teams", "quick assist" ], "references": [ "https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69fc1914c878d5cc2c6d474b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 10, "IPv4": 5, "domain": 7, "CVE": 2, "URL": 1 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd6ace7eb0b90ae5e0bad1", "name": "Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails", "description": "", "modified": "2026-05-08T04:47:10.395000", "created": "2026-05-08T04:47:10.395000", "tags": [ "aitm", "financial services", "credential theft", "healthcare targeting", "mfa bypass", "captcha evasion", "phishing campaign", "session hijacking" ], "references": [ "https://cyberpress.org/aitm-attack-uses-phishing/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Finance" ], "TLP": "white", "cloned_from": "69fb1736879a4a945346b9ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd6ab1d93fddbc4eca0a5a", "name": "Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails", "description": "", "modified": "2026-05-08T04:46:41.413000", "created": "2026-05-08T04:46:41.413000", "tags": [ "aitm", "financial services", "credential theft", "healthcare targeting", "mfa bypass", "captcha evasion", "phishing campaign", "session hijacking" ], "references": [ "https://cyberpress.org/aitm-attack-uses-phishing/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Finance" ], "TLP": "white", "cloned_from": "69fb1736879a4a945346b9ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd6a90ea09bac209a0af4a", "name": "Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails", "description": "", "modified": "2026-05-08T04:46:08.596000", "created": "2026-05-08T04:46:08.596000", "tags": [ "aitm", "financial services", "credential theft", "healthcare targeting", "mfa bypass", "captcha evasion", "phishing campaign", "session hijacking" ], "references": [ "https://cyberpress.org/aitm-attack-uses-phishing/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Finance" ], "TLP": "white", "cloned_from": "69fb1736879a4a945346b9ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd2e30c5d49dc249ab2587", "name": "IBCARD_07_05_2026", "description": "The following is the full list of people who have made an impact on the internet, and what they want to know about it: the people of the world, or, more specifically, their own.", "modified": "2026-05-08T00:28:32.766000", "created": "2026-05-08T00:28:32.766000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 27, "FileHash-SHA256": 27, "IPv4": 356, "URL": 6, "domain": 8 }, "indicator_count": 452, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fbad82234fc33123b0ce6d", "name": "EbeeMay2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-06T21:07:14.769000", "created": "2026-05-06T21:07:14.769000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "localappdata", "cve20250994 cve", "temp", "mutex", "local" ], "references": [ "IOCs-May1.csv" ], "public": 1, "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 80, "CIDR": 3, "CVE": 10, "FileHash-MD5": 154, "FileHash-SHA1": 140, "FileHash-SHA256": 219, "URL": 80, "domain": 82, "email": 8, "hostname": 60 }, "indicator_count": 836, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fad419735635505374a334", "name": "IOC - Breaking the code: Multi-stage \u2018code of conduct\u2019 phishing campaign leads to AiTM token compromise", "description": "Phishing campaigns continue to improve sophistication and refinement in blending social engineering, delivery and hosting infrastructure, and authentication abuse to remain effective against evolving security controls. A large-scale credential theft campaign observed by Microsoft Defender Research exemplifies this trend, using code of conduct-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker-controlled domains.", "modified": "2026-05-06T05:39:37.373000", "created": "2026-05-06T05:39:37.373000", "tags": [ "email address", "domain domain", "awareness case", "log file", "april", "filename name", "pdf attachment", "file hash", "domain", "indicator type" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "domain": 3 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fabb38dc54c806b7504109", "name": "Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise", "description": "", "modified": "2026-05-06T03:53:28.714000", "created": "2026-05-06T03:53:28.714000", "tags": [ "authentication token", "credential theft", "captcha filtering", "token compromise", "aitm", "multi-stage attack", "social engineering" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1588.006", "name": "Vulnerabilities", "display_name": "T1588.006 - Vulnerabilities" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1557.001", "name": "LLMNR/NBT-NS Poisoning and SMB Relay", "display_name": "T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" } ], "industries": [ "Healthcare", "Finance", "Technology", "Government", "Manufacturing", "Retail", "Telecommunications", "Transportation", "Education", "Media", "Energy", "Aerospace", "Construction", "Hospitality", "Defense" ], "TLP": "white", "cloned_from": "69f8f1230f0bda494499b941", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 3, "domain": 5, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f9fbfae3ba66bbf5cff9d8", "name": "Breaking the code: Multi-stage \u2018code of conduct\u2019 phishing campaign leads to AiTM token compromise | Microsoft Security Blog", "description": "", "modified": "2026-05-05T14:17:30.411000", "created": "2026-05-05T14:17:30.411000", "tags": [ "office", "april", "pdf attachment", "captcha", "defender", "smartscreen", "review", "sign", "microsoft", "email", "phishing", "team", "internal", "code", "twitter", "bluesky" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "domain": 3, "email": 5 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs-May1.csv", "https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/", "https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware/", "https://cyberpress.org/aitm-attack-uses-phishing/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Government", "Media", "Technology", "Healthcare", "Hospitality", "Construction", "Telecommunications", "Energy", "Aerospace", "Defense", "Retail", "Transportation", "Education", "Manufacturing", "Finance" ] }, "other": { "adversary": [ "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT" ], "malware_families": [], "industries": [ "Government", "Media", "Technology", "Healthcare", "Hospitality", "Construction", "Telecommunications", "Energy", "Aerospace", "Defense", "Retail", "Transportation", "Education", "Manufacturing", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "69fb1736879a4a945346b9ba", "name": "Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails", "description": "A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.", "modified": "2026-05-07T08:22:54.725000", "created": "2026-05-06T10:25:58.883000", "tags": [ "aitm", "financial services", "credential theft", "healthcare targeting", "mfa bypass", "captcha evasion", "phishing campaign", "session hijacking" ], "references": [ "https://cyberpress.org/aitm-attack-uses-phishing/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 386458, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f8f1230f0bda494499b941", "name": "Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise", "description": "A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The multi-stage attack chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using social engineering techniques that created urgency through time-bound prompts and concerning accusations.", "modified": "2026-05-05T10:06:53.896000", "created": "2026-05-04T19:18:59.833000", "tags": [ "authentication token", "credential theft", "captcha filtering", "token compromise", "aitm", "multi-stage attack", "social engineering" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1588.006", "name": "Vulnerabilities", "display_name": "T1588.006 - Vulnerabilities" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1557.001", "name": "LLMNR/NBT-NS Poisoning and SMB Relay", "display_name": "T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" } ], "industries": [ "Healthcare", "Finance", "Technology", "Government", "Manufacturing", "Retail", "Telecommunications", "Transportation", "Education", "Media", "Energy", "Aerospace", "Construction", "Hospitality", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 3, "domain": 5, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 386456, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552176, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc23105d3bac4bb98ec761", "name": "Credit Tr1sha111 Clone [\"Muddying the Tracks: The State-Sponsored Shadow\"]", "description": "", "modified": "2026-05-12T05:32:41.787000", "created": "2026-05-07T05:28:48.237000", "tags": [ "description", "c2 url", "tool", "service binary", "dwservice", "background", "source ip", "microsoft teams", "quick assist" ], "references": [ "https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69fc1914c878d5cc2c6d474b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 10, "IPv4": 5, "domain": 7, "CVE": 2, "URL": 1 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd6ace7eb0b90ae5e0bad1", "name": "Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails", "description": "", "modified": "2026-05-08T04:47:10.395000", "created": "2026-05-08T04:47:10.395000", "tags": [ "aitm", "financial services", "credential theft", "healthcare targeting", "mfa bypass", "captcha evasion", "phishing campaign", "session hijacking" ], "references": [ "https://cyberpress.org/aitm-attack-uses-phishing/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Finance" ], "TLP": "white", "cloned_from": "69fb1736879a4a945346b9ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd6ab1d93fddbc4eca0a5a", "name": "Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails", "description": "", "modified": "2026-05-08T04:46:41.413000", "created": "2026-05-08T04:46:41.413000", "tags": [ "aitm", "financial services", "credential theft", "healthcare targeting", "mfa bypass", "captcha evasion", "phishing campaign", "session hijacking" ], "references": [ "https://cyberpress.org/aitm-attack-uses-phishing/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Finance" ], "TLP": "white", "cloned_from": "69fb1736879a4a945346b9ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd6a90ea09bac209a0af4a", "name": "Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails", "description": "", "modified": "2026-05-08T04:46:08.596000", "created": "2026-05-08T04:46:08.596000", "tags": [ "aitm", "financial services", "credential theft", "healthcare targeting", "mfa bypass", "captcha evasion", "phishing campaign", "session hijacking" ], "references": [ "https://cyberpress.org/aitm-attack-uses-phishing/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Finance" ], "TLP": "white", "cloned_from": "69fb1736879a4a945346b9ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd2e30c5d49dc249ab2587", "name": "IBCARD_07_05_2026", "description": "The following is the full list of people who have made an impact on the internet, and what they want to know about it: the people of the world, or, more specifically, their own.", "modified": "2026-05-08T00:28:32.766000", "created": "2026-05-08T00:28:32.766000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 27, "FileHash-SHA256": 27, "IPv4": 356, "URL": 6, "domain": 8 }, "indicator_count": 452, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fbad82234fc33123b0ce6d", "name": "EbeeMay2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-06T21:07:14.769000", "created": "2026-05-06T21:07:14.769000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "localappdata", "cve20250994 cve", "temp", "mutex", "local" ], "references": [ "IOCs-May1.csv" ], "public": 1, "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 80, "CIDR": 3, "CVE": 10, "FileHash-MD5": 154, "FileHash-SHA1": 140, "FileHash-SHA256": 219, "URL": 80, "domain": 82, "email": 8, "hostname": 60 }, "indicator_count": 836, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fad419735635505374a334", "name": "IOC - Breaking the code: Multi-stage \u2018code of conduct\u2019 phishing campaign leads to AiTM token compromise", "description": "Phishing campaigns continue to improve sophistication and refinement in blending social engineering, delivery and hosting infrastructure, and authentication abuse to remain effective against evolving security controls. A large-scale credential theft campaign observed by Microsoft Defender Research exemplifies this trend, using code of conduct-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker-controlled domains.", "modified": "2026-05-06T05:39:37.373000", "created": "2026-05-06T05:39:37.373000", "tags": [ "email address", "domain domain", "awareness case", "log file", "april", "filename name", "pdf attachment", "file hash", "domain", "indicator type" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "domain": 3 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cocinternal.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cocinternal.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780180320.364682 }