{ "type": "Domain", "indicator": "ed5ce47d835f-endpoint.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ed5ce47d835f-endpoint.com", "alexa": "http://www.alexa.com/siteinfo/ed5ce47d835f-endpoint.com", "indicator": "ed5ce47d835f-endpoint.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4358955674, "indicator": "ed5ce47d835f-endpoint.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6a05af080ae591ea2bf00e87", "name": "Device Code Phishing is an Evolution in Identity Takeover", "description": "Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.", "modified": "2026-05-14T18:09:35.661000", "created": "2026-05-14T11:16:24.673000", "tags": [ "phishing-as-a-service", "account takeover", "clickfix", "artokens", "tycoon 2fa", "credential theft", "oauth abuse", "microsoft 365", "eviltokens", "odx", "kali365", "identity compromise", "device code phishing" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover" ], "public": 1, "adversary": "TA4903", "targeted_countries": [], "malware_families": [ { "id": "EvilTokens", "display_name": "EvilTokens", "target": null }, { "id": "Tycoon 2FA", "display_name": "Tycoon 2FA", "target": null }, { "id": "ODx", "display_name": "ODx", "target": null }, { "id": "Kali365", "display_name": "Kali365", "target": null }, { "id": "ARTokens", "display_name": "ARTokens", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 33, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 386482, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552472, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0aef994f294d61a99ed0ab", "name": "Device Code Phishing is an Evolution in Identity Takeover | Proofpoint US", "description": "", "modified": "2026-05-18T10:53:13.949000", "created": "2026-05-18T10:53:13.949000", "tags": [ "microsoft", "eviltokens", "device code", "proofpoint", "urls", "tycoon", "april", "landing page", "phaas", "docusign", "february", "sharepoint", "telegram", "attack" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a06a5645441c8b7dacfe3f8", "name": "Device Code Phishing is an Evolution in Identity Takeover", "description": "", "modified": "2026-05-15T04:47:32.654000", "created": "2026-05-15T04:47:32.654000", "tags": [ "phishing-as-a-service", "account takeover", "clickfix", "artokens", "tycoon 2fa", "credential theft", "oauth abuse", "microsoft 365", "eviltokens", "odx", "kali365", "identity compromise", "device code phishing" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover" ], "public": 1, "adversary": "TA4903", "targeted_countries": [], "malware_families": [ { "id": "EvilTokens", "display_name": "EvilTokens", "target": null }, { "id": "Tycoon 2FA", "display_name": "Tycoon 2FA", "target": null }, { "id": "ODx", "display_name": "ODx", "target": null }, { "id": "Kali365", "display_name": "Kali365", "target": null }, { "id": "ARTokens", "display_name": "ARTokens", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" } ], "industries": [], "TLP": "white", "cloned_from": "6a05af080ae591ea2bf00e87", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0688edbfb7df6188a4544b", "name": "IOC - Device Code Phishing is an Evolution in Identity Takeover", "description": "", "modified": "2026-05-15T02:46:05.566000", "created": "2026-05-15T02:46:05.566000", "tags": [ "phishing-as-a-service", "account takeover", "clickfix", "artokens", "tycoon 2fa", "credential theft", "oauth abuse", "microsoft 365", "eviltokens", "odx", "kali365", "identity compromise", "device code phishing" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover" ], "public": 1, "adversary": "TA4903", "targeted_countries": [], "malware_families": [ { "id": "EvilTokens", "display_name": "EvilTokens", "target": null }, { "id": "Tycoon 2FA", "display_name": "Tycoon 2FA", "target": null }, { "id": "ODx", "display_name": "ODx", "target": null }, { "id": "Kali365", "display_name": "Kali365", "target": null }, { "id": "ARTokens", "display_name": "ARTokens", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" } ], "industries": [], "TLP": "white", "cloned_from": "6a05af080ae591ea2bf00e87", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover" ], "related": { "alienvault": { "adversary": [ "TA4903" ], "malware_families": [ "Clickfix", "Odx", "Kali365", "Tycoon 2fa", "Eviltokens", "Artokens" ], "industries": [] }, "other": { "adversary": [ "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "TA4903" ], "malware_families": [ "Clickfix", "Odx", "Kali365", "Tycoon 2fa", "Eviltokens", "Artokens" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6a05af080ae591ea2bf00e87", "name": "Device Code Phishing is an Evolution in Identity Takeover", "description": "Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.", "modified": "2026-05-14T18:09:35.661000", "created": "2026-05-14T11:16:24.673000", "tags": [ "phishing-as-a-service", "account takeover", "clickfix", "artokens", "tycoon 2fa", "credential theft", "oauth abuse", "microsoft 365", "eviltokens", "odx", "kali365", "identity compromise", "device code phishing" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover" ], "public": 1, "adversary": "TA4903", "targeted_countries": [], "malware_families": [ { "id": "EvilTokens", "display_name": "EvilTokens", "target": null }, { "id": "Tycoon 2FA", "display_name": "Tycoon 2FA", "target": null }, { "id": "ODx", "display_name": "ODx", "target": null }, { "id": "Kali365", "display_name": "Kali365", "target": null }, { "id": "ARTokens", "display_name": "ARTokens", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 33, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 386482, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552472, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0aef994f294d61a99ed0ab", "name": "Device Code Phishing is an Evolution in Identity Takeover | Proofpoint US", "description": "", "modified": "2026-05-18T10:53:13.949000", "created": "2026-05-18T10:53:13.949000", "tags": [ "microsoft", "eviltokens", "device code", "proofpoint", "urls", "tycoon", "april", "landing page", "phaas", "docusign", "february", "sharepoint", "telegram", "attack" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a06a5645441c8b7dacfe3f8", "name": "Device Code Phishing is an Evolution in Identity Takeover", "description": "", "modified": "2026-05-15T04:47:32.654000", "created": "2026-05-15T04:47:32.654000", "tags": [ "phishing-as-a-service", "account takeover", "clickfix", "artokens", "tycoon 2fa", "credential theft", "oauth abuse", "microsoft 365", "eviltokens", "odx", "kali365", "identity compromise", "device code phishing" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover" ], "public": 1, "adversary": "TA4903", "targeted_countries": [], "malware_families": [ { "id": "EvilTokens", "display_name": "EvilTokens", "target": null }, { "id": "Tycoon 2FA", "display_name": "Tycoon 2FA", "target": null }, { "id": "ODx", "display_name": "ODx", "target": null }, { "id": "Kali365", "display_name": "Kali365", "target": null }, { "id": "ARTokens", "display_name": "ARTokens", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" } ], "industries": [], "TLP": "white", "cloned_from": "6a05af080ae591ea2bf00e87", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0688edbfb7df6188a4544b", "name": "IOC - Device Code Phishing is an Evolution in Identity Takeover", "description": "", "modified": "2026-05-15T02:46:05.566000", "created": "2026-05-15T02:46:05.566000", "tags": [ "phishing-as-a-service", "account takeover", "clickfix", "artokens", "tycoon 2fa", "credential theft", "oauth abuse", "microsoft 365", "eviltokens", "odx", "kali365", "identity compromise", "device code phishing" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover" ], "public": 1, "adversary": "TA4903", "targeted_countries": [], "malware_families": [ { "id": "EvilTokens", "display_name": "EvilTokens", "target": null }, { "id": "Tycoon 2FA", "display_name": "Tycoon 2FA", "target": null }, { "id": "ODx", "display_name": "ODx", "target": null }, { "id": "Kali365", "display_name": "Kali365", "target": null }, { "id": "ARTokens", "display_name": "ARTokens", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" } ], "industries": [], "TLP": "white", "cloned_from": "6a05af080ae591ea2bf00e87", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ed5ce47d835f-endpoint.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ed5ce47d835f-endpoint.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780204479.121146 }