{ "type": "Domain", "indicator": "macmamo.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/macmamo.com", "alexa": "http://www.alexa.com/siteinfo/macmamo.com", "indicator": "macmamo.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4287850677, "indicator": "macmamo.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69cbf2e593a215d1c46c988a", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "EvilTokens is a new Phishing-as-a-Service offering a turnkey Microsoft device code phishing kit. It enables attackers to harvest access and refresh tokens, granting unauthorized access to victims' Microsoft accounts. The kit supports post-compromise operations, allowing data exfiltration from various Microsoft services. EvilTokens has been rapidly adopted by cybercriminals since March 2026, impacting organizations globally. The service provides advanced capabilities for account takeover, including token conversion to Primary Refresh Tokens and browser cookies for persistent access. Phishing campaigns using EvilTokens target employees in finance, HR, logistics, and sales, primarily for Business Email Compromise attacks.", "modified": "2026-03-31T18:37:13.687000", "created": "2026-03-31T16:14:29.842000", "tags": [ "device code phishing", "token harvesting", "microsoft 365", "phishing-as-a-service", "business email compromise", "oauth 2.0", "eviltokens", "account takeover" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "British Indian Ocean Territory", "Canada", "France", "India", "Switzerland", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1537", "name": "Transfer Data to Cloud Account", "display_name": "T1537 - Transfer Data to Cloud Account" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" } ], "industries": [ "Finance", "Government", "Manufacturing", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386463, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a185d9306f3d82816f40ebe", "name": "Kali365 Device Code Phishing-as-a-Service (M365)", "description": "Kali365 (aka Kali365 Live) is a multi-tenant Microsoft 365 phishing-as-a-service platform first seen April 2026, promoted via Telegram, ~$250/30 days or $2,000/year via the non-KYC processor Trocador. It abuses the OAuth 2.0 device authorization grant (\"device code flow\") to capture access and refresh tokens, bypassing MFA without handling a password, and offers a separate AitM \"Cookie Link\" mode for session-cookie theft. Features: AI-generated lures, Cloudflare Worker-hosted pages impersonating Adobe Acrobat Sign, DocuSign, SharePoint, OneDrive and Teams, token sharing between affiliates, and an Electron desktop client. Post-compromise activity includes malicious inbox rules to suppress alerts and rogue Entra ID device registration. Arctic Wolf documented hundreds of attacks across North America and EMEA; the FBI issued advisory PSA260521 on 21 May 2026. Kali365 shares infrastructure and lineage with the EvilTokens/CLURE device-code kits.", "modified": "2026-05-28T15:52:57.863000", "created": "2026-05-28T15:21:50.271000", "tags": [ "Kali365", "EvilTokens", "CLURE", "Device code phishing", "phishing", "Phaas", "phising-as-a-service", "0auth", "device code flow", "Microsoft 365", "M365", "Entra ID", "AitM", "Adversary-in-the-middle", "token theft", "BEC", "account takeover", "MFA bypass", "Cloudflare Workers", "FBI" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/", "https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-kali365-phishing-kit-breaks-microsoft-365-accounts-no-password-required", "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/" ], "public": 1, "adversary": "", "targeted_countries": [ "United Arab Emirates", "United States of America", "Australia", "Canada", "France", "India", "Switzerland" ], "malware_families": [ { "id": "Kali365", "display_name": "Kali365", "target": null }, { "id": "EvilToken", "display_name": "EvilToken", "target": null }, { "id": "CLURE", "display_name": "CLURE", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" } ], "industries": [ "Manufacturing", "Education", "Government", "Insurance", "Financial Services", "Healthcare", "Transportation/Logistics" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "KorporateKevin", "id": "318270", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 56, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 6, "IPv4": 6, "hostname": 18 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 9, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd4ab845e4c43edd557b92", "name": "EbeeMar2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:41:28.726000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 77, "FileHash-MD5": 156, "FileHash-SHA1": 159, "FileHash-SHA256": 186, "CVE": 1, "URL": 19, "email": 6, "hostname": 53 }, "indicator_count": 657, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cbc4a0acb1c2a51d100341", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "", "modified": "2026-03-31T12:57:04.413000", "created": "2026-03-31T12:57:04.413000", "tags": [ "eviltokens", "microsoft", "march", "phaas", "post request", "adobe acrobat", "oauth", "entra id", "onedrive", "docusign", "sharepoint", "telegram", "first", "example", "tycoon" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 865, "modified_text": "60 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb6646f07ea686c6b7997c", "name": "IOC - New widespread EvilTokens kit: device code phishing as-a-service \u2013 Part 1", "description": "In March 2026, through our monitoring of phishing-focused cybercrime communities, Sekoia\u2019s Threat Detection & Research (TDR) team uncovered EvilTokens, a new turnkey Microsoft device code phishing kit sold as Phishing-as-a-Service (PhaaS). These phishing pages have been circulating since mid-February 2026, and were rapidly adopted by cybercriminals specialising in Adversary-in-the-Middle (AitM) phishing and Business Email Compromise (BEC).", "modified": "2026-03-31T06:14:30.440000", "created": "2026-03-31T06:14:30.440000", "tags": [], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "60 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb5127f27635be54143fb1", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "", "modified": "2026-03-31T04:44:23.417000", "created": "2026-03-31T04:44:23.417000", "tags": [ "eviltokens", "microsoft", "march", "phaas", "post request", "adobe acrobat", "oauth", "entra id", "onedrive", "docusign", "sharepoint", "telegram", "first", "example", "tycoon" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "60 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-kali365-phishing-kit-breaks-microsoft-365-accounts-no-password-required", "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/", "IOCs.2026.pdf", "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1", "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Finance", "Transportation", "Government", "Manufacturing" ] }, "other": { "adversary": [ "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT" ], "malware_families": [ "Kali365", "Eviltoken", "Clure" ], "industries": [ "Insurance", "Government", "Healthcare", "Financial services", "Transportation/logistics", "Education", "Manufacturing" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69cbf2e593a215d1c46c988a", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "EvilTokens is a new Phishing-as-a-Service offering a turnkey Microsoft device code phishing kit. It enables attackers to harvest access and refresh tokens, granting unauthorized access to victims' Microsoft accounts. The kit supports post-compromise operations, allowing data exfiltration from various Microsoft services. EvilTokens has been rapidly adopted by cybercriminals since March 2026, impacting organizations globally. The service provides advanced capabilities for account takeover, including token conversion to Primary Refresh Tokens and browser cookies for persistent access. Phishing campaigns using EvilTokens target employees in finance, HR, logistics, and sales, primarily for Business Email Compromise attacks.", "modified": "2026-03-31T18:37:13.687000", "created": "2026-03-31T16:14:29.842000", "tags": [ "device code phishing", "token harvesting", "microsoft 365", "phishing-as-a-service", "business email compromise", "oauth 2.0", "eviltokens", "account takeover" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "British Indian Ocean Territory", "Canada", "France", "India", "Switzerland", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1537", "name": "Transfer Data to Cloud Account", "display_name": "T1537 - Transfer Data to Cloud Account" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" } ], "industries": [ "Finance", "Government", "Manufacturing", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386463, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a185d9306f3d82816f40ebe", "name": "Kali365 Device Code Phishing-as-a-Service (M365)", "description": "Kali365 (aka Kali365 Live) is a multi-tenant Microsoft 365 phishing-as-a-service platform first seen April 2026, promoted via Telegram, ~$250/30 days or $2,000/year via the non-KYC processor Trocador. It abuses the OAuth 2.0 device authorization grant (\"device code flow\") to capture access and refresh tokens, bypassing MFA without handling a password, and offers a separate AitM \"Cookie Link\" mode for session-cookie theft. Features: AI-generated lures, Cloudflare Worker-hosted pages impersonating Adobe Acrobat Sign, DocuSign, SharePoint, OneDrive and Teams, token sharing between affiliates, and an Electron desktop client. Post-compromise activity includes malicious inbox rules to suppress alerts and rogue Entra ID device registration. Arctic Wolf documented hundreds of attacks across North America and EMEA; the FBI issued advisory PSA260521 on 21 May 2026. Kali365 shares infrastructure and lineage with the EvilTokens/CLURE device-code kits.", "modified": "2026-05-28T15:52:57.863000", "created": "2026-05-28T15:21:50.271000", "tags": [ "Kali365", "EvilTokens", "CLURE", "Device code phishing", "phishing", "Phaas", "phising-as-a-service", "0auth", "device code flow", "Microsoft 365", "M365", "Entra ID", "AitM", "Adversary-in-the-middle", "token theft", "BEC", "account takeover", "MFA bypass", "Cloudflare Workers", "FBI" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/", "https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-kali365-phishing-kit-breaks-microsoft-365-accounts-no-password-required", "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/" ], "public": 1, "adversary": "", "targeted_countries": [ "United Arab Emirates", "United States of America", "Australia", "Canada", "France", "India", "Switzerland" ], "malware_families": [ { "id": "Kali365", "display_name": "Kali365", "target": null }, { "id": "EvilToken", "display_name": "EvilToken", "target": null }, { "id": "CLURE", "display_name": "CLURE", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" } ], "industries": [ "Manufacturing", "Education", "Government", "Insurance", "Financial Services", "Healthcare", "Transportation/Logistics" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "KorporateKevin", "id": "318270", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 56, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 6, "IPv4": 6, "hostname": 18 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 9, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd4ab845e4c43edd557b92", "name": "EbeeMar2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:41:28.726000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 77, "FileHash-MD5": 156, "FileHash-SHA1": 159, "FileHash-SHA256": 186, "CVE": 1, "URL": 19, "email": 6, "hostname": 53 }, "indicator_count": 657, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cbc4a0acb1c2a51d100341", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "", "modified": "2026-03-31T12:57:04.413000", "created": "2026-03-31T12:57:04.413000", "tags": [ "eviltokens", "microsoft", "march", "phaas", "post request", "adobe acrobat", "oauth", "entra id", "onedrive", "docusign", "sharepoint", "telegram", "first", "example", "tycoon" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 865, "modified_text": "60 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb6646f07ea686c6b7997c", "name": "IOC - New widespread EvilTokens kit: device code phishing as-a-service \u2013 Part 1", "description": "In March 2026, through our monitoring of phishing-focused cybercrime communities, Sekoia\u2019s Threat Detection & Research (TDR) team uncovered EvilTokens, a new turnkey Microsoft device code phishing kit sold as Phishing-as-a-Service (PhaaS). These phishing pages have been circulating since mid-February 2026, and were rapidly adopted by cybercriminals specialising in Adversary-in-the-Middle (AitM) phishing and Business Email Compromise (BEC).", "modified": "2026-03-31T06:14:30.440000", "created": "2026-03-31T06:14:30.440000", "tags": [], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "60 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb5127f27635be54143fb1", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "", "modified": "2026-03-31T04:44:23.417000", "created": "2026-03-31T04:44:23.417000", "tags": [ "eviltokens", "microsoft", "march", "phaas", "post request", "adobe acrobat", "oauth", "entra id", "onedrive", "docusign", "sharepoint", "telegram", "first", "example", "tycoon" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "60 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "macmamo.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "macmamo.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780189054.9203503 }