{ "type": "Domain", "indicator": "yankeepine.co", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/yankeepine.co", "alexa": "http://www.alexa.com/siteinfo/yankeepine.co", "indicator": "yankeepine.co", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4287850689, "indicator": "yankeepine.co", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69cbf2e593a215d1c46c988a", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "EvilTokens is a new Phishing-as-a-Service offering a turnkey Microsoft device code phishing kit. It enables attackers to harvest access and refresh tokens, granting unauthorized access to victims' Microsoft accounts. The kit supports post-compromise operations, allowing data exfiltration from various Microsoft services. EvilTokens has been rapidly adopted by cybercriminals since March 2026, impacting organizations globally. The service provides advanced capabilities for account takeover, including token conversion to Primary Refresh Tokens and browser cookies for persistent access. Phishing campaigns using EvilTokens target employees in finance, HR, logistics, and sales, primarily for Business Email Compromise attacks.", "modified": "2026-03-31T18:37:13.687000", "created": "2026-03-31T16:14:29.842000", "tags": [ "device code phishing", "token harvesting", "microsoft 365", "phishing-as-a-service", "business email compromise", "oauth 2.0", "eviltokens", "account takeover" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "British Indian Ocean Territory", "Canada", "France", "India", "Switzerland", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1537", "name": "Transfer Data to Cloud Account", "display_name": "T1537 - Transfer Data to Cloud Account" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" } ], "industries": [ "Finance", "Government", "Manufacturing", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 377541, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd4ab845e4c43edd557b92", "name": "EbeeMar2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-01T16:41:28.726000", "created": "2026-04-01T16:41:28.726000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "domain": 77, "FileHash-MD5": 156, "FileHash-SHA1": 159, "FileHash-SHA256": 186, "CVE": 1, "URL": 19, "email": 6, "hostname": 53 }, "indicator_count": 693, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cbc4a0acb1c2a51d100341", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "", "modified": "2026-03-31T12:57:04.413000", "created": "2026-03-31T12:57:04.413000", "tags": [ "eviltokens", "microsoft", "march", "phaas", "post request", "adobe acrobat", "oauth", "entra id", "onedrive", "docusign", "sharepoint", "telegram", "first", "example", "tycoon" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 848, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb6646f07ea686c6b7997c", "name": "IOC - New widespread EvilTokens kit: device code phishing as-a-service \u2013 Part 1", "description": "In March 2026, through our monitoring of phishing-focused cybercrime communities, Sekoia\u2019s Threat Detection & Research (TDR) team uncovered EvilTokens, a new turnkey Microsoft device code phishing kit sold as Phishing-as-a-Service (PhaaS). These phishing pages have been circulating since mid-February 2026, and were rapidly adopted by cybercriminals specialising in Adversary-in-the-Middle (AitM) phishing and Business Email Compromise (BEC).", "modified": "2026-03-31T06:14:30.440000", "created": "2026-03-31T06:14:30.440000", "tags": [], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 120, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb5127f27635be54143fb1", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "", "modified": "2026-03-31T04:44:23.417000", "created": "2026-03-31T04:44:23.417000", "tags": [ "eviltokens", "microsoft", "march", "phaas", "post request", "adobe acrobat", "oauth", "entra id", "onedrive", "docusign", "sharepoint", "telegram", "first", "example", "tycoon" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 264, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/", "IOCs.2026.pdf", "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Manufacturing", "Government", "Transportation", "Finance" ] }, "other": { "adversary": [ "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69cbf2e593a215d1c46c988a", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "EvilTokens is a new Phishing-as-a-Service offering a turnkey Microsoft device code phishing kit. It enables attackers to harvest access and refresh tokens, granting unauthorized access to victims' Microsoft accounts. The kit supports post-compromise operations, allowing data exfiltration from various Microsoft services. EvilTokens has been rapidly adopted by cybercriminals since March 2026, impacting organizations globally. The service provides advanced capabilities for account takeover, including token conversion to Primary Refresh Tokens and browser cookies for persistent access. Phishing campaigns using EvilTokens target employees in finance, HR, logistics, and sales, primarily for Business Email Compromise attacks.", "modified": "2026-03-31T18:37:13.687000", "created": "2026-03-31T16:14:29.842000", "tags": [ "device code phishing", "token harvesting", "microsoft 365", "phishing-as-a-service", "business email compromise", "oauth 2.0", "eviltokens", "account takeover" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "British Indian Ocean Territory", "Canada", "France", "India", "Switzerland", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1537", "name": "Transfer Data to Cloud Account", "display_name": "T1537 - Transfer Data to Cloud Account" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" } ], "industries": [ "Finance", "Government", "Manufacturing", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 377541, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd4ab845e4c43edd557b92", "name": "EbeeMar2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-01T16:41:28.726000", "created": "2026-04-01T16:41:28.726000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "domain": 77, "FileHash-MD5": 156, "FileHash-SHA1": 159, "FileHash-SHA256": 186, "CVE": 1, "URL": 19, "email": 6, "hostname": 53 }, "indicator_count": 693, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cbc4a0acb1c2a51d100341", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "", "modified": "2026-03-31T12:57:04.413000", "created": "2026-03-31T12:57:04.413000", "tags": [ "eviltokens", "microsoft", "march", "phaas", "post request", "adobe acrobat", "oauth", "entra id", "onedrive", "docusign", "sharepoint", "telegram", "first", "example", "tycoon" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 848, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb6646f07ea686c6b7997c", "name": "IOC - New widespread EvilTokens kit: device code phishing as-a-service \u2013 Part 1", "description": "In March 2026, through our monitoring of phishing-focused cybercrime communities, Sekoia\u2019s Threat Detection & Research (TDR) team uncovered EvilTokens, a new turnkey Microsoft device code phishing kit sold as Phishing-as-a-Service (PhaaS). These phishing pages have been circulating since mid-February 2026, and were rapidly adopted by cybercriminals specialising in Adversary-in-the-Middle (AitM) phishing and Business Email Compromise (BEC).", "modified": "2026-03-31T06:14:30.440000", "created": "2026-03-31T06:14:30.440000", "tags": [], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 120, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb5127f27635be54143fb1", "name": "New widespread EvilTokens kit: device code phishing as-a-service", "description": "", "modified": "2026-03-31T04:44:23.417000", "created": "2026-03-31T04:44:23.417000", "tags": [ "eviltokens", "microsoft", "march", "phaas", "post request", "adobe acrobat", "oauth", "entra id", "onedrive", "docusign", "sharepoint", "telegram", "first", "example", "tycoon" ], "references": [ "https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 7 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 264, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "yankeepine.co", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "yankeepine.co", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776622436.136082 }