๐Ÿšจ ๐— ๐Ÿฏ๐Ÿฒ๐Ÿฑ ๐—”๐—ฐ๐—ฐ๐—ผ๐˜‚๐—ป๐˜ ๐—ง๐—ฎ๐—ธ๐—ฒ๐—ผ๐˜ƒ๐—ฒ๐—ฟ ๐—ช๐—ถ๐˜๐—ต๐—ผ๐˜‚๐˜ ๐—–๐—ฟ๐—ฒ๐—ฑ๐—ฒ๐—ป๐˜๐—ถ๐—ฎ๐—น ๐—ง๐—ต๐—ฒ๐—ณ๐˜: ๐—ฆ๐˜‚๐—ฟ๐—ด๐—ฒ ๐—ถ๐—ป ๐—ข๐—”๐˜‚๐˜๐—ต ๐—ฃ๐—ต๐—ถ๐˜€๐—ต๐—ถ๐—ป๐—ด
Weโ€™re seeing a spike in activity from a #phishing campaign abusing Microsoftโ€™s OAuth Device Code flow, with 180+ phishing URLs detected in just one week โš ๏ธ

Attackers display a verification code and ask the victim to enter it on microsoft[.]com/devicelogin. Microsoft then issues OAuth tokens directly to the attacker, granting access to M365 resources without compromising credentials on the phishing page.

โ—๏ธ This shifts the risk from credential harvesting to token abuse. Because it runs over encrypted HTTPS, the activity blends into normal web traffic, delaying detection, extending investigations, and increasing escalation pressure. The window for early response keeps shrinking.

โšก๏ธ #ANYRUN Sandbox now automatically decrypts HTTPS traffic by extracting SSL keys directly from process memory, without certificate substitution. This gives SOC teams wider phishing coverage, faster confirmation by Tier 2 and Tier 3 analysts, and improved MTTD & MTTR.

✅ In this case, SSL decryption exposed hidden JavaScript and revealed high-confidence tool-specific network #IOCs such as /api/device/start, /api/device/status/*, and the X-Antibot-Token header, which become high-signal when observed in HTTP requests to non-legitimate hosts.

๐Ÿ‘จโ€๐Ÿ’ป โ€See analysis session: https://app.any.run/tasks/885afc1c-b616-46d7-9bc3-81185ee07fe3?utm_source=mastodon&utm_medium=post&utm_campaign=oauth_phishing_surge&utm_content=linktoservice&utm_term=040326

๐Ÿ” Use this TI Lookup query to review related activity and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=oauth_phishing_surge&utm_content=linktotilookup&utm_term=040326#%7B%22query%22:%22threatName:%5C%22oauth-ms-phish%5C%22%22,%22dateRange%22:7%7D

🎯 Find the IOCs in the comments. A full breakdown of this campaign is coming soon, stay tuned.

โšก๏ธ Encrypted traffic is no longer a blind spot. Learn how SSL decryption expands phishing detection and reduces risk: https://any.run/cybersecurity-blog/automatic-ssl-decryption/?utm_source=mastodon&utm_medium=post&utm_campaign=oauth_phishing_surge&utm_content=linktoblog&utm_term=040326

#cybersecurity #infosec

IOCs:
singer-bodners-bau-at-s-account[.]workers[.]dev
dibafef289[.]workers[.]dev
ab-monvoisinproduction-com-s-account[.]workers[.]dev
subzero908[.]workers[.]dev
sandra-solorzano-duncanfamilyfarms-net-s-account[.]workers[.]dev
tyler2miler-proton-me-s-account[.]workers[.]dev
aarathe-ramraj-tipgroup-com-au-s-account[.]workers[.]dev
andy-bardigans-com-s-account[.]workers[.]dev
dennis-saltertrusss-com-s-account[.]workers[.]dev
rockymountainhi[.]workers[.]dev
workspace1717-outlook-com-s-account[.]workers[.]dev
aiinnovationsfly[.]com
astrolinktech[.]com
s-union[.]workers[.]dev
aurorahomellc[.]com
ajansfly[.]com[.]tr
steve-mike8777[.]workers[.]dev
pelangiservice[.]com
evobothub[.]org
energycelllabsbl[.]com
augmentedchiptech[.]com
adventureshaven[.]com
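As an added example (not ANY.RUN's code and not part of the original post), the scanner below turns the two kinds of IOC in this post into a detection check: it flags HTTP requests that use the tool-specific paths (/api/device/start, /api/device/status/*) or the X-Antibot-Token header on hosts that are not legitimate Microsoft login endpoints, and it matches request hosts against the defanged domain list. The JSON-lines log format, the sample log records, the Microsoft allowlist and the subset of IOC domains used are all constructed assumptions for illustration.

```python
"""Constructed detection example: flag HTTP requests matching the
tool-specific IOCs from the post on non-Microsoft hosts, and match
hosts against the defanged domain IOC list. Not ANY.RUN's code."""
import json
import re
from dataclasses import dataclass
from typing import Dict, List

# A few of the defanged domains from the post; refanged ("[.]" -> ".") for matching.
DEFANGED_IOCS = [
    "dibafef289[.]workers[.]dev",
    "aiinnovationsfly[.]com",
    "ajansfly[.]com[.]tr",
]
IOC_HOSTS = {d.replace("[.]", ".").lower() for d in DEFANGED_IOCS}

# Assumed allowlist: hosts where genuine device-code traffic is expected.
# Only exact matches or true subdomains count, so "evil-microsoft.com" fails.
LEGIT_HOSTS = ("microsoft.com", "login.microsoftonline.com")

# Paths from the post: /api/device/start and /api/device/status/<anything>
IOC_PATH = re.compile(r"^/api/device/(start|status/[^/?#]+)$")
IOC_HEADER = "x-antibot-token"  # header names are compared case-insensitively


@dataclass
class Finding:
    host: str
    path: str
    reasons: List[str]


def is_legit_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def assess_request(host: str, path: str, headers: Dict[str, str]) -> List[str]:
    """Return the reasons a single request is suspicious (empty list if clean)."""
    reasons = []
    host_l = host.lower().rstrip(".")
    if host_l in IOC_HOSTS:
        reasons.append("host is on the published IOC list")
    # The kit's paths and header are only high-signal on non-Microsoft hosts;
    # the real device-code flow talks to Microsoft endpoints.
    if not is_legit_host(host_l):
        if IOC_PATH.match(path):
            reasons.append(f"tool-specific path {path} on non-Microsoft host")
        if any(k.lower() == IOC_HEADER for k in headers):
            reasons.append("X-Antibot-Token header sent to non-Microsoft host")
    return reasons


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse constructed JSON-lines proxy records and return all findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        path = rec.get("path", "/")
        reasons = assess_request(rec["host"], path, rec.get("headers", {}))
        if reasons:
            findings.append(Finding(rec["host"], path, reasons))
    return findings


# Constructed sample log: one phishing-kit request to a listed host, one real
# Microsoft device-code request, one kit path on an unknown host, one benign request.
SAMPLE_LOG = [
    '{"host": "dibafef289.workers.dev", "path": "/api/device/start", '
    '"headers": {"Content-Type": "application/json", "X-Antibot-Token": "t0k3n"}}',
    '{"host": "login.microsoftonline.com", "path": "/common/oauth2/v2.0/devicecode", "headers": {}}',
    '{"host": "cdn.example.test", "path": "/api/device/status/7f3a", "headers": {}}',
    '{"host": "www.microsoft.com", "path": "/devicelogin", "headers": {}}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host}{f.path}: " + "; ".join(f.reasons))
```

The allowlist gate matters: the device-code paths and header are ordinary on Microsoft's own endpoints, so only their appearance on other hosts (Cloudflare Workers subdomains and the lookalike domains above) is treated as a finding. Feed it the full domain list from the post and your proxy's decrypted HTTP records to get the same kind of high-signal match the sandbox session shows.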