Patrick Wardle at Objective-See has reverse engineered the functionality within xprotectd:

https://objective-see.org/blog/blog_0x87.html

#macos #clickfix

No Paste for You!

(pushsecurity.com) Device Code Phishing Enters Mainstream Adoption: 10 Active Kits, PhaaS Proliferation, and the Bypass of All Authentication Controls

Device code phishing has surged 37.5x, becoming a mainstream criminal attack vector—bypassing MFA, passkeys, and all authentication controls via OAuth 2.0 Device Authorization Grant abuse.

In brief - Ten phishing kits, including the PhaaS EvilTokens, now weaponize this technique. Russia-linked Storm-2372 and Scattered Lapsus$ Hunters are actively targeting Microsoft 365 and Salesforce. Block device code flows via Conditional Access and monitor for anomalous token grants.

Technically - Attackers initiate an unauthenticated POST to the device authorization endpoint, phish victims to enter the user_code on a legitimate page, then poll for tokens. Kits like EvilTokens (Railway/Cloudflare Workers) abuse first-party Microsoft apps (FOCI-enabled) to harvest Primary Refresh Tokens. Mitigate by pre-creating service principals, enforcing user assignment, and deploying browser-level detection for device_code polling loops.

Source: https://pushsecurity.com/blog/device-code-phishing/

#Cybersecurity #ThreatIntel

Analysing the rise in device code phishing attacks in 2026

Device code phishing is an account takeover technique that steals access tokens while bypassing standard access controls.

Push Security
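To go with the "monitor for anomalous token grants" advice above, here is an added detection sketch (not code from the post or from Push Security) that flags OAuth 2.0 Device Authorization Grant sign-ins in sign-in log records. It assumes records shaped like the Microsoft Graph signIn resource, where `authenticationProtocol` is "deviceCode" for device code sign-ins; the field names, user names, IPs and app names in the sample are constructed, and the allowlist stands in for a conferencing-device carve-out.

```python
from collections import defaultdict

# Constructed sample sign-in records (assumed field names, not real log data).
SAMPLE_LOGS = [
    {"createdDateTime": "2026-03-01T09:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "appDisplayName": "Mail client"},
    {"createdDateTime": "2026-03-01T09:05:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "appDisplayName": "Office suite"},
    {"createdDateTime": "2026-03-01T10:00:00Z", "userPrincipalName": "room-a@example.com",
     "ipAddress": "203.0.113.50", "authenticationProtocol": "deviceCode", "appDisplayName": "Room console"},
    {"createdDateTime": "2026-03-01T10:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.20", "authenticationProtocol": "oAuth2", "appDisplayName": "Mail client"},
    {"createdDateTime": "2026-03-01T10:30:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.20", "authenticationProtocol": "deviceCode", "appDisplayName": "Office suite"},
]

# Assumed carve-out: identities that legitimately use device code (e.g. meeting room devices).
ALLOWED_DEVICE_CODE_USERS = {"room-a@example.com"}


def find_device_code_signins(records, allowlist=ALLOWED_DEVICE_CODE_USERS):
    """Return findings for device code sign-ins by non-allowlisted users.

    Severity is "high" when the device code sign-in comes from an IP the user
    has never used for a normal (non-device-code) sign-in in the same batch,
    since the token is issued to whichever client polls the token endpoint,
    not to the browser where the user typed the code.
    """
    baseline_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            baseline_ips[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in sorted(records, key=lambda x: x["createdDateTime"]):
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user = r["userPrincipalName"]
        if user in allowlist:
            continue
        severity = "high" if r["ipAddress"] not in baseline_ips[user] else "medium"
        findings.append({"user": user, "ip": r["ipAddress"], "app": r["appDisplayName"],
                         "time": r["createdDateTime"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['time']} {f['user']} via {f['app']} from {f['ip']}")
```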
Probably going to get a viral blog out of this experience, I'm trying to report a 4tb exposed cloud bucket to a company using their responsible disclosure programme... but they replaced the people with a GenAI ticket system that refuses to discuss the case as it thinks exploring open buckets is unethical and against its rules.

Has anyone been able to successfully replicate copying and pasting ClickFix/TerminalFix/*Fix commands into macOS Terminal to trigger this new-fangled malware warning? I have attempted numerous commands, from base64-encoded content to osascripts mimicking macOS infostealer prompts to cURL commands downloading remote content. I even replicated the command documented in the Tom's Guide article using the same tool in the same browser and it ran flawlessly in Terminal with no popup. And yes, I’m running Tahoe 26.4 on an M3. I’d like to think this would be a useful ‘stop-and-think’ mitigation but I can’t even consistently trigger it. And, per usual, Apple is tight-lipped on HOW they are detecting malicious commands so it’s likely to remain a black box mitigation. And yeah, I get it, the end user can just click right through the warning via a sneaky social engineering prompt. My goal was to try and build out detection logic to ID when a user gets hit with a prompt so I can at least investigate what the user tried to do and dig deeper into the threat. Since theoretically the user won’t run the command, it won’t get logged in SIEM/EDR tools. I need to rely on other mechanisms for detecting the paste event.

https://www.tomsguide.com/computing/online-security/i-tried-apples-new-security-feature-in-macos-that-warns-you-about-potential-clickfix-attacks-and-windows-should-take-note?utm_source=flipboard&utm_medium=activitypub

#macos #clickfix #terminalfix #threatintel #pastejacking #detectionengineering #threathunting

I put Apple’s new macOS ClickFix warnings to the test and they actually worked — now I want them on Windows too

New warning stops you before you potentially paste something dangerous

Tom's Guide

Your org should be activating Entra ID conditional access policies to outright block device code authorizations with a carve-out for very limited use cases such as meeting room conferencing devices. Even Microsoft knows this and has specific guidance on how to enforce it. Device code phishing is hot right now and these device code phishing-as-a-service platforms will likely lower the barrier of entry.

https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/

https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows

#phishing #eviltokens #soc #dfir #threathunting #cti #threatintel

New widespread EvilTokens kit: device code phishing as-a-service - Part 1

Uncover the new sophisticated EvilTokens device code phishing as-a-service, with AI-augmented features facilitating BEC fraud

Sekoia.io Blog
chmod -R a-w /Users/home
Can't wait to use and promote illegal operating systems that do not verify age.

I know it will be a shock to all of you that malicious actors are using Cloudflare services to delay detection in order to victimize more targets. New research brief from us yesterday!

https://dti.domaintools.com/securitysnacks/securitysnack-cloudflare-anti-security-for-phishing

DomainTools Investigations | SecuritySnack - CloudFlare Anti-Security For Phishing

A Microsoft 365 credential harvesting campaign is exploiting CloudFlare's anti-bot and human verification features to evade detection. Learn how attackers use IP blocklists, user-agent filtering, and obfuscated scripts to bypass security scanners—and what it means for the industry.

Huntress researcher Chad Hudson reveals that abuse of remote monitoring & management (RMM) tools surged 277% last year, accounting for nearly a quarter (24%) of all observed incidents, operating comfortably in the space between legitimate and malicious. https://www.huntress.com/blog/daisy-chaining-rogue-rmm-tools