Device Code Phishing is an Evolution in Identity Takeover

    Date: 05/27/2026

    Severity: High

    Summary

    Device code phishing has rapidly evolved into a major identity-focused attack technique, driven by publicly available phishing toolkits, phishing-as-a-service (PhaaS) offerings, and AI-assisted “vibe coded” tools. By abusing OAuth device authorization flows, attackers use social engineering to trick users into granting access to malicious applications, bypassing traditional MFA protections. The use of dynamic code generation and account takeover chaining has increased the effectiveness and scalability of these campaigns, enabling outcomes such as account compromise, business email compromise, lateral movement, and ransomware deployment. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    onedrive-7tu.techroboticslabmade-techie-com-s-account.workers.dev 

    voicemail-59f.admin-treyripple-com-s-account.workers.dev 

    voicemail-wx7.mark-squires-expressrancnes-com-s-account.workers.dev 

    voicemail-lyr.nbuckley-cambek-com-s-account.workers.dev 

    f8uh-dwam-j4l5.pvasquez-princetonpartners-com-s-account.workers.dev 

    ytgw-9n30-xlwd.pvasquez-princetonpartners-com-s-account.workers.dev 

    z6e43e5886fe-endpoint.com 

    019d442e-endpoint.com 

    jo2c9ada427c6-endpoint.com 

    7806d4cf9366-endpoint.com 

    ee10bbf6c689-endpoint.com 

    yaga9b286ae2c101-endpoint.com 

    f36c2774f013-endpoint.com 

    2dc62559e005-endpoint.com 

    4daa2aea93db-endpoint.com 

    ed5ce47d835f-endpoint.com 

    6dd5fd945b34-endpoint.com 

    0fdba029e6a5-endpoint.com 

    019d442a-endpoint.com 

    019d6860-endpoint.com 

    stablewebsystems.de 

    marktkarree-langenfeld.de 

    crediblebizextension.de 

    servicewithoutinterruption.de 

    marketcredibilitysignals.de 

    kohlhoff-edelstahlverarbeitung.de 

    reliablesupport.de 

    europetrustwave.de 

    trustedengagement.de 

    methodicalness.de 

    extendyourcredibility.de 

    europesignaltrust.de 

    consistentdigital.de 

    uninterruptedperformance.de 

    digitalcontinuity.de 

    digitalreliability.de 

    heilbronner-fruehlingssymposium.de 

    reliableinteractions.de 

    euromarketsignal.de 

    audit-report-9767d3.fullerjp09.workers.dev 

    hti-245401512.hs-sites-na2.com 

    7740f766-8d1d-46ad-a6bc-onedrive.p-9jluifuu.workers.dev 

    panel.hewktree.net 

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "0fdba029e6a5-endpoint.com" or url like "0fdba029e6a5-endpoint.com" or siteurl like "0fdba029e6a5-endpoint.com" or domainname like "trustedengagement.de" or url like "trustedengagement.de" or siteurl like "trustedengagement.de" or domainname like "methodicalness.de" or url like "methodicalness.de" or siteurl like "methodicalness.de" or domainname like "audit-report-9767d3.fullerjp09.workers.dev" or url like "audit-report-9767d3.fullerjp09.workers.dev" or siteurl like "audit-report-9767d3.fullerjp09.workers.dev" or domainname like "marktkarree-langenfeld.de" or url like "marktkarree-langenfeld.de" or siteurl like "marktkarree-langenfeld.de" or domainname like "heilbronner-fruehlingssymposium.de" or url like "heilbronner-fruehlingssymposium.de" or siteurl like "heilbronner-fruehlingssymposium.de" or domainname like "hti-245401512.hs-sites-na2.com" or url like "hti-245401512.hs-sites-na2.com" or siteurl like "hti-245401512.hs-sites-na2.com" or domainname like "kohlhoff-edelstahlverarbeitung.de" or url like "kohlhoff-edelstahlverarbeitung.de" or siteurl like "kohlhoff-edelstahlverarbeitung.de" or domainname like "jo2c9ada427c6-endpoint.com" or url like "jo2c9ada427c6-endpoint.com" or siteurl like "jo2c9ada427c6-endpoint.com" or domainname like "2dc62559e005-endpoint.com" or url like "2dc62559e005-endpoint.com" or siteurl like "2dc62559e005-endpoint.com" or domainname like "marketcredibilitysignals.de" or url like "marketcredibilitysignals.de" or siteurl like "marketcredibilitysignals.de" or domainname like "crediblebizextension.de" or url like "crediblebizextension.de" or siteurl like "crediblebizextension.de" or domainname like "019d442a-endpoint.com" or url like "019d442a-endpoint.com" or siteurl like "019d442a-endpoint.com" or domainname like "ee10bbf6c689-endpoint.com" or url like "ee10bbf6c689-endpoint.com" or siteurl like "ee10bbf6c689-endpoint.com" or domainname like "consistentdigital.de" or url like "consistentdigital.de" or siteurl like "consistentdigital.de" or domainname like "onedrive-7tu.techroboticslabmade-techie-com-s-account.workers.dev" or url like "onedrive-7tu.techroboticslabmade-techie-com-s-account.workers.dev" or siteurl like "onedrive-7tu.techroboticslabmade-techie-com-s-account.workers.dev" or domainname like "reliablesupport.de" or url like "reliablesupport.de" or siteurl like "reliablesupport.de" or domainname like "6dd5fd945b34-endpoint.com" or url like "6dd5fd945b34-endpoint.com" or siteurl like "6dd5fd945b34-endpoint.com" or domainname like "panel.hewktree.net" or url like "panel.hewktree.net" or siteurl like "panel.hewktree.net" or domainname like "019d442e-endpoint.com" or url like "019d442e-endpoint.com" or siteurl like "019d442e-endpoint.com"

    Detection Query 2:

    domainname like "f36c2774f013-endpoint.com" or url like "f36c2774f013-endpoint.com" or siteurl like "f36c2774f013-endpoint.com" or domainname like "4daa2aea93db-endpoint.com" or url like "4daa2aea93db-endpoint.com" or siteurl like "4daa2aea93db-endpoint.com" or domainname like "voicemail-59f.admin-treyripple-com-s-account.workers.dev" or url like "voicemail-59f.admin-treyripple-com-s-account.workers.dev" or siteurl like "voicemail-59f.admin-treyripple-com-s-account.workers.dev" or domainname like "ed5ce47d835f-endpoint.com" or url like "ed5ce47d835f-endpoint.com" or siteurl like "ed5ce47d835f-endpoint.com" or domainname like "yaga9b286ae2c101-endpoint.com" or url like "yaga9b286ae2c101-endpoint.com" or siteurl like "yaga9b286ae2c101-endpoint.com" or domainname like "voicemail-lyr.nbuckley-cambek-com-s-account.workers.dev" or url like "voicemail-lyr.nbuckley-cambek-com-s-account.workers.dev" or siteurl like "voicemail-lyr.nbuckley-cambek-com-s-account.workers.dev" or domainname like "f8uh-dwam-j4l5.pvasquez-princetonpartners-com-s-account.workers.dev" or url like "f8uh-dwam-j4l5.pvasquez-princetonpartners-com-s-account.workers.dev" or siteurl like "f8uh-dwam-j4l5.pvasquez-princetonpartners-com-s-account.workers.dev" or domainname like "stablewebsystems.de" or url like "stablewebsystems.de" or siteurl like "stablewebsystems.de" or domainname like "z6e43e5886fe-endpoint.com" or url like "z6e43e5886fe-endpoint.com" or siteurl like "z6e43e5886fe-endpoint.com" or domainname like "7740f766-8d1d-46ad-a6bc-onedrive.p-9jluifuu.workers.dev" or url like "7740f766-8d1d-46ad-a6bc-onedrive.p-9jluifuu.workers.dev" or siteurl like "7740f766-8d1d-46ad-a6bc-onedrive.p-9jluifuu.workers.dev" or domainname like "ytgw-9n30-xlwd.pvasquez-princetonpartners-com-s-account.workers.dev" or url like "ytgw-9n30-xlwd.pvasquez-princetonpartners-com-s-account.workers.dev" or siteurl like "ytgw-9n30-xlwd.pvasquez-princetonpartners-com-s-account.workers.dev" or domainname like "uninterruptedperformance.de" or url like "uninterruptedperformance.de" or siteurl like "uninterruptedperformance.de" or domainname like "digitalreliability.de" or url like "digitalreliability.de" or siteurl like "digitalreliability.de" or domainname like "7806d4cf9366-endpoint.com" or url like "7806d4cf9366-endpoint.com" or siteurl like "7806d4cf9366-endpoint.com" or domainname like "extendyourcredibility.de" or url like "extendyourcredibility.de" or siteurl like "extendyourcredibility.de" or domainname like "euromarketsignal.de" or url like "euromarketsignal.de" or siteurl like "euromarketsignal.de" or domainname like "019d6860-endpoint.com" or url like "019d6860-endpoint.com" or siteurl like "019d6860-endpoint.com" or domainname like "voicemail-wx7.mark-squires-expressrancnes-com-s-account.workers.dev" or url like "voicemail-wx7.mark-squires-expressrancnes-com-s-account.workers.dev" or siteurl like "voicemail-wx7.mark-squires-expressrancnes-com-s-account.workers.dev" or domainname like "europetrustwave.de" or url like "europetrustwave.de" or siteurl like "europetrustwave.de" or domainname like "digitalcontinuity.de" or url like "digitalcontinuity.de" or siteurl like "digitalcontinuity.de" or domainname like "reliableinteractions.de" or url like "reliableinteractions.de" or siteurl like "reliableinteractions.de" or domainname like "servicewithoutinterruption.de" or url like "servicewithoutinterruption.de" or siteurl like "servicewithoutinterruption.de" or domainname like "europesignaltrust.de" or url like "europesignaltrust.de" or siteurl like "europesignaltrust.de"
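    As an added example (not part of the Gurucul advisory and not its query language), the following Python script applies a subset of the IOC domains listed above to constructed proxy log lines. It assumes each log line carries a `url=` field (an assumption about log format) and loads only a handful of the advisory's domains inline; a production version would load the full list from a feed. The point it adds to the queries above is the matching rule: a label-aligned match flags an IOC domain and any subdomain of it, while a plain substring match (the behaviour of the `like` conditions) would also fire on a look-alike such as `notreliablesupport.de`. The log lines and the `naive_like_hits` comparison helper are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Subset of the advisory's IOC domain list (assumption: the full list is loaded
# from a file or feed in a real deployment).
IOC_DOMAINS = {
    "trustedengagement.de",
    "reliablesupport.de",
    "panel.hewktree.net",
    "0fdba029e6a5-endpoint.com",
    "voicemail-59f.admin-treyripple-com-s-account.workers.dev",
    "audit-report-9767d3.fullerjp09.workers.dev",
}

# Assumed log format: key=value pairs, one of them "url=<value>".
_URL_RE = re.compile(r"url=(\S+)")


def host_from_url(url: str) -> str:
    """Return the lowercase hostname of a URL or bare host, without port."""
    if "://" not in url:
        url = "//" + url          # let urlparse treat a bare host as a netloc
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def match_ioc(host: str):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Label-aligned: "cdn.panel.hewktree.net" matches "panel.hewktree.net",
    but "notreliablesupport.de" does NOT match "reliablesupport.de".
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_log(lines):
    """Return (line_no, host, ioc) for every line whose URL host hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _URL_RE.search(line)
        if not m:
            continue                # no URL field on this line
        host = host_from_url(m.group(1))
        ioc = match_ioc(host)
        if ioc:
            hits.append((n, host, ioc))
    return hits


def naive_like_hits(lines):
    """Line numbers a plain substring ('like'-style) match would flag, for comparison."""
    return [n for n, line in enumerate(lines, 1)
            if any(d in line.lower() for d in IOC_DOMAINS)]


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2026-05-27T08:01:11Z user=alice action=GET url=https://voicemail-59f.admin-treyripple-com-s-account.workers.dev/ status=200",
    "2026-05-27T08:02:30Z user=bob action=GET url=https://login.microsoftonline.com/common/oauth2/deviceauth status=200",
    "2026-05-27T08:03:05Z user=carol action=GET url=http://notreliablesupport.de/help status=200",
    "2026-05-27T08:04:40Z user=dave action=POST url=https://cdn.panel.hewktree.net:443/api status=302",
    "2026-05-27T08:05:12Z user=erin action=DNS query=example.org status=NOERROR",
]

if __name__ == "__main__":
    for n, host, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: {host} matched IOC {ioc}")
    print("substring-style hits:", naive_like_hits(SAMPLE_LOG))
```

    Running the script flags lines 1 and 4 (the second via its `cdn.` subdomain), while the substring comparison also flags line 3, the look-alike host. When porting the advisory's queries into a SIEM, anchoring the match on a label boundary removes that class of false positive without losing subdomain coverage.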

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover


    Tags

    Malware, Phishing, PhaaS, AI, Social Engineering
