Device Code-based OAuth Phishing

    Date: 03/25/2026

    Severity: High

    Summary

    An active phishing campaign is impersonating a cloud file storage service and major e-signature platforms. Instead of stealing passwords, it exploits Microsoft’s legitimate Device Code OAuth flow. Victims are tricked into entering a verification code on Microsoft’s real login page. The attacker intercepts OAuth tokens, gaining persistent access to accounts and data. Advanced evasion tactics include obfuscated payloads, DevTools detection, and debugger traps.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    securviews.calangodesign.com

    index-v0c.11alia-tiffincrane-com-s-account.workers.dev

    c2a2c75c3979.pages.dev

    Docu-signatureeuser-accessnet.customerserredr.click

    veriqoe.dev/new

    esmen.sbs/AI2zzh-bhOZId-R2d9vE-O63r9b-Vbvkl5-csIhSs-2I97hD-OyViP8-VVLefo-wpqiHu-n45G

    index-r3t.ohbagski601-quicksend-ch-s-account.workers.devcom.up.microsoft-device-login-adobe.boloniai.com

    logost.cfd/F3kL8m-N0pQ4r-T6uV9w-X1yZ2a-B5cD7e-F9gH0i-J2kL4m-N6oP8q-R0sT3u-V5wX7y-Z9aB1c-D4eF

    index-328.223bad1b7ee1b4341dc280c5.workers.dev/

    index-w3h.223bad1b7ee1b4341dc280c5.workers.dev/

    index-u76.mercedes-hcandersonroofing-com-s-account.workers.dev/

    index-ap3.tyler2miler-proton-me-s-account.workers.dev/

    com.up.microsoft-device-login-adobe.boloniai.com

    adobes-secureedocument.hestra65kidig.click

    chronos-sarl-xbw.1c4a473a7a5c2da254228e99.workers.dev

    Index-81n.account-valuation-statement.workers.dev

    dataroom-access-ymo.1c4a473a7a5c2da254228e99.workers.dev

    adobe-qox.jermaine-totalwarehouse-com-s-account.workers.dev

    page-adobe-hx0.kay-7b4.workers.dev/46da9899

    adobe-5zj.nova-tooleyoil-com-s-account.workers.dev

    adobe-t6u.kira-schneider-sanjunranchtx-com-s-account.workers.dev

    jtkmetalcraft.com.au/wp-admin/wp-userfiles

    Index-xx3.mathieu-renon-lachal-org-s-account.workers.dev

    index-uk3.arianewman33-proton-me-s-account.workers.dev

    www.vranet.site

    click.mg.gorilladesk.com/c/eJwczktyhCAQANDTyE4LuvkuWGTjNVJAN44lykTNTI6fSk7wHsWiA1YjOCrnUDpECWKhz7tvfERT2RinVCnVSpC-OKkDO9a1YkIH4hGldagcWXIcKtqqbYUE3ivy5DBnsUaQYCXKoCwoDZPOCrPxTAapWpKDlvsyLf1cW0vE1zaVvosWH_f9vAb8GGAeYK7pZ_RnmxLt6zHS1916f46l7-M1plL693FP735ufF4T8WuAOefgSQGaZK3VgUV_H3xGr2UA76w447a2nvlOf4VlT2v7l18RfgMAAP__sQJTiw

    www.glitter.io/guides/cdb21b00-a14b-4313-96fb-7612f4c33538

    Hash:

    ec60df6045e6f347a9237a5c7d60db0ccf0bac39c4484fc1dba50be39b7c6452

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "www.vranet.site" or url like "www.vranet.site" or siteurl like "www.vranet.site" or domainname like "adobes-secureedocument.hestra65kidig.click" or url like "adobes-secureedocument.hestra65kidig.click" or siteurl like "adobes-secureedocument.hestra65kidig.click" or domainname like "Index-xx3.mathieu-renon-lachal-org-s-account.workers.dev" or url like "Index-xx3.mathieu-renon-lachal-org-s-account.workers.dev" or siteurl like "Index-xx3.mathieu-renon-lachal-org-s-account.workers.dev" or domainname like "c2a2c75c3979.pages.dev" or url like "c2a2c75c3979.pages.dev" or siteurl like "c2a2c75c3979.pages.dev" or domainname like "Index-81n.account-valuation-statement.workers.dev" or url like "Index-81n.account-valuation-statement.workers.dev" or siteurl like "Index-81n.account-valuation-statement.workers.dev" or domainname like "com.up.microsoft-device-login-adobe.boloniai.com" or url like "com.up.microsoft-device-login-adobe.boloniai.com" or siteurl like "com.up.microsoft-device-login-adobe.boloniai.com" or domainname like "securviews.calangodesign.com" or url like "securviews.calangodesign.com" or siteurl like "securviews.calangodesign.com" or domainname like "index-v0c.11alia-tiffincrane-com-s-account.workers.dev" or url like "index-v0c.11alia-tiffincrane-com-s-account.workers.dev" or siteurl like "index-v0c.11alia-tiffincrane-com-s-account.workers.dev" or domainname like "Docu-signatureeuser-accessnet.customerserredr.click" or url like "Docu-signatureeuser-accessnet.customerserredr.click" or siteurl like "Docu-signatureeuser-accessnet.customerserredr.click" or domainname like "veriqoe.dev/new" or url like "veriqoe.dev/new" or siteurl like "veriqoe.dev/new" or domainname like "esmen.sbs/AI2zzh-bhOZId-R2d9vE-O63r9b-Vbvkl5-csIhSs-2I97hD-OyViP8-VVLefo-wpqiHu-n45G" or url like "esmen.sbs/AI2zzh-bhOZId-R2d9vE-O63r9b-Vbvkl5-csIhSs-2I97hD-OyViP8-VVLefo-wpqiHu-n45G" or siteurl like "esmen.sbs/AI2zzh-bhOZId-R2d9vE-O63r9b-Vbvkl5-csIhSs-2I97hD-OyViP8-VVLefo-wpqiHu-n45G" or domainname like "index-r3t.ohbagski601-quicksend-ch-s-account.workers.devcom.up.microsoft-device-login-adobe.boloniai.com" or url like "index-r3t.ohbagski601-quicksend-ch-s-account.workers.devcom.up.microsoft-device-login-adobe.boloniai.com" or siteurl like "index-r3t.ohbagski601-quicksend-ch-s-account.workers.devcom.up.microsoft-device-login-adobe.boloniai.com" or domainname like "logost.cfd/F3kL8m-N0pQ4r-T6uV9w-X1yZ2a-B5cD7e-F9gH0i-J2kL4m-N6oP8q-R0sT3u-V5wX7y-Z9aB1c-D4eF" or url like "logost.cfd/F3kL8m-N0pQ4r-T6uV9w-X1yZ2a-B5cD7e-F9gH0i-J2kL4m-N6oP8q-R0sT3u-V5wX7y-Z9aB1c-D4eF" or siteurl like "logost.cfd/F3kL8m-N0pQ4r-T6uV9w-X1yZ2a-B5cD7e-F9gH0i-J2kL4m-N6oP8q-R0sT3u-V5wX7y-Z9aB1c-D4eF" or domainname like "index-328.223bad1b7ee1b4341dc280c5.workers.dev/" or url like "index-328.223bad1b7ee1b4341dc280c5.workers.dev/" or siteurl like "index-328.223bad1b7ee1b4341dc280c5.workers.dev/"

    Detection Query 2:

    domainname like "index-w3h.223bad1b7ee1b4341dc280c5.workers.dev/" or url like "index-w3h.223bad1b7ee1b4341dc280c5.workers.dev/" or siteurl like "index-w3h.223bad1b7ee1b4341dc280c5.workers.dev/" or domainname like "index-u76.mercedes-hcandersonroofing-com-s-account.workers.dev/" or url like "index-u76.mercedes-hcandersonroofing-com-s-account.workers.dev/" or siteurl like "index-u76.mercedes-hcandersonroofing-com-s-account.workers.dev/" or domainname like "index-ap3.tyler2miler-proton-me-s-account.workers.dev/" or url like "index-ap3.tyler2miler-proton-me-s-account.workers.dev/" or siteurl like "index-ap3.tyler2miler-proton-me-s-account.workers.dev/" or domainname like "chronos-sarl-xbw.1c4a473a7a5c2da254228e99.workers.dev" or url like "chronos-sarl-xbw.1c4a473a7a5c2da254228e99.workers.dev" or siteurl like "chronos-sarl-xbw.1c4a473a7a5c2da254228e99.workers.dev" or domainname like "dataroom-access-ymo.1c4a473a7a5c2da254228e99.workers.dev" or url like "dataroom-access-ymo.1c4a473a7a5c2da254228e99.workers.dev" or siteurl like "dataroom-access-ymo.1c4a473a7a5c2da254228e99.workers.dev" or domainname like "adobe-qox.jermaine-totalwarehouse-com-s-account.workers.dev" or url like "adobe-qox.jermaine-totalwarehouse-com-s-account.workers.dev" or siteurl like "adobe-qox.jermaine-totalwarehouse-com-s-account.workers.dev" or domainname like "page-adobe-hx0.kay-7b4.workers.dev/46da9899" or url like "page-adobe-hx0.kay-7b4.workers.dev/46da9899" or siteurl like "page-adobe-hx0.kay-7b4.workers.dev/46da9899" or domainname like "adobe-5zj.nova-tooleyoil-com-s-account.workers.dev" or url like "adobe-5zj.nova-tooleyoil-com-s-account.workers.dev" or siteurl like "adobe-5zj.nova-tooleyoil-com-s-account.workers.dev" or domainname like "adobe-t6u.kira-schneider-sanjunranchtx-com-s-account.workers.dev" or url like "adobe-t6u.kira-schneider-sanjunranchtx-com-s-account.workers.dev" or siteurl like "adobe-t6u.kira-schneider-sanjunranchtx-com-s-account.workers.dev" or domainname like "jtkmetalcraft.com.au/wp-admin/wp-userfiles" or url like "jtkmetalcraft.com.au/wp-admin/wp-userfiles" or siteurl like "jtkmetalcraft.com.au/wp-admin/wp-userfiles" or domainname like "index-uk3.arianewman33-proton-me-s-account.workers.dev" or url like "index-uk3.arianewman33-proton-me-s-account.workers.dev" or siteurl like "index-uk3.arianewman33-proton-me-s-account.workers.dev" or domainname like "click.mg.gorilladesk.com/c/eJwczktyhCAQANDTyE4LuvkuWGTjNVJAN44lykTNTI6fSk7wHsWiA1YjOCrnUDpECWKhz7tvfERT2RinVCnVSpC-OKkDO9a1YkIH4hGldagcWXIcKtqqbYUE3ivy5DBnsUaQYCXKoCwoDZPOCrPxTAapWpKDlvsyLf1cW0vE1zaVvosWH_f9vAb8GGAeYK7pZ_RnmxLt6zHS1916f46l7-M1plL693FP735ufF4T8WuAOefgSQGaZK3VgUV_H3xGr2UA76w447a2nvlOf4VlT2v7l18RfgMAAP__sQJTiw" or url like "click.mg.gorilladesk.com/c/eJwczktyhCAQANDTyE4LuvkuWGTjNVJAN44lykTNTI6fSk7wHsWiA1YjOCrnUDpECWKhz7tvfERT2RinVCnVSpC-OKkDO9a1YkIH4hGldagcWXIcKtqqbYUE3ivy5DBnsUaQYCXKoCwoDZPOCrPxTAapWpKDlvsyLf1cW0vE1zaVvosWH_f9vAb8GGAeYK7pZ_RnmxLt6zHS1916f46l7-M1plL693FP735ufF4T8WuAOefgSQGaZK3VgUV_H3xGr2UA76w447a2nvlOf4VlT2v7l18RfgMAAP__sQJTiw" or siteurl like "click.mg.gorilladesk.com/c/eJwczktyhCAQANDTyE4LuvkuWGTjNVJAN44lykTNTI6fSk7wHsWiA1YjOCrnUDpECWKhz7tvfERT2RinVCnVSpC-OKkDO9a1YkIH4hGldagcWXIcKtqqbYUE3ivy5DBnsUaQYCXKoCwoDZPOCrPxTAapWpKDlvsyLf1cW0vE1zaVvosWH_f9vAb8GGAeYK7pZ_RnmxLt6zHS1916f46l7-M1plL693FP735ufF4T8WuAOefgSQGaZK3VgUV_H3xGr2UA76w447a2nvlOf4VlT2v7l18RfgMAAP__sQJTiw" or domainname like "www.glitter.io/guides/cdb21b00-a14b-4313-96fb-7612f4c33538" or url like "www.glitter.io/guides/cdb21b00-a14b-4313-96fb-7612f4c33538" or siteurl like "www.glitter.io/guides/cdb21b00-a14b-4313-96fb-7612f4c33538"

    Detection Query 3:

    sha256hash IN ("ec60df6045e6f347a9237a5c7d60db0ccf0bac39c4484fc1dba50be39b7c6452")
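    The three queries above compare the raw indicator strings with `like`. Several indicators carry mixed case (the `Index-xx3` and `Index-81n` hosts), a path (`veriqoe.dev/new`, `page-adobe-hx0.kay-7b4.workers.dev/46da9899`) or a trailing slash, so an engine that compares case-sensitively or against the full logged URL can miss the very hit the query is written for. The Python below is added here as an illustration and is not Gurucul's or Unit 42's code: it normalises both the indicators and the logged URLs (lowercase host, scheme and trailing slash dropped, query string ignored) before matching, treats a bare-host indicator as "any path on that host" and a host+path indicator as a path prefix, and covers the SHA-256 check from Query 3. The proxy log lines and their `timestamp user url status` layout are constructed for the example; the only real values in it are the indicators and hash taken from the list above.

```python
"""Match proxy-log URLs and file hashes against this advisory's IOCs.

Added example, not the advisory's own tooling. Indicators and the SHA-256
come from the advisory's IOC list; the log lines and their field layout
(timestamp user url status) are constructed for the demonstration.
"""
from typing import Optional
from urllib.parse import urlsplit

# Subset of the advisory's Domains/URLs indicators; extend with the full list.
IOC_URLS = [
    "securviews.calangodesign.com",
    "c2a2c75c3979.pages.dev",
    "veriqoe.dev/new",
    "index-328.223bad1b7ee1b4341dc280c5.workers.dev/",
    "Index-xx3.mathieu-renon-lachal-org-s-account.workers.dev",
    "com.up.microsoft-device-login-adobe.boloniai.com",
    "jtkmetalcraft.com.au/wp-admin/wp-userfiles",
    "page-adobe-hx0.kay-7b4.workers.dev/46da9899",
]
# SHA-256 indicator from the advisory (Detection Query 3).
IOC_SHA256 = {"ec60df6045e6f347a9237a5c7d60db0ccf0bac39c4484fc1dba50be39b7c6452"}

# Constructed sample log: mixed-case host, a benign Microsoft login, a path
# beneath a path-bearing IOC, an IOC string appearing only inside a benign
# site's path (must NOT match), and a bare host whose IOC had a trailing slash.
SAMPLE_PROXY_LOG = """\
2026-03-24T09:12:03Z alice https://Index-xx3.mathieu-renon-lachal-org-s-account.workers.dev/?id=7 200
2026-03-24T09:12:09Z alice https://login.microsoftonline.com/ 200
2026-03-24T09:13:41Z bob https://veriqoe.dev/new/invoice 200
2026-03-24T09:15:00Z carol https://example.com/veriqoe.dev/new 200
2026-03-24T09:16:22Z dave http://index-328.223bad1b7ee1b4341dc280c5.workers.dev 200
"""


def normalize(url: str):
    """Return (host, path): lowercase host, path without trailing '/',
    scheme and query string discarded. Applied to IOCs and log URLs alike."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    return host, path


def build_index(indicators):
    """Split indicators into bare hosts and (host, path-prefix) pairs."""
    hosts, prefixes = set(), set()
    for ioc in indicators:
        host, path = normalize(ioc)
        if path:
            prefixes.add((host, path))
        else:
            hosts.add(host)
    return hosts, prefixes


def url_matches(url: str, hosts, prefixes) -> Optional[str]:
    """Return the normalised indicator that the URL matches, or None."""
    host, path = normalize(url)
    if host in hosts:                   # bare-host IOC: any path on that host
        return host
    for ioc_host, ioc_path in prefixes: # host+path IOC: that path or below it
        if host == ioc_host and (path == ioc_path or path.startswith(ioc_path + "/")):
            return ioc_host + ioc_path
    return None


def hash_matches(sha256: str) -> bool:
    """Case-insensitive equivalent of Detection Query 3."""
    return sha256.strip().lower() in IOC_SHA256


def scan_proxy_log(log_text: str, indicators=IOC_URLS):
    """Return one hit dict per log line whose URL matches an indicator."""
    hosts, prefixes = build_index(indicators)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, url, _status = line.split()   # assumed 4-field layout
        ioc = url_matches(url, hosts, prefixes)
        if ioc:
            hits.append({"time": ts, "user": user, "url": url, "ioc": ioc})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['user']} -> {hit['ioc']}")
```

    Running it flags alice, bob and dave and leaves carol alone, because matching is anchored on the host rather than on a substring of the URL; a plain `url like "veriqoe.dev/new"` would have fired on her benign request as well.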

    Reference: 

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-03-23-%20Device-Code-based-OAuth-Phishing.txt


    Tags: Malware, Phishing, Microsoft, Exploit
