Find notable cyber news and cases, enriched with sources, timelines, and signals.

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First reported
Last updated
Happening score
H score 43
3 unique sources, 4 articles

Summary

Hide ▲

A device code phishing campaign now includes EvilTokens, a phishing-as-a-service kit sold on Telegram that uses the OAuth 2.0 device authorization flow to hijack Microsoft accounts and steal access tokens and refresh tokens for persistent access and BEC. Sekoia reported that the infrastructure had global reach, with the most affected countries including the United States, Canada, France, Australia, India, Switzerland, and the UAE, and the operator says support for Gmail and Okta phishing pages is planned.

Related Happenings

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

Microsoft Azure CLI password-spray campaign using ROPC

Campaign
H score24 First: 01.07.2026 08:46 Last: 01.07.2026 08:46 Sources 1

About this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...

DCloud Uni-App scam website campaign

Campaign
H score70 First: 29.06.2026 14:57 Last: 29.06.2026 14:57 Sources 1

About this happening: The **DCloud Uni-App** scam-site campaign has grown into a **236,493-domain** fraud network that steals credentials, drains crypto wallets, and impersonates major brands. The site...

Poisoned Tenant OpenAI organization invite campaign

Campaign
H score35 First: 26.06.2026 20:49 Last: 26.06.2026 20:49 Sources 1

About this happening: The **Poisoned Tenant** campaign is using fraudulent **OpenAI organizations** to lure targeted employees into shared **ChatGPT workspaces**, creating a risk of sensitive company d...

Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend

Trend
H score22 First: 05.06.2026 17:00 Last: 05.06.2026 17:00 Sources 1

About this happening: **Enterprise users** are showing a sharp rise in **shadow AI**, **credential abuse**, and **browser-native attack exposure**, increasing risk at the browser layer. The trend matte...

Timeline

  1. 04.04.2026 17:17 4 articles · 3mo ago

    Device code phishing campaign expands across SaaS-themed phishing kits

    Campaign Scope Update

    Push Security reported that device code phishing abusing the OAuth 2.0 Device Authorization Grant flow had risen 37.5x this year, with EvilTokens identified as a major driver and at least 11 kits circulating across SaaS-themed lures and cloud-hosted infrastructure. Sekoia separately published research on EvilTokens earlier that week, and Push recommended disabling device-code flow where unnecessary through conditional access policies and monitoring for unexpected device code authentication events, unusual IP addresses, and unfamiliar sessions.

    Show sources