DISCARDED: Tales From the Threat Research Trenches

A Device Code Explosion: The New Era of AI-Enabled Phishing

Proofpoint Season 1 Episode 101


Hello to all our Cyber Sunbeams!

Host Selena Larson is joined by guest host Sarah Sabotka as they chat with Jake Gionet to unpack one of the fastest-growing threats in today’s cyber landscape: device code phishing.

What started as a niche technique used in red team exercises has quickly evolved into a widely adopted method for account takeover—fueled by publicly available phishing kits and accelerated by AI-assisted tooling. The trio breaks down how device code phishing works, why it’s suddenly everywhere, and how attackers are exploiting legitimate authentication flows to bypass traditional defenses.

They also explore the rise of “phishing-as-a-service” platforms like Evil Tokens, the surprising lack of sophistication behind many campaigns, and how AI is both enabling attackers and exposing their mistakes. Along the way, they dig into real-world examples, threat actor missteps, and the blurry line between innovation and imitation in cybercrime.

If you’ve been hearing the buzz around device code phishing and want a clear, grounded explanation—without the hype—this episode delivers. Plus, practical insights on what defenders should actually focus on as these techniques continue to evolve.

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover


SPEAKER_01

You're listening to Discarded: Tales from the Threat Research Trenches, a podcast by Proofpoint for security practitioners. Each episode you'll hear from security researchers, malware analysts, threat hunters, and more as we dive into what's going on in the world of cyber attacks and how defenders safeguard us from threats. Let's get into the show. Hello to all our cyber sunbeams, and welcome to the Discarded Podcast. I'm your host, Selena Larson, a threat researcher at Proofpoint, and I am joined today by fellow threat researcher Sarah Sabotka. Hello. And we have a very special guest today who I am absolutely delighted to bring on because he is one of my favorite people to bother all day long with messages about phishing. So today we are joined by Jake Gionet. Welcome to the podcast. Welcome back, actually. It's been a while, but we've had you on once before.

SPEAKER_02

Once before talking about BEC.

SPEAKER_01

Well, you're here today to talk about something that we have gotten a lot of questions on. Before we dive into device code phishing and how AI slop phishing is ruining my life, Jake, why don't you introduce yourself and explain what you do here at Proofpoint?

SPEAKER_02

Sure. So I am a threat researcher at Proofpoint, and I spend most of my time looking at credential phishing, trying to figure out what's going on in that landscape, which most of the time is boring, or at the very least not super exciting, but has been busy for the last, I don't know, eight to twelve weeks or so.

SPEAKER_01

So it's a mess. It's messy. I keep using that GIF. I love mess, but I don't. I hate it. It's so annoying. Sarah, are you feeling overwhelmed with all of the phishing too?

SPEAKER_00

Yeah. Overwhelmed is like the theme of my mental health right now for the last like, I don't know, easily a month, we'll say. And some days I'm like, this feels great. And then other days I'm like, it does not feel great. But yes, there's a lot happening. It's messy.

SPEAKER_01

There's so much happening. So today we are going to talk about one subset of the phishing landscape which has exploded. Sarah, do you want to introduce device code phishing?

SPEAKER_00

Yeah, we're coming out with some new research on device code phishing and the current landscape, which we will include a link to in the show notes. And it's actually something Jake and I worked on a report about and published in December, before it was cool, apparently, to talk about out there. So the blog is called "Access Granted: Phishing with Device Code Authorization for Account Takeover." It is something that we observed an increase in use on the landscape, I think probably mid-last year, right, Jake?

SPEAKER_02

Yeah, it started, you know, it's been around, it's been a thing, I guess, since around 2020, which is when I think we first started seeing it, or at least started seeing reports of, you know, "this is how it might be used." At that time, it was basically red team activity that we'd see, because it's pretty impractical with some of the early implementations to do at scale.

SPEAKER_01

Well, before we get into how things have changed and the evolution, let's define device code phishing. For any of our listeners who are not familiar, we often forget to do this because it's so much a part of our life. But basically, what device code phishing is, is it abuses Microsoft's OAuth device authorization grant flow to compromise Microsoft user accounts by approving access for various applications. The example that's always used is, you know how when you have a new TV and you're installing Netflix, you have a little QR code design? This is "enter device code to get approval for this application." And then bam, you're logged into Netflix and can watch TV at your Airbnb. Well, that is very similar to what we see with device code phishing and trying to get into emails. And we mostly see it with Microsoft, of course, Microsoft email accounts. And now back to you, Jake, for talking about the history of this particular threat type.

SPEAKER_02

Sure. So since it is designed to work on, you know, you're authenticating a device that you're not actually doing the authentication from, it works out pretty good for threat actors. So, you know, some of the early blogs, I guess, and threat researchers writing on this topic, the earliest I know was DrAzureAD back in 2020. And one of the key features of this device code flow, the device authorization grant flow, you know, the fancy name that takes forever to say, one of the key features is that the codes that they issue are time bound; they're only good for 15 minutes. Well, 15 minutes is the default for Microsoft. I think different services have different lengths. The vast majority of what we're going to be talking about today is going to be Microsoft focused because that's what 99% of what we see is. So those codes have a short lifespan. From an attacker standpoint, you have to create the code, send it to your victim, and get them to click in 15 minutes. That would work sometimes, but not all the time. So at the time it was kind of reported as possible, but we didn't see much use of it.

SPEAKER_01

I mean, you mentioned the red team was really what we saw, the original device code phishing.

SPEAKER_02

But even then, it still wasn't that prominent, or at least not in our data that we tracked. So fast forward to 2022, and Secureworks releases a tool that makes it a little bit easier to do. The tool was called SquarePhish, and it really solved the time-bound aspect of it. So the main way it worked is it wouldn't generate the code until you began interacting with the phishing email. The flow was a little weird, but the lures they used for it were really good, fit in really well with MFA registration with QR code scanning and stuff. And once again, we saw quite a bit of red team activity with that.

SPEAKER_00

Why would a company like Secureworks create a tool like that for red teaming?

SPEAKER_02

Well, because they have a red team business and it is something that helps them do their job. And actually the vast majority of what we saw, I'm pretty sure it was Secureworks when that first came out. Eventually, we did start seeing other threat actors using it. It was still pretty limited, though. The actual flow itself wasn't the cleanest because it required two emails the way it was implemented, but it did solve that time problem and kind of enhanced what attackers were doing, right?

SPEAKER_01

Well, it was an email where they would reach out and be like, "You have, you know, there's some sort of alert or security notification, reply to this email or click this link and we'll send you the code." And so they would click the link and have a follow-up.

SPEAKER_02

Yeah, so by default, it was "you need to re-register your MFA device by scanning this QR code," which is why it was called SquarePhish. Yeah. So re-registering, you know, scanning a QR code to register your MFA, that fits in very well with how you join the TOTP authenticators. You scan the QR code so that it gets that seed. It was a really good red team tool, but we didn't see it used widely. There were a handful of threat actors that seemed to experiment with it, but no widespread adoption. So that was 2022. Fast forward all the way up to now, 2025, end of the year last year. In that time we saw a handful of APT actors start using it. We saw one of our cybercrime actors start using device codes right around the time that a kit seemed to be somewhat open sourced on a crime forum. So that was kind of, I think, the genesis of what we're seeing now. Without that kit being put out publicly, I don't think we would have been seeing the explosion of it that we are now.

SPEAKER_01

I think we would have eventually, but well, it was a kit that was basically like maybe they had previously sold it or something, and then the threat actor on a crime forum was just like, "You know what, I'm just giving this to everyone for free. Here's this device code authorization flow phishing kit." And then that was in, what, November of last year, I believe, when it was posted on the forum.

SPEAKER_02

So it might have been before. No, we got the blog out in December, so it was, yeah, the blog took a little while too, because it took a while because we compiled some other stuff into it, but yeah, it was like a super deep dive.

SPEAKER_01

Yeah, yeah.

SPEAKER_02

So yeah, it was late fall or early winter or so when it came out, and now it's exploded. It was interesting, after that kit was released in 2025, monitoring it, the kit changed over time, but it seemed to be a pretty consistent change. Like there was only a group or a small group of people using it. The vast majority of the changes were CSS to the pages. It was changing the themes, changing some images, but it wasn't anything drastic. And even today, the core authentication flow is basically the same. The way all of these kits work is essentially identical; they just change API endpoints, and the code is minusculely different in what the client sees, which makes detection annoying sometimes. But yeah, so it took three or four months or so of very slow changes where it didn't look like it was getting widely picked up. And in February, the Evil Tokens channel started, and it was about a week after that start that we started seeing it used more widely and more broadly. So I think at that point is when other actors started copying, I guess. And some of them, you know, I forget what it's called, where you can have several people working on something and they all kind of seem to reach the same conclusion at the same time. Right. So it's possible that the other actors didn't just outright copy this kit or Evil Tokens, but they clearly all had the same idea to work on that general flow and the same mechanisms at the same time. And since then, now I think people are just stealing it from each other.

SPEAKER_01

Yeah. Well, and I think it's important to note too the overall look of it. I don't know, Sarah, if you have noticed what the campaigns actually look like and what a user will actually see with these kits, but have you noticed any patterns in what those look like?

SPEAKER_00

Nothing. They're not exciting, right? I mean, I think this is being advertised as something super advanced and super scary and super, you know, because it's like AI powered and all this stuff, like all the buzzwords are being packed into the marketing on this thing, but it's not anything different, I guess.

SPEAKER_01

Well, and it's all like blue and black, which are the hallmarks of AI generated, like it's not different, right?

SPEAKER_00

The social engineering aspect of it, the thing that the end user is gonna see, is not completely different than anything else that's on the threat landscape. So it's not, like, a novel thing, technically.

SPEAKER_01

Yeah. Well, and what I find really interesting and funny too is talking about one of our threat actors, Jake, TA4903, that started using device code phishing. And they did actually either clone or, you know, copycat something like Evil Tokens, or they bought a service that was copying Evil Tokens, because they don't use Evil Tokens, as we mentioned. And we can actually, Jake, I think it would be kind of cool to sort of dive into some of the hallmarks of what defines Evil Tokens versus some of the other things, you know, with the HTTP headers and stuff. But yeah, so this actor started using device code, which was completely different TTPs for them, but it looked literally identical to what all the other device code phishing looks like. But what is really important is the lures were terrible. Like the actual emails that this actor was sending were just blank, like blank email bodies. And we're actually seeing that quite a bit with some of the actors that are using this device code phishing type of phish kit or creating their own, where they'll send, like, okay, maybe they have some sort of automated email spammer or they had just a list that they're working off of, but like, you know, literally the email body is blank and it just has an attachment with the QR code. And to me, that's like a step back in terms of sophistication and progress. 'Cause if you're trying to achieve a successful phish, like you don't just leave the email body blank. I mean, I don't know. Right.

SPEAKER_00

That would not flag a detection? I mean, like a very basic kind of detection would look at something like that, like, "Oh, this is kind of sketchy. It's an empty email body and it has a weird attachment," right?

SPEAKER_01

And a crazy subject name that's just like a bunch of letters and numbers, like yeah, yeah.

SPEAKER_00

Right. It is a step back. I agree with that, Selena.

SPEAKER_01

Yeah. So I don't know, Jake. One thing I thought was cool when we first started looking into this, because I think it was Evil Tokens and one other that sort of came on our radar at exactly the same time. And I know there's a lot of back and forth discussion: is this Evil Tokens? Is it not Evil Tokens? But you were able to sort of differentiate a wide variety of clusters. Can you talk a little bit about how you were able to find the initial sort of groupings, and then how has it just really changed from two weeks ago or three weeks ago when we first started looking at this?

SPEAKER_02

Sure. So, you know, as I mentioned before, we started looking at this way back in fall of last year. And since the actual pages and the flow are so similar, we've had a couple signatures that are really solid for picking this up. They're really solid for picking up the actual pages they're using, not so solid for differentiating them because of how similar so many of them are. So when Evil Tokens came into existence and we started trying to kind of categorize what we were seeing and what these larger clusters were, a lot of times there were small enough differences in the way that configurations were provided or the APIs were called, or some of the, I guess I'll say, protection headers, how they prevent you from just spamming some of these endpoints and causing them to get an excessive amount of resource usage. So some of those aspects of it were enough to kind of differentiate these kits. And even so, throughout March, which, man, that was only like three weeks ago. Throughout March, there were only a handful of these. And so at that point, I thought it was worth trying to categorize these and stay on top of them. And throughout the end of March and into April now, it's kind of exploded in terms of how many kits we see, how many variants there are, how quickly they seem to be changing. I think in the last 10 days, we've seen six or seven unique takes on this. Unique enough that it's clearly not just copy paste, and that they're at least doing some effort to change what they have. We're seeing actors start to add in some of those annoyances for us, things like click-throughs and CAPTCHAs and Cloudflare protection and things like that.

SPEAKER_01

But browser-in-the-browser, I think we saw one.

SPEAKER_02

Yeah, that one was an interesting one because this is an example of threat actors implementing things that don't always make sense. Browser-in-the-browser was an interesting technique for kind of popping up that fake authentication window. The most interesting or useful part about device codes for threat actors is that you actually go authenticate to a real Microsoft endpoint. And there is zero reason to do browser-in-the-browser if you're gonna do that. But we saw an actor implement a part of their page that way for some reason. No idea why. If anything, that makes it easier to detect, more likely for a person to realize there's something wrong with that web page. But yeah, we saw them do it. And I'm sure they did it by just, you know, saying, "Hey LLM, can you roll this feature into this webpage for me?"

SPEAKER_01

Yep. So before we dive into some of the fun little characteristics of each of these kits, and we have seen actor errors, which I think is really important to note. I think it's very dangerous when we use words like sophisticated or groundbreaking or even things like impressive, right? Because those are sort of weird words to use to describe some pretty basic functionality of a lot of what we're seeing. But for those who might be a little bit confused in terms of, like, well, why are they just all copying each other? Or how come you can't necessarily differentiate? I like to think of it as a handbag. So let's say you have your Louis Vuitton handbag, and it's the real Louis Vuitton handbag, the brown and gold handbag. But then you're walking down Canal Street and you see 10 different vendors that are all selling Louis Vuitton knockoffs, and they all look very similar. Some of the letters look different, some of the little stars might be in different places, maybe the handles are brown or gold, but they're all the same rectangle bag, they all have the same zipper functions, they all have the same brown and gold feature, and they're all mimicking Louis Vuitton. And just by looking at them quickly as you're walking down Canal Street, you wouldn't be able to identify the differences. You would just be like, okay, I know my Louis Vuitton handbag, but all of these other handbags look really like my Louis Vuitton handbag, even though there are maybe slight differences and they're all being sold and used by different people. But this is kind of what the device code phishing landscape is: it's knockoff Louis Vuitton handbags.

SPEAKER_00

You got that from Tim. Tim's the king of those metaphors, right? Oh my gosh, that was such a good one.

SPEAKER_01

I mean, look, Tim inspired me in the last podcast to try and come up with real-world applications. Yes, and look, I want my Louis Vuitton handbag, so I don't want these other knockoffs, please. I would just like to keep my authentic and original one. But yeah, I think that's kind of what we're seeing in the device code phishing landscape: a lot of copycats, a lot of knockoffs. Some are being sold, some are being just developed, some are just kind of thrown out there. Some might even be stolen. And I think one of the fun things that we have found recently, to Jake's point, as he mentioned, are some of these errors, like why would you put a browser-in-the-browser in a device code phishing authentication flow? That's so stupid. But you've also seen exposed panels and coding errors and key characteristics in the actual kits themselves that show probably more than the threat actor really means to.

SPEAKER_02

Yes. So there have been multiple instances. One of the things that you need to do when you're doing a device code authentication flow is you need to poll whether or not the code has been activated. And that's how you know that your victim has entered the code and you can move on with your process. In, I'd say, roughly a third of the cases that we've seen, the code that they're using to do this polling reveals a fair amount about the systems that they're using. They're posting file paths, they're posting infrastructure information for some of their servers and services on the back end, just as kind of some debug info that's been included in their presumably generated code that has no reason to be there other than debugging, but they didn't know that they needed to take that out ahead of time. And those errors extend all the way to the panels that some of them are using as well, where they will essentially send the entirety of their panel back on requests. And it doesn't show it to you if you don't know what the page is doing. You might think that you're at a login page when really it's telling a whole bunch of information about the kit, the way it works, the features it has, things like that, which is one of the ways that it's possible to classify these kits: to see, infrastructure-wise, these are the panels they're using, this is the information we can gather from there. And in some cases, it can be helpful because those panels will tell you here are all of the other deployments that this service is doing at the time.

SPEAKER_01

So yeah, I thought it was really interesting how, coinciding with this big spike of device code phishing, and this extends beyond just this particular threat, right? We see it with a lot of sort of AI generated malware, AI generated toolkits, attack flows, where you have actors that are using LLMs to create things for them, but not actually understanding the back end or how to build. Like, turns out it's actually really hard to build malware. It's actually pretty difficult to build a secure backend for your phishing delivery infrastructure. And if you are just someone who isn't, maybe you're not a web developer, maybe you're not an infrastructure security person, you can very, very easily sort of add some of these errors in. And Sarah, I'm curious, is this something that you're seeing too, in terms of the increase in the general, I don't know, just the explosion of threats lately, it feels like it's kind of a decrease in sophistication a little bit?

SPEAKER_00

Yeah, no, you're totally right to point this out because what immediately came to mind were the predictions that we all made last year about how AI truly is lowering the barrier to entry for people who want to dabble in cybercrime. But just because you're making it through the entry doesn't mean you're good at it at all. Like it doesn't mean you're actually in it, right? Or any good at it. It is just allowing people to get the basics in. But yes, I think you're just getting the knockoff handbags. You're not doing the good ones. I mean, it's a whole thing. But yes, from my perspective on the area that I kind of live in, like the BEC fraud landscape and the explosion of those messages and the changing techniques. And I'm not gonna say sophisticated or advanced, I'll just call it evolving, because that's what the threat landscape does, right? It evolves. We see evolving techniques. This Evil Tokens is a great example of one. The social engineering evolution from the BEC fraud side is a great example of one. And we're seeing, yes, these amazing social engineering lures, the convincing attachments, but on the back end, a lot of things that are kind of exposed, like OPSEC failures, right? Like I can see, in some cases, without giving away too much, an email, like a very unique personal email address for domains that have been registered for specific websites, that are a real guy, and you can find him on LinkedIn. Yes, you can do all of it, and it's just like, okay, wow, he or she, they did a really great job with this campaign, like curating the social engineering aspect and targeting and everything. But it takes 30 seconds to figure out who this person is in this case. And that's just threat actor 101, right? Cover yourself, cover your butt. 
And yeah, LLMs aren't gonna tell you to do that, aren't gonna tell you, "Hey, you know, register this anonymously," or blah, blah, blah. So yeah, I think it is, it's like making threat actors dumber, which actually works to our advantage. Yeah. I do think so.

SPEAKER_01

And also what I find really interesting is a lot of this stuff is available to see, to actually kind of enter the threat actor ecosystem. So with Evil Tokens in particular, Jake, I know that you've been tracking their Telegram and taking a look at, okay, what are they talking about? And they're talking about blogs about Evil Tokens, right?

SPEAKER_02

Like you're letting our secrets out, Selena.

SPEAKER_01

Yes, you're supposed to say that.

SPEAKER_02

How could they know that people in public channels might retract?

SPEAKER_00

Yeah, so again, they're dumber, they're getting dumber.

SPEAKER_02

So one of the interesting things that Evil Tokens has done, and this is the first case that I know of like proving this essentially, but as Sarah was talking about BEC, we have for a long time held that the vast majority of credential phishing, the end goal of that is essentially BEC and invoice fraud. Evil Tokens, you can see in their panel, has actually implemented AI workflows related to BEC for post-compromise, hooking all of the mail from these compromised mailboxes up to an LLM so they can ask it questions. Things like, who manages payments in this organization? Who do I need to send invoices to? Can you make me an invoice that mimics the invoices that this person sees? Are there any thread hijacking opportunities? So it is interesting to see that use of AI, because I don't think we've actually seen that, or at least had evidence that that was for sure happening at any sort of scale previously. So it's interesting to see this rolled into a service that is trying to differentiate itself. And I do think it's somewhat telling that we're seeing that on a service where the vast majority of the infrastructure appears to have been created and generated by AI, that they're rolling some of those workflows into it. So it is somewhat apparent that whoever is behind this has a lot of experience and enthusiasm for these AI workflows and using it to their advantage.

SPEAKER_01

Well, and I think it's interesting too because Evil Tokens is pretty unique in that, because a lot of the other ones that we're seeing don't have that additional capability. Okay, you're buying the kit, you're just getting the device code flow, or with people that are doing the copycats, you're just getting the device code flow. Whereas with Evil Tokens, again, it is a little bit more involved. You can get more help with targeting and email creation and stuff. So you're not getting those blank email bodies that you're seeing with a lot of the other device code phishing campaigns.

SPEAKER_00

Wait, I just want to call out real quick though. It's interesting that you talk about how we can see that the credential phishing aspect of this type of threat kind of leads to downstream BEC and fraud, but it's so much bigger than that, too, right? Because it leads to essentially account takeover. And I think, going back to Selena and I, we've hosted quite a few Intercepteds at this point, and account takeover is one of the bigger concerns from audience feedback, and with kind of things happening on the landscape that perhaps we don't have necessarily any visibility into, but other things that happen, you know, big incidents at certain organizations that were wiped out, just thinking about a month ago of things that happened. I don't want to call anybody out, but the suspicion was that that had been carried out from an account that had been taken over or credentials that had been phished. So it's not just BEC and fraud that is the threat here from this type of thing, from this tactic or this tool; it could lead to so many other worse things. Like anything, just use your imagination: if you have a compromised account, it could do anything.

SPEAKER_01

Well, yeah, and Evil Tokens in particular kind of has those prompts. But one thing that I thought was interesting was we saw yesterday a campaign that had a PDF attachment with a URL that led to Evil Tokens device code phishing, where, when you click on the URL, it generates the device code that you then input and gain access to the threat actor. But I pinged Jake, I was like, "Jake, this PDF has like a Tycoon domain in it," like one of those older .es Tycoon URLs. And I was like, wait a second, are they doing Tycoon and Evil Tokens in the same campaign? But then we were really smart and looked it up on DomainTools and saw the history of the domain, and we're like, okay, wait, no, this is old.

SPEAKER_02

Yeah, so that URL was 16, 17 months old. So our suspicion is that they're reusing their PDF lures. And this domain was not in the main part of the PDF, it was stuck in the metadata, so it just didn't get updated. It was confusing to see, but it does show that actors that were using traditional AITM services previously are using device code. And on that note, we have seen evidence that Tycoon does support, or appears to support, device codes in some capacity. When it first showed up, I wasn't sure if it just happened to be getting deployed to the same infrastructure or something that they're testing, but we've seen enough of it fairly regularly now that I think it's fair to assume it's part of the service offering. So the kits are evolving to include this flow, which they need to, to continue to exist long term, because of the advancements in phishing protections. You know, the same way that AITM was created to essentially deal with multi-factor authentication, device codes and in general OAuth abuse will be the future as passkeys and FIDO tokens become more and more standard in the environment.

SPEAKER_01

I also wanted to note too, um, you know, listeners of our podcast might be like, wait, Tycoon, wasn't Tycoon disrupted? And yes, so Tycoon activity is way, way, way down. And there are, you know, ongoing efforts to continue disrupting this particular threat actor and their activities. So it is no longer the biggest threat by any means that we're seeing in our data. But I do find it extremely notable that they only added device code after they were targets of a takedown for attacker-in-the-middle MFA phishing.

SPEAKER_02

So the key word for that campaign is disruption, not, you know, not complete, not arrested and put in prison or anything like that. So they were disrupted.

SPEAKER_01

Yes. But it has shown, you know, this sort of pivot to additional use cases, right? Like I think you made an absolutely excellent point where the future of phishing is something like device code phishing, and, you know, as more organizations are a lot more protected and more well educated and are doing better with, you know, MFA everywhere, threat actors also have to adapt. And so, you know, the protections against MFA phishing have gotten really good now that they have to try and do something else. I do want to point out too, you know, the PDF example that we saw where it was an Evil Tokens URL with the Tycoon URL. So that indicates that the threat actor isn't using the Tycoon device code potential opportunity. They have just gone to a different, you know, provider. So I think that's also kind of cool to see, like, okay, you know, it's possible, we don't know for sure because we don't, you know, know who this particular actor is, but it's definitely possible that when disruptions happen, customers of that, you know, provider will then go somewhere else because there's trust lost, there's a disruption to the actual infrastructure, their campaigns get totally messed up. And so, you know, in addition to doing something like an infrastructure takedown and targeting their, you know, domain registrations and things like that, there's also that follow-on repercussion of, all right, customers got to pivot to something else now. Like, we're gonna try something new. So I think that's also really, really interesting. And I do, you know, like I'm curious, Jake, what you think about some of the public reporting that's coming out, talking about these, you know, device code. And Sarah too, I know you've gotten a lot of questions from customers about public reporting on some of this stuff. Spicy question incoming.

SPEAKER_02

So, you know, some of the initial reporting as this stuff came out, you know, some of the initial blogs and articles that went up definitely conflated a few different services, I guess I'll call them kits. You know, they are incredibly similar, really, really easy to do. So, you know, there are definitely some of them that conflated some of them, and, you know, some of the TTPs that were reported for Evil Tokens will actually be associated with other kits. And, you know, the sheer similarity of them makes that kind of bound to happen when it's something new. But it's interesting, having, I guess, kind of watched that space as time has moved on. You know, we saw just kind of that explosion of different services and kits. So it'll be really interesting moving forward if even having that distinction matters that much, because as it is now, with so many of them springing up, it doesn't really matter what the name is. The basic attack is basically the same. The lures are very similar because most of these kits actually include the lure generation, or not the lure generation, but the landing page generation. So yeah, it'll be interesting to see how much it matters moving forward. Like, the basic functionality here is being cloned and copied so much that it could just be kind of back to the, yeah, it's a page that loads Microsoft phishing.

SPEAKER_01

Yeah, like we did, oh gosh, yeah, like we have had for phishing and MFA for so long. And I think, you know, it really does. So you bring up a great philosophical CTI point, Jake.

SPEAKER_00

Sarah, are you thinking the same thing that I'm thinking? Probably. I'm like biting my tongue right now, just waiting. Does attribution matter? Right. And like, okay, so Jake did also bring up an amazing point with regards to techniques. Like, it doesn't matter the tools, the marketing of the threat actors or how these blogs and reports are being marketed with all this FUD. Like, what it boils down to is the technique itself, which, I don't want to, you know, get on my soapbox about it, but we published this in December, right? When we started to see it emerge on the threat landscape. And I can't help but kind of relate this also back to ClickFix, when we first started talking about ClickFix on the threat landscape, and we published a report, and, you know, a couple months went by and now all of a sudden customers, like everybody's like, oh my god, ClickFix, right? Like, we told you about this a couple months ago. Like, not to be that person, but we warned everybody, like, this is what we do. We publish research. I think that the big difference is we don't give it some exotic, crazy, like fancy, you know, fire-everywhere kind of name, like something that's gonna get it marketed and reshared and so on and so forth. But what it boils down to is these are the techniques that are coming, these are the emerging threats. Like, it was emerging at the middle to the end of last year, and now it's here, and everybody's kind of freaking out about it. So that's why intelligence and research is important when things are slow on the threat landscape, not slow, but they're just emerging. And, you know, we report on them. That's when you take action and get ahead of it. Not when it's given some crazy sexy name and you're scared of it and it's targeted and AI powered, and all the buzzwords are thrown into the marketing of it.

SPEAKER_02

So that's my two cents. Evil Tokens was named by the creators.

SPEAKER_01

Yeah, Evil Tokens. Their own marketing, yeah.

SPEAKER_02

They have to make it sound cool for themselves. They have to associate it with all of the, you know, all of the history of these tools, and yeah, they market too.

SPEAKER_00

We forget that cybercrime is a business. Like, we don't forget, but I think as an industry and as consumers of the industry, people forget that cybercrime is just as much of a business as CTI is or cybersecurity is, right? Like, you might even call cybercrime the opposite of cybersecurity, right? Like, if we're in the upside, they're in the downside, right? Or the upside down or whatever. Upside down, whatever it references.

SPEAKER_01

There's a tear in the fabric of reality where all of us are actually cyber criminals.

SPEAKER_00

I say we have doppelgangers. We do have doppelgangers in the upside down, whatever. I'm done with movie references, show references right now. You got me all tizzied up with that question. I know, Sarah.

SPEAKER_01

You've had so much coffee this morning. My mason jar is bigger than my head. It's getting a lot less coffee in that mason jar as we go. It's been a week, as we all know. I do want to point out real quick, Jake, and then I'll hand it back over to you. Attribution does matter for things like disruptions, for things like putting handcuffs on threat actors. So, yes, that is true. But if you look at the overall threat landscape, there are hundreds of millions of credential phishing attacks, literally, that we see all the time in our data, like every day. And, you know, all day, every day. All day, every day, hundreds of millions. And, you know, we attribute a small percentage of those. So, you know, we're able to do attribution on things like Tycoon, which then leads to things like disruptions. We're able to potentially do some attribution on things like Evil Tokens, because it is a pretty sophisticated, not sophisticated. I hate, I can't believe I used that word. I should throw it in. It's evolved. It's an evolved job. A curse jar. Put it in the curse jar, a swear jar. It's an evolved, yeah, it's an evolved kit. And so I think, you know, things like that where we do have good visibility, solid detection, because Evil Tokens is very unique with the headers and the Annabot token that we're able to sort of cluster on. And, yeah, yes, this is them. But what you're gonna see is a lot of different ones, a lot of copycats. You see this with malware too, right? So, for example, with Stealerium, Stealerium was totally open source on GitHub, and then Phantom Stealer literally just stole the Stealerium code, repackaged it, and sold it as Phantom Stealer. So you see this a lot with, you know, code overlap, shared tooling and resources, a lot of this stuff. So sometimes it doesn't really matter, and you do want to highlight and be defended against the technique.
But on the flip side, if you are trying to go after and disrupt some of these tools and the people behind them, then yes, attribution does matter. And we here at Proofpoint, of course, will do our best to do both. So we have excellent coverage on all things device code, regardless of who the actor is. And we do have a type for our customers that is tracking Evil Tokens specifically.

SPEAKER_02

Yeah, my opinions on CTI have evolved over time. You know, my background was incident response, so, you know, historically, I didn't care what the kits or, you know, whatever were. I just needed to know what it was so I could go remediate it, which, you know, for the vast majority of our customers, should be the top-of-mind thing: how do I remediate things when I'm impacted by them. But there are customers where it definitely matters more who is targeting you, why they're targeting you, what they're after. And that's where that attribution definitely becomes a lot more important. That was eye-opening, I guess I'll say, when I started to see how differently that matters to certain customers compared to others.

SPEAKER_01

Jake, can I just take some credit for your growth as a person?

SPEAKER_02

If you want to.

SPEAKER_01

I remember, I think it was you, maybe was it you and another person who no longer is at Proofpoint, RIP? Not, they didn't die, they just aren't here. And you guys were trying to argue with me about just like automating everything and just, like, you know, cluster it, like automated clustering, and like attribution doesn't matter, blah, blah, blah. And I was like, let me put on my CTI hat. And I have to say, I do actually, you know, I can understand both arguments. So I think that there, like I said, there are times when attribution is good, and there are times when frankly, you just gotta know what to look for, what to detect, and block. So I have also evolved as a person from you, Jake. So she's teaching me that maybe it doesn't always matter. Yeah.

SPEAKER_00

So it all matters, right? It all really does matter. I think I came from the CTI on the enterprise side and Jake from incident response. So kind of one and one tied together, one on one side, one on the other, but still under the same happy hat. But yeah, I mean, attribution matters to an extent, especially when you're talking about nation-state actors, I think, specifically, certainly. But the techniques that they're using are what you action, right? So it all boils down to tools and techniques.

SPEAKER_01

A hundred percent. And I do want to shout out, Jake has done some incredible work with our detection team to write sigs for this stuff, to find it, to make sure that we're blocking it, to surface it in our detection data and make sure all of our customers are protected. And on the Emerging Threats side, actually, I want to give a shout out to Isaac because he's done some great work on some of this, as Janina has as well, both of whom have been on our podcast before and they are on the Emerging Threats team and are writing signatures, both ET Open, which is totally for the community, so anyone listening can use the ET Open signatures in their own IDS/IPS tooling for network detection. And then, of course, we also have some ET Pro rules, which are just for, you know, Emerging Threats customers, so you are protected and blocked with that as well. So yeah, great work team, great collaboration. And, you know, I'm just gonna give a shout out to myself because I've been campaigning some of these. I'm just gonna take this opportunity.

SPEAKER_00

Because it's well deserved. Shout out to Selena, right? Jake and I will check out.

SPEAKER_02

I will look at these and say, oh man, I have 15 more to look at in the next, you know. I wanted to be done working in an hour, and I got 15 more things that look different or unique to look at today. And Selena's like, I'm looking for something to campaign. And I'm like, well, here you go. This is helpful because now I can move on to trying to figure out why on earth this thing doesn't look like, you know, the last five.

SPEAKER_01

Right, exactly. We have a good relationship. We're like plants and sunlight, you know. Like, Jake just finds weird things. I campaign it, and I go back and say, here's another weird thing I found. What's this doing? Yeah, it's super fun. So we will be continuing to take a look at that stuff. So it is exploding. So yes, I totally get why a lot of people have questions on it. But hopefully this podcast helped to answer some of those. And definitely check out the rule signatures. And yeah, Sarah, any last thoughts for our listeners?

SPEAKER_00

I do. I do have a last thought, and I mentioned it, you know, a couple minutes ago, but I think that these are kind of like the device code phishing, like the evolution of it being a technique we start to observe and now it becoming like as a service, essentially, or this Evil Tokens tool, like the evolution of that, like the timetable that it took from observation to now kind of like formal business. Comparing that with ClickFix, because if we're like air tokens, er tokens, however you pronounce it, or what is it? No, air traffic. Air traffic or E-R traffic. Oh my God. Can we? This is so Evil Tokens, air traffic, or, okay, ET phone home. But like looking at the timeline from when ClickFix popped up on the landscape, slowly, slowly, slowly. It was adopted by APT actors and cybercrime. And then now it's, like, we were seeing like formal tools on it compared to Evil Tokens and device code phishing. It's a much shorter timeline. And we know now because Jake's been able to observe it, we can see it. The LLM support with Evil Tokens, is that like a thing to look at? Because was LLM a thing with ClickFix so much? No. But I mean these are two examples.

SPEAKER_01

Or is it maybe, yeah, there's definitely, ClickFix actors were definitely using LLMs to generate their ClickFix. I don't necessarily know if the ClickFix as a service necessarily was quite as LLM heavy. I haven't quite looked at it, but we could definitely get Tommy on the pod if we want to dive into some of that stuff. But I do think it's important to note, though, yeah, because there are ways that AI and LLMs are changing the cybercrime threat landscape. And I think one of the biggest things that I like to say is it's just the rate, speeding it up. It's quicker and it's noisier.

SPEAKER_00

So another takeaway here too is that once we start seeing techniques tested or used on the threat landscape, maybe not in explosively high volumes, but we're seeing them, we can pretty much count on the fact that they're going to be adopted by both APT and cybercrime and made into a formal business tool and sold. So just keep that in mind. Like, I think people just need to keep that in mind in general. Don't wait for something to be marketed by every threat research team and their brothers, you know, in some crazy fancy way that things are exploding. Don't wait for those headlines. Look for the smaller, maybe lower-volume things that are being reported on that are new, perhaps that maybe Proofpoint's reporting on from our blog. But yes, that's my final thought.

SPEAKER_01

You know, I have to say, one of my favorite Proofpoint stories is Jake with the device code phishing, because he was tracking it, I guess, almost when you first started working. I didn't know how long you've been here. Four years, four years? Yeah, five years.

SPEAKER_02

Five years. It's been over five now.

SPEAKER_00

Five years.

SPEAKER_02

It's been a while.

SPEAKER_00

Oh, yeah. I've been here for five. So you're both at more than that, longer than that. Wow.

SPEAKER_01

It's been 84 years. No, but yeah, it does feel like it, yeah. No, when Jake started, he was, you know, surfacing some device code stuff. It was very low volume, from red team. You created a bunch of signatures and detections for it. And then some cyber criminals, you know, we kind of talked about in the history of device code, and Jake had created more signatures for it, and it was pretty low volume. And a Russian espionage actor started using device code, and everyone was like, oh my god, device code! And Jake's like, guys, I got sigs for it.

SPEAKER_02

It worked out well because, you know, we had a lot of signatures in place just for informational purposes that really helped our espionage team find those things when they happened, so that they weren't completely caught off guard by, you know, some random new thing they were doing.

SPEAKER_01

Yeah, a hundred percent. So, you know, we talk a lot about espionage versus cybercrime. What does the landscape look like? Here's a perfect example of espionage stealing from cybercrime, and, to be fair, red team tools that were, you know, published, but yeah.

SPEAKER_02

It's interesting because, you know, at least on this lower-barrier-of-entry side, I harp on red teams. I hate it when they publish tools because it doesn't take long before they start being used widely by actors. I get why it happens, it's kind of in the same vein as responsible disclosure of vulnerabilities and stuff. But it's frustrating when, you know, you have a technique that is challenging for an actor to overcome and then it becomes simple.

SPEAKER_00

One thing too, though, the social engineering, right? These techniques are user-centric. So this is a really great opportunity for user awareness and education. But Jake, echoing that, like I wish there was, like, um, you know, how you get advance notice, you know, kind of, not to trigger everybody on a Friday, but talking about Glasswing and Mythos, like advance notice of, like, closed groups that are able to see these things before they actually are out in the open in public. I wish we could do that with red team tools, right? I really wish we could. Just give us like six months, like, you know, six months is all. Or even 30 days. I mean a week, anything, just to kind of take a deep breath and assess it before the threat is knocking on the door using it, because we know that happens.

SPEAKER_01

So yeah, I mean, freaking ClickFix. What's for quick on GitHub? And then it exploded. Yeah. Wow. ClickFix. Real quick though, before we sign off, I do want to mention, I will throw a link to our original blog in the show notes that does have recommendations for defenders. Number one, of course, being block device code flow where possible. The strongest mitigation is to create a conditional access policy to block device code flow. So that's really the number one thing that you should be doing. There are, of course, multiple other options for defense and security, for requiring compliant or joined devices. And then, of course, user awareness regarding device code phishing attacks. I do think it's actually really helpful to share the screenshots of what these flows look like because they are so identical right now, is what we're seeing. So, even just awareness of what they look like, like awareness of general AI-generated threats. Like, don't trust anything that's black and blue, you know? Like this particular blue and black color, the LLMs love it. I don't know why, but, and the purple too.

SPEAKER_00

There's like the purple, yeah, yeah.

SPEAKER_01

I think they must have an idea of, like, this is what hackers look like, and like it's The Matrix, but blue.

SPEAKER_02

No, and we have mostly talked about Microsoft-based. And actually, I think in our original blog, most of our recommendations probably reference Microsoft's controls, but it is worth noting, you know, some of these kits are building out support for OAuth at other providers. The most significant one we've seen is Google. So all of these concerns still apply if you're not using O365 and you're using Google Workspace. And, you know, we probably need to update some of our documentation to ensure that we have mitigation and remediation for those other services as well. But don't think it is just Microsoft. It is absolutely apparent at Google as well as probably other locations as well, depending on how impactful that may or may not be for your business.

SPEAKER_01

Yeah, I think, you know, that's an excellent point. And threat actors just go where the money is. So whatever the most profitable thing for threat actors will be, they will pretend to be Google or Microsoft to get into those accounts for sure. Cool. Awesome. Well, this has been a fantastic conversation. Jake, I'm so glad that I cyberbullied you into coming on the podcast. Yay, Jake. I'm just kidding, it didn't take anything at all. Jake has a lot to say about that.

SPEAKER_02

I figured if there was a time to talk about it, it was going to be now, because so much of what's been talked about has been focused on Evil Tokens, and it is far from the only service. And, you know, if you're entirely focused on that, you might not observe some of the other aspects of it, some of the other kits, the other flows, especially if you find some of those easier-to-identify aspects of it and really hone in on that. You will miss other ones.

SPEAKER_01

Yep, absolutely. Well, thanks, Jake, for coming on. Thank you, Sarah, for joining us as well. I know that this is something that we all care about and work on here at Proofpoint. So it was a great crew to kind of come on and yap about it. Jake, we'll have you back in another year and a half to talk about whatever the next big thing in phishing is, I'm sure. Get our international man of mystery back on the podcast from his Midwest HQ. Cool. Well, thanks to all our listeners as well. We hope you learned something and took away something that you can apply in your own workflows or share with a friend who might need a little information as well. As always, until next time, happy hunting. You've been listening to Discarded: Tales from the Threat Research Trenches, a podcast by Proofpoint. Never miss an episode by subscribing to the show in your favorite podcast player. Happy hunting.