Trusted Design

Device Code Phishing is an Evolution in Identity Takeover

Summary

Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.

Created: 2026-05-14

Indicators

Similar Pulses

No similar Pulses were found.

Threat actors related to this Pulse (fact-based)

Turla

Score: 19.67
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1099 - Timestomp
  • T1063 - Security Software Discovery
  • T1543.003 - Windows Service
  • T1684 - Social Engineering
  • T1131 - Authentication Package
  • T1597 - Search Closed Sources
  • T1027.004 - Compile After Delivery

APT32

Score: 25.33
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1684 - Social Engineering
  • T1547.005 - Security Support Provider
  • T1131 - Authentication Package
  • T1592.004 - Client Configurations
  • T1562.001 - Disable or Modify Tools
  • T1484 - Domain or Tenant Policy Modification

Saint Bear

Score: 3.77
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1597 - Search Closed Sources

FIN6

Score: 7.39
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1063 - Security Software Discovery
  • T1597 - Search Closed Sources

Sidewinder

Score: 5.88
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link

MuddyWater

Score: 14.44
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1518.002 - Backup Software Discovery
  • T1547.011 - Plist Modification
  • T1597 - Search Closed Sources
  • T1027.004 - Compile After Delivery

Earth Lusca

Score: 9.61
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1110.003 - Password Spraying
  • T1027.004 - Compile After Delivery

TA577

Score: 3.42
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service

Silence

Score: 13.01
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1684 - Social Engineering
  • T1547.011 - Plist Modification
  • T1048 - Exfiltration Over Alternative Protocol
  • T1562.001 - Disable or Modify Tools

Contagious Interview

Score: 21.78
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1547.005 - Security Support Provider
  • T1131 - Authentication Package
  • T1021.006 - Windows Remote Management
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools
  • T1027.004 - Compile After Delivery
  • T1565.002 - Transmitted Data Manipulation

LazyScripter

Score: 3.42
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service

TA505

Score: 15.02
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1527 - Application Access Token
  • T1543.003 - Windows Service
  • T1016.002 - Wi-Fi Discovery
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information

FIN7

Score: 10.50
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1009 - Binary Padding
  • T1562.001 - Disable or Modify Tools
  • T1027 - Obfuscated Files or Information

Cobalt Group

Score: 14.55
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1684 - Social Engineering
  • T1518.002 - Backup Software Discovery
  • T1598.004 - Spearphishing Voice

Kimsuky

Score: 48.11
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1213.006 - Databases
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1684 - Social Engineering
  • T1546.011 - Application Shimming
  • T1009 - Binary Padding
  • T1131 - Authentication Package
  • T1546.008 - Accessibility Features
  • T1609 - Container Administration Command
  • T1608 - Stage Capabilities
  • T1654 - Log Enumeration
  • T1597 - Search Closed Sources
  • T1027.004 - Compile After Delivery
  • T1197 - BITS Jobs
  • T1565.002 - Transmitted Data Manipulation

Indrik Spider

Score: 6.11
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information

Molerats

Score: 3.42
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service

Leafminer

Score: 6.51
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1101 - Security Support Provider

Mustang Panda

Score: 32.74
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1546.011 - Application Shimming
  • T1102 - Web Service
  • T1608 - Stage Capabilities
  • T1169 - Sudo
  • T1136.003 - Cloud Account
  • T1565.002 - Transmitted Data Manipulation
  • T1055.005 - Thread Local Storage

Evilnum

Score: 6.35
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1565.002 - Transmitted Data Manipulation

Star Blizzard

Score: 10.80
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1566.002 - Spearphishing Link
  • T1547.005 - Security Support Provider
  • T1609 - Container Administration Command

Magic Hound

Score: 26.62
Matched TTPs:
  • T1099 - Timestomp
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1021.008 - Direct Cloud VM Connections
  • T1016.002 - Wi-Fi Discovery
  • T1547.005 - Security Support Provider
  • T1009 - Binary Padding
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools
  • T1027 - Obfuscated Files or Information

HEXANE

Score: 5.67
Matched TTPs:
  • T1099 - Timestomp
  • T1547.005 - Security Support Provider

APT29

Score: 31.92
Matched TTPs:
  • T1099 - Timestomp
  • T1584.008 - Network Devices
  • T1543.003 - Windows Service
  • T1202 - Indirect Command Execution
  • T1547.011 - Plist Modification
  • T1177 - LSASS Driver
  • T1592.004 - Client Configurations
  • T1568 - Dynamic Resolution
  • T1556.008 - Network Provider DLL
  • T1027.004 - Compile After Delivery

Gamaredon Group

Score: 21.22
Matched TTPs:
  • T1099 - Timestomp
  • T1527 - Application Access Token
  • T1684 - Social Engineering
  • T1608 - Stage Capabilities
  • T1554 - Compromise Host Software Binary
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools

TA2541

Score: 8.45
Matched TTPs:
  • T1099 - Timestomp
  • T1543.003 - Windows Service
  • T1684 - Social Engineering
  • T1597 - Search Closed Sources

FIN13

Score: 12.40
Matched TTPs:
  • T1099 - Timestomp
  • T1584.008 - Network Devices
  • T1547.005 - Security Support Provider
  • T1134.001 - Token Impersonation/Theft

HAFNIUM

Score: 6.88
Matched TTPs:
  • T1099 - Timestomp
  • T1055.008 - Ptrace System Calls

Volt Typhoon

Score: 20.71
Matched TTPs:
  • T1099 - Timestomp
  • T1547.005 - Security Support Provider
  • T1083 - File and Directory Discovery
  • T1102 - Web Service
  • T1488 - Disk Content Wipe
  • T1584.002 - DNS Server

FIN8

Score: 6.53
Matched TTPs:
  • T1099 - Timestomp
  • T1543.003 - Windows Service
  • T1027 - Obfuscated Files or Information

GALLIUM

Score: 5.34
Matched TTPs:
  • T1584.008 - Network Devices
  • T1547.011 - Plist Modification

Dragonfly

Score: 18.00
Matched TTPs:
  • T1584.008 - Network Devices
  • T1566.002 - Spearphishing Link
  • T1009 - Binary Padding
  • T1654 - Log Enumeration
  • T1531 - Account Access Removal
  • T1027.004 - Compile After Delivery

Ke3chang

Score: 7.13
Matched TTPs:
  • T1584.008 - Network Devices
  • T1198 - SIP and Trust Provider Hijacking

Agrius

Score: 4.39
Matched TTPs:
  • T1584.008 - Network Devices
  • T1597 - Search Closed Sources

APT41

Score: 22.50
Matched TTPs:
  • T1584.008 - Network Devices
  • T1684 - Social Engineering
  • T1177 - LSASS Driver
  • T1048 - Exfiltration Over Alternative Protocol
  • T1208 - Kerberoasting
  • T1027 - Obfuscated Files or Information
  • T1564.003 - Hidden Window

APT5

Score: 12.33
Matched TTPs:
  • T1584.008 - Network Devices
  • T1180 - Screensaver
  • T1684 - Social Engineering
  • T1102 - Web Service

menuPass

Score: 9.18
Matched TTPs:
  • T1584.008 - Network Devices
  • T1527 - Application Access Token
  • T1547.011 - Plist Modification

Threat Group-3390

Score: 6.72
Matched TTPs:
  • T1584.008 - Network Devices
  • T1218.003 - CMSTP

Wizard Spider

Score: 11.92
Matched TTPs:
  • T1584.008 - Network Devices
  • T1543.003 - Windows Service
  • T1684 - Social Engineering
  • T1083 - File and Directory Discovery
  • T1597 - Search Closed Sources

Ember Bear

Score: 10.23
Matched TTPs:
  • T1584.008 - Network Devices
  • T1102 - Web Service
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools

Scattered Spider

Score: 34.78
Matched TTPs:
  • T1685.004 - Disable or Modify Linux Audit System Log
  • T1566.002 - Spearphishing Link
  • T1547.005 - Security Support Provider
  • T1609 - Container Administration Command
  • T1083 - File and Directory Discovery
  • T1556.008 - Network Provider DLL
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information
  • T1197 - BITS Jobs
  • T1564.003 - Hidden Window
  • T1565.002 - Transmitted Data Manipulation

Storm-0501

Score: 13.94
Matched TTPs:
  • T1685.004 - Disable or Modify Linux Audit System Log
  • T1027 - Obfuscated Files or Information
  • T1565.002 - Transmitted Data Manipulation
  • T1158 - Hidden Files and Directories

Sandworm Team

Score: 28.40
Matched TTPs:
  • T1063 - Security Software Discovery
  • T1484.002 - Trust Modification
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1016.002 - Wi-Fi Discovery
  • T1546.008 - Accessibility Features
  • T1562.001 - Disable or Modify Tools
  • T1027 - Obfuscated Files or Information
  • T1075 - Pass the Hash

Sea Turtle

Score: 7.24
Matched TTPs:
  • T1063 - Security Software Discovery
  • T1528 - Steal Application Access Token

Leviathan

Score: 13.56
Matched TTPs:
  • T1484.002 - Trust Modification
  • T1543.003 - Windows Service
  • T1554 - Compromise Host Software Binary
  • T1488 - Disk Content Wipe

Rocke

Score: 12.72
Matched TTPs:
  • T1180 - Screensaver
  • T1009 - Binary Padding
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools
  • T1027.004 - Compile After Delivery

APT38

Score: 32.76
Matched TTPs:
  • T1180 - Screensaver
  • T1566.001 - Spearphishing Attachment
  • T1684 - Social Engineering
  • T1009 - Binary Padding
  • T1528 - Steal Application Access Token
  • T1590 - Gather Victim Network Information
  • T1048 - Exfiltration Over Alternative Protocol
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information
  • T1493 - Transmitted Data Manipulation

Machete

Score: 3.79
Matched TTPs:
  • T1543.003 - Windows Service
  • T1027.004 - Compile After Delivery

APT3

Score: 7.48
Matched TTPs:
  • T1543.003 - Windows Service
  • T1547.011 - Plist Modification
  • T1177 - LSASS Driver

Lazarus Group

Score: 19.40
Matched TTPs:
  • T1543.003 - Windows Service
  • T1009 - Binary Padding
  • T1547.011 - Plist Modification
  • T1069.001 - Local Groups
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools
  • T1055.005 - Thread Local Storage

APT33

Score: 3.84
Matched TTPs:
  • T1543.003 - Windows Service
  • T1562.001 - Disable or Modify Tools

ZIRCONIUM

Score: 9.69
Matched TTPs:
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1027.004 - Compile After Delivery
  • T1197 - BITS Jobs

OilRig

Score: 11.07
Matched TTPs:
  • T1543.003 - Windows Service
  • T1566.001 - Spearphishing Attachment
  • T1009 - Binary Padding
  • T1048 - Exfiltration Over Alternative Protocol

RedCurl

Score: 7.41
Matched TTPs:
  • T1543.003 - Windows Service
  • T1016.002 - Wi-Fi Discovery
  • T1027.004 - Compile After Delivery

Storm-1811

Score: 11.25
Matched TTPs:
  • T1543.003 - Windows Service
  • T1027 - Obfuscated Files or Information
  • T1486 - Data Encrypted for Impact
  • T1565.002 - Transmitted Data Manipulation

Patchwork

Score: 3.91
Matched TTPs:
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link

APT39

Score: 10.38
Matched TTPs:
  • T1543.003 - Windows Service
  • T1566.001 - Spearphishing Attachment
  • T1547.011 - Plist Modification
  • T1027.004 - Compile After Delivery

Silent Librarian

Score: 9.74
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1546.008 - Accessibility Features
  • T1609 - Container Administration Command

APT28

Score: 16.06
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1131 - Authentication Package
  • T1547.011 - Plist Modification
  • T1197 - BITS Jobs
  • T1055.008 - Ptrace System Calls

Moonstone Sleet

Score: 8.24
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1027 - Obfuscated Files or Information
  • T1197 - BITS Jobs

Akira

Score: 8.68
Matched TTPs:
  • T1137.005 - Outlook Rules
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information

APT37

Score: 4.80
Matched TTPs:
  • T1684 - Social Engineering
  • T1027.004 - Compile After Delivery

Velvet Ant

Score: 8.99
Matched TTPs:
  • T1684 - Social Engineering
  • T1009 - Binary Padding
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools

BlackByte

Score: 13.07
Matched TTPs:
  • T1684 - Social Engineering
  • T1009 - Binary Padding
  • T1134.001 - Token Impersonation/Theft
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information

UNC3886

Score: 21.92
Matched TTPs:
  • T1546.011 - Application Shimming
  • T1009 - Binary Padding
  • T1021.006 - Windows Remote Management
  • T1528 - Steal Application Access Token
  • T1597 - Search Closed Sources
  • T1488 - Disk Content Wipe
  • T1027.004 - Compile After Delivery

Medusa Group

Score: 18.77
Matched TTPs:
  • T1218.003 - CMSTP
  • T1009 - Binary Padding
  • T1528 - Steal Application Access Token
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information
  • T1598 - Phishing for Information

LAPSUS$

Score: 14.06
Matched TTPs:
  • T1547.005 - Security Support Provider
  • T1609 - Container Administration Command
  • T1556.008 - Network Provider DLL
  • T1564.003 - Hidden Window

Salt Typhoon

Score: 6.19
Matched TTPs:
  • T1009 - Binary Padding
  • T1110.003 - Password Spraying

TeamTNT

Score: 7.98
Matched TTPs:
  • T1009 - Binary Padding
  • T1110.003 - Password Spraying
  • T1597 - Search Closed Sources

SilverTerrier

Score: 3.29
Matched TTPs:
  • T1131 - Authentication Package

Tonto Team

Score: 5.09
Matched TTPs:
  • T1547.011 - Plist Modification
  • T1027.004 - Compile After Delivery

Deep Panda

Score: 3.29
Matched TTPs:
  • T1177 - LSASS Driver

Axiom

Score: 3.29
Matched TTPs:
  • T1177 - LSASS Driver

Fox Kitten

Score: 3.29
Matched TTPs:
  • T1177 - LSASS Driver

BRONZE BUTLER

Score: 7.98
Matched TTPs:
  • T1592.004 - Client Configurations
  • T1597 - Search Closed Sources
  • T1027.004 - Compile After Delivery

INC Ransom

Score: 7.76
Matched TTPs:
  • T1083 - File and Directory Discovery
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information

Aquatic Panda

Score: 5.24
Matched TTPs:
  • T1102 - Web Service
  • T1597 - Search Closed Sources

Tropic Trooper

Score: 4.13
Matched TTPs:
  • T1136.003 - Cloud Account

Dark Caracal

Score: 3.44
Matched TTPs:
  • T1048 - Exfiltration Over Alternative Protocol

Chimera

Score: 4.54
Matched TTPs:
  • T1574 - Hijack Execution Flow

DarkHydrus

Score: 4.13
Matched TTPs:
  • T1531 - Account Access Removal

SideCopy

Score: 4.13
Matched TTPs:
  • T1584.002 - DNS Server

Threat actors related to this Pulse (inference-based)

Kimsuky

Score: 0.70
Matched TTPs:
  • T1027.004 - Compile After Delivery
  • T1197 - BITS Jobs
  • T1543.003 - Windows Service
  • T1597 - Search Closed Sources
  • T1213.006 - Databases
  • T1546.008 - Accessibility Features
  • T1131 - Authentication Package
  • T1009 - Binary Padding
  • T1546.011 - Application Shimming
  • T1654 - Log Enumeration
  • T1566.002 - Spearphishing Link
  • T1609 - Container Administration Command
  • T1546.013 - PowerShell Profile
  • T1565.002 - Transmitted Data Manipulation
  • T1608 - Stage Capabilities
  • T1684 - Social Engineering

Related CVEs

No CVEs were found for this Pulse.
