🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Threats based on Clipboards actions (+ KQL Query) - Sergio Albea . 🔍 Show Kagi Synopsis
  This article discusses how **clipboard actions can be exploited as a cybersecurity threat** by attackers who can capture sensitive information copied to the clipboard. 【1】
  
  **What Happened:**
  Attackers can exploit common user interactions with the clipboard to steal sensitive data. This includes information like passwords, authentication tokens, and cryptocurrency wallet addresses. 【1】
  
  **Who is Affected:**
  **Any user who copies sensitive information to their clipboard** is potentially affected. This is particularly relevant given the Windows Clipboard History feature, which stores multiple items and can sync across devices, increasing the attack surface. 【1】
  
  **Security Implications:**
  The primary security implication is **data exfiltration**. Attackers can gain unauthorized access to credentials, financial information, and other sensitive data by monitoring or manipulating clipboard contents. The ability to inject data into remote clipboards or append to existing clipboard content further enhances the threat. 【1】
  
  **Technical Details:**
  The article highlights the use of **PowerShell commands** for clipboard manipulation. Specifically, `Get-Clipboard -Raw` can be used to silently record clipboard contents, which can then be logged to a file. Attackers can also use `Set-Clipboard -AsOSC52` to inject data into local clipboards from remote sessions, and `Set-Clipboard -Append` to subtly alter clipboard data. 【1】
  
  **What Defenders Should Know:**
  Defenders should be aware that while clipboard usage is common, the direct use of **clipboard-related PowerShell cmdlets is rare**. Therefore, any activity involving these cmdlets should be treated as a **high-priority detection signal**. Recommended detection strategies include:
  - Monitoring for **PowerShell processes** that have "clipboard" in their command line arguments. 【1】
  - In **EDR systems**, looking for specific API calls or service names associated with clipboard functionality, such as `cbdhsvc`. 【1】
• ImageMagick: From Arbitrary File Read to RCE In Every Policy (ZeroDay) - PWN.AI Security Research 🔍 Show Kagi Synopsis
  A security research firm, pwn.ai, discovered multiple zero-day vulnerabilities in **ImageMagick**, a widely used image processing library, that could lead to **Remote Code Execution (RCE)** and arbitrary file reads. These vulnerabilities affect millions of servers by default, including those running major Linux distributions and WordPress installations 【1】.
  
  ### What Happened
  
  The research team's autonomous penetration testing agent, pwn.ai, identified ImageMagick as a potential attack vector on a client's web application that only had an upload box as its primary feature. The agent systematically audited ImageMagick's processing pipeline, discovering a series of vulnerabilities that could be chained together to achieve RCE through a single image upload 【1】.
  
  The vulnerabilities exploit ImageMagick's format detection, delegate invocation, and security policy enforcement mechanisms. Key findings include:
  
  * **Format Detection Bypass**: ImageMagick's reliance on magic bytes over file extensions allows attackers to disguise malicious files (e.g., SVG, PostScript, EPT) as common image types like `.jpg` 【1】.
  * **Policy Bypass**: Various security policies, including the default "open" policy, the recommended "limited" policy, and even the "secure" policy, were found to be bypassable. This was achieved through specific file formats (like PDF and EPT) that invoke the GhostScript delegate, or by exploiting how GhostScript is compiled (as a library vs. an external binary) 【1】.
  * **Arbitrary File Read**: The `text:` coder within SVG processing allows an attacker to read any file accessible by the ImageMagick process, rendering its content into the output image 【1】.
  * **Remote Code Execution (RCE)**: By chaining these vulnerabilities, attackers can execute arbitrary code on the server. This was demonstrated through various methods, including writing files to the filesystem and establishing reverse shells 【1】.
  
  ### Who is Affected
  
  * **Servers with ImageMagick**: The vulnerabilities affect virtually all major Linux distributions (Ubuntu, Debian, Fedora, RHEL, CentOS, Arch Linux, Alpine Linux, openSUSE, Amazon Linux, Google Cloud Shell) that ship ImageMagick with default configurations 【1】.
  * **WordPress Installations**: WordPress uses ImageMagick via the PHP Imagick extension by default for image processing. Most WordPress installations are vulnerable as they rely on the server's default ImageMagick policy, which is often unconfigured or too permissive 【1】.
  * **Specific WordPress Plugins**: Plugins like **Gravity Forms** with Post Image fields can lead to **pre-authenticated RCE** when combined with ImageMagick vulnerabilities. Even users with an "Author" role in WordPress can achieve RCE through the XML-RPC upload path 【1】.
  * **Systems with GhostScript**: The vulnerabilities often rely on the presence of GhostScript, which is a common dependency for ImageMagick on most Linux systems 【1】.
  
  ### Security Implications
  
  The security implications are severe:
  
  * **Remote Code Execution (RCE)**: Attackers can gain full control of the server, leading to data breaches, system compromise, and further network infiltration 【1】.
  * **Arbitrary File Read**: Sensitive information such as configuration files, credentials, and private keys can be exfiltrated 【1】.
  * **Widespread Vulnerability**: The default configurations of numerous operating systems and popular applications mean a vast number of systems are vulnerable out-of-the-box 【1】.
  * **Bypass of Security Measures**: The vulnerabilities bypass ImageMagick's intended security policies, including those recommended for production environments, rendering them ineffective 【1】.
  
  ### Technical Details
  
  The research detailed a multi-stage attack chain:
  
  1. **Format Detection Bypass**: Uploading a file with a `.jpg` extension but containing `<?xml` at the beginning causes ImageMagick to detect it as an SVG, bypassing extension-based filters 【1】.
  2. **Arbitrary File Read**: Within an SVG, an `xlink:href="text:/etc/passwd"` attribute causes ImageMagick to render the content of `/etc/passwd` into the output image 【1】.
  3. **Policy Evasion (EPSI/PDF)**: While PostScript (`PS`) is often blocked by policies, formats like `EPSI` or `PDF` are not, yet they invoke the same GhostScript delegate. A PostScript payload prefixed with a newline (`\n`) bypasses ImageMagick's detection of PostScript while still being executed by GhostScript 【1】.
  4. **GhostScript File Write**: GhostScript, even with the `-dSAFER` flag, allows arbitrary file writes using PostScript's file I/O capabilities. This enables writing a webshell or other malicious payloads to the server's filesystem 【1】.
  5. **EPT Bypass**: The EPT (Encapsulated PostScript with TIFF preview) format has magic bytes (`C5 D0 D3 C6`) that are detected by ImageMagick regardless of the file extension. This allows for RCE via a `.jpg` file even on the "limited" policy, as EPT is not explicitly blocked 【1】.
  6. **Delegate Policy Bypass (gslib)**: On systems where GhostScript is compiled as a library (`gslib`) into ImageMagick, the "secure" policy's delegate block (which targets external processes) is bypassed, allowing RCE via PDF uploads 【1】.
  
  The research also highlighted that a fix for the EPT bypass was silently committed to ImageMagick (version 6.9.13-34) but was not assigned a CVE and has not been backported to older versions like the one shipped with Ubuntu 22.04 LTS 【1】.
  
  ### What Defenders Should Know
  
  * **Default Configurations are Dangerous**: Relying on default ImageMagick policies is highly insecure. Administrators must actively configure `policy.xml` to restrict ImageMagick's capabilities 【1】.
  * **Update ImageMagick**: Ensure ImageMagick is updated to versions that include security fixes, particularly for the EPT bypass. However, note that some bypasses (like the PDF and gslib ones) may not have been fixed in all versions 【1】.
  * **Restrict GhostScript**: If PDF processing is not essential, consider removing GhostScript or processing PDFs in a highly isolated sandbox with read-only filesystems 【1】.
  * **WordPress Hardening**: For WordPress users, disable XML-RPC if not needed and ensure the server's ImageMagick policy is strictly configured. If using plugins like Gravity Forms with image uploads, pay close attention to their security configurations and ImageMagick's policy 【1】.
  * **Vulnerability Testing**: Regularly test your systems for these vulnerabilities, especially if processing untrusted image uploads. The provided PoCs can be used for testing 【1】.
  * **Whitelisting is Key**: Implement strict whitelisting for allowed image formats and delegates rather than relying on blacklists, which are prone to bypasses 【1】.
• CVE-2026-4946: NSA Ghidra Auto-Analysis Annotation Command Execution - **AHA!** controls the content posted at the provided URL . 🔍 Show Kagi Synopsis
  **CVE-2026-4946** is a vulnerability in **NSA Ghidra** that allows for **arbitrary command execution** when an analyst clicks on auto-generated comments within the software 【1】.
  
  **What Happened:**
  The vulnerability arises from Ghidra's improper processing of annotation directives, specifically the `@execute` command. While intended for trusted user-authored comments, this command is also parsed in comments generated during the auto-analysis of binaries. This allows a crafted binary to present seemingly benign clickable text that, when clicked, executes attacker-controlled commands on the analyst's machine 【1】.
  
  **Who is Affected:**
  The vulnerability affects **Ghidra versions prior to 12.0.3** 【1】.
  
  **Security Implications:**
  With a CVSSv3.1 rating of 8.8 (High), the security implications are severe. Exploitation can lead to:
  - Execution of arbitrary binaries
  - File system modification
  - Network exfiltration (e.g., of SSH keys)
  - Reconnaissance
  - Delivery of secondary payloads
  - Social engineering 【1】
  
  **Technical Details:**
  The core of the vulnerability lies in a **trust boundary violation**. Ghidra implicitly treats untrusted binary data as trusted annotation input. Attackers can embed malicious annotation payloads into distributed binaries. When an analyst inspects these binaries in Ghidra and clicks on a deceptive label, the attacker-controlled commands are executed 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that this vulnerability allows for reliable code execution on the systems of analysts who inspect untrusted binaries. This makes it a high-value target for espionage and criminal actors. The minimal user interaction required (a single click) makes it particularly effective in environments where analysts routinely inspect untrusted binaries, such as malware research labs and incident response operations 【1】.
• CVE-2026-4946: NSA Ghidra Auto-Analysis Annotation Command Execution - **AHA!** controls the content posted at the provided URL . 🔍 Show Kagi Synopsis
  **CVE-2026-4946** is a vulnerability in **NSA Ghidra** that allows for **arbitrary command execution** when an analyst clicks on auto-generated comments within the software 【1】.
  
  **What Happened:**
  The vulnerability arises from Ghidra's improper processing of annotation directives, specifically the `@execute` command. While intended for trusted user-authored comments, this command is also parsed in comments generated during the auto-analysis of binaries. This allows a crafted binary to present seemingly benign clickable text that, when clicked, executes attacker-controlled commands on the analyst's machine 【1】.
  
  **Who is Affected:**
  The vulnerability affects **Ghidra versions prior to 12.0.3** 【1】.
  
  **Security Implications:**
  With a CVSSv3.1 rating of 8.8 (High), the security implications are severe. Exploitation can lead to:
  - Execution of arbitrary binaries
  - File system modification
  - Network exfiltration (e.g., of SSH keys)
  - Reconnaissance
  - Delivery of secondary payloads
  - Social engineering 【1】
  
  **Technical Details:**
  The core of the vulnerability lies in a **trust boundary violation**. Ghidra implicitly treats untrusted binary data as trusted annotation input. Attackers can embed malicious annotation payloads into distributed binaries. When an analyst inspects these binaries in Ghidra and clicks on a deceptive label, the attacker-controlled commands are executed 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that this vulnerability allows for reliable code execution on the systems of analysts who inspect untrusted binaries. This makes it a high-value target for espionage and criminal actors. The minimal user interaction required (a single click) makes it particularly effective in environments where analysts routinely inspect untrusted binaries, such as malware research labs and incident response operations 【1】.
• ChatGPT Data Leakage via a Hidden Outbound Channel in the Code Execution Runtime - Check Point Research 🔍 Show Kagi Synopsis
  A hidden outbound communication channel was discovered in ChatGPT's code execution runtime, allowing for the silent exfiltration of sensitive data 【1】.
  
  **What Happened:**
  A malicious prompt could activate this covert channel, enabling the transmission of user messages, content from uploaded files, and AI-generated summaries to an attacker-controlled server 【1】. This vulnerability was also present in custom GPTs, where malicious instructions could be embedded 【1】.
  
  **Who is Affected:**
  **Users of ChatGPT** are affected, especially those who share sensitive information such as medical history, financial data, or personal documents. The attack could also impact users of custom GPTs 【1】. Additionally, the vulnerability could be exploited to establish **remote shell access** within the Linux runtime used for code execution 【1】.
  
  **Security Implications:**
  The primary security implication is the **silent exfiltration of sensitive data**, bypassing user approval and intended safeguards 【1】. This includes personal conversations, uploaded documents, and AI-generated insights 【1】. The ability to gain remote shell access further amplifies the risk, allowing for more direct control and data manipulation 【1】.
  
  **Technical Details:**
  The exfiltration channel utilized **DNS tunneling** 【1】. Although direct internet access from the code execution environment was blocked, DNS resolution was permitted 【1】. Attackers encoded data into subdomain labels, which triggered DNS resolution requests to an attacker-controlled server, effectively using DNS infrastructure as a tunnel for data exfiltration and command execution 【1】.
  
  **What Defenders Should Know:**
  The article emphasizes that **AI systems with capabilities like code execution, file analysis, and web search present an expanding attack surface** 【1】. Defenders must secure all potential outbound communication paths, including those at infrastructure layers not directly visible to users 【1】. OpenAI has confirmed the issue and deployed a fix on February 20, 2026 【1】. The broader lesson is that as AI tools become more powerful and integrated, **security must be a central consideration at every layer of the platform** 【1】.
• Unwind Data Can't Sleep - Introducing InsomniacUnwinding - Lorenzo Meacci 🔍 Show Kagi Synopsis
  The article introduces **InsomniacUnwinding**, a novel technique designed to bypass security defenses by preserving valid stack unwinding information even when a process's memory is encrypted during its sleep cycle. This addresses a limitation of previous "sleep masking" methods that relied on call stack spoofing.
  
  **What Happened:**
  The author developed InsomniacUnwinding to overcome the need for constant call stack spoofing in sleep masking techniques. Traditional sleep masking encrypts a process's memory while it sleeps, but this encryption can corrupt crucial unwind information, leading to invalid call stacks. InsomniacUnwinding preserves this unwind data, allowing the system to correctly resolve the call stack even when memory is encrypted. The technique involves encrypting a beacon's memory from an external process, ensuring that the beacon itself remains in a more legitimate state.
  
  **Who is Affected:**
  This technique primarily affects **security software**, such as **Endpoint Detection and Response (EDR)** systems, that rely on analyzing process memory and call stacks to detect malicious activity. By preserving valid unwind information, InsomniacUnwinding makes it harder for these tools to identify compromised processes that are using sleep masking.
  
  **Security Implications:**
  The main security implication is the **evasion of detection**. By maintaining a legitimate-looking call stack, InsomniacUnwinding can help malicious software, like Cobalt Strike beacons, remain undetected by security solutions that monitor for anomalies in memory and execution flow. This allows attackers to maintain persistence and operate more stealthily.
  
  **Technical Details:**
  - **x64 Unwinding:** Unlike x86, x64 systems use metadata within the Portable Executable (PE) file for stack unwinding. This metadata includes:
  - **PE Headers:** Specifically, the DataDirectory entry for exceptions (index 3), which points to the `.pdata` section.
  - **`.pdata` Section:** Contains `RUNTIME_FUNCTION` structures, one for each function.
  - **`.rdata` Section:** Holds `UNWIND_INFO` structures that describe how to reverse a function's prologue.
  - **How the Unwinder Works:** When `RtlVirtualUnwind` needs to walk the stack, it uses the instruction pointer (RIP) to find the relevant `RUNTIME_FUNCTION`, then locates the `UNWIND_INFO` structure. It then reverses the function's prologue instructions to determine the caller's return address, repeating this process until the stack walk is complete.
  - **Problem with Naive Encryption:** Encrypting the entire beacon memory, including PE headers, `.pdata`, and `.rdata`, breaks the unwinding process because the necessary metadata becomes inaccessible.
  - **InsomniacUnwinding Solution:**
  - **Cross-Process Architecture:** The sleepmasking logic resides in a separate process. This allows the beacon to remain in backed memory with registered `.pdata`, and the sleepmask process also operates from backed memory, avoiding the need for call stack spoofing for the sleepmask's own operations.
  - **Preserving Unwind Data:** The sleepmask process reads the beacon's memory, saves copies of critical sections (PE headers, `.pdata`, `.rdata`), encrypts the rest of the buffer, patches the preserved sections back in, writes the modified buffer back to the beacon process, and then sleeps. The decryption process reverses these steps.
  - **Preserving Sections:** The initial implementation preserves the entire PE headers, `.pdata`, and `.rdata` sections.
  - **The Challenge:** While this preserves stack unwinding, the `.rdata` section can still contain detectable artifacts like string literals, which can be flagged by signature-based detection tools like YARA.
  
  **What Defenders Should Know:**
  - **Beyond Call Stack Spoofing:** Defenders need to be aware that attackers are moving beyond simple call stack spoofing. Techniques like InsomniacUnwinding aim to maintain legitimate-looking call stacks even during memory encryption.
  - **Focus on Memory Artifacts:** While call stack integrity is important, defenders should also focus on detecting other artifacts within memory, particularly in sections like `.rdata`, which can still contain signature-based indicators even when unwind data is preserved.
  - **Cross-Process Analysis:** The cross-process nature of this technique highlights the importance of monitoring inter-process communication and memory access patterns, as the malicious activity is distributed across multiple processes.
  - **Detection of Unwind Data Preservation:** Developing methods to detect the preservation or manipulation of `.pdata` and `.rdata` sections during sleep cycles could be a key defense strategy.
• Drifter: C2 traffic dressed as camera management - Nokia Deepfield Emergency Response Team (ERT) 🔍 Show Kagi Synopsis
  **Drifter** is a newly identified Distributed Denial of Service (DDoS) botnet that specifically targets **Android TV devices** by exploiting exposed **Android Debug Bridge (ADB)** ports 【1】. This botnet operates independently from other known botnets like MossadProxy, Jackskid, and Kimwolf, despite targeting the same vulnerable devices 【1】.
  
  **What Happened:**
  Drifter infects Android TV devices through a dropper that installs an APK disguised as a system update (`com.siliconworks.android.update`). This APK then extracts and launches a native ARM binary (`libcyn.so`) which establishes communication with the botnet's Command and Control (C2) infrastructure 【1】. The botnet is capable of launching various DDoS attacks, with observed attacks including UDP floods, TCP SYN floods, and TCP PSH+ACK floods 【1】.
  
  **Who is Affected:**
  The primary targets are **Android TV devices** that have their ADB ports exposed to the internet. These devices are often found in environments like hotel lobbies or small businesses, where they might share network segments with other devices such as IP cameras 【1】. The botnet has been observed to launch attacks against a diverse range of targets, including game servers, cloud infrastructure, hosting providers, and ISP address spaces globally 【1】.
  
  **Security Implications:**
  Drifter poses a significant threat due to its ability to launch large-scale DDoS attacks, with observations indicating attacks up to **2.6 Tbps from approximately 80,000 sources** 【1】. The botnet's sophisticated C2 infrastructure, including domain generation algorithms and DNS obfuscation techniques, makes it difficult to track and disrupt 【1】. The use of IP camera brand names for C2 domains is a novel evasion technique designed to blend in with legitimate network traffic 【1】.
  
  **Technical Details:**
  - **Infection Vector:** Exploitation of ADB-exposed Android TV devices 【1】.
  - **Payload:** A 71 KB statically linked ARM ELF binary with 8 DDoS attack methods 【1】.
  - **C2 Communication:** Uses custom DNS resolvers, obfuscated DNS A records (16-bit half-swap), a domain generation algorithm, and a Telegram dead-drop resolver as a fallback 【1】.
  - **Evasion Techniques:** C2 domains mimic IP camera brands (`hikvision-cctv[.]su`, `nvms9000[.]su`) to blend with network traffic 【1】. It also uses non-standard high ports for C2 communication and disguises its package name and process name 【1】.
  - **Encryption:** Employs a custom stream cipher for its C2 protocol, which has been decrypted by researchers 【1】.
  - **Attack Methods:** Includes UDP floods, TCP SYN floods, TCP PSH+ACK floods, ICMP echo floods, and GRE floods, often with IP spoofing 【1】.
  - **Scale:** Observed attacks reaching up to 2.6 Tbps from around 80,000 sources 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of the following indicators and mitigation strategies:
  - **Network Indicators:**
  - Monitor for DNS queries to `*.daylightbomb[.]elite`, `*.hikvision-cctv[.]su`, or `*.nvms9000[.]su` (any subdomain) 【1】.
  - Watch for DNS queries to `connectivity.accesscam[.]org` 【1】.
  - Detect DNS resolution via the custom resolver `194.50.5[.]27` 【1】.
  - Identify TCP connections to non-standard ports: 23004, 25632, 32505, 34532, 36275, 36605, 37610, 44308 【1】.
  - Look for local TCP binds on port 2625, which may be used as an anti-competition lock 【1】.
  - **Host Indicators:**
  - Identify the real package name `io.nexus.drifter` or the installer disguise `com.siliconworks.android.update` 【1】.
  - Detect the native binary `libcyn.so` 【1】.
  - Observe the process name `ntpclient` 【1】.
  - Monitor for `/proc/self/oom_score_adj` set to -1000 for OOM protection 【1】.
  - **DNS Record Analysis:** Defenders should apply a **16-bit half-swap** to any A records returned for the botnet's domains before enrichment to reveal the actual C2 IP addresses 【1】.
  - **Subdomain Monitoring:** Due to the use of a domain generation algorithm, **any subdomain** of the identified base domains should be considered suspicious 【1】.
  - **ADB Security:** It is crucial to **disable ADB or restrict its access** to trusted networks and IP addresses to prevent initial infection vectors 【1】.
• New widespread EvilTokens kit: device code phishing as-a-service - Part 1 - Sekoia TDR 🔍 Show Kagi Synopsis
  The cybersecurity article details the emergence of **EvilTokens**, a new Phishing-as-a-Service (PhaaS) kit that facilitates **Microsoft device code phishing** attacks. This kit enables cybercriminals to conduct large-scale account takeovers and Business Email Compromise (BEC) attacks by automating the process of obtaining access and refresh tokens, and crucially, converting them into Primary Refresh Tokens (PRTs) for persistent, silent access 【1】.
  
  **What Happened:**
  EvilTokens, identified in March 2026, provides a comprehensive solution for device code phishing. Attackers use the kit to trick victims into entering a device code on a legitimate Microsoft login page. This action grants the attacker access to the victim's Microsoft account, allowing them to obtain access and refresh tokens, which can then be converted into PRTs for sustained, undetected access 【1】.
  
  **Who is Affected:**
  The EvilTokens campaigns target employees across various sectors, including **finance, HR, logistics, and sales**, to facilitate BEC attacks. The phishing lures often impersonate financial documents, meeting invitations, shipping orders, payroll information, or generic cloud document requests. These attacks have a global reach, impacting organizations in North, Central, and South America, Europe, the Middle East, Asia, and Oceania, with a notable concentration in the **United States, Australia, Canada, France, India, Switzerland, and the UAE** 【1】.
  
  **Security Implications:**
  The primary security implication is **account takeover**. Harvested access tokens provide short-lived access (60-90 minutes) to victim resources like Exchange Online, SharePoint, and OneDrive. More critically, stolen refresh tokens allow attackers to maintain persistent access for up to 90 days, enabling silent re-authentication and the acquisition of a PRT. This PRT facilitates Single Sign-On (SSO) across Microsoft 365 applications, bypassing multi-factor authentication (MFA) and allowing for lateral movement within an organization's cloud environment. Attackers can then exfiltrate sensitive data and conduct further malicious activities 【1】.
  
  **Technical Details:**
  EvilTokens utilizes the **OAuth 2.0 Device Authorisation Grant flow**. The process involves:
  * The attacker initiating a device code request to Microsoft APIs, obtaining a `user_code` and `verification_uri`.
  * The victim being directed to a phishing page (often hosted on Cloudflare Workers or affiliate-hosted domains) that displays the `user_code` and prompts for Microsoft identity verification.
  * The victim entering the `user_code` on the legitimate Microsoft device login page.
  * The attacker's backend polling Microsoft APIs to retrieve the `access_token` and `refresh_token`.
  * The EvilTokens backend supporting advanced features such as converting refresh tokens to PRTs, generating browser SSO cookies (`x-ms-RefreshTokenCredential`), and performing reconnaissance on Microsoft Graph and Azure 【1】.
  
  Key technical indicators include specific URL patterns for Cloudflare Workers-hosted pages (e.g., `*.workers.dev`), the presence of `/api/device/start` and `/api/device/status/` in network requests, and the `X-Antibot-Token` HTTP header used to bypass bot detection 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware of the **device code phishing technique**, which differs from traditional Adversary-in-the-Middle (AitM) phishing. Recommended actions include:
  * **User Education:** Inform users about the Microsoft device code authentication flow and the risks of entering codes from untrusted sources.
  * **Monitor Indicators:** Track identified URL patterns, API endpoints (`/api/device/start`, `/api/device/status/`), and the `X-Antibot-Token` header in network traffic.
  * **Review Logs:** Analyze authentication logs for suspicious device code authorization attempts or unusual token acquisition patterns.
  * **Implement Security Controls:** Ensure robust email filtering and endpoint security solutions are in place to detect and block phishing lures and malicious domains.
  * **Stay Updated on IoCs:** Utilize threat intelligence feeds for updated lists of EvilTokens domains and associated infrastructure. The article provides a YARA rule for detecting EvilTokens phishing pages and lists numerous indicators of compromise (IoCs) 【1】.