
All news with #token theft tag

42 articles

Experts warn MFA alone won’t stop token phishing

🔐 Security researchers and agencies are warning that phishing campaigns are increasingly targeting Microsoft 365 OAuth device codes and access tokens to bypass multifactor authentication. New commercial services like Kali365 and older kits such as EvilTokens automate token capture, AI‑generated lures, and large-scale campaign management. The FBI and vendors urge admins to restrict device code flows, apply conditional access, monitor token misuse, and adopt identity‑centric controls beyond MFA.

Consent Phishing: OAuth Grants Enable Token Hijacks

🔐 In February 2026 the EvilTokens PhaaS campaign abused the OAuth consent flow to harvest long‑lived refresh tokens, compromising over 340 Microsoft 365 organizations across five countries. Victims completed legitimate sign‑ins and MFA at microsoft.com/devicelogin, then clicked consent and unknowingly granted broad scopes for mail, drive, calendar, and contacts. Because the attacker received signed, refreshable tokens rather than credentials, MFA and typical SIEM correlation did not detect the intrusion. The incident demonstrates how normalized consent clicks have become a critical security gap.

Siemens SENTRON PAC1261 Request Smuggling Patch Advisory

🔒 The web server in Siemens SENTRON 7KT PAC1261 Data Manager (versions before V2.1.0) contains a request smuggling vulnerability in the Go net/http package that can expose authorization tokens and permit administrative takeover. Siemens has released V2.1.0 to remediate the issue and recommends immediate updating. Mitigations include using encrypted protocols, restricting network exposure, and following vendor operational security guidance.

CloudZ RAT Exploits Windows Phone Link to Steal OTPs

🔒 Cisco Talos researchers disclosed an intrusion leveraging the CloudZ remote access tool and an undocumented plugin named Pheno to harvest credentials and one‑time passwords. The attackers abused Microsoft's Phone Link PC-to-phone bridge to monitor SMS/OTP data without deploying malware on the mobile device. The campaign, active since at least January 2026, uses a fake ConnectWise ScreenConnect dropper, a .NET loader and modular plugins to establish persistence and encrypted C2 communications.

OAuth Backdoor: Persistent Tokens and Enterprise Risk

🔒 Every AI tool, workflow automation, or productivity app that employees connect to Google or Microsoft can leave a persistent OAuth token that does not expire, is not centrally tracked, and bypasses perimeter controls and MFA. Material Security's research shows many organizations are aware but lack effective remediation: some do nothing and others rely on manual spreadsheets. The article argues for continuous behavioral monitoring, blast-radius assessment, and graduated automated responses to revoke risky tokens before they’re weaponized.

Malware Abuses Microsoft Phone Link to Steal SMS OTPs

🔒 Cisco Talos has identified a stealthy campaign using a CloudZ remote access trojan and a custom Pheno plugin to siphon SMS one‑time passwords and other sensitive mobile data mirrored via Microsoft Phone Link on Windows endpoints. Rather than compromising phones, attackers exploit the PC‑to‑phone trust relationship to access the Phone Link SQLite data stored locally. The malware establishes persistence, performs anti‑analysis checks, fetches plugin modules, and monitors active Phone Link processes to capture OTPs and notifications. Talos published detection signatures, hashes, C2 indicators and Snort rules; attribution is unconfirmed.

CloudZ RAT Abuses Microsoft Phone Link to Steal OTPs

🔐 A new CloudZ remote access tool (RAT) variant deploys a previously unseen plugin named Pheno that hijacks Microsoft Phone Link on Windows 10 and 11 to extract SMS messages and one‑time passwords from the application’s local SQLite database. Cisco Talos says the intrusion has been active since at least January and can intercept OTPs mirrored to the desktop without compromising the mobile device. The infection chain begins with a fake ScreenConnect update that drops a Rust loader and a .NET loader which installs CloudZ, establishes persistence via a scheduled task, and performs anti-analysis checks.

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔍 Cisco Talos disclosed an active campaign since January 2026 in which an unknown actor deployed a modular .NET RAT called CloudZ and a novel plugin, Pheno. Pheno targets the Windows Phone Link feature to detect an active PC-to-phone bridge and stage Phone Link SQLite files, enabling potential interception of mirrored SMS and OTPs without compromising the phone. CloudZ executes core functions dynamically in memory, performs anti-debug and sandbox checks, and supports plugin-based credential exfiltration.

Top Techniques Attackers Use to Infiltrate Systems

🔒 Much reporting on cyber risk focuses on AI, but frontline incidents remain grounded in social engineering and identity exploitation. Experts say attackers increasingly abuse legitimate tools — including trojanized RMM clients — and target network security appliances, OAuth flows, and machine identities to bypass defenses. Techniques like ClickFix, phishing, token theft and supply‑chain worms enable lateral movement and ransomware. Defenders should combine user training, RMM allowlists and layered, phishing‑resistant authentication.

Storm infostealer hijacks sessions, decrypts server-side

⚠️ A new infostealer dubbed Storm surfaced on underground marketplaces in early 2026, offering subscription-based credential and session theft for under $1,000 per month. Storm harvests browser passwords, session cookies, crypto wallets, autofill data, and app tokens, then uploads encrypted artifacts and performs server-side decryption to evade endpoint detection. The platform also automates cookie restoration using supplied Google refresh tokens and geographically matched SOCKS5 proxies, enabling silent session hijacking and persistent access to web services.

Investigating Storm-2755: Payroll pirate attacks in Canada

🔒 Microsoft Incident Response researchers detail a Storm-2755 campaign that used malvertising and SEO poisoning to phish Canadian users and capture OAuth tokens and credentials via adversary-in-the-middle (AiTM) proxying. The actor replayed tokens (notably using the Axios/1.7.9 user-agent) to hijack authenticated sessions and bypass non-phishing-resistant MFA. Compromised accounts were used to search for payroll and HR data, create hidden inbox rules, and in some cases directly modify Workday payment information, resulting in at least one confirmed payroll diversion. Microsoft urges immediate token revocation, removal of malicious inbox rules, and adoption of phishing-resistant MFA and device-based conditional access.

Russian GRU Used Router Flaws to Steal Office Tokens

🔒 Security researchers say hackers linked to Russia’s GRU used known vulnerabilities in end-of-life routers to mass-harvest Microsoft Office authentication tokens. The actor, tracked as Forest Blizzard (aka APT28/Fancy Bear), altered DNS settings on mostly MikroTik and TP-Link SOHO devices to route traffic through attacker-controlled DNS servers and perform adversary-in-the-middle (AiTM) interception of OAuth tokens and TLS sessions. Microsoft identified more than 200 affected organizations and about 5,000 consumer devices, while Black Lotus Labs observed the campaign touching over 18,000 routers at its December 2025 peak.

Device-code phishing attacks surge as kits spread online

🔐 Device-code phishing attacks that exploit the OAuth 2.0 Device Authorization Grant flow have surged sharply this year, driven by commodity phishing kits. Researchers report a 37.5x increase in detected pages and identify at least 11 kits, with the PhaaS offering EvilTokens the most prominent. These kits mimic legitimate SaaS flows, use anti-bot protections and cloud hosting, and trick victims into entering device codes that grant attackers valid access and refresh tokens. Security teams are advised to disable unused device-code flows and monitor authentication logs and sessions closely.

EvilTokens Abuses Microsoft Device-Code Flow for Takeovers

⚠️ Sekoia researchers uncovered a phishing-as-a-service toolkit named EvilTokens that abuses Microsoft's device code authentication flow to capture valid access tokens by tricking victims into entering device codes on official Microsoft login pages. The kit bundles phishing lures, AI-driven automation, inbox harvesting and post-compromise modules to weaponize access. Operators distribute the service through Telegram bots and channels, and Sekoia observed activity since at least mid-February targeting countries including the US, Australia, Canada, France, India, Switzerland and the UAE.

EvilTokens kit powers Microsoft device-code phishing

⚠️ EvilTokens is a commercially sold phishing kit that abuses the device code authorization flow to hijack Microsoft accounts and enable advanced BEC operations. Distributed via Telegram, campaigns deliver document lures with QR codes or links to phishing templates impersonating trusted services and workflows. Victims are prompted to authenticate on the real Microsoft device login, producing short-lived access tokens and refresh tokens that give attackers immediate and persistent access. Sekoia reported global campaigns and published IoCs and YARA rules; the author says support for Gmail and Okta is planned.

Zero Trust: Bridging Authentication and Device Trust

🔒 The perimeter model has broken down as workforces go hybrid, and many Zero Trust deployments miss a key link between identity and session authorization. Specops Device Trust argues that authentication must be contextualized with real-time device posture checks to prevent token theft and session hijacking. Binding identity to a verified device and continuous monitoring lets organizations enforce dynamic, low-friction policies that reduce risk.

2026 Cloudflare Threat Report: Rise of High-Trust Attacks

🔍 The 2026 Cloudflare Threat Report from Cloudforce One documents a shift from brute-force intrusion toward high-trust exploitation, introducing a new metric: the Measure of Effectiveness (MOE). The report identifies eight trends — including AI-driven attack automation, token theft that neutralizes MFA, weaponized cloud tooling, and record-setting hyper-volumetric DDoS — that favor speed and throughput over sophistication. It urges organizations to adopt autonomous, real-time defenses and previews an upgraded automated threat-events command center to help harden the connective tissue of modern networks.

Fake Google Security PWA Steals OTPs, Wallets, Proxies

🔒 A phishing campaign impersonating Google directs victims to a malicious PWA on google-prism[.]com that harvests contacts, clipboard contents, GPS data, and one-time passcodes. The PWA leverages a service worker, Periodic Background Sync, and the WebOTP API while checking an /api/heartbeat endpoint for commands. It can act as an HTTP proxy via a WebSocket relay and uses push notifications to prompt users to reopen the app so it can access data. An optional Android APK escalates access with dozens of permissions and persistence mechanisms.

RoguePilot Flaw: Copilot in Codespaces Could Leak Tokens

🛡️ RoguePilot was a vulnerability in GitHub Codespaces that allowed GitHub Copilot to be manipulated via a crafted GitHub issue, enabling silent execution of hidden AI instructions and potential exfiltration of a privileged GITHUB_TOKEN. Orca Security researcher Roi Nisimi reported that an attacker could embed the prompt inside an HTML comment and direct Copilot to send the token to an external server. Microsoft patched the flaw after responsible disclosure. The disclosure underscores risks from AI-mediated prompt injection and urges better prompt handling, content sanitization, and least-privilege token practices.

OpenClaw token flaw enables one-click remote RCE exploit

🔒 A high-severity vulnerability (CVE-2026-25253, CVSS 8.8) in OpenClaw allowed a crafted link or webpage to exfiltrate a stored gateway token and enable one-click remote code execution. The Control UI trusted the gatewayUrl query parameter and auto-connected on load while the server failed to validate WebSocket Origin headers. The issue was patched in v2026.1.29 (Jan 30, 2026); users should upgrade immediately.