< ciso
brief />
Tag Banner

All news with #token theft tag

49 articles

ARToken PhaaS reveals EvilTokens Microsoft 365 toolkit

🛡️ Cisco Talos uncovered a React-based ARToken management panel exposing 80+ API endpoints and client-side code that reveals expanded phishing capabilities. The platform, tied to the EvilTokens ecosystem, automates Microsoft 365 account compromise by stealing authentication tokens, obtaining persistent Primary Refresh Tokens (PRTs), and accessing Outlook, SharePoint, and OneDrive. ARToken deploys Cloudflare Workers, supports multi-tenant affiliate operations, and includes tools for BEC automation and mailbox monitoring.
read more →

Bluekit adopts browser-in-the-middle for login theft

🛡️ The Bluekit phishing-as-a-service platform has added browser-in-the-middle (BitM) capabilities and nearly 70 new hostnames, enabling attackers to load legitimate login pages and capture valid session tokens. Netcraft found Bluekit uses the open-source rrweb library to serialize and stream page DOM data over WebSockets while fetching assets through phishing infrastructure. The kit also includes advanced anti-analysis features such as randomized CSS filters, large rotating obfuscated JavaScript bundles, custom CAPTCHAs, browser fingerprinting, and WebRTC IP-mismatch checks.
read more →

JaredFromSubway MEV bot suffers $15M crypto theft

🔒 The JaredFromSubway Ethereum MEV bot lost $15 million after an attacker fed it fake pools and tokens to manipulate its opportunity detection and gain ERC-20 approvals. Blockaid detected the drain and JaredFromSubway confirmed the attacker deployed deceptive contracts that tricked the bot into issuing allowances to attacker-controlled helper contracts. The attacker used staged, benign-looking transactions to validate the bot’s routines, later exploiting open approvals via transferFrom to withdraw WETH, USDC, and USDT.
read more →

Claude Code MCP configuration enables token theft

🔒 Researchers disclosed an attack chain against Anthropic’s command-line coding assistant, Claude Code, that abuses the Model Context Protocol (MCP). A malicious npm post-install hook can rewrite the local ~/.claude.json configuration to redirect authenticated MCP traffic to attacker infrastructure, allowing interception of stored OAuth bearer tokens. Anthropic has been notified but has not issued a patch; defenders are advised to monitor the configuration file, treat npm post-install hooks as high risk, and rotate OAuth tokens tied to Claude Code integrations.
read more →

GitHub browser VSCode flaw risks stolen developer tokens

🛡️ A researcher disclosed a vulnerability in GitHub’s browser-based VSCode (github.dev) that could allow an attacker to obtain a developer’s OAuth token and access any repos the developer can reach. The issue involves github.com POSTing a broad-scoped token to github.dev and a bypass in Jupyter notebook-based extension installation that can exfiltrate the token. Microsoft implemented a short-term mitigation requiring notebook confirmation and restoring the trusted-publisher check.
read more →

One-click GitHub.dev attack exposes OAuth tokens

🔒 Security researchers disclosed a one-click attack targeting GitHub.dev in the browser-hosted VS Code environment that can steal a user's GitHub OAuth token. The exploit abuses message passing between the main VS Code window and untrusted webviews to simulate keypresses, open the Command Palette, and install malicious extensions. By leveraging local workspace extensions and configurable keybindings, attackers can bypass trust prompts and extract tokens with access to private repositories. Microsoft has acknowledged the issue and is working on a fix; the vulnerability does not affect VS Code Desktop.
read more →

VS Code zero-day lets attackers steal GitHub tokens

🛡️ A security researcher published exploit code for a Visual Studio Code zero-day that enables attackers to steal GitHub OAuth tokens by tricking users into clicking a link. The flaw abuses VS Code's sandboxed webview message-passing to run JavaScript that simulates keypresses, installs a malicious extension, and exfiltrates tokens sent to github.dev. The vulnerability is unpatched and unassigned a CVE; users can mitigate risk by clearing cookies and site data for github.dev to force reauthentication prompts.
read more →

Experts warn MFA alone won’t stop token phishing

🔐 Security researchers and agencies are warning that phishing campaigns are increasingly targeting Microsoft 365 OAuth device codes and access tokens to bypass multifactor authentication. New commercial services like Kali365 and older kits such as EvilTokens automate token capture, AI‑generated lures, and large-scale campaign management. The FBI and vendors urge admins to restrict device code flows, apply conditional access, monitor token misuse, and adopt identity‑centric controls beyond MFA.
read more →

Consent Phishing: OAuth Grants Enable Token Hijacks

🔐 In February 2026 the EvilTokens PhaaS campaign abused the OAuth consent flow to harvest long‑lived refresh tokens, compromising over 340 Microsoft 365 organizations across five countries. Victims completed legitimate sign‑ins and MFA at microsoft.com/devicelogin, then clicked consent and unknowingly granted broad scopes for mail, drive, calendar, and contacts. Because the attacker received signed, refreshable tokens rather than credentials, MFA and typical SIEM correlation did not detect the intrusion. The incident demonstrates how normalized consent clicks have become a critical security gap.
read more →

Siemens SENTRON PAC1261 Request Smuggling Patch Advisory

🔒 The web server in Siemens SENTRON 7KT PAC1261 Data Manager (versions before V2.1.0) contains a request smuggling vulnerability in the Go net/http package that can expose authorization tokens and permit administrative takeover. Siemens has released V2.1.0 to remediate the issue and recommends immediate updating. Mitigations include using encrypted protocols, restricting network exposure, and following vendor operational security guidance.
read more →

CloudZ RAT Exploits Windows Phone Link to Steal OTPs

🔒 Cisco Talos researchers disclosed an intrusion leveraging the CloudZ remote access tool and an undocumented plugin named Pheno to harvest credentials and one‑time passwords. The attackers abused Microsoft's Phone Link PC-to-phone bridge to monitor SMS/OTP data without deploying malware on the mobile device. The campaign, active since at least January 2026, uses a fake ConnectWise ScreenConnect dropper, a .NET loader and modular plugins to establish persistence and encrypted C2 communications.
read more →

OAuth Backdoor: Persistent Tokens and Enterprise Risk

🔒 Every AI tool, workflow automation, or productivity app that employees connect to Google or Microsoft can leave a persistent OAuth token that does not expire, is not centrally tracked, and bypasses perimeter controls and MFA. Material Security's research shows many organizations are aware but lack effective remediation: some do nothing and others rely on manual spreadsheets. The article argues for continuous behavioral monitoring, blast-radius assessment, and graduated automated responses to revoke risky tokens before they’re weaponized.
read more →

Malware Abuses Microsoft Phone Link to Steal SMS OTPs

🔒 Cisco Talos has identified a stealthy campaign using a CloudZ remote access trojan and a custom Pheno plugin to siphon SMS one‑time passwords and other sensitive mobile data mirrored via Microsoft Phone Link on Windows endpoints. Rather than compromising phones, attackers exploit the PC‑to‑phone trust relationship to access the Phone Link SQLite data stored locally. The malware establishes persistence, performs anti‑analysis checks, fetches plugin modules, and monitors active Phone Link processes to capture OTPs and notifications. Talos published detection signatures, hashes, C2 indicators and Snort rules; attribution is unconfirmed.
read more →

CloudZ RAT Abuses Microsoft Phone Link to Steal OTPs

🔐 A new CloudZ remote access tool (RAT) variant deploys a previously unseen plugin named Pheno that hijacks Microsoft Phone Link on Windows 10 and 11 to extract SMS messages and one‑time passwords from the application’s local SQLite database. Cisco Talos says the intrusion has been active since at least January and can intercept OTPs mirrored to the desktop without compromising the mobile device. The infection chain begins with a fake ScreenConnect update that drops a Rust loader and a .NET loader which installs CloudZ, establishes persistence via a scheduled task, and performs anti-analysis checks.
read more →

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔍Cisco Talos disclosed an active campaign since January 2026 in which an unknown actor deployed a modular .NET RAT called CloudZ and a novel plugin, Pheno. Pheno targets the Windows Phone Link feature to detect an active PC-to-phone bridge and stage Phone Link SQLite files, enabling potential interception of mirrored SMS and OTPs without compromising the phone. CloudZ executes core functions dynamically in memory, performs anti-debug and sandbox checks, and supports plugin-based credential exfiltration.
read more →

Top Techniques Attackers Use to Infiltrate Systems

🔒 Much reporting on cyber risk focuses on AI, but frontline incidents remain grounded in social engineering and identity exploitation. Experts say attackers increasingly abuse legitimate tools — including trojanized RMM clients — and target network security appliances, OAuth flows, and machine identities to bypass defenses. Techniques like ClickFix, phishing, token theft and supply‑chain worms enable lateral movement and ransomware. Defenders should combine user training, RMM allowlists and layered, phishing‑resistant authentication.
read more →

Storm infostealer hijacks sessions, decrypts server-side

⚠️ A new infostealer dubbed Storm surfaced on underground marketplaces in early 2026, offering subscription-based credential and session theft for under $1,000 per month. Storm harvests browser passwords, session cookies, crypto wallets, autofill data, and app tokens, then uploads encrypted artifacts and performs server-side decryption to evade endpoint detection. The platform also automates cookie restoration using supplied Google refresh tokens and geographically matched SOCKS5 proxies, enabling silent session hijacking and persistent access to web services.
read more →

Investigating Storm-2755: Payroll pirate attacks in Canada

🔒 Microsoft Incident Response researchers detail a Storm-2755 campaign that used malvertising and SEO poisoning to phish Canadian users and capture OAuth tokens and credentials via adversary-in-the-middle (AiTM) proxying. The actor replayed tokens (notably using the Axios/1.7.9 user-agent) to hijack authenticated sessions and bypass non-phishing-resistant MFA. Compromised accounts were used to search for payroll and HR data, create hidden inbox rules, and in some cases directly modify Workday payment information, resulting in at least one confirmed payroll diversion. Microsoft urges immediate token revocation, removal of malicious inbox rules, and adoption of phishing-resistant MFA and device-based conditional access.
read more →

Russian GRU Used Router Flaws to Steal Office Tokens

🔒 Security researchers say hackers linked to Russia’s GRU used known vulnerabilities in end-of-life routers to mass-harvest Microsoft Office authentication tokens. The actor, tracked as Forest Blizzard (aka APT28/Fancy Bear), altered DNS settings on mostly Mikrotik and TP-Link SOHO devices to route traffic through attacker-controlled DNS servers and perform adversary-in-the-middle (AiTM) interception of OAuth tokens and TLS sessions. Microsoft identified more than 200 affected organizations and about 5,000 consumer devices, while Black Lotus Labs observed the campaign touching over 18,000 routers at its December 2025 peak.
read more →

Device-code phishing attacks surge as kits spread online

🔐 Device-code phishing attacks that exploit the OAuth 2.0 Device Authorization Grant flow have surged sharply this year, driven by commodity phishing kits. Researchers report a 37.5x increase in detected pages and identify at least 11 kits, with the PhaaS offering EvilTokens the most prominent. These kits mimic legitimate SaaS flows, use anti-bot protections and cloud hosting, and trick victims into entering device codes that grant attackers valid access and refresh tokens. Security teams are advised to disable unused device-code flows and monitor authentication logs and sessions closely.
read more →