[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9Fl-wPY7eiuKuWpSPzQ2QbMdggNGcOYg6cuJy_cIicU":3},{"article":4,"iocs":39},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":28},"1c459a21-8814-48e7-b4e5-9d6fecfd0ac7","We observed a phishing campaign pivot to evade static analysis, shifting from credential theft to...","we-observed-a-phishing-campaign-pivot-to-evade-static-analysis-shifting-from-cre-7e922a","We observed a phishing campaign pivot to evade static analysis, shifting from credential theft to #OAuth device code phishing. Attackers replaced hardcoded URLs with runtime-fetched landing pages and generated images as blob URLs. Details at: https:\u002F\u002Ft.co\u002FR0zi1o5smS https:\u002F\u002Ft.co\u002FwWk1IgBpKk","Researchers observed a phishing campaign evolving its tactics to evade static analysis by shifting from credential theft to OAuth device code phishing. The attackers replaced hardcoded URLs with dynamically fetched landing pages and used blob URLs for generated images to bypass detection mechanisms.","Phishing campaign pivots to OAuth device code attacks using runtime-fetched landing pages.",null,"https:\u002F\u002Fx.com\u002FUnit42_Intel\u002Fstatus\u002F2052830994885955870","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHH0e1gHWAAYwedE.jpg","2026-05-08T19:20:23+00:00","2026-05-08T20:00:09.483601+00:00",7,[18,21],{"name":19,"type":20},"OAuth Device Code Phishing Campaign","campaign",{"name":22,"type":23},"OAuth Device Code Flow","technology","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":24,"icon":11,"name":26,"slug":27},"Malware","malware",[29,34],{"category":30},{"id":31,"icon":11,"name":32,"slug":33},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":35},{"id":36,"icon":11,"name":37,"slug":38},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]