alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING EvilTokens Poll for user_code Authentication Status"; flow:established,to_server; flowbits:isset,ET.EvilTokens; http.method; content:"GET"; http.uri; content:"/api/device/status/"; fast_pattern; startswith; reference:url,blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/; classtype:credential-theft; sid:2068630; rev:1; metadata:affected_product MS_Outlook, affected_product Microsoft_OneDrive, affected_product Microsoft_Sharepoint, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_04_07, deployment Perimeter, confidence High, signature_severity Critical, tag EvilTokens, updated_at 2026_04_08;)