alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wahala Microsoft OAuth Device Code Attack, Polling for User Validated Tokens"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/json"; http.response_body; content:"|7b 22|user|5f|code|22|"; nocase; content:"|22|verification|5f|uri|22|"; nocase; distance:0; content:"|22|status|22 3a 22|pending|5f|auth|22|"; nocase; distance:0; content:"waiting|20|for|20|powershell|20|script"; fast_pattern; nocase; distance:0; content:"debug_log"; distance:0; reference:url,blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/; classtype:credential-theft; sid:2068814; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_04_17, deployment Perimeter, confidence High, signature_severity Critical, tag Phishing, tag DeviceCodePhish, updated_at 2026_04_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)