Proofpoint tracked state-sponsored and financially motivated clusters using the SquarePhish2 and Graphish toolkits to abuse the OAuth device code authorization flow (the report describes this as "bypassing" the process) and obtain tokens for victims' Microsoft 365 accounts, leading to account takeover and data exfiltration. Researchers collated and analyzed 46 IoCs (21 subdomains, four of them with multiple variations; 22 domains; one IP address; and two email addresses) and uncovered additional connected artifacts, including 91 email-connected domains and 23 further IP addresses. #SquarePhish2 #Graphish
Keypoints
- Threat actors used the phishing tools SquarePhish2 and Graphish to lure users into completing the OAuth device code authorization flow on the attacker's behalf, granting access to Microsoft 365 accounts and resulting in account takeover and data exfiltration. The victim signs in on the legitimate Microsoft login page; the token is issued to the attacker's polling client.
- Proofpoint initially published at least 44 IoCs; after collating unique domains and filtering, the researchers analyzed 46 IoCs comprising 21 subdomains (four with multiple variations), 22 domains, one IP address, and two email addresses.
- Jake AI and internal tooling flagged several subdomains and email-connected domains as likely to turn malicious well before public reporting; five domains were identified as likely to become malicious 65 to 93 days prior to reporting.
- WHOIS queries showed all 22 domains were registered in 2025 (between 15 September and 1 December); 14 were registered through Dominet (HK), and registrant countries included Malaysia, Thailand, Iceland, and the U.S.
- DNS Chronicle analysis found that 21 of the 22 domains had historical domain-to-IP resolutions, 823 in total; bluecubecapital[.]com recorded the oldest first resolution (5 February 2017). Since its current WHOIS creation date is in 2025, that history points to an earlier registration that lapsed before the domain was re-registered, so resolution history alone is not evidence of a long-lived attacker domain.
- Artifact expansion uncovered 91 unique email-connected domains, 23 additional IP addresses (22 of which were malicious), nine domains with 35 historical WHOIS email addresses (including three public emails), and further string-connected domains and subdomains.
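The following is an added example (not code from the Proofpoint or CircleID write-up, nor from the SquarePhish2 or Graphish projects) modelling the device authorization grant (RFC 8628) that these toolkits abuse. The authorization server is an in-memory stand-in for Microsoft's /devicecode and /token endpoints, and every identifier, client name and address in it is constructed. It shows why "bypass" is a loose description: the victim completes a genuine sign-in on the legitimate page, and the server hands the resulting token to whoever started the flow and is polling for it.

```python
"""Model of OAuth 2.0 device-code phishing (RFC 8628 device authorization grant).

Added example with a constructed in-memory authorization server; not the
Proofpoint/CircleID authors' code and not Microsoft's endpoint behaviour.
"""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingDevice:
    client_id: str
    scope: str
    user_code: str
    issued_at: float
    expires_in: int
    approved_by: Optional[str] = None   # set once the victim signs in


class FakeClock:
    """Injectable clock so the expiry path can be exercised deterministically."""
    def __init__(self, t=1_700_000_000.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    """Stand-in for the /devicecode and /token endpoints (constructed)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}        # device_code -> PendingDevice
        self.by_user_code = {}   # user_code   -> device_code

    def device_authorization(self, client_id, scope, expires_in=900):
        """Step 1: the *attacker's* client asks for a device code and user code."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = PendingDevice(client_id, scope, user_code,
                                                  self.clock(), expires_in)
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/devicelogin",  # constructed
                "expires_in": expires_in, "interval": 5}

    def user_approves(self, user_code, username):
        """Step 2: the victim types the code on the legitimate page and signs in
        (in a real tenant this includes MFA; nothing here is bypassed)."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            raise ValueError("unknown user code")
        self.pending[device_code].approved_by = username

    def token(self, device_code):
        """Step 3: the polling client (the attacker) collects the token."""
        state = self.pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}          # unknown or already redeemed
        if self.clock() - state.issued_at > state.expires_in:
            del self.pending[device_code]
            return {"error": "expired_token"}          # victim never entered the code
        if state.approved_by is None:
            return {"error": "authorization_pending"}  # keep polling
        del self.pending[device_code]                  # single use
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer",
                "scope": state.scope, "sub": state.approved_by}


def run_phish(server, victim="victim@contoso.example"):
    """Full exchange: attacker starts, victim is lured, attacker polls.
    Returns (poll before approval, poll after approval, replay attempt)."""
    req = server.device_authorization("public-client-id (constructed)",
                                      "Mail.Read Files.Read offline_access")
    # The lure (mail/QR code) shows the real verification_uri plus req["user_code"].
    before = server.token(req["device_code"])
    server.user_approves(req["user_code"], victim)    # victim signs in for real
    after = server.token(req["device_code"])          # attacker now holds the token
    replay = server.token(req["device_code"])         # code cannot be redeemed twice
    return before, after, replay


def run_expired(server, clock):
    """Victim ignores the lure: the device code times out and yields nothing."""
    req = server.device_authorization("public-client-id (constructed)", "Mail.Read")
    clock.advance(req["expires_in"] + 1)
    return server.token(req["device_code"])


if __name__ == "__main__":
    clock = FakeClock()
    srv = DeviceAuthServer(clock=clock)
    print(run_phish(srv))
    print(run_expired(srv, clock))
```

The defensive takeaway the model makes visible: the only party that ever sees the user code is the victim, so the attacker's session is indistinguishable from a legitimate device login at the server. Hunting therefore starts from the sign-in telemetry that records the grant type (the device-code protocol in Entra ID sign-in logs) combined with the client, location and subsequent Graph activity, rather than from the login event alone.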
MITRE Techniques
- [N/A] No MITRE ATT&CK technique IDs are explicitly mentioned in the article; the report describes attackers "bypassing the OAuth device code authorization process" without citing ATT&CK technique names or codes. (Editorial note, not from the article: device-code phishing of this kind is usually mapped to T1528 Steal Application Access Token, delivered via T1566.002 Phishing: Spearphishing Link, with the resulting access classed as T1078.004 Valid Accounts: Cloud Accounts.)
Indicators of Compromise
- [Subdomains] Subdomains used to host phishing pages or impersonate services: onlinedocuments-[OrganisationName][.]vxhwuulcnfzlfmh[.]live, onedrive[.]gov-zm[.]workers[.]dev, and 19 more (21 total, four of them with multiple variations).
- [Domains] Domains registered in 2025 and used by the clusters: bluecubecapital[.]com, blitzcapital[.]net, vxhwuulcnfzlfmh[.]live, and 19 more (22 total).
- [IP addresses] Network IoCs and additional resolved addresses: the single IP address in the IoC list (not disclosed in the article) geolocated to the Netherlands, plus 23 additional IP addresses discovered through expansion (22 flagged as malicious).
- [Email addresses] Email addresses tied to phishing campaigns and WHOIS records: two email addresses were identified as IoCs (one associated with a phishing campaign); the article does not list the specific addresses.
- [Other artifacts] Expanded artifact set from WHOIS, DNS and history queries: 91 email-connected domains after filtering, 35 unique historical WHOIS email addresses, and 823 domain-to-IP resolutions across 21 domains. The article states that a sample of the artifacts is available for download.
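Before indicators like the ones listed above can be loaded into a blocklist or matched against telemetry, they need to be refanged, normalised, classified and reduced to the registrable domains worth pivoting on (the step the researchers describe as collating unique domains). The following is an added example, not code from the CircleID or Proofpoint write-up; it uses the five defanged values quoted on this page plus constructed extras (a duplicate in different case, a URL form, an email, and two addresses from the RFC 5737/3849 documentation ranges), and the two-label suffix table is a tiny stand-in for a real public suffix list.

```python
"""Refang, classify, de-duplicate and pivot on defanged indicators.

Added example; not the CircleID/Proofpoint authors' code. The indicator
list mixes the five values quoted on this page with constructed entries.
"""
import fnmatch
import ipaddress
import re

# Constructed list: five published values plus hypothetical extras.
RAW_IOCS = [
    "onlinedocuments-[OrganisationName][.]vxhwuulcnfzlfmh[.]live",  # from the report
    "onedrive[.]gov-zm[.]workers[.]dev",                            # from the report
    "bluecubecapital[.]com",                                        # from the report
    "blitzcapital[.]net",                                           # from the report
    "vxhwuulcnfzlfmh[.]live",                                       # from the report
    "VXHWUULCNFZLFMH[.]LIVE.",                    # constructed duplicate, other case
    "hxxps://onedrive[.]gov-zm[.]workers[.]dev/login",  # constructed URL form
    "admin@blitzcapital[.]net",                   # constructed email
    "203[.]0[.]113[.]45",                         # constructed, TEST-NET-3
    "2001:db8::1",                                # constructed, documentation range
]

# Stand-in for a public-suffix lookup: suffixes that span two labels.
MULTI_LABEL_SUFFIXES = {"workers.dev", "co.uk", "com.au"}

# Report placeholders such as [OrganisationName]; handled after "[.]" is removed.
PLACEHOLDER = re.compile(r"\[[^\]]+\]")


def refang(raw):
    """Undo common defanging and reduce URLs to their host."""
    s = raw.strip().lower()
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")
    s = PLACEHOLDER.sub("*", s)              # keep the placeholder as a wildcard label
    s = re.sub(r"^https?://", "", s).split("/")[0]
    return s.rstrip(".")


def registrable_domain(host):
    """Suffix plus one label, e.g. gov-zm.workers.dev for onedrive.gov-zm.workers.dev."""
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return None                          # a bare suffix is not registrable
    return ".".join(labels[-(suffix_len + 1):])


def classify(value):
    if "@" in value:
        return "email"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    reg = registrable_domain(value)
    if reg is None:
        return "unknown"
    return "domain" if value == reg else "subdomain"


def normalize(raw_iocs):
    """Return ({kind: sorted unique indicators}, sorted registrable pivot domains)."""
    by_kind = {}
    pivots = set()
    for raw in raw_iocs:
        value = refang(raw)
        kind = classify(value)
        by_kind.setdefault(kind, set()).add(value)
        if kind in ("email", "domain", "subdomain"):
            host = value.split("@")[-1]
            reg = registrable_domain(host)
            if reg:
                pivots.add(reg)
    return {k: sorted(v) for k, v in by_kind.items()}, sorted(pivots)


def matches(observed_host, indicators):
    """True if a hostname from telemetry equals an indicator (wildcards honoured)
    or sits beneath it; a longer unrelated name that merely contains it does not."""
    h = refang(observed_host)
    return any(fnmatch.fnmatchcase(h, ind) or h.endswith("." + ind) for ind in indicators)


if __name__ == "__main__":
    kinds, pivots = normalize(RAW_IOCS)
    for kind, values in kinds.items():
        print(kind, values)
    print("pivot domains:", pivots)
```

The wildcard handling matters for indicators published with placeholders: a telemetry host such as onlinedocuments-acme.vxhwuulcnfzlfmh.live still matches, while the suffix check stops bluecubecapital.com.example from matching bluecubecapital.com. Swap MULTI_LABEL_SUFFIXES for a real public suffix list before using this on production data; hosting suffixes like workers.dev are exactly where a naive "last two labels" rule collapses unrelated tenants into one domain.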
Read more: https://circleid.com/posts/analyzing-account-takeover-attacks-leveraging-squarephish2-and-graphish