Threat Research | June 12, 2026

Device code phishing bypasses password stealing

The Microsoft 365 phishing campaign persuades victims to complete a real authentication process that authorizes an attacker-controlled device.

Robert Simmons

RL has discovered an active Microsoft 365 device code phishing campaign that abuses Microsoft's legitimate OAuth 2.0 Device Authorization Grant flow to obtain access to victim accounts.

Rather than stealing passwords through a counterfeit login page, the phishing kit persuades victims to complete a legitimate Microsoft authentication process that authorizes an attacker-controlled device.

Here's how it works, complete with phishing lure, attack workflow, landing page code, network indicators, and detection opportunities, including YARA signatures and network-based hunting techniques.

Device code phishing lure

The initial email sent to victims uses a lure that appears to be an approval for an estimate sent from a vendor to one of their customers. The lure is constructed using an image attachment referenced in a second HTML attachment. One example of the lure image is shown in the figure below.

Figure 1: Device Code phishing lure image.

The HTML attachment references the image via a Content-ID (cid:) URL, wrapped in an anchor tag to make the whole image clickable. The id-left and id-right parts of the Content-ID appear to be algorithmically generated.

The HTML attachment along with the referenced JPG image attachment is shown in the following figure.

Figure 2: HTML attachment referencing JPG lure via Content ID URL.

Device code phishing landing page

Clicking the image with the link overlay takes the victim to the device code phishing landing page. This page has the look and feel of many recent ClickFix-style phishing kits. The initial landing page is shown below in Figure 3.

Figure 3: Device code phishing landing page.

When the victim clicks on the "Review Document" button, a verification code is displayed. The victim is instructed to copy the code to their clipboard and then click the button at the bottom of the page to sign in to their Microsoft account. The verification code page is shown in the next figure.

Figure 4: Verification code copied to victim's clipboard.

If the victim clicks the button to sign in with Microsoft, a genuine login popup is opened. The popup is requesting that a code be entered. This is a real page that is part of the Microsoft authentication flow. This popup is seen in the next figure.

Figure 5: Real Microsoft code entry popup.

If the victim enters the code from the phishing site, the next page in the Microsoft login flow is shown, requesting the account username. One clue that this is not a typical login flow is the text "Microsoft Authentication Broker" and the reference to "another device". This second popup in the Microsoft authentication flow is shown in the figure below.

Figure 6: Microsoft Authentication Broker username prompt.

Phishing kit code analysis

Looking at the HTML source code of the phishing landing page, a set of defense evasion techniques can be seen. The first is the use of Unicode format characters such as Zero Width Space (ZWS), Word Joiner (WJ), and Zero Width Non-Joiner (ZWNJ). These invisible characters are interspersed in words that typically serve as red flags for phishing detection, such as "Agreement", "Verify", "Microsoft", "account", and more.

These characters do have legitimate use in benign roles, but the sheer number of them in this phishing kit's landing page is unusual on its own and makes for a component of the YARA detection rule for these landing pages. A whole host of these format characters can be seen in the next figure.

Figure 7: Invisible Unicode format characters used to hide red flag detection strings.
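A defender-side check for this evasion, as an added example that is not code from the original post: it counts the three format characters named above and reports which red-flag words only become visible once those characters are stripped. The function names, the `min_count` threshold and both sample pages are assumptions constructed for illustration.

```python
import re
from itertools import cycle

# The three format characters named in the post and matched by its YARA rule.
INVISIBLE = {"\u200b": "ZWS", "\u200c": "ZWNJ", "\u2060": "WJ"}
INVISIBLE_RE = re.compile("[\u200b\u200c\u2060]")
# Red-flag words quoted in the post; extend the tuple for your own filters.
KEYWORDS = ("agreement", "verify", "microsoft", "account")


def analyze_html(html, min_count=10):
    """Count invisible format characters and list the keywords they were hiding.

    min_count is an assumed threshold, not a value taken from the post.
    """
    counts = {name: html.count(ch) for ch, name in INVISIBLE.items()}
    total = sum(counts.values())
    raw = html.lower()
    stripped = INVISIBLE_RE.sub("", raw)
    # A keyword is "hidden" when it appears more often after stripping than before.
    hidden = sorted(k for k in KEYWORDS if stripped.count(k) > raw.count(k))
    return {
        "counts": counts,
        "total": total,
        "hidden_keywords": hidden,
        "suspicious": bool(hidden) or total >= min_count,
    }


def _split_word(word):
    """Build constructed test input: one invisible character between each letter."""
    filler = cycle(INVISIBLE)
    return "".join(ch + next(filler) for ch in word[:-1]) + word[-1]


# Constructed sample imitating the obfuscation style described in the post.
OBFUSCATED = (
    "<h1>" + _split_word("Verify") + " your " + _split_word("Microsoft")
    + " " + _split_word("account") + "</h1><p>Review the document</p>"
)
# Constructed benign page: one Word Joiner used outside any keyword.
BENIGN = "<p>Sign in to your Microsoft account, no\u2060break</p>"

if __name__ == "__main__":
    for label, page in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(label, analyze_html(page))
```
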

The technique for opening the genuine Microsoft authentication flow starts by calling window.open() on the URL hxxps[://]aka[.]ms/devicelogin, which is a URL-shortened device login entry point hosted on Akamai. This is a real and legitimate URL used for normal Microsoft authentication flows.

Figure 8: Akamai hosted device login URL.

There are more authentication entry point URLs than just this one, but as of the time of writing, this adversary is not using any other than the Akamai-shortened URL. However, the YARA rule for hunting landing pages for this phishing kit includes these other possibilities in case this particular tactic changes. The YARA rule is provided at the end of the blog.

The core component of this phishing kit is the device code itself. A device code is a part of Microsoft's OAuth 2.0 Device Authorization Grant flow. In non-malicious circumstances, this code is used to authenticate command line tools, smart TVs, and IoT devices that cannot provide a web-based authentication flow on their own.

This phishing kit is requesting a connection to the victim's Microsoft 365 account across this authentication channel. It is trying to trick the victim into completing the authentication flow without knowing that it is authorizing the "device" controlled by the adversary to access the victim's account, thereby completing an account takeover. This adversary is targeting corporate Microsoft 365 users in this way. One example of the device code is shown in the next figure.

Figure 9: Device code POST request to phishing kit host.

This device code is sent to the phishing kit's host via POST on a four-second loop. This is to coordinate the OAuth 2.0 flow between the kit's backend code and the authentication flow that the victim is progressing through. The data is sent as URL-encoded form data, with the device code itself as the value in the "dc" key-value pair. The binary device code is encoded here using URL-safe base64.

In addition to the device code content, there is also a bit-shifted string artifact from Microsoft Entra ID's Security Token Service: EvoStsArtifacts. Because it is bit-shifted ASCII, it is not visible simply by decoding the base64. To make it visible, the bytes that include it must be left-shifted by six bits. After that, the string becomes visible. A small Python program for revealing this string is shown in the figure below.

Figure 10: Bitshifted Entra ID security token service string.
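A worked version of that decoding for captured telemetry, as an added example that is not the program from the original post: it parses a form-encoded POST body, decodes the URL-safe base64 "dc" value and searches for EvoStsArtifacts. It goes slightly beyond the text by trying all eight bit alignments rather than only the six-bit shift. The function names are assumptions, and the sample body is constructed from the byte sequence in the post's YARA rule plus filler bytes.

```python
import base64
from urllib.parse import parse_qs

MARKER = b"EvoStsArtifacts"

# Byte sequence from the $evosts string in the post's YARA rule:
# the marker as it sits, bit-shifted, inside the decoded device code.
EVOSTS_SHIFTED = bytes.fromhex("1515d9bd4dd1cd05c9d1a599858dd1cc")


def b64url_decode(value):
    """Decode URL-safe base64, tolerating stripped '=' padding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def shift_left(data, bits):
    """Shift the whole buffer left by 0-7 bits, treating it as one big-endian bit string."""
    if bits == 0 or not data:
        return data
    width = 8 * len(data)
    n = (int.from_bytes(data, "big") << bits) & ((1 << width) - 1)
    return n.to_bytes(len(data), "big")


def find_marker(blob, marker=MARKER):
    """Return (bit_shift, byte_offset) for the first alignment exposing marker, else None."""
    for bits in range(8):
        offset = shift_left(blob, bits).find(marker)
        if offset != -1:
            return bits, offset
    return None


def inspect_post_body(body):
    """Look for the marker in the 'dc' field of a form-encoded POST body."""
    values = parse_qs(body).get("dc")
    if not values:
        return None
    try:
        blob = b64url_decode(values[0])
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return find_marker(blob)


# Constructed sample: 4 filler bytes + rule bytes + 2 filler bytes, padding stripped.
_RAW = b"\x00\x01\x02\x03" + EVOSTS_SHIFTED + b"\xaa\xbb"
SAMPLE_BODY = "dc=" + base64.urlsafe_b64encode(_RAW).decode().rstrip("=")

if __name__ == "__main__":
    print(SAMPLE_BODY)
    print(inspect_post_body(SAMPLE_BODY))
```
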

The combination of the bitshift and the URL-safe base64 can be used together in a single YARA detection string to reduce false positives drastically. This string is shown in the next figure.

Figure 11: Entra ID security token YARA detection string.

Network detection

The network traffic pattern generated by this device code phishing kit can be used to detect the two initial phases of the attack flow. Detection relies on three clusters of network activity. The traffic pattern is shown in the figure below. The phishing landing page visit and initial Microsoft authentication popup are shown as a cluster in blue, marked 1 to 5.

The next cluster is the second phase of Microsoft authentication after the victim has entered the code. These are shown in red and marked 6 to 10. Finally, the third cluster is the beacon POST sent every four seconds after the first Microsoft authentication phase has started.

Figure 12: Phishing kit network traffic.

The sequence of hostname resolutions in the first two clusters can be used to identify the two phases of this hostile activity on a network. These two sequences are the following:

Sequence 1:

  1. <phishing page hostname>
  2. aka.ms
  3. login.microsoftonline.com
  4. aadcdn.msftauth.net
  5. login.live.com

Sequence 2:

  1. login.microsoftonline.com
  2. aadcdn.msftauth.net
  3. login.microsoftonline.com
  4. browser.events.data.microsoft.com
  5. login.live.com

The Microsoft authentication alone is not malicious. However, observing it in the same timespan and from the same endpoint as the four-second beaconing identifies this traffic as potentially malicious and requiring closer investigation.
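One way to hunt for this correlation in endpoint network logs, as an added example that is not tooling from the original post: it looks for Sequence 1 after an unknown hostname, requires four-second POST beaconing to that same hostname, and then notes whether Sequence 2 followed. The log line format, the time window, the jitter tolerance and the minimum interval count are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Hostname sequences listed in the post.
SEQ1_TAIL = ["aka.ms", "login.microsoftonline.com", "aadcdn.msftauth.net", "login.live.com"]
SEQ2 = ["login.microsoftonline.com", "aadcdn.msftauth.net", "login.microsoftonline.com",
        "browser.events.data.microsoft.com", "login.live.com"]
MS_HOSTS = set(SEQ1_TAIL) | set(SEQ2)

BEACON = 4.0         # from the post: POST loop period in seconds
TOLERANCE = 1.0      # assumption: allowed jitter around the period
MIN_INTERVALS = 3    # assumption: consecutive ~4 s gaps needed to call it a beacon
SEQ1_WINDOW = 120.0  # assumption: seconds for Sequence 1 to complete
SEQ2_WINDOW = 900.0  # assumption: seconds to wait for Sequence 2


def parse(lines):
    """Parse 'ISO-timestamp client DNS|POST hostname' lines into per-client events."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, kind, host = line.split()
        t = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        per_client[client].append((t, kind, host.lower()))
    for events in per_client.values():
        events.sort(key=lambda e: e[0])  # stable: ties keep their log order
    return per_client


def match_in_order(dns, pattern, start, deadline):
    """Return the index after the last match if pattern occurs in order, else None."""
    want = 0
    for i in range(start, len(dns)):
        t, host = dns[i]
        if t > deadline:
            return None
        if host == pattern[want]:
            want += 1
            if want == len(pattern):
                return i + 1
    return None


def beacons(posts, host):
    """True if POSTs to host show MIN_INTERVALS consecutive gaps of about BEACON seconds."""
    times = [t for t, h in posts if h == host]
    run = 0
    for a, b in zip(times, times[1:]):
        run = run + 1 if abs((b - a) - BEACON) <= TOLERANCE else 0
        if run >= MIN_INTERVALS:
            return True
    return False


def detect(lines):
    """Flag clients where Sequence 1 and beaconing to the same unknown host coincide."""
    findings = []
    for client, events in parse(lines).items():
        dns = [(t, h) for t, k, h in events if k == "DNS"]
        posts = [(t, h) for t, k, h in events if k == "POST"]
        for i, (t, host) in enumerate(dns):
            if host in MS_HOSTS:
                continue
            end1 = match_in_order(dns, SEQ1_TAIL, i + 1, t + SEQ1_WINDOW)
            if end1 is None or not beacons(posts, host):
                continue
            end2 = match_in_order(dns, SEQ2, end1, t + SEQ2_WINDOW)
            findings.append({"client": client, "lure_host": host,
                             "code_entered": end2 is not None})
            break
    return findings


# Constructed log: 10.0.0.5 follows the kit's pattern, 10.0.0.9 is an ordinary sign-in.
D = "2026-06-01T10:00:"
SAMPLE_LOG = (
    [D + "00Z 10.0.0.5 DNS docs.lure.example"]
    + [f"{D}{5 + n:02d}Z 10.0.0.5 DNS {h}" for n, h in enumerate(SEQ1_TAIL)]
    + [f"{D}{s:02d}Z 10.0.0.5 POST docs.lure.example" for s in (9, 13, 17, 21)]
    + [f"{D}{30 + n:02d}Z 10.0.0.5 DNS {h}" for n, h in enumerate(SEQ2)]
    + [D + "40Z 10.0.0.9 DNS intranet.example"]
    + [f"{D}{41 + n:02d}Z 10.0.0.9 DNS {h}" for n, h in enumerate(SEQ1_TAIL[1:])]
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```
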

Device code phishing: A growing threat

Device code phishing represents a growing threat because it leverages legitimate Microsoft authentication infrastructure, making the attack more convincing and difficult for users to recognize. In the campaign analyzed here, adversaries combined realistic business-themed lures, a polished phishing kit, and Microsoft's Device Authorization Grant flow to facilitate account takeover without collecting passwords directly.

Recommendations

Organizations should educate users to recognize device code authentication prompts, monitor for unusual device authorization activity, and review Microsoft Entra ID sign-in logs for device code grant usage. Defenders should also deploy detections for the phishing kit artifacts described in this report, including landing page indicators, device code telemetry, and the characteristic network traffic pattern associated with the attack workflow.

YARA rule

rule DeviceCode_Phishing_LandingPageHTML
{
    meta:
        author = "Malware Utkonos"
        date = "2026-05-20"
        description = "Detects Device Code phishing kit landing page HTML."
    strings:
        $login_akam = "aka.ms/devicelogin"
        $login_msft = "microsoft.com/devicelogin"
        $login_mso1 = "login.microsoftonline.com/common/oauth2/deviceauth"
        $login_mso2 = "login.microsoftonline.com/common/oauth2/v2.0/deviceauth"
        $login_live = "login.live.com/oauth20_remoteconnect.srf"
        $login_link = "microsoft.com/link"

        $unicode_zws = { E2808B }
        $unicode_zwnj = { E2808C }
        $unicode_wj = { E281A0 }

        $dc = "\"dc="

        $evosts = "\x15\x15\xd9\xbd\x4d\xd1\xcd\x05\xc9\xd1\xa5\x99\x85\x8d\xd1\xcc" base64("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

    condition:
        any of ($login*) and
        any of ($unicode*) and
        $dc and $evosts and
        filesize < 1MB
}

Indicators of Compromise (IoCs)

URLs

