saroula01 is a threat actor handle associated with a Microsoft 365 phishing operation centered on abuse of Microsoft OAuth device code flow rather than traditional credential theft. The actor is linked to development and operation of the black-queen framework, an Evilginx-derived phishing platform adapted for device-code-based account compromise. In this tradecraft, victims are lured to themed pages impersonating common enterprise services and instructed to enter a legitimate device code on Microsoft’s real authentication portal, allowing the attacker to obtain and maintain authorized tokens without directly collecting the victim’s password. This approach enables compromise even when multifactor authentication is enforced, because the victim completes authentication on genuine Microsoft infrastructure while authorizing the attacker’s session. The actor’s campaign appears to have operated for more than a year and was notable for scale and persistence, with hundreds of confirmed victims across roughly a dozen countries. The overwhelming majority of observed victims were corporate Microsoft 365 accounts, including organizations in professional services, legal, SME, and public-sector environments. Recovered token data indicated systematic use of automatic token refresh, supporting long-lived access after initial compromise. Black-queen incorporated multiple preconfigured lure themes themed around widely used business services, along with a web dashboard and features for post-compromise session handling. Reported functionality included generation of session artifacts and use of Microsoft Graph API capabilities to access mailbox content. Unlike adversary-in-the-middle phishing kits that steal session cookies during proxied logins, saroula01’s operation relied on device code authorization and backend polling of the token endpoint until access tokens were issued. Saroula01 is also associated with signs of AI-assisted development in the surrounding tooling. No high-confidence public attribution to a specific real-world identity or state sponsor is currently available. The actor is best understood as an opportunistic cybercriminal operator focused on Microsoft 365 account compromise through OAuth device code phishing, with black-queen as the primary known associated framework.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
8 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Running a Microsoft 365 phishing campaign based on OAuth device code flow abuse, using an Authenticator-themed lure to trick victims into completing legitimate Microsoft authentication and MFA on microsoft.com/devicelogin, after which the operator captures and refreshes tokens.
Developed and operated the black-queen framework focused on Microsoft 365 Device Code Flow phishing, capturing OAuth access and refresh tokens and maintaining persistent access through automatic token refresh.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.