IOK Rules

Discord phishing kit that uses a external application invite as a lure, as well as the real DiscordServer discord bot logo to make it seem legitmate. Once the user clicks the button labelled authorize it will open a pop-up window mimicking the Discord login page pretty poorly. This rule uses the fact that the same CSS file name is used across all domains that use this kit.

Discord Hypesquad phishing kit containing a comment left behind by the supposed developer of the kit. As well as a unique nonce value that is present.

Discord Nitro phishing kit containing a reused image asset.

Detects a Discord oAuth2 scam confirmation page, which is often used in combination with social engineering to get the user to authorize for a spam application. This for example enables the attacker to add the victims into further scam/advertised servers using the 'guilds.join' scope.