{
	"id": "85b86efc-e336-4c07-9596-ae42062269b0",
	"created_at": "2026-04-06T00:15:07.885045Z",
	"updated_at": "2026-04-10T03:36:45.713424Z",
	"deleted_at": null,
	"sha1_hash": "bb2f4249a629254ae0f9ed4079f5d87cccc027da",
	"title": "Access granted: phishing with device code authorization for account takeover | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1896152,
	"plain_text": "Access granted: phishing with device code authorization for account\r\ntakeover | Proofpoint US\r\nBy December 18, 2025 The Proofpoint Threat Research Team\r\nPublished: 2025-12-16 · Archived: 2026-04-05 13:18:17 UTC\r\nKey findings \r\nProofpoint is tracking multiple threat clusters - both state-aligned and financially-motivated - that are using various\r\nphishing tools to trick users into giving access to M365 accounts via OAuth device code authorization.  \r\nSuccessful compromise leads to account takeover, data exfiltration, and more.  \r\nThreat actors are using the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 user accounts by\r\napproving access for various applications.  \r\nOverview \r\nSocial engineering is a tactic used by threat actors to trick a user into taking an action, for example adding an application on\r\ntheir system, or divulging confidential information. Techniques like ClickFix highlight how threat actors use security-themed issues to trick users into taking an action, leveraging legitimate tools and services to gain unauthorized\r\naccess. Device code phishing is another way threat actors are abusing enterprise resources for account takeovers.  \r\nProofpoint Threat Research has observed multiple threat clusters using device code phishing to trick\r\nusers into granting a threat actor access to their Microsoft 365 account. In general, an attacker will socially\r\nengineer someone into logging into an application with legitimate credentials. The service generates a token that is then\r\nobtained by the threat actor. This gives them control over the M365 account.  \r\nProofpoint has previously observed targeted malicious and limited red team activity leveraging device code phishing. But by\r\nSeptember 2025, we observed widespread campaigns using these attack flows, which was highly unusual. \r\nIn recently observed activity, campaigns begin with an initial message with a URL embedded behind a button, as\r\nhyperlinked text, or within a QR code. When a user visits the URL, it initiates an attack sequence leveraging the legitimate\r\nMicrosoft device authorization process. Once initiated, the user is presented with a device code.  It is either presented\r\ndirectly on the landing page or received in a secondary email from the threat actor. The lures typically claim that the device\r\ncode is an OTP and direct the user to input the code at Microsoft’s verification URL. Once the user inputs the code, the\r\noriginal token is validated, giving the threat actor access to the targeted M365 account.  \r\nIn observed campaigns, some messages directly claim to be token re-authorization notifications, while others use different\r\nlures to trick the user into clicking a URL, which leads to an attack chain that ends with application authorization.   \r\nWhile this is not necessarily a novel technique, it is notable to see it used increasingly by multiple threat clusters including a\r\ntracked cybercriminal threat actor, TA2723. Proofpoint threat researchers have identified a malicious application for sale on\r\nhacking forums, which could be used for this type of campaign. Additionally, red team tools are available – such\r\nas Squarephish and SquarephishV2– that can be used for this type of attack. These tools help threat actors mitigate the short-lived nature of device codes, enabling larger campaigns than were previously possible. \r\nThe tools \r\nSquarePhish2 Tool \r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 1 of 14\n\nSquarePhish is a phishing tool that enables threat actors to target the OAuth Device Grant Authorization flow in\r\ncombination with QR codes to compromise Microsoft accounts. It was originally published in 2022 by Dell\r\nSecureWorks.  In 2024, an updated version – SquarePhish2 – was published on GitHub by an independent researcher. The\r\nattack chain is effective because it mimics the legitimate process that a user would follow to configure TOTP multifactor\r\nauthentication. The attack begins with a phishing email containing a QR code that directs users to a website hosted on an\r\nattacker-controlled SquarePhish2 server. Upon scanning the QR code, the user is redirected to Microsoft’s legitimate\r\nauthentication page, while the server initiates the OAuth Device Authorization Grant flow using a preconfigured client ID.  \r\nA second email is then sent to the user from a Microsoft tenant, containing the device code, prompting them to complete the\r\nauthentication process. SquarePhish2 can also automatically redirect users to the verification page, without needing\r\nto prompt for a second email. Once the user enters the code and authenticates, the tool polls the Microsoft endpoint for\r\naccess. While SquarePhish2 offers advanced capabilities, its user-friendly configuration and automation features mean that it\r\ndoes not require deep technical expertise to operate, making it accessible to a broader range of threat actors. The\r\nultimate objective is unauthorized access to sensitive Microsoft account data, enabling further exploitation such as account\r\ntakeover, lateral movement, data exfiltration, or persistence within targeted environments. \r\nGraphish tool\r\nThreat actors have increasingly adopted tools like the Graphish phishing kit to target Microsoft accounts with efficiency. The\r\ntool was shared in criminal hacking forums, where members are vetted, and made available for free. This tool has a\r\nmultitude of capabilities, including facilitating the creation of highly convincing phishing pages by leveraging Azure App\r\nRegistrations and reverse proxy setups for adversary-in-the-middle (AiTM) attacks, hosted on attacker-controlled\r\ninfrastructure. A typical AiTM attack begins with the user receiving a phishing message containing a link to a malicious\r\nwebpage design to mimic a legitimate login page. The fake domain is connected to a reverse proxy server, which relays\r\ntraffic between the user and the actual service. When the user enters their credentials, they are instantly intercepted by the\r\nattacker. If the user successfully completes an MFA challenge (like entering a one-time code), this enables a complete\r\nsession hijacking.  \r\nThe attack requires the actor to own a domain name and register an SSL certificate, to enhance the credibility of the phishing\r\nsite. By registering an application in Azure and extracting the client ID, the attacker can initiate OAuth-based\r\nphishing attempts that prompt users to grant access to their Microsoft accounts. For targeting enterprise environments, the\r\ntool includes guidance on bypassing organizational restrictions by verifying the malicious app with Azure, which increases\r\nits success rate against accounts. Similar to Squarephish, the tool is designed to be user-friendly and does not require\r\nadvanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct\r\nsophisticated phishing campaigns. The ultimate objective is unauthorized access to sensitive personal or organizational data,\r\nwhich can be exploited for credential theft, account takeover, and further compromise. \r\nCampaigns \r\n“Salary Bonus + Employer Benefits Reports 25” \r\nProofpoint tracks multiple campaigns leveraging OAuth device code phishing. For example, on 8 December,\r\nresearchers identified a campaign that used a shared document reminder alert to trick users into clicking a Google Share\r\nURL hyperlinked as text, to access a fictitious document called “Salary Bonus + Employer Benefit Reports 25”. Email\r\nmessages were sent from attacker-controlled addresses and claimed to be the file. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 2 of 14\n\nFigure 1: Example of phishing message purporting to be “Salary Bonus + Employer Benefits Reports 25”.\r\nOnce clicked, the URL embedded in the email leads the user to an attacker-controlled website with a domain that is\r\nlocalized according to browsing IP and shows the targeted company branding. The website prompts the user to input their\r\nemail address. Once done, the user is presented with a pop-up to “complete secure authentication” that includes a code and\r\ndirections to input that code on the legitimate Microsoft device authorization page - hxxps://microsoft.com/devicelogin. This\r\npop-up is purporting to be for MFA-token secure authentication. However, inputting the provided code into the Microsoft-provided OAuth page provides the threat actor access to the user’s Microsoft 365 account.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 3 of 14\n\nFigure 2: Redirection to adding authorized device. \r\nTA2723  \r\nTA2723 is a financially-motivated, high-volume credential phishing threat actor that is notable for its campaigns spoofing\r\nMicrosoft OneDrive, Linkedin and DocuSign. Beginning October 2025, Proofpoint Threat Research observed TA2723\r\nconducting OAuth device code phishing. \r\nIn one campaign from 9 to 10 October, the email messages purported to be “[organization\r\nname] OCTOBER_SALARY_AMENDED RefID:6962_yslFRVQnQ”. The email message body appeared as if a document\r\nhad been shared with the recipient and was customized to show the recipient’s name and the name of the shared file,\r\nconsistent with the subject line. The message contained a virtoshare.com URL embedded as a “button” to Open the file.  \r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 4 of 14\n\nFigure 3: Example TA2723 email message. \r\nWhen clicked, the recipient is redirected to a device code authorization page where they are prompted to input their email\r\naddress and click a button to generate the one-time passcode (OTP).  \r\nFigure 4: URL redirect from email message to OTP generation site\r\nWhen clicked, the URL behind this button - which then shows as “Access Document” - is updated to redirect the user to the\r\nlegitimate device authorization page from Microsoft, where they will have authorized access to the attacker-controlled\r\napplication.  \r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 5 of 14\n\nFigure 5: OTP and updated 'Access Document' button URL redirect. \r\nProofpoint Threat Research suspects that SquarePhish2 could have been used in this TA2723 campaign from 6 to 8\r\nOctober, and the Graphish kit could have been used in a second wave of this campaign from 9 to 10\r\nOctober. The assessment is due to the timing and evolution of the campaigns, TTP changes, and that the Graphish kit had\r\nbeen recently published on the vetted forum in the prior weeks. A successful attack would enable the threat actor to have\r\naccess to the user’s M365 account, which could lead to account takeover, data exfiltration, lateral movement, and other\r\nfollow-on activity.  \r\nState-aligned threat actors using device code phishing \r\nSince January 2025, Proofpoint Threat Research has tracked multiple state-aligned threat actors abusing OAuth device code\r\nauthorization for account takeover, which aligns with a wider trend of state-aligned threat actors increasingly\r\nadopting password-less phishing techniques. This technique has been most widely used by Russia-aligned threat actors, as\r\nnoted in prior public reporting by Volexity covering the initial adoption of this technique. We have also observed suspected\r\nChina-aligned activity and other unattributed espionage campaigns using this attack vector.  \r\nState-aligned threat actors often conduct patient rapport building via benign outreach prior to a device code phishing\r\nattempt, with some campaigns showing evidence of multi-channel targeting via both email and other communication\r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 6 of 14\n\nchannels. One particularly notable threat actor we have observed conducting device code phishing since at least September\r\n2025 is a suspected Russia-aligned group we are tracking as UNK_AcademicFlare.  \r\nUNK_AcademicFlare activity \r\nSince September 2025, Proofpoint has observed UNK_AcademicFlare using compromised email addresses belonging to\r\nmultiple government and military organizations to target entities within government, think tank, higher education, and\r\ntransportation sectors in the U.S. and Europe. Typically, these compromised email addresses are used to conduct benign\r\noutreach and rapport building related to the targets’ area of expertise to ultimately arrange a fictitious meeting or interview.\r\nThe threat actor then claims to share a document with questions or topics for the target to review. To do so, they provide a\r\nlink to a Cloudflare Worker URL that spoofs a OneDrive account associated with the compromised sender’s organization,\r\nwhich leads to a device code phishing workflow. \r\nFigure 6: UNK_AcademicFlare benign conversation starter. \r\nFigure 7: UNK_AcademicFlare email linking to Cloudflare worker URL. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 7 of 14\n\nIn the above example, UNK_AcademicFlare sent a benign conversation starter email to an individual working for a U.S.\r\nuniversity using a compromised Zambian government email address. The threat actor later provided a link to a Cloudflare\r\nWorker domain spoofing a Zambian government OneDrive account: onedrive[.]gov-zm[.]workers[.]dev. \r\nFigure 8: UNK_AcademicFlare Cloudflare worker device code landing page. \r\nThis link redirects to a landing page stating that the sender has shared a document and instructs the user to copy the provided\r\ncode and click 'Next' to gain access. The presented code is a unique device code that is dynamically generated for the target\r\nand clicking 'Next' redirects the user to the Microsoft device code\r\nlogin URL  hxxps://login.microsoftonline[.]com/common/oauth2/deviceauth. \r\nProofpoint assesses that UNK_AcademicFlare is likely a Russia-aligned threat actor based on the targeting of Russia-focused specialists at multiple think tanks, as well as government and energy sector organizations in Ukraine. This\r\nassessment is further supported by the actor’s repeated use of Russia and Ukraine-themed lure content and reliance on\r\ndevice code phishing techniques.   \r\nRecommendations \r\nBlock device code flow where possible \r\nThe strongest mitigation is to create a Conditional Access policy using the Authentication Flows condition to block device\r\ncode flow for all users. Conditional Access policies can first be deployed in a report only mode, or the ‘Policy impact’\r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 8 of 14\n\nviewed over historic sign in log records, to determine the impact for an environment.  \r\nIf blocking device code flow completely is not feasible, Conditional Access can be used to create an allow-list approach\r\nbased on accepted use cases. For example, only enabling device code authentication for approved users, operating systems,\r\nor IP ranges such as using ‘Named locations’. \r\nRequire compliant or joined devices \r\nIf organizations use device registration or Intune, Conditional access policies requiring that sign ins originate from a\r\ncompliant or registered device will protect users from device code phishing. This should be deployed as a defense in depth\r\nstrategy, as there will likely be exclusions from this requirement, when compared with a dedicated device code flow policy.  \r\nEnhance user awareness regarding device code phishing attacks  \r\nTraditional phishing awareness often emphasizes checking URLs for legitimacy. This approach does not effectively address\r\ndevice code phishing, where users are prompted to enter a device code on the trusted Microsoft\r\nportal hxxps://microsoft.com/devicelogin. User training should include guidance on not entering device codes received from\r\nuntrusted sources.  \r\nConclusion \r\nFrom the use of malicious OAuth applications for persistent access to the abuse of legitimate Microsoft authentication flows\r\nwith device codes, threat actors’ tactics to achieve account takeover are evolving with quick adoption across the threat\r\nlandscape. These campaigns rely heavily on social engineering, most often using lures with embedded URLs or QR codes to\r\ntrick users into thinking they are securing their accounts. Proofpoint tracks multiple threat clusters that are using this device\r\ncode authentication technique and recommends that organizations strengthen OAuth controls and enhance user awareness\r\nand education about these evolving threats. Proofpoint assesses that the abuse of OAuth authentication flows will continue\r\nto grow with the adoption of FIDO compliant MFA controls. \r\nIndicators of compromise \r\nCampaign Indicators \r\nIndicator  Type  Description \r\nFirst\r\nSeen \r\nhxxps://sharefile.progressivesharepoint.top/  URL  Phishing landing page \r\n20-\r\nOct-2025 \r\nhxxps://progressiveweba.z13.web.core.windows.net  URL  Redirector \r\n20-\r\nOct-2025 \r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 9 of 14\n\nhxxps://agimplfundmgt.z13.web.core.windows.net  URL  Redirector \r\n20-\r\nOct-2025 \r\nhxxps://blackrockfundmgt.z13.web.core.windows.net  URL  Redirector \r\n20-\r\nOct-2025 \r\nrobert.pena@FirstTrustAdvisorsLP.onmicrosoft.com \r\nEmail\r\naddress \r\nSender email address \r\n20-\r\nOct-2025 \r\nhxxps://onlinedocuments-\r\n[OrganizationName].vxhwuulcnfzlfmh.live/application/a[PII_Linkable_hex]9 \r\nURL \r\nDevice code generation\r\nlanding page \r\n14-\r\nOct-2025 \r\nhxxps://onlinedocuments-\r\n[OrganisationName].vxhwuulcnfzlfmh.live/token/request?\r\nid=a[PII_Linkable_hex]9 \r\nURL  OTP generation  \r\n14-\r\nOct-2025 \r\nxgjtvyptrjlsosv.live  Domain  OTP generation \r\n9-\r\nOct-2025 \r\n196.251.80.184  IP  OTP generation \r\n9-\r\nOct-2025 \r\nvaultally.com  Domain  Sender email domain \r\n14-\r\nOct-2025 \r\ndocifytoday.com  Domain  Sender email domain \r\n14-\r\nOct-2025 \r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 10 of 14\n\nfiletix.com  Domain  Sender email domain \r\n14-\r\nOct-2025 \r\nnebulafiles.com  Domain  Sender email domain \r\n14-\r\nOct-2025 \r\nnovodocument.com  Domain  Sender email domain \r\n14-\r\nOct-2025 \r\nspacesdocs.com  Domain   Sender email domain \r\n14-\r\nOct-2025 \r\nhxxps://www.vaultaliy.com/a[PII_Linkable_hex]9  URL  Link in email message \r\n14-\r\nOct-2025 \r\nhxxps://www.virtoshare.com/99[PII_Linkable]e9  URL  Link in email message \r\n9-\r\nOct-2025 \r\nhxxps://onlinedocuments-\r\n[OrganisationName].xgjtvyptrjlsosv.live/application/99[PII_Linkable]e9 \r\nURL \r\nDevice code generation\r\nlanding page \r\n9-\r\nOct-2025 \r\nhxxps://onlinedocuments-\r\n[OrganisationName].xgjtvyptrjlsosv.live/token/request?\r\nid=99[PII_Linkable]e9 \r\nURL  OTP generation \r\n9-\r\nOct-2025 \r\nno-reply.doc333@ksmus.virtoshare.com \r\nEmail\r\naddress \r\nSender email address \r\n9-\r\nOct-2025 \r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 11 of 14\n\nacxioswan.com  Domain  Sender email domain \r\n9-\r\nOct-2025 \r\nacxishare.com  Domain  Sender email domain \r\n9-\r\nOct-2025 \r\ncollabodex.com  Domain  Sender email domain \r\n9-\r\nOct-2025 \r\ninfoldium.com  Domain  Sender email domain \r\n9-\r\nOct-2025 \r\nhxxps://www.renewauth.com/3a[PII_Linkable]59  URL  Link in email message \r\n6-\r\nOct-2025 \r\nhxxps://www.myfilepass.com/69[PII_Linkable]ed  URL  Link in email message \r\n6-\r\nOct-2025 \r\nhxxps://login.microsoftonline.com/common/oauth2/deviceauth[Abused]  URL  Device code prompt \r\n6-\r\nOct-2025 \r\nrenewauth.com  Domain  Sender email domain \r\n6-\r\nOct-2025 \r\nmyfilepass.com  Domain  Sender email domain \r\n6-\r\nOct-2025 \r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 12 of 14\n\nconfidentfiles.com  Domain  Sender email domain \r\n6-\r\nOct-2025 \r\nmagnavite.com  Domain  Sender email domain \r\n6-\r\nOct-2025 \r\n97d7e46b-1bff-4f24-b262-8b0b3914d88a.us5.azurecomm.net  URL \r\nDevice code message\r\nsender \r\n6-\r\nOct-2025 \r\nbluecubecapital.com  Domain \r\nSender email address\r\ndomain \r\n29-\r\nSept-2025 \r\nallspringglobalinvestmentsllc.onmicrosoft.com  Domain \r\nSender email address\r\ndomain \r\n29-\r\nSept-2025 \r\naresmanagementllc.onmicrosoft.com  Domain \r\nSender email address\r\ndomain \r\n29-\r\nSept-2025 \r\ncitadeladvisorsllc.onmicrosoft.com  Domain \r\nSender email address\r\ndomain \r\n29-\r\nSept-2025 \r\ncpuhp.onmicrosoft.com  Domain \r\nSender email address\r\ndomain \r\n29-\r\nSept-2025 \r\nmillenniummanagementllc.onmicrosoft.com  Domain \r\nSender email address\r\ndomain \r\n29-\r\nSept-2025 \r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 13 of 14\n\nhxxps://clientlogin.blitzcapital.net/  URL  Device code prompt \r\n29-\r\nSept-2025 \r\nhxxps://onedrive[.]gov-zm[.]workers[.]dev  URL  Redirector \r\n5-\r\nNov-2025 \r\nhxxps://portal.msprogresssharefile.cloud/  URL  Landing Page \r\n2-\r\nDec-2025 \r\nhxxps://sharingfilesystems.z13.web.core.windows.net  URL  Redirector \r\n2-\r\nDec-2025 \r\nhxxps://myapplicationinterfaces.s3.eu-north-1.amazonaws.com/index.html  URL  Redirector \r\n2-\r\nDec-2025 \r\nhxxps://corphostedfileservices.s3.eu-north-1.amazonaws.com/auth.html  URL  Redirector \r\n2-\r\nDec-2025 \r\nReferences\r\nhttps://aadinternals.com/post/phishing/#new-phishing-technique-device-code-authentication  \r\nhttps://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/  \r\nhttps://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks  \r\nhttps://github.com/nromsdahl/squarephish2  \r\nhttps://www.praetorian.com/blog/introducing-github-device-code-phishing/  \r\nhttps://www.calypt.com/blog/index.php/a-phishing-technique-for-compromising-office-365-azure-ad-accounts/ \r\nhttps://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html \r\nhttps://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code  \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nhttps://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover"
	],
	"report_names": [
		"access-granted-phishing-device-code-authorization-account-takeover"
	],
	"threat_actors": [
		{
			"id": "e328f450-3b7d-47dd-9257-1bcb6240cf7b",
			"created_at": "2026-02-11T02:00:03.945688Z",
			"updated_at": "2026-04-10T02:00:03.970941Z",
			"deleted_at": null,
			"main_name": "UNK_AcademicFlare",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_AcademicFlare",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2224f8c7-25ea-40fa-89a1-c4c0286f26b3",
			"created_at": "2026-03-24T02:00:04.634332Z",
			"updated_at": "2026-04-10T02:00:03.990829Z",
			"deleted_at": null,
			"main_name": "TA2723",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2723",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434507,
	"ts_updated_at": 1775792205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb2f4249a629254ae0f9ed4079f5d87cccc027da.pdf",
		"text": "https://archive.orkl.eu/bb2f4249a629254ae0f9ed4079f5d87cccc027da.txt",
		"img": "https://archive.orkl.eu/bb2f4249a629254ae0f9ed4079f5d87cccc027da.jpg"
	}
}