[len29ttt]

Hello everyone, 

So basically lets say I set up a discord phishing site and the user falls for it and I get their credentials. Lets also assume the password is different to their gmail or any other one and just works for discord.. How can I get in their account? If you try logging in to a discord account from another IP Address, discord will say "New login location detected" and you have to go to your gmail and verify from a new location. 

To get someone's discord token you can make them download malware, scan a QR Code or trick them using any method to get their token. But im wondering, is it possible to get someones token from phishing? Ive seen many discord scams where they set up discord phishing sites and then are able to infiltrate into the account.. how? Is there any way to be able to bypass this new login location detected? is there a way to get someone's discord token from phishing from just their login credentials? are discord phishing sites just not useful? 

Please tell me and thanks.

[ireliafromionia]

basically you need to get the token that the user is using at that moment, to do this get the stored token from the user's browser and use the token to log in, you will skip any validation, except the token one, most users don't know how validate your tokens, look at my last post

[hxl6mp]

Just make the site phish their discord cookie, when you login through cookie it doesn't log any "suspicious activity"

[Breach_Forums]

A standard phishing login page generally won't capture a Discord token since tokens are session-based and accessible only from the user's device. In a legitimate test, you might simulate this type of attack by getting the user to run disguised malicious software that can extract the token, but it requires user interaction beyond just entering credentials.