A newly identified phishing kit named EvilTokens is enabling cybercriminals to hijack Microsoft accounts using advanced device code phishing techniques, significantly raising the risk of business email compromise (BEC) attacks. The toolkit, currently distributed via Telegram, is actively being developed, with its creator planning to expand capabilities to include phishing templates for platforms like Gmail and Okta.
EvilTokens leverages a well-known but increasingly abused technique called device code phishing, which exploits the OAuth 2.0 device authorization flow. In this attack method, victims are tricked into authorizing a malicious device, unknowingly granting attackers access to their accounts. This technique has previously been used by multiple threat actors, including groups such as Storm-237, UTA032, and ShinyHunters, highlighting its effectiveness in real-world attacks.
Victims receive messages containing attachments or links (PDF, HTML, DOCX, XLSX, or SVG) embedded with QR codes or URLs leading to phishing pages. These lures impersonate legitimate business communications such as:
- Financial documents
- Payroll notifications
- Meeting invites
- Purchase orders
- Shared files via services like DocuSign or SharePoint
The attacks are often tailored to employees in finance, HR, logistics, and sales roles.
Once the victim clicks the link, they are directed to a fake page mimicking trusted services like Adobe Acrobat or DocuSign. The page displays a verification code and instructs the user to proceed with authentication. When the victim clicks “Continue to Microsoft,” they are redirected to a legitimate Microsoft login page. At the same time, the attacker initiates a device authorization request using a legitimate Microsoft application and obtains a device code. By entering the code and completing authentication, the victim unknowingly grants the attacker access to their account.
Once access is granted, attackers receive valid authentication tokens, allowing them to:
- Access emails and files
- View Microsoft Teams data
- Perform single sign-on (SSO) impersonation across services
These capabilities enable highly effective business email compromise (BEC) attacks, including financial fraud and internal impersonation. Sekoia’s analysis shows that EvilTokens campaigns are already operating at a global scale, with the most impacted regions including the United States, Canada, France, Australia, India, Switzerland, and the UAE. The phishing kit operates under a phishing-as-a-service (PhaaS) model, offering automation features that streamline large-scale BEC operations for cybercriminals.
To reduce risk, organizations should educate users not to enter verification codes from unsolicited messages, as these are often used in phishing or social engineering attacks. Security teams should closely monitor unusual authentication patterns, particularly device code login attempts that may indicate abuse. Implementing conditional access policies and enforcing strong identity controls such as multi-factor authentication and device compliance can further strengthen defenses. Additionally, leveraging threat intelligence, indicators of compromise (IoCs), and predefined detection rules helps identify and respond to potential threats more effectively.
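As an added example that is not part of the article or of Sekoia's analysis, the detection pass below runs over constructed Entra ID sign-in records and flags every device code authentication, raising severity when the completing user's country is absent from their recent non-device-code baseline (the shape a victim produces after entering an attacker's code). It assumes the Microsoft Graph sign-in log field names `authenticationProtocol` (value `deviceCode`), `appDisplayName`, `ipAddress` and `location.countryOrRegion`; the records and user names are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft Graph / Entra ID sign-in
# log entries (assumed schema; only the fields the rule needs are present).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-10T08:02:11Z", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "FR"}},
    {"createdDateTime": "2025-01-10T09:15:40Z", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "FR"}},
    # Device code completion tied to a country never seen for this user: the
    # pattern a device-code phishing victim produces after entering the code.
    {"createdDateTime": "2025-01-10T09:31:05Z", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}},
    # Device code sign-in from the user's usual country: still reviewed, lower severity.
    {"createdDateTime": "2025-01-10T10:00:00Z", "userPrincipalName": "bob@example.test",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "FR"}},
    {"createdDateTime": "2025-01-09T10:00:00Z", "userPrincipalName": "bob@example.test",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "FR"}},
]

def _ts(s):
    # Sign-in timestamps are UTC ISO-8601 with a trailing "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def device_code_alerts(signins, baseline_days=30):
    """One alert per device-code sign-in. Severity is 'high' when the sign-in's
    country does not appear in the user's other (non-device-code) sign-ins
    within the baseline window ending at that sign-in, else 'medium'."""
    by_user = defaultdict(list)
    for rec in signins:
        by_user[rec["userPrincipalName"]].append(rec)
    alerts = []
    for user, recs in by_user.items():
        for rec in recs:
            if rec.get("authenticationProtocol") != "deviceCode":
                continue
            when = _ts(rec["createdDateTime"])
            start = when - timedelta(days=baseline_days)
            known = {r["location"]["countryOrRegion"] for r in recs
                     if r is not rec and r.get("authenticationProtocol") != "deviceCode"
                     and start <= _ts(r["createdDateTime"]) <= when}
            country = rec["location"]["countryOrRegion"]
            alerts.append({"user": user, "app": rec["appDisplayName"], "ip": rec["ipAddress"],
                           "country": country, "severity": "high" if country not in known else "medium"})
    return alerts
```

Every device code sign-in surfaces for review; the country check only orders the queue, since an attacker on the victim's usual network still produces the medium-severity alert.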
The emergence of EvilTokens highlights how attackers are increasingly abusing legitimate authentication mechanisms to bypass traditional security controls. As phishing techniques evolve, organizations must strengthen identity-based defenses and user awareness to counter these sophisticated threats.