A new phishing-as-a-service (PhaaS) campaign is abusing Microsoft’s device code authentication flow to gain unauthorized access to user accounts.
Sekoia researchers first spotted the toolkit, “EvilTokens,” which lets attackers capture authentication tokens by tricking users into completing a legitimate login process in Microsoft’s own environment.
The activity, observed since at least mid-February, relies on social engineering lures that prompt victims to enter a device code on a real Microsoft login page, Sekoia researchers noted in a blog post. “To compromise Microsoft 365 accounts, EvilTokens pages rely on device code phishing, a technique that differs from the common AitM tactic of replicating Microsoft authentication pages,” the researchers said.
The PhaaS toolkit offers its affiliates a host of features, including modules for access weaponization, email harvesting, reconnaissance capabilities, and a built-in webmail interface, all powered through AI automation, the researchers added.
EvilTokens was found operating through bots on Telegram, with a dedicated channel for kit upgrades. The campaign has so far mostly affected victims in countries including the US, Australia, Canada, France, India, Switzerland, and the UAE.
Device code authentication as an access broker
The campaign centers around the abuse of Microsoft’s device authorization grant flow, a feature designed to simplify logins for devices like smart TVs or command-line tools. EvilTokens repurposes this workflow by generating a legitimate device code and then tricking victims into entering it themselves on the official login page.
Once the victim completes authentication, the attacker receives access tokens tied to the session. These tokens can then be used to access Microsoft 365 services, including email and cloud resources, without triggering typical credential-based alerts.
Sekoia researchers noted that this technique sidesteps many conventional phishing detections. Because the authentication happens on a legitimate Microsoft domain, there is no credential interception in transit, and multi-factor authentication is completed just as it would be in a normal login flow.
The result is an account takeover that stems from what looks like expected user behavior.
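Because the sign-in itself is legitimate, the useful signal lives in the sign-in logs rather than in the credential exchange. The script below is an added example, not code from the article or from Sekoia: it scores exported Entra ID sign-in records that used the device code grant, assuming the Microsoft Graph sign-in log field names (authenticationProtocol, appDisplayName, location.countryOrRegion) and a constructed app allow-list, user baseline and set of records.

```python
# Added example, not Sekoia's or the article's code. Field names follow the
# Microsoft Graph signIn resource (authenticationProtocol, appDisplayName,
# location.countryOrRegion); records, allow-list and baseline are constructed.
from typing import Dict, Iterable, List, Set

# Apps a hypothetical organisation expects to use the device code grant.
APPROVED_DEVICE_CODE_APPS: Set[str] = {"Contoso Build Agent"}

# Countries each user normally signs in from (constructed baseline).
USER_BASELINE_COUNTRIES: Dict[str, Set[str]] = {
    "alice@example.com": {"FR"},
    "bob@example.com": {"FR"},
}

# Constructed sign-in records shaped like a Graph API export.
SAMPLE_SIGNINS: List[Dict] = [
    {"createdDateTime": "2025-03-03T09:12:44Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Contoso Build Agent", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "FR"}},
    {"createdDateTime": "2025-03-03T09:40:02Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Example Mail Client", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NG"}},
    {"createdDateTime": "2025-03-03T10:01:19Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Example Mail Client", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "FR"}},
]


def detect_device_code_signins(records: Iterable[Dict], baseline: Dict[str, Set[str]],
                               approved_apps: Set[str]) -> List[Dict]:
    """Return one alert per device code sign-in, scored by how unexpected it is:
    the grant is rare in most tenants, so every use is surfaced, and severity
    rises for non-allow-listed apps and countries outside the user's baseline."""
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # interactive/browser sign-ins are out of scope here
        user = rec.get("userPrincipalName", "")
        country = (rec.get("location") or {}).get("countryOrRegion", "")
        reasons = []
        if rec.get("appDisplayName") not in approved_apps:
            reasons.append("device code grant used by unapproved app")
        if country not in baseline.get(user, set()):
            reasons.append(f"sign-in country {country} outside user baseline")
        severity = ("low", "medium", "high")[len(reasons)]  # MFA passed, so no credential signal
        alerts.append({"time": rec.get("createdDateTime"), "user": user,
                       "app": rec.get("appDisplayName"), "ip": rec.get("ipAddress"),
                       "severity": severity, "reasons": reasons})
    return alerts
```

Even the low-severity alerts are worth reviewing in a tenant that has no legitimate device code clients, and a Conditional Access policy that blocks the device code flow outright removes the vector for users who never need it.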
A phishing package with post-compromise focus
Beyond the initial access vector, EvilTokens is structured as a full-service phishing platform. The kit provides affiliates with ready-to-use lures, infrastructure, and automation tools designed to carry out both the phishing phase and post-compromise activity.
The lures used in the campaign include fake SharePoint document notifications, DocuSign requests, and account alerts, all meant to urge users toward entering device codes. Once access is obtained, the platform enables inbox analysis, allowing attackers to identify high-value targets such as financial conversations or invoice threads.
“By leveraging the short-lived access token, the attacker can exfiltrate targeted user data for up to 60 minutes following the device code phishing attack,” they said. “Depending on the targeted service, the attacker can access emails via Exchange Online, documents from Microsoft SharePoint Online and OneDrive, or conversation history in Microsoft Teams.” The received tokens, which carry a 60-minute expiry, can also be redeemed to generate new access tokens with a rolling 90-day validity, allowing attackers to maintain persistence on the compromised account.
Distributed through Telegram channels, the PhaaS service includes bot-driven workflows to manage campaigns and token collection. Researchers also observed ongoing development efforts, with indications that support for additional platforms beyond Microsoft may be introduced.
Sekoia shared a set of attack infrastructure details to support tracking. These include phishing domain and URL patterns, self-hosted affiliate domains, EvilTokens admin domains, and a YARA rule for detecting the phishing page.