EvilTokens: The Fuel Behind Microsoft Device Code Phishing Attacks

A cutting-edge malicious tool known as EvilTokens has emerged, introducing device code phishing capabilities that enable hackers to compromise Microsoft accounts and enhance their tactics for business email compromise attacks.

This sophisticated kit is distributed to cybercriminals via Telegram and is continuously evolving, with its creator expressing intentions to expand its support to include Gmail and Okta phishing pages.

Device code phishing attacks exploit the OAuth 2.0 device authorization flow, allowing threat actors to infiltrate a victim’s account by deceiving the user into authorizing a malicious device.

This technique has been extensively documented and utilized by various threat groups, including Russian entities identified as Storm-237, UTA032, UTA0355, UNK_AcademicFlare, and TA2723, as well as the data extortion group ShinyHunters.

EvilTokens Attacks

Researchers at Sekoia, a company specializing in threat detection and response, have observed EvilTokens attacks where victims receive emails containing documents (PDF, HTML, DOCX, XLSX, or SVG) that feature either a QR code or a hyperlink to an EvilTokens phishing template.

These deceptive emails mimic legitimate business communication, such as financial documents, meeting invitations, logistics or purchase orders, payroll notices, or shared documents through services like DocuSign or SharePoint, often targeting employees in finance, HR, logistics, or sales roles.

Various phishing templates offered by the EvilTokens platform
Source: Sekoia

Upon clicking the provided link, victims are directed to a phishing page that impersonates a trusted service (e.g., Adobe Acrobat or DocuSign), displaying a verification code and instructions for completing identity verification.

The fraudulent page prompts users to click a “Continue to Microsoft” button, redirecting them to the authentic Microsoft device login page.

During this stage, the attacker uses a legitimate client (any Microsoft application will do) to request a device code, and the victim is tricked into entering that attacker-supplied code on the genuine Microsoft device login URL, thereby authorizing the attacker's session.

EvilTokens attack flow
Source: Sekoia

This tactic allows the attacker to acquire both a short-lived access token and a refresh token for persistent access.

With these tokens, the attacker gains immediate access to the victim’s associated services, including email, files, Teams data, and the ability to perform Single Sign-On (SSO) impersonation across Microsoft services.
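Because the victim signs in on the real Microsoft page, the one thing a defender reliably sees is a sign-in that used the device authorization flow, often from an IP address or country the user has never signed in from before. The following detection example is added here and is not code from Sekoia or from the article; it assumes sign-in records shaped like Microsoft Entra ID sign-in log exports, in which an `authenticationProtocol` value of `deviceCode` marks the device authorization flow (the field names are an assumption, and the log lines are constructed samples).

```python
"""Flag device code sign-ins in Entra ID style sign-in records.

Added example, not part of the article or the Sekoia report. Field
names follow the Entra ID SigninLogs schema as assumed here:
`authenticationProtocol` == "deviceCode" marks the OAuth 2.0 device
authorization flow.
"""
import json
from collections import defaultdict

# Constructed sample records (JSON lines), not real telemetry.
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "none", "appDisplayName": "Outlook", "location": {"countryOrRegion": "FR"}, "createdDateTime": "2025-03-01T08:00:00Z"}
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "none", "appDisplayName": "Teams", "location": {"countryOrRegion": "FR"}, "createdDateTime": "2025-03-01T09:00:00Z"}
{"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.5", "authenticationProtocol": "none", "appDisplayName": "Outlook", "location": {"countryOrRegion": "US"}, "createdDateTime": "2025-03-01T09:30:00Z"}
{"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "NL"}, "createdDateTime": "2025-03-01T09:42:00Z"}
{"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.5", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI", "location": {"countryOrRegion": "US"}, "createdDateTime": "2025-03-01T10:00:00Z"}
"""


def parse_signin_lines(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def device_code_alerts(records):
    """Return one alert per device code sign-in.

    Records are processed in time order. Each user's previously seen IPs
    and countries form a simple baseline; a device code sign-in from an
    IP or country not yet seen for that user is rated "high", otherwise
    "medium" (device code use is still worth a look on its own).
    """
    seen_ips = defaultdict(set)
    seen_countries = defaultdict(set)
    alerts = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"]
        ip = rec.get("ipAddress")
        country = rec.get("location", {}).get("countryOrRegion")
        if rec.get("authenticationProtocol") == "deviceCode":
            new_ip = ip not in seen_ips[user]
            new_country = country not in seen_countries[user]
            alerts.append({
                "user": user,
                "ip": ip,
                "country": country,
                "app": rec.get("appDisplayName"),
                "time": rec["createdDateTime"],
                "severity": "high" if (new_ip or new_country) else "medium",
            })
        # Every sign-in, device code or not, extends the user's baseline
        # once it has been evaluated.
        seen_ips[user].add(ip)
        seen_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(parse_signin_lines(SAMPLE_LOG)):
        print(alert)
```

In the constructed sample, alice's device code sign-in comes from a new IP and country and is rated high, while bob's comes from an IP he already used minutes earlier and is rated medium; in practice the baseline would be built from weeks of history rather than a handful of lines, and the application name on the alert is what tells you which legitimate Microsoft client the kit requested the code through.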

Sekoia researchers have analyzed EvilTokens’ infrastructure and identified campaigns with a global reach, affecting countries like the United States, Canada, France, Australia, India, Switzerland, and the UAE.

Most targeted countries by EvilTokens operators
Source: Sekoia

In addition to sophisticated phishing techniques, Sekoia researchers highlight that the EvilTokens phishing-as-a-service (PhaaS) operation offers advanced functionalities for conducting Business Email Compromise (BEC) attacks through automation.

The diverse range of campaigns indicates that EvilTokens is already being widely utilized by threat actors involved in phishing and BEC activities.

Sekoia provides Indicators of Compromise (IoCs), technical insights, and YARA rules to help defenders detect and block attacks leveraging the EvilTokens PhaaS kit.
