A phishing kit subverting Microsoft’s legitimate authentication flow lets attackers break into accounts without stealing passwords or creating fake login pages
Analysis Summary
# Tool/Technique: EvilTokens
## Overview
EvilTokens is a sophisticated Phishing-as-a-Service (PhaaS) kit and framework designed to compromise Microsoft 365 accounts. Unlike traditional phishing that relies on credential harvesting (fake login pages), EvilTokens abuses the legitimate **OAuth 2.0 Device Authorization Grant flow**. It tricks victims into authenticating a session on a legitimate Microsoft domain, allowing the attacker to obtain session tokens without ever seeing the victim's password.
## Technical Details
- **Type**: Phishing-as-a-Service (PhaaS) / Tool
- **Platform**: Microsoft 365 / Entra ID
- **Capabilities**: Device code phishing, multi-factor authentication (MFA) bypass, token theft, automated account takeover.
- **First Seen**: February 2026 (Advertised via Telegram)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.002 - Phishing: Spearphishing Link
- **TA0006 - Credential Access**
  - T1528 - Steal Application Access Token
  - T1557 - Adversary-in-the-Middle (Technique variant)
- **TA0003 - Persistence**
  - T1136.003 - Create Account: Cloud Account (via token access)
- **TA0007 - Discovery**
  - T1087.003 - Account Discovery: Cloud Account
## Functionality
### Core Capabilities
- **Legitimate Flow Subversion**: Utilizes the Microsoft device code flow (`https[:]//microsoft[.]com/devicelogin`) to prompt victims to enter an attacker-generated code.
- **MFA Bypass**: Because the victim signs into a legitimate Microsoft page, they fulfill any MFA requirements (SMS, Authenticator app) themselves, inadvertently granting the attacker a fully authenticated session.
- **Token Acquisition**: Once the victim enters the code, the kit automatically exchanges the device authorization for an access token and a refresh token.
### Advanced Features
- **AI-Enabled Lures**: Incorporates AI-generated, bespoke phishing lures and dynamic device-code generation to increase victim conversion rates.
- **Session Automation**: Automatically performs post-compromise actions such as creating inbox rules to hide further activity.
- **PhaaS Model**: Distributed via Telegram, offering cybercriminals an easy-to-use interface for launching Business Email Compromise (BEC) campaigns.
## Indicators of Compromise
- **File Hashes**: *(Specific hashes not provided in the source article)*
- **Network Indicators**:
  - `microsoft[.]com/devicelogin` (legitimate domain abused by the tool)
  - Telegram channels used for C2 and kit distribution.
- **Behavioral Indicators**:
  - Sign-ins from "cross-tenant" or unfamiliar applications.
  - Unexpected "Device Code Flow" authentication events in Microsoft Entra ID logs.
  - Creation of suspicious inbox rules immediately following a login.
  - Rapid session movement from one geographic location to another (Impossible Travel).
## Associated Threat Actors
- Cybercriminals involved in Business Email Compromise (BEC).
- Threat actors targeting high-value organizations for account takeover (over 340 organizations targeted in early 2026).
## Detection Methods
- **Sign-in Log Analysis**: Monitor for `Authentication Method: Device Code Flow` in Microsoft Azure AD/Entra ID logs, especially for users who do not typically use headless devices.
- **Application Monitoring**: Audit for the registration/authorization of unusual first-party or third-party applications (e.g., "Microsoft Office" or "PnP Management Shell" requested via device code).
- **Behavioral Detection**: Identify "Risky Sign-ins" where the IP address used for the final token exchange differs significantly from the victim’s usual profile.
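As an added illustration of the sign-in log analysis and inbox-rule correlation described above (example code written for this summary, not tooling from the source report): it flags device-code sign-ins by users outside an allowlist of headless-device accounts and pairs them with `New-InboxRule` events that follow within a short window. The sample records are constructed, and the field names (`authenticationProtocol`, `createdDateTime`, `Operation`, `CreationTime`) are assumed to follow the Entra ID sign-in and Exchange audit log schemas.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names follow the Entra ID SigninLogs and
# Exchange unified audit log schemas as an assumption, not from the report.
SIGNIN_LOGS = [
    {"createdDateTime": "2026-02-10T09:00:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2026-02-10T09:05:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-02-10T09:30:00Z", "userPrincipalName": "iot-svc@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI", "ipAddress": "192.0.2.44"},
]
AUDIT_LOGS = [
    {"CreationTime": "2026-02-10T08:40:00Z", "UserId": "alice@example.com", "Operation": "New-InboxRule"},
    {"CreationTime": "2026-02-10T09:12:00Z", "UserId": "alice@example.com", "Operation": "New-InboxRule"},
    {"CreationTime": "2026-02-10T10:00:00Z", "UserId": "bob@example.com", "Operation": "New-InboxRule"},
]

DEVICE_CODE_ALLOWLIST = {"iot-svc@example.com"}  # accounts that legitimately use headless devices
RULE_WINDOW = timedelta(minutes=30)              # an inbox rule this soon after login is suspicious

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def device_code_signins(signins, allowlist=DEVICE_CODE_ALLOWLIST):
    """Device-code sign-ins by users who are not expected to use that flow."""
    return [r for r in signins
            if r["authenticationProtocol"] == "deviceCode"
            and r["userPrincipalName"].lower() not in allowlist]

def correlate_inbox_rules(flagged, audits, window=RULE_WINDOW):
    """Pair each flagged sign-in with a New-InboxRule by the same user inside `window`."""
    hits = []
    for s in flagged:
        t0 = parse_ts(s["createdDateTime"])
        for a in audits:
            if a["Operation"] != "New-InboxRule" or a["UserId"].lower() != s["userPrincipalName"].lower():
                continue
            delta = parse_ts(a["CreationTime"]) - t0
            if timedelta(0) <= delta <= window:   # the rule must follow the login, not precede it
                hits.append((s["userPrincipalName"], a["CreationTime"]))
    return hits

def analyze(signins=SIGNIN_LOGS, audits=AUDIT_LOGS):
    flagged = device_code_signins(signins)
    return {"flagged": [(r["userPrincipalName"], r["appDisplayName"], r["ipAddress"]) for r in flagged],
            "rule_correlations": correlate_inbox_rules(flagged, audits)}
```

Calling `analyze()` on the sample data reports only alice's device-code sign-in and the inbox rule she created twelve minutes later; the earlier rule is ignored because it predates the login, and the allowlisted service account is never flagged.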
## Mitigation Strategies
- **Conditional Access Policies**: Enforce policies that block the Device Code Flow for all users except those specifically requiring it (e.g., users on specific IoT devices or Linux consoles).
- **Phishing-Resistant MFA**: Transition to FIDO2-based authentication or Windows Hello for Business, which are less susceptible to authentication relay attacks.
- **User Education**: Train employees to never enter a 6- or 8-digit code into a website unless they manually initiated a login on a device that explicitly requested it (like a smart TV).
- **Security Defaults**: Monitor and restrict the use of the "Microsoft Command Line Interface" or "PowerShell" applications, which are frequently the clients these stolen tokens are issued for.
## Related Tools/Techniques
- **EvilProxy / m365-2fa-proxy**: Similar PhaaS kits focusing on Adversary-in-the-Middle (AiTM) proxying.
- **Device Code Phishing**: The general technique of abusing OAuth 2.0 device flows.
- **Token Theft**: The broader category of hijacking active authentication sessions.