Full Report
Who needs MFA when you've got EvilTokens? Hundreds of organizations have been compromised daily by a Microsoft device-code phishing campaign that uses AI and automation at nearly every stage of the attack chain to ultimately snoop through corporate email inboxes and steal financial data.…
Analysis Summary
# Incident Report: Scaled AI-Driven Device-Code Phishing (EvilTokens)
## Executive Summary
A sophisticated, AI-driven phishing campaign is compromising hundreds of organizations daily by exploiting the Microsoft OAuth 2.0 device code authentication flow. The attack bypasses Multi-Factor Authentication (MFA) to gain unauthorized access to corporate Microsoft 365 environments, primarily targeting financial data through automated email exfiltration.
## Incident Details
- **Discovery Date:** April 6, 2026 (Public disclosure)
- **Incident Date:** Ongoing since at least March 15, 2026
- **Affected Organization:** Hundreds of organizations per day; specific names not disclosed
- **Sector:** Cross-sector; high focus on Finance personas
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 15, 2026 (Start of surge)
- **Vector:** Phishing via AI-generated personalized emails.
- **Details:** Attackers use the `GetCredentialType` API for reconnaissance 10-15 days prior to the attack to verify user existence.
### Lateral Movement
- **Details:** Once a session token is stolen, attackers move within the Microsoft 365 ecosystem. In some cases, attackers register new devices within 10 minutes of initial compromise to generate a Primary Refresh Token (PRT) for persistence.
### Data Exfiltration/Impact
- **Details:** Automated script-based snooping of inboxes. Attackers create inbox rules to forward messages containing keywords like "payroll" or "invoice" to exfiltrate financial data.
### Detection & Response
- **Discovery:** Detected by Microsoft security researchers monitoring high-volume, automated campaign patterns.
- **Response Actions:** Microsoft released a technical breakdown of the "EvilTokens" infrastructure and recommended conditional access policies to block device code flows.
## Attack Methodology
- **Initial Access:** AI-enabled hyper-personalized phishing emails featuring industry-specific themes (RFPs, invoices).
- **Persistence:** Registration of secondary devices to obtain Primary Refresh Tokens (PRT); creation of malicious inbox forwarding rules.
- **Privilege Escalation:** Not explicitly detailed; however, gaining access to executive/finance mailboxes grants high-level data access.
- **Defense Evasion:** Use of trusted serverless platforms (Railway, Cloudflare Workers, AWS Lambda) for redirect chains to bypass URL scanners.
- **Credential Access:** Theft of OAuth 2.0 live access tokens via the Device Code flow.
- **Discovery:** API querying of `GetCredentialType` to validate target emails.
- **Lateral Movement:** Cloud-based movement using stolen session tokens to access various M365 apps.
- **Collection:** Automated scanning of email content for financial keywords.
- **Exfiltration:** Email forwarding rules and direct API-based data theft.
- **Impact:** Financial data theft and unauthorized mailbox access.
## Impact Assessment
- **Financial:** High potential for loss through intercepted invoices and payroll redirection (Business Email Compromise).
- **Data Breach:** Massive volume; hundreds of compromises occurring daily across global organizations.
- **Operational:** Disruption to financial workflows and necessity for enterprise-wide password/token resets.
- **Reputational:** Significant risk for organizations whose sensitive financial communications are exposed.
## Indicators of Compromise
- **Network indicators:**
  - Traffic to `microsoft[.]com/devicelogin` initiated from unusual serverless platforms.
  - Redirects through `railway[.]app`, `workers[.]dev`, `digitaloceanspaces[.]com`, or `lambda-url[.]aws`.
- **File indicators:** Malicious attachments in phishing emails (often role-specific PDFs or Docs).
- **Behavioral indicators:**
  - Polling activity to a `/state` endpoint every 3-5 seconds.
  - Creation of new inbox rules (keywords: "payroll", "invoice").
  - New device registration shortly after an interactive login.
## Response Actions
- **Containment:** Revoking active session tokens for compromised users; deleting malicious inbox rules.
- **Eradication:** Blocking the specific redirect domains and disabling the Device Code flow at the tenant level.
- **Recovery:** Re-enrolling compromised accounts in phishing-resistant MFA.
## Lessons Learned
- **MFA is not a silver bullet:** Standard MFA can be bypassed by session-theft techniques like Device Code phishing.
- **AI-driven scale:** Attackers are using AI to automate the "human" element of phishing (customization), making volume and quality equally high.
- **Redirect Evasion:** Relying solely on URL reputation is insufficient as attackers use reputable serverless infrastructure to mask their links.
## Recommendations
- **Restrict Authentication Flows:** Disable/Block "Device Code Flow" using Entra ID (Azure AD) Conditional Access policies except where strictly required for IoT.
- **Phishing-Resistant MFA:** Transition to FIDO2-based hardware keys or Windows Hello for Business to prevent token theft.
- **Monitoring:** Implement alerts for new inbox rule creation and `GetCredentialType` API spikes.
- **User Training:** Specifically educate employees on the "Microsoft Device Login" prompt and why they should never enter a code requested via email.
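The following detection logic is an added example written for this summary; it is not code from Microsoft or from the report. It implements two of the behavioral indicators listed under "Indicators of Compromise" and the inbox-rule alerting called for under "Monitoring": (1) inbox rules that forward or redirect mail and filter on the financial keywords "payroll" or "invoice", and (2) a device registration by the same user within 10 minutes of a device-code sign-in. The record shapes are simplified assumptions loosely modelled on the Exchange unified audit log (`Operation`, `UserId`, `Parameters` as a list of `Name`/`Value` pairs) and Entra sign-in logs (`authenticationProtocol`, `userPrincipalName`, `createdDateTime`); the `Device` field and all sample records are constructed. The `GetCredentialType` spike is not modelled, since the example works only on records the tenant itself logs.

```python
"""Added detection example (not from the report): flags two behavioral
indicators of device-code phishing in constructed Microsoft 365 log records.
Field names are simplified assumptions, not a guaranteed schema."""
from datetime import datetime, timedelta
from typing import Dict, List

FINANCIAL_KEYWORDS = ("payroll", "invoice")  # keywords named in the report
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
DEVICE_REG_OPERATIONS = ("Register device", "Add registered owner to device")


def suspicious_inbox_rules(events: List[Dict]) -> List[Dict]:
    """Return inbox-rule events that both forward/redirect mail and filter on
    financial keywords. Rules that only move mail, or that forward without
    such keywords, are not flagged, which keeps alert volume manageable."""
    findings = []
    for ev in events:
        if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: str(p["Value"]) for p in ev.get("Parameters", [])}
        forwards = [params[p] for p in FORWARD_PARAMS if params.get(p)]
        if not forwards:
            continue
        filter_text = " ".join(params.get(k, "") for k in KEYWORD_PARAMS).lower()
        hits = [kw for kw in FINANCIAL_KEYWORDS if kw in filter_text]
        if hits:
            findings.append({"user": ev["UserId"], "rule": params.get("Name", "?"),
                             "forward_to": forwards, "keywords": hits})
    return findings


def device_code_then_registration(signins: List[Dict], audit_events: List[Dict],
                                  window_minutes: int = 10) -> List[Dict]:
    """Pair each device-code sign-in with any device registration by the same
    user inside the window (the report observed registrations within 10 min)."""
    regs_by_user: Dict[str, List[Dict]] = {}
    for ev in audit_events:
        if ev.get("Operation") in DEVICE_REG_OPERATIONS:
            regs_by_user.setdefault(ev["UserId"].lower(), []).append(ev)
    window = timedelta(minutes=window_minutes)
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        t_signin = datetime.fromisoformat(s["createdDateTime"])
        for reg in regs_by_user.get(s["userPrincipalName"].lower(), []):
            delta = datetime.fromisoformat(reg["CreationTime"]) - t_signin
            if timedelta(0) <= delta <= window:  # registration after sign-in, within window
                findings.append({"user": s["userPrincipalName"], "device": reg.get("Device"),
                                 "delta_seconds": int(delta.total_seconds())})
    return findings


# Constructed sample records (not real tenant data).
SAMPLE_RULE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "finance.user@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payroll"},
                    {"Name": "ForwardTo", "Value": "collector@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ops.user@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Weekly"},
                    {"Name": "SubjectContainsWords", "Value": "weekly report"},
                    {"Name": "ForwardTo", "Value": "team@example.com"}]},
]
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-03-20T09:14:05+00:00"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-03-20T10:00:00+00:00"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "none",
     "createdDateTime": "2026-03-20T12:00:00+00:00"},
]
SAMPLE_AUDIT_EVENTS = [
    {"Operation": "Register device", "UserId": "alice@example.com",
     "Device": "DESKTOP-7Q2K", "CreationTime": "2026-03-20T09:21:40+00:00"},
    {"Operation": "Register device", "UserId": "bob@example.com",
     "Device": "LAPTOP-BOB", "CreationTime": "2026-03-20T11:30:00+00:00"},
    {"Operation": "Register device", "UserId": "carol@example.com",
     "Device": "LAPTOP-CAROL", "CreationTime": "2026-03-20T12:03:00+00:00"},
]

if __name__ == "__main__":
    for f in suspicious_inbox_rules(SAMPLE_RULE_EVENTS):
        print("inbox rule:", f)
    for f in device_code_then_registration(SAMPLE_SIGNINS, SAMPLE_AUDIT_EVENTS):
        print("device registration after device-code sign-in:", f)
```

On the sample data only the finance user's forwarding rule and Alice's registration (7 minutes 35 seconds after her device-code sign-in) are flagged; Bob's registration falls outside the window and Carol's sign-in was not a device-code flow. In production, the registration correlation should also be fed by sign-ins from the serverless origins listed above, and both checks should be tuned to the tenant's legitimate use of forwarding and device enrollment.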