
New EvilTokens Phishing Kit Targets Microsoft Accounts, Fuels Business Email Compromise Campaigns


A sophisticated new phishing-as-a-service (PhaaS) kit dubbed "EvilTokens" is being actively marketed to cybercriminals. It specializes in abusing Microsoft's OAuth device code flow to hijack user accounts. The service, advertised on Telegram channels, gives attackers a turnkey way to run device code phishing, a technique that sidesteps traditional credential harvesting by tricking users into authorizing a device the attacker controls. According to researchers from threat detection firm Sekoia, the kit is under continuous development, and its author plans to add phishing templates for Gmail and Okta, which would significantly broaden its potential impact.

The core of the EvilTokens attack abuses the OAuth 2.0 device authorization grant flow, a legitimate protocol designed for input-constrained devices such as smart TVs. In this attack, the victim is presented with a QR code or a link that leads to a Microsoft login page displaying a unique code. The user is instructed to visit Microsoft's separate device login website and enter this code to "authenticate." What the victim does not see is that the code was requested by the attacker's client, so completing the prompt authorizes the attacker's session and grants it full access to the victim's Microsoft account, including email, OneDrive, and connected services, without the victim ever surrendering their password. This method has been leveraged by various advanced threat actors, including Russian-linked groups tracked as Storm-237 and TA2723, as well as the notorious ShinyHunters data extortion gang.

Sekoia's analysis reveals that EvilTokens campaigns are highly targeted, often aimed at employees in finance, human resources, and logistics departments. The initial phishing lures are meticulously crafted emails containing malicious attachments—such as PDF, DOCX, or HTML files—that impersonate legitimate business communications. These documents may appear as financial reports, payroll notifications, meeting invitations via platforms like Microsoft Teams, or shared documents from services like DocuSign or SharePoint. The embedded QR codes or hyperlinks lead to convincing EvilTokens phishing templates that seamlessly initiate the device code authentication process.

The emergence of EvilTokens as a commercial service lowers the barrier to entry for conducting high-impact business email compromise (BEC) and account takeover attacks. By providing a user-friendly interface and ongoing support, the kit enables less technically skilled threat actors to launch sophisticated campaigns that can lead to significant financial fraud and data theft. This development underscores a critical need for organizations to enhance user awareness about this specific phishing vector and to implement conditional access policies that require additional verification for device code authentications, especially from new or unfamiliar locations.
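As an added illustration of the detection side of that recommendation (this is not code from Sekoia or from the article), the following Python flags successful device code sign-ins in Entra ID sign-in log records and ranks those from a location outside the user's baseline as high severity. The sample records and the per-user location baseline are constructed; the field names follow the Microsoft Graph signIn resource, where the authenticationProtocol value for this flow is deviceCode.

```python
import json

# Constructed sample of Entra ID sign-in records shaped like the Microsoft Graph
# signIn resource (field names are real; the values are made up for this example).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "createdDateTime": "2024-05-01T08:02:11Z",
     "location": {"countryOrRegion": "DE", "city": "Berlin"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "createdDateTime": "2024-05-01T08:05:40Z",
     "location": {"countryOrRegion": "NG", "city": "Lagos"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "createdDateTime": "2024-05-01T08:10:00Z",
     "location": {"countryOrRegion": "DE", "city": "Berlin"}, "status": {"errorCode": 0}},
]

# Per-user locations seen during a trailing baseline window (constructed).
KNOWN_LOCATIONS = {
    "alice@example.com": {("DE", "Berlin")},
    "bob@example.com": {("DE", "Berlin"), ("DE", "Munich")},
}

def location_key(event):
    """Reduce a sign-in's location object to a (country, city) tuple."""
    loc = event.get("location") or {}
    return (loc.get("countryOrRegion"), loc.get("city"))

def flag_device_code_signins(events, known_locations):
    """Return one finding per successful device code sign-in.

    Every device code sign-in is reported, because the flow itself is rare for
    ordinary users; a sign-in from a location absent from the user's baseline is
    marked high severity, matching the advice to require extra verification for
    device code authentications from unfamiliar locations."""
    findings = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        if (ev.get("status") or {}).get("errorCode", 0) != 0:
            continue  # failed attempts are noise for this rule
        upn = ev["userPrincipalName"]
        where = location_key(ev)
        severity = "high" if where not in known_locations.get(upn, set()) else "medium"
        findings.append({"user": upn, "severity": severity, "location": where,
                         "app": ev.get("appDisplayName"), "time": ev.get("createdDateTime")})
    return findings

if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_SIGNINS, KNOWN_LOCATIONS):
        print(json.dumps(finding))
```

In production the baseline would be built from the same log source over a trailing window rather than hard-coded, and the medium-severity hits are what a "require additional verification" conditional access policy would step up on.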
