{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreieziin3p2ntuvs3rd2xwiqle6jhbskengyplftyfxm23spliwkqqq",
    "uri": "at://did:plc:5opbpi2nomj4y3d5kpwamkrd/app.bsky.feed.post/3mj26rp2tlqh2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreidna2xjjpdectxoguw4btkabvs2vxjehofjisv5bzj4enyh4dupjy"
    },
    "mimeType": "image/jpeg",
    "size": 20678
  },
  "description": "A new class of identity attacks is rapidly scaling across enterprises: AI-augmented device code phishing, operationalized through phishing-as-a-service (PhaaS) platforms like EvilTokens. Microsoft and multiple security vendors have confirmed that these attacks are now widespread and highly effective, compromising organizations daily by abusing legitimate authentication flows rather than exploiting vulnerabilities.\n\nThis post provides a technical deep dive into what EvilTokens is, how it works un",
  "path": "/eviltokens-an-ai-driven-device-code-attack-compromising-microsoft-businesses/",
  "publishedAt": "2026-04-09T06:32:43.000Z",
  "site": "https://corti.com",
  "tags": [
    "CSO Online",
    "Sekoia.io Blog",
    "Microsoft",
    "The Hacker News",
    "Push Security",
    "Arctic Wolf"
  ],
  "textContent": "A new class of identity attacks is rapidly scaling across enterprises: **AI-augmented device code phishing** , operationalized through phishing-as-a-service (PhaaS) platforms like _EvilTokens_. Microsoft and multiple security vendors have confirmed that these attacks are now widespread and highly effective, compromising organizations daily by abusing legitimate authentication flows rather than exploiting vulnerabilities.\n\nThis post provides a technical deep dive into **what EvilTokens is, how it works under the hood, and how to mitigate it effectively**.\n\n* * *\n\n## What Is EvilTokens?\n\n**EvilTokens** is a **phishing-as-a-service (PhaaS) platform** that automates account takeover attacks against Microsoft 365 and similar SaaS environments by abusing OAuth device code authentication. (CSO Online)\n\nKey characteristics:\n\n  * **Turnkey attack platform** sold via underground channels (e.g., Telegram) (Sekoia.io Blog)\n  * Focused on **device code phishing** instead of traditional credential harvesting\n  * Uses **AI to scale and personalize attacks** (e.g., crafting targeted phishing emails) (Microsoft)\n  * Enables **Business Email Compromise (BEC)** workflows and post-exploitation automation (Sekoia.io Blog)\n\n\n\nThe result: a **low-skill, high-impact attack kit** that allows attackers to compromise enterprise identities at scale.\n\n* * *\n\n## Why This Attack Is Different\n\nTraditional phishing targets credentials (passwords, MFA codes).\nEvilTokens instead targets **authentication tokens** , which changes the threat model fundamentally:\n\n  * **No password theft required**\n  * **MFA and passkeys are bypassed**\n  * **Tokens persist even after password resets** (The Hacker News)\n\n\n\nThis makes it closer to a **session hijack via legitimate authentication flows** than classic phishing.\n\n* * *\n\n## How Device Code Authentication Works (Legitimate Flow)\n\nThe attack abuses the OAuth 2.0 **Device Authorization Grant** :\n\n  1. 
User wants to log in from an input-constrained device (CLI, IoT, TV)\n  2. The device calls the device authorization endpoint and gets back two values: a **device code** (kept by the device, never shown) and a short **user code** (shown to the user), plus a verification URL and an expiry\n  3. User goes to a trusted login page (e.g. microsoft.com/devicelogin) from any browser\n  4. User enters the user code and authenticates normally, including MFA\n  5. The device, which has been polling the token endpoint with its device code, receives an **access token** (and a **refresh token** when offline_access is in scope)\n\nNothing ties the browser that entered the code to the device that requested it: the tokens go to whoever holds the device code. This flow is widely used in developer tooling and enterprise environments. (Push Security)\n\n* * *\n\n## How EvilTokens Attacks Work\n\n### Step-by-Step Attack Chain\n\n  1. **Device Code Generation (Attacker)**\n     * The attacker calls Microsoft's device authorization endpoint with a legitimate client ID and receives a device code (which it keeps) and a user code (which the lure will hand to the victim)\n  2. **Phishing Delivery**\n     * Victim receives a highly convincing, AI-generated message\n     * Examples: invoices, RFPs, SharePoint documents (Microsoft)\n  3. **User Interaction**\n     * Victim is redirected to a page instructing them to “Enter this code to access the document”\n  4. **Legitimate Authentication**\n     * Victim enters the code on the real Microsoft login page and completes MFA there\n  5. **Token Issuance**\n     * Microsoft issues:\n       * Access token\n       * Refresh token\n  6. **Token Theft**\n     * The attacker has been polling the token endpoint with the device code it kept; the first poll after the victim signs in returns the tokens\n  7. **Post-Compromise Activity**\n     * Email exfiltration\n     * Inbox rule creation (persistence)\n     * Microsoft Graph reconnaissance (Microsoft)\n\n* * *\n\n## Key Technical Innovations in EvilTokens\n\n### 1. Dynamic Code Generation\n\nA device code is only valid for the short expires_in window the endpoint returns (minutes, not hours), so a code minted when the campaign is sent is usually dead by the time the victim opens the mail. EvilTokens generates the code **only when the victim clicks** the lure, so the victim always sees a fresh, unexpired code. (Microsoft)\n\n### 2. AI-Driven Social Engineering\n\n  * Personalized phishing emails\n  * Context-aware lures (finance, exec roles) (Microsoft)\n\n### 3. Cloud-Based Attack Infrastructure\n\n  * Uses trusted platforms like Railway (PaaS) to host infrastructure\n  * Blends into legitimate traffic patterns (Arctic Wolf)\n\n
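The legitimate flow and the attack chain differ only in who holds the device code. The following is an added example, not code from the original post or from EvilTokens: it simulates both sides of the RFC 8628 exchange against a mock authorization server with a fake clock, so it runs offline. The Microsoft endpoint URLs are reference constants only and are never contacted; the `{tenant}` placeholder, the client ID, the victim's UPN, the 900-second code lifetime, the mock error names and the token values are all constructed. The last two runs show the expiry window that the dynamic code generation of innovation 1 works around.

```python
# Added example (not from the original post or EvilTokens): offline simulation of
# the OAuth 2.0 Device Authorization Grant (RFC 8628). The authorization server is
# a mock with a controllable clock; Microsoft endpoint URLs are reference only.
import secrets
import string

# Public endpoints of the real flow (reference only; {tenant} is a placeholder)
DEVICECODE_URL = 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode'
TOKEN_URL = 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token'
DEVICE_GRANT = 'urn:ietf:params:oauth:grant-type:device_code'


class MockAuthServer:
    # Minimal RFC 8628 authorization server. Times are seconds on a fake clock.

    def __init__(self, code_lifetime=900, interval=5):
        self.now = 0
        self.code_lifetime = code_lifetime   # device/user code validity window (assumed)
        self.interval = interval             # minimum seconds between token polls
        self.pending = {}                    # device_code -> authorization record

    def device_authorization(self, client_id, scope):
        # Step 1 of the attack chain: whoever calls this holds device_code from now on.
        device_code = secrets.token_hex(16)
        alphabet = string.ascii_uppercase + string.digits
        user_code = ''.join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {
            'client_id': client_id, 'scope': scope, 'user_code': user_code,
            'expires_at': self.now + self.code_lifetime,
            'approved_by': None, 'last_poll': None,
        }
        return {'device_code': device_code, 'user_code': user_code,
                'verification_uri': 'https://microsoft.com/devicelogin',
                'expires_in': self.code_lifetime, 'interval': self.interval}

    def user_login(self, user_code, upn, mfa_passed):
        # The victim's side: the genuine login page. Password and MFA stay here;
        # nothing about them is ever sent to the holder of device_code.
        for rec in self.pending.values():
            if rec['user_code'] == user_code and rec['expires_at'] > self.now:
                if not mfa_passed:
                    return {'error': 'mfa_required'}            # mock error name
                rec['approved_by'] = upn
                return {'status': 'approved', 'scope': rec['scope']}
        return {'error': 'invalid_or_expired_user_code'}        # mock error name

    def token(self, grant_type, device_code, client_id):
        # The attacker's side: polling the token endpoint with device_code.
        if grant_type != DEVICE_GRANT:
            return {'error': 'unsupported_grant_type'}
        rec = self.pending.get(device_code)
        if rec is None or rec['client_id'] != client_id:
            return {'error': 'invalid_grant'}
        if rec['expires_at'] <= self.now:
            del self.pending[device_code]
            return {'error': 'expired_token'}
        if rec['last_poll'] is not None and self.now - rec['last_poll'] < self.interval:
            return {'error': 'slow_down'}
        rec['last_poll'] = self.now
        if rec['approved_by'] is None:
            return {'error': 'authorization_pending'}
        del self.pending[device_code]                            # single use
        return {'token_type': 'Bearer', 'scope': rec['scope'], 'expires_in': 3600,
                'access_token': 'at-' + secrets.token_hex(8),     # constructed value
                'refresh_token': 'rt-' + secrets.token_hex(16),   # constructed value
                'issued_to_client': client_id, 'on_behalf_of': rec['approved_by']}


def simulate(server, code_requested_at, victim_enters_at,
             victim='victim@example.com', client='attacker-chosen-client-id'):
    # Attacker requests the code at code_requested_at; the victim types the user
    # code at victim_enters_at. Returns what each side saw.
    server.now = code_requested_at
    dc = server.device_authorization(client, 'openid offline_access Mail.Read')
    server.now = code_requested_at + server.interval
    before = server.token(DEVICE_GRANT, dc['device_code'], client)   # poll before login
    server.now = victim_enters_at
    login = server.user_login(dc['user_code'], victim, mfa_passed=True)
    server.now = victim_enters_at + server.interval
    after = server.token(DEVICE_GRANT, dc['device_code'], client)    # poll after login
    return {'user_code': dc['user_code'], 'first_poll': before,
            'victim_login': login, 'poll_after_login': after}


if __name__ == '__main__':
    # Victim acts two minutes after the code was minted: attacker gets the tokens.
    print(simulate(MockAuthServer(), code_requested_at=0, victim_enters_at=120))
    # Code minted when the campaign was sent, victim acts 20 minutes later: dead code.
    print(simulate(MockAuthServer(), code_requested_at=0, victim_enters_at=1200))
    # Code minted on click (innovation 1), victim acts two minutes later: works again.
    print(simulate(MockAuthServer(), code_requested_at=1200, victim_enters_at=1320))
```

The token reply carries the victim's identity but is issued to the client that called the device authorization endpoint; the victim's browser never receives anything. Note also that the first poll after the victim signs in is what hands over the tokens, which is why the attacker's backend, not the victim, is the party talking to the token endpoint.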
### 4. Automation at Scale\n\n  * Thousands of ephemeral backend nodes\n  * Full attack lifecycle automation (phishing → token replay → persistence) (Microsoft)\n\n* * *\n\n## Why It Bypasses MFA and Security Controls\n\nThis is the critical insight:\n\n> The victim completes authentication **on behalf of the attacker**\n\n  * MFA is satisfied legitimately, by the victim, on the genuine login page\n  * The sign-in happens on **trusted Microsoft endpoints**, so there is no look-alike domain to block\n  * Security tools see a **valid, MFA-satisfied authentication event** for the real user; the unusual attributes are the protocol (device code) and, later, the address using the tokens\n\nAdditionally:\n\n  * Tokens remain valid after a password reset (The Hacker News)\n  * Refresh tokens enable **long-term persistence**, since each one can be exchanged for new access tokens until it is revoked or expires (Arctic Wolf)\n\n* * *\n\n## Impact on Organizations\n\n  * Hundreds of organizations already impacted globally (Arctic Wolf)\n  * Targets include:\n    * Finance\n    * Manufacturing\n    * Government\n    * Healthcare (The Hacker News)\n\nPrimary risks:\n\n  * Business Email Compromise (BEC)\n  * Data exfiltration\n  * Lateral movement via Microsoft Graph\n  * Long-lived unauthorized access\n\n* * *\n\n## Mitigations and Defensive Strategies\n\n### 1. Disable Device Code Flow (Where Possible)\n\n  * Use a Conditional Access policy with the **Authentication flows** condition set to device code flow, and block it for all users and apps\n  * Grant exceptions only to the groups and headless tooling that genuinely need it; everyone else should never see a device code prompt (Arctic Wolf)\n\n* * *\n\n### 2. Monitor Authentication Patterns\n\nEntra sign-in logs record the protocol used, so device code sign-ins can be filtered directly (authenticationProtocol = deviceCode). Focus on:\n\n  * Device code sign-ins by users or apps with no history of using the flow\n  * Suspicious source ranges (e.g., PaaS and hosting providers), and several distinct users completing device code sign-ins through one IP in a short window\n  * Token issuance anomalies: a device code sign-in followed by Graph or mailbox access from a different address or user agent\n\n* * *\n\n### 3. Token Hygiene & Incident Response\n\nIf compromise is suspected:\n\n  * Revoke **all refresh tokens immediately** (Revoke sessions on the user in Entra, or the Graph revokeSignInSessions action)\n  * Invalidate active sessions; already-issued access tokens keep working until their lifetime (about an hour by default) runs out unless continuous access evaluation applies, so expect some residual access and watch the mailbox during that window\n  * Reset credentials as a secondary step only: the attacker never had the password, and a reset does not substitute for revoking the tokens\n  * Remove any inbox rules and app consents created during the intrusion\n\n* * *\n\n### 4. Strengthen Conditional Access\n\n  * Restrict:\n    * OAuth app permissions and which apps users may consent to\n    * Token issuance scope (block the flow for apps and users that do not need it)\n  * Require compliant or managed devices where possible: a device code sign-in carries no device identity, so a device requirement blocks it at token issuance\n\n* * *\n\n
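To turn the monitoring and response guidance of sections 2 and 3 into something that runs, here is an added example (not from the original post) that applies three detections to constructed Entra sign-in and Exchange audit records and derives the revocation step from the results. The field names are those of the Microsoft Graph signIn resource (authenticationProtocol == 'deviceCode') and of the unified audit log (Operation == 'New-InboxRule'); the records, the corporate IP range, the spike threshold and the six-hour window are assumptions. The spike and inbox-rule rules are the same items that appear under Detection Engineering later in this post.

```python
# Added example (not from the original post): device code phishing detections over
# constructed Microsoft Entra sign-in and Exchange audit records, plus the
# containment step the post recommends. Field names follow the Microsoft Graph
# signIn resource (authenticationProtocol == 'deviceCode') and the unified audit
# log (Operation == 'New-InboxRule'); the records, the corporate IP range and the
# thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

CORP_NETS = [ip_network('203.0.113.0/24')]  # assumed corporate egress; anything else is external
WINDOW = timedelta(hours=6)                 # assumed look-back for spikes and follow-on persistence
SPIKE_THRESHOLD = 3                         # assumed: distinct users finishing device code auth via one IP


def signin(t, upn, ip, app, proto='deviceCode', err=0):
    # Constructed Entra sign-in record (a subset of the Graph signIn fields).
    return {'createdDateTime': t, 'userPrincipalName': upn, 'ipAddress': ip,
            'appDisplayName': app, 'authenticationProtocol': proto,
            'status': {'errorCode': err}}


SIGNINS = [  # constructed: one admin on a real CLI, three victims via one backend, one normal user
    signin('2026-04-08T09:12:00Z', 'alice@example.com', '203.0.113.10', 'Azure CLI'),
    signin('2026-04-08T10:01:00Z', 'bob@example.com', '198.51.100.77', 'Microsoft Office'),
    signin('2026-04-08T10:03:00Z', 'carol@example.com', '198.51.100.77', 'Microsoft Office'),
    signin('2026-04-08T10:04:00Z', 'dave@example.com', '198.51.100.77', 'Microsoft Office'),
    signin('2026-04-08T10:30:00Z', 'erin@example.com', '198.51.100.200', 'Microsoft Office', proto='oAuth2'),
]
AUDIT = [  # constructed unified audit log records (New-InboxRule)
    {'CreationTime': '2026-04-08T11:40:00Z', 'UserId': 'bob@example.com', 'Operation': 'New-InboxRule',
     'Parameters': {'Name': '.', 'MoveToFolder': 'RSS Subscriptions', 'SubjectContainsWords': 'invoice'}},
    {'CreationTime': '2026-04-08T16:30:00Z', 'UserId': 'alice@example.com', 'Operation': 'New-InboxRule',
     'Parameters': {'Name': 'Team updates', 'MoveToFolder': 'Team'}},
]


def ts(s):
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%SZ')


def is_external(ip):
    return not any(ip_address(ip) in net for net in CORP_NETS)


def detect(signins, audit):
    # Returns (severity, rule, subject, detail) tuples.
    alerts = []
    dc = [s for s in signins
          if s['authenticationProtocol'] == 'deviceCode' and s['status']['errorCode'] == 0]

    # Rule 1: successful device code sign-in from outside corporate egress.
    for s in dc:
        if is_external(s['ipAddress']):
            alerts.append(('medium', 'external_device_code_signin', s['userPrincipalName'], s['ipAddress']))

    # Rule 2: several distinct users complete device code auth through one IP within WINDOW
    # (when the recorded address is the polling side, a shared PhaaS backend shows up here).
    by_ip = defaultdict(list)
    for s in dc:
        by_ip[s['ipAddress']].append(s)
    for ip, events in by_ip.items():
        events.sort(key=lambda e: ts(e['createdDateTime']))
        for i, first in enumerate(events):
            t0 = ts(first['createdDateTime'])
            users = {e['userPrincipalName'] for e in events[i:] if ts(e['createdDateTime']) - t0 <= WINDOW}
            if len(users) >= SPIKE_THRESHOLD:
                alerts.append(('high', 'device_code_spike', ip, tuple(sorted(users))))
                break

    # Rule 3: an inbox rule created within WINDOW after that user's latest device code sign-in.
    last_dc = {}
    for s in dc:
        t = ts(s['createdDateTime'])
        if t > last_dc.get(s['userPrincipalName'], datetime.min):
            last_dc[s['userPrincipalName']] = t
    for a in audit:
        t0 = last_dc.get(a['UserId'])
        if (a['Operation'] == 'New-InboxRule' and t0 is not None
                and timedelta(0) <= ts(a['CreationTime']) - t0 <= WINDOW):
            alerts.append(('high', 'inbox_rule_after_device_code', a['UserId'], a['Parameters'].get('Name')))
    return alerts


def containment(alerts):
    # Users whose refresh tokens must be revoked now, with the Graph action that does it.
    # revokeSignInSessions invalidates refresh tokens; it does not reset the password.
    users = set()
    for _severity, rule, subject, detail in alerts:
        if rule == 'device_code_spike':
            users.update(detail)
        elif rule == 'inbox_rule_after_device_code':
            users.add(subject)
    return {u: 'POST https://graph.microsoft.com/v1.0/users/' + u + '/revokeSignInSessions'
            for u in sorted(users)}


if __name__ == '__main__':
    found = detect(SIGNINS, AUDIT)
    for alert in found:
        print(alert)
    print(containment(found))
```

On real data, feed it sign-ins exported from the Graph /auditLogs/signIns endpoint and audit records from Search-UnifiedAuditLog; the first rule is noisy until CORP_NETS and a per-user baseline of who legitimately uses the flow are filled in, which is why only the spike and inbox-rule hits drive the containment list.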
### 5. User Awareness (Critical)\n\nTrain users to recognize:\n\n  * Requests to enter **device login codes** they did not generate themselves\n  * “Open this document via Microsoft login” flows that lead to a code-entry page instead of the document\n  * Unexpected prompts involving microsoft.com/devicelogin\n\nThe page is genuine and the padlock is real, so the teaching point is the workflow, not the URL: a legitimate document share never needs you to type a code that someone else sent you.\n\n* * *\n\n### 6. Detection Engineering\n\nImplement detections for:\n\n  * Device code authentication spikes (many users, one source address, short time window)\n  * Token reuse patterns (tokens issued to one address and used from another)\n  * Inbox rule creation anomalies shortly after a device code sign-in (rules that forward, delete, or move messages to obscure folders)\n  * Microsoft Graph reconnaissance behavior (directory and mailbox enumeration from a new client)\n\n* * *\n\n### 7. Limit OAuth Application Abuse\n\n  * Audit enterprise app registrations and service principals\n  * Restrict user consent permissions\n  * Monitor for newly registered attacker-controlled apps\n\n* * *\n\n## Strategic Takeaways\n\nEvilTokens represents a broader shift:\n\n  * **From credential theft → token abuse**\n  * **From manual phishing → AI-scaled automation**\n  * **From vulnerabilities → abuse of legitimate features**\n\nThis class of attack is particularly dangerous because:\n\n  * It operates within **trusted authentication flows**\n  * It is **hard to distinguish from normal behavior**\n  * It scales efficiently via PhaaS ecosystems\n\n* * *\n\n## Final Thoughts\n\nDevice code phishing is no longer a niche technique; it has entered **mainstream cybercrime operations**, with EvilTokens leading the charge.\n\nFor organizations heavily invested in Microsoft 365 and Entra ID, this attack vector should now be treated as a **first-class threat scenario**, requiring:\n\n  * Identity-layer monitoring\n  * Token lifecycle controls\n  * Conditional access hardening\n\nThe key mindset shift is this:\n\n> **If you only protect credentials, you are already behind. You must protect tokens.**",
  "title": "EvilTokens: An AI-Driven Device Code Attack Compromising Microsoft Businesses",
  "updatedAt": "2026-04-09T06:32:43.846Z"
}