
Microsoft 365 Users Targeted by EvilTokens Device Code Phishing

Originally published on: April 1, 2026
Summary

– Security researchers report a significant rise in device code phishing targeting Microsoft 365 users, linked to the new EvilTokens phishing-as-a-service kit sold on Telegram.
– Device code phishing tricks users into entering a Microsoft-issued code on Microsoft's genuine sign-in page, which lets the attacker obtain access and refresh tokens without the user's password and with the MFA prompt satisfied by the victim.
– The EvilTokens toolkit automates attacks, provides convincing phishing email templates, and includes post-compromise features to prioritize access to high-value information.
– This method enables long-term account access and lateral movement, as attackers can use stolen tokens to silently authenticate to various Microsoft 365 applications.
– Organizations can defend against this by training users, using Conditional Access policies to restrict device code authentication, and monitoring for anomalous sign-ins.

A concerning surge in device code phishing attacks is now targeting Microsoft 365 accounts, fueled by a new toolkit called EvilTokens. This specialized platform, offered as a phishing-as-a-service (PhaaS) on Telegram, is lowering the barrier for cybercriminals to execute sophisticated campaigns that bypass traditional security measures like multi-factor authentication.

This attack method abuses a legitimate Microsoft feature, the OAuth 2.0 device authorization grant (device code flow), which exists so that users can sign in on devices with limited input capabilities, such as smart TVs or printers. In a legitimate scenario, the device requests a short code from Microsoft and shows it to the user, who enters it on a dedicated login page to grant that device access. Attackers instead initiate a real device authorization request themselves, which gives them the user-facing code, the login link, and a device code they keep for polling Microsoft's token endpoint. They then send the Microsoft-provided code and link to the victim, wrapped in a convincing pretext, often embedded in a QR code, to trick the user into entering it. If the target complies, they are directed to the genuine Microsoft authentication page, so inspecting the URL gives no warning. Entering the phisher's code completes the login flow for the attacker's pending request. The code is only valid for a short window (fifteen minutes in Microsoft's implementation), so the lure has to make the victim act promptly.

The critical outcome is that, once the victim has approved the code, the attacker's next poll of Microsoft's token endpoint returns valid access and refresh tokens. This grants persistent, long-term access to the compromised account without the attacker ever needing the user's password or having to defeat MFA: the victim satisfied the MFA prompt on the attacker's behalf. Researchers from Sekoia explain that in advanced scenarios, attackers can use a stolen refresh token to register a new device in Entra ID. This allows them to obtain a Primary Refresh Token (PRT), enabling silent authentication to the organization's Microsoft 365 applications. With this level of access, threat actors can move laterally across services, bypassing credential prompts and MFA checks entirely.
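The exchange described in the two paragraphs above, as an added example that is not part of the original article and not code from Sekoia or the EvilTokens kit. The AuthServer class is an offline stand-in for Microsoft's device code and token endpoints plus the device login page; the 15-minute code lifetime and the endpoint roles follow Microsoft's public documentation, while the client ID, user name, code alphabet and token values are constructed for the example. simulate_phish plays both the attacker's and the victim's side and shows the two outcomes that matter to a defender: the victim approves inside the window and the attacker's poll receives a refresh token, or the victim is too slow and the code expires.

```python
"""Offline model of the OAuth 2.0 device authorization grant (RFC 8628) as abused
in device code phishing. Added example: not from the article, Sekoia, or EvilTokens.
Endpoint roles and the 15-minute lifetime follow Microsoft's documentation; client
ID, user name, and token values are constructed."""
import secrets

CODE_LIFETIME = 900   # seconds; Microsoft device codes expire after 15 minutes
POLL_INTERVAL = 5     # minimum seconds the client must wait between token polls
CLIENT_ID = "attacker-chosen-public-client"   # assumed: any public client allowed to use the flow


class FakeClock:
    """Deterministic clock so the exchange can be replayed offline."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class AuthServer:
    """Minimal authorization-server side of the device code flow."""
    def __init__(self, now):
        self.now = now
        self.pending = {}   # device_code -> state of the outstanding request

    def device_authorization(self, client_id, scope):
        """POST /devicecode: a user code for the human, a device code for polling."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ23456789") for _ in range(9))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "issued": self.now(),
                                     "approved_by": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_approves(self, user_code, username):
        """The device login page: the signed-in user types the code (MFA happens here)."""
        for state in self.pending.values():
            if state["user_code"] == user_code and state["approved_by"] is None:
                if self.now() - state["issued"] > CODE_LIFETIME:
                    return "expired"
                state["approved_by"] = username
                return "approved"
        return "unknown_code"

    def token(self, device_code, client_id):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now() - state["issued"] > CODE_LIFETIME:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]   # the device code is single-use
        tokens = {"token_type": "Bearer", "scope": state["scope"],
                  "access_token": "at." + secrets.token_urlsafe(16),
                  "subject": state["approved_by"]}
        if "offline_access" in state["scope"].split():
            tokens["refresh_token"] = "rt." + secrets.token_urlsafe(16)   # the persistence the attacker wants
        return tokens


def simulate_phish(victim_delay):
    """Attacker starts the flow, lures the victim, polls for tokens. victim_delay is the
    number of seconds before the victim enters the code. Returns (final token response, transcript)."""
    clock = FakeClock()
    server = AuthServer(now=clock)
    transcript = []
    # 1. The attacker, not the victim, requests the code; offline_access asks for a refresh token.
    dev = server.device_authorization(CLIENT_ID, "openid offline_access Mail.Read")
    transcript.append(("server->attacker", f"user_code={dev['user_code']} expires_in={dev['expires_in']}"))
    # 2. The attacker sends the code and the genuine link (or a QR code encoding it) to the victim
    #    and starts polling; the server answers authorization_pending until someone approves.
    transcript.append(("attacker->victim", f"open {dev['verification_uri']} and enter {dev['user_code']}"))
    clock.advance(dev["interval"])
    transcript.append(("server->attacker", server.token(dev["device_code"], CLIENT_ID)["error"]))
    # 3. The victim signs in on the real Microsoft page and types the attacker's code.
    clock.advance(victim_delay)
    transcript.append(("victim->server", server.user_approves(dev["user_code"], "alice@contoso.example")))
    # 4. The attacker's next poll either receives the tokens or learns the code expired.
    clock.advance(dev["interval"])
    final = server.token(dev["device_code"], CLIENT_ID)
    transcript.append(("server->attacker", "tokens issued" if "access_token" in final else final["error"]))
    return final, transcript


if __name__ == "__main__":
    for delay in (60, 2000):
        final, transcript = simulate_phish(delay)
        print(f"victim acts after {delay}s:")
        for who, msg in transcript:
            print("  ", who, msg)
```

Two things the model makes visible: the attacker never handles the victim's password or MFA response, since both happen between the victim and the genuine login page, and the refresh token only appears because the attacker asked for offline_access when starting the flow, which is why the token scope requested by a suspicious device code sign-in is worth checking.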

The EvilTokens phishing kit automates this entire malicious process. It provides operators with decoy pages and generates convincing phishing emails, often using large language models to improve realism. The service offers a range of deceptive templates mimicking common business communications, including email quarantine alerts, calendar invites, SharePoint access requests, password expiry warnings, and fake DocuSign or Adobe Sign notifications. Beyond initial access, the platform includes features like AI Analysis and a Keyword Scanner to help attackers quickly triage compromised mailboxes, prioritizing financial data and other high-value information for maximum impact. Documented campaigns have primarily focused on employees in finance, human resources, and transportation sectors.

While device code phishing itself is not novel, its adoption is growing rapidly. Most common phishing kits still rely on adversary-in-the-middle techniques. Analysts note that EvilTokens is currently the only widely available kit with built-in support for this method, combined with tools for account takeover and post-compromise activity. This integration is driving a noticeable increase in related campaigns as BEC scammers and other threat actors recognize its effectiveness.

To defend against this threat, organizations must combine user awareness with technical controls. Employees should be trained to recognize and report unexpected login or code requests, and to understand that a genuine device login page asking for a code they did not generate themselves is the warning sign, since the URL and the page will both look legitimate. Technically, Conditional Access includes an authentication flows condition that targets the device code flow specifically, so administrators can block it tenant-wide or limit it to approved users, devices, and trusted locations. Entra sign-in logs record the protocol used for each sign-in, so security teams can filter for device code flow sign-ins, correlate them with known infrastructure associated with kits like EvilTokens and with sign-ins from unexpected locations, and check whether the same account then used tokens against other Microsoft 365 applications. If a compromise is suspected, revoke the user's refresh tokens immediately (the Microsoft Graph revokeSignInSessions action, or Revoke-MgUserSignInSession in the Graph PowerShell module) and review any devices registered to the account after the suspicious sign-in, removing those that are not recognized.
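The monitoring advice above, as an added example that is not part of the original article: a small triage pass over Entra ID sign-in records that surfaces device code flow sign-ins, raises severity when the source IP is on a list of known phishing-kit infrastructure or the country is outside the tenant's normal set, and correlates each device code sign-in with later sign-ins from the same IP to other applications, which is the token reuse described earlier. Field names follow the Microsoft Graph signIn resource; the records, the expected-country set and the bad-IP list are constructed for the example and would come from the tenant's own logs and threat intelligence in practice.

```python
"""Triage of Entra ID sign-in records for device code flow abuse. Added example,
not from the article or Sekoia. Field names follow the Graph signIn resource;
the records, EXPECTED_COUNTRIES and KNOWN_BAD_IPS are constructed."""
from datetime import datetime, timedelta

# Constructed sample sign-in records (values are made up for this example).
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-04-01T09:12:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2026-04-01T09:15:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2026-04-01T09:20:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.23",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Graph",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2026-04-01T10:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Azure CLI",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@contoso.example", "createdDateTime": "2026-04-01T10:05:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 50199}},   # non-zero: the sign-in did not complete, no token issued
]

# Assumptions an analyst fills from their own environment and threat intel.
EXPECTED_COUNTRIES = {"US"}
KNOWN_BAD_IPS = {"198.51.100.23"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage(sign_ins, expected_countries=EXPECTED_COUNTRIES, known_bad_ips=KNOWN_BAD_IPS):
    """Score successful sign-ins. Every device code flow sign-in is surfaced, because that
    flow is exactly what a phished code produces; a known-bad IP or an unexpected country
    raises the severity. Returns findings ordered by time."""
    findings = []
    for rec in sorted(sign_ins, key=lambda r: _ts(r["createdDateTime"])):
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue   # no token was issued; failed attempts are a separate hunt
        country = rec.get("location", {}).get("countryOrRegion")
        device_code = rec.get("authenticationProtocol") == "deviceCode"
        bad_ip = rec["ipAddress"] in known_bad_ips
        foreign = country not in expected_countries
        reasons = []
        if device_code:
            reasons.append("device code flow sign-in")
        if bad_ip:
            reasons.append("source IP on known phishing-kit infrastructure")
        if foreign:
            reasons.append(f"country {country} outside expected set")
        if not reasons:
            continue
        if bad_ip or (device_code and foreign):
            severity = "high"
        elif device_code:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"user": rec["userPrincipalName"], "time": rec["createdDateTime"],
                         "app": rec["appDisplayName"], "severity": severity, "reasons": reasons})
    return findings


def token_reuse_after_device_code(sign_ins, window=timedelta(hours=1)):
    """For each successful device code sign-in, list later successful sign-ins by the same
    user from the same IP to a different application inside the window: the stolen
    refresh token being redeemed across Microsoft 365 services."""
    ordered = sorted(sign_ins, key=lambda r: _ts(r["createdDateTime"]))
    reuse = {}
    for i, rec in enumerate(ordered):
        if rec.get("authenticationProtocol") != "deviceCode" or rec["status"]["errorCode"] != 0:
            continue
        start = _ts(rec["createdDateTime"])
        for later in ordered[i + 1:]:
            if _ts(later["createdDateTime"]) - start > window:
                break
            if (later["userPrincipalName"] == rec["userPrincipalName"]
                    and later["ipAddress"] == rec["ipAddress"]
                    and later["appDisplayName"] != rec["appDisplayName"]
                    and later["status"]["errorCode"] == 0):
                reuse.setdefault(rec["userPrincipalName"], []).append(later["appDisplayName"])
    return reuse


def users_to_revoke(findings):
    """Accounts whose refresh tokens should be revoked now (high-severity findings)."""
    return {f["user"] for f in findings if f["severity"] == "high"}


if __name__ == "__main__":
    found = triage(SIGN_INS)
    for f in found:
        print(f["severity"].upper(), f["user"], f["time"], f["app"], "; ".join(f["reasons"]))
    print("token reuse:", token_reuse_after_device_code(SIGN_INS))
    print("revoke:", sorted(users_to_revoke(found)))
```

The medium-severity finding for a device code sign-in from an expected location is deliberate: tools such as Azure CLI use the flow legitimately, so the point of the Conditional Access restriction is to shrink that legitimate set until every remaining device code sign-in can be reviewed by hand. The users_to_revoke output is the input for the revocation step, whether that is the Graph revokeSignInSessions action or the equivalent PowerShell cmdlet.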

(Source: Help Net Security)
