---
# New EvilTokens Service Fuels Microsoft Device Code Phishing Attacks
## A turnkey phishing-as-a-service platform is lowering the barrier for device code phishing, giving threat actors a streamlined path to hijacking Microsoft 365 accounts and launching business email compromise campaigns.
A newly surfaced malicious toolkit dubbed EvilTokens is raising alarms across the cybersecurity community for its role in industrializing device code phishing — a technique that abuses Microsoft's OAuth 2.0 device authorization grant flow to steal authentication tokens without ever touching a user's password. The service, which has been circulating on underground forums and Telegram channels, packages what was once a technically demanding attack into a point-and-click operation, dramatically expanding the pool of threat actors capable of compromising enterprise Microsoft 365 environments.
---
## Background and Context
Device code phishing is not new. The technique first gained widespread attention in February 2025, when Microsoft Threat Intelligence linked it to Storm-2372, a threat cluster Microsoft assessed as aligned with Russian interests, which used the method against government agencies, defense contractors, NGOs, and telecommunications firms across multiple continents. What made those campaigns notable was their simplicity: victims were socially engineered, often via Teams, WhatsApp, or Signal messages, into entering a short alphanumeric code on Microsoft's legitimate microsoft.com/devicelogin page, believing they were joining a meeting or verifying their identity.
The OAuth 2.0 device authorization grant (RFC 8628) was designed for clients with limited input capabilities, such as smart TVs, command-line tools on headless servers, or IoT hardware without a keyboard. The client requests a device code from the authorization server and receives a short user code together with a verification URL; it then polls the token endpoint at the advertised interval while the user opens the URL in any browser, authenticates, and confirms the application name shown. Once the user completes that step, the polling client receives access and refresh tokens. The protocol itself is not flawed; the weakness is in the trust model. Whoever requested the device code is the party that receives the tokens, and nothing on the sign-in page tells the user who that is. Victims see a genuine Microsoft page, enter real credentials, satisfy MFA, and confirm a familiar application name, never realizing they are completing a session that an attacker's script is polling for.
EvilTokens takes this well-documented attack path and wraps it in a managed service, complete with token management dashboards, automated lure generation, and post-compromise modules purpose-built for business email compromise (BEC).
---
## Technical Details
EvilTokens operates as a phishing-as-a-service (PhaaS) platform with several core capabilities that distinguish it from earlier proof-of-concept tools:
Automated Device Code Generation. The platform programmatically requests device codes from Microsoft's /oauth2/v2.0/devicecode endpoint, cycling through the public client IDs of legitimate Microsoft first-party applications. These are public clients with no secret, so anyone can request a code on their behalf; by presenting as Microsoft Teams or Outlook Mobile, the confirmation the victim sees on the device login page looks routine.
Social Engineering Templates. EvilTokens ships with prebuilt lure templates — fake Teams meeting invitations, IT helpdesk verification requests, and MFA reset notifications — localized in multiple languages. These are delivered via email, Teams messages, or third-party messaging platforms, directing victims to microsoft.com/devicelogin with a pre-filled user code.
Token Harvesting and Management. Once a victim authenticates, EvilTokens captures the resulting access token and, critically, the refresh token. Under default Microsoft Entra ID settings a refresh token is valid for 90 days and each use returns a fresh one, so an attacker who redeems it at least once in that window can keep the session alive indefinitely unless it is revoked or a Conditional Access sign-in frequency forces reauthentication. A built-in dashboard allows operators to manage harvested tokens, view associated mailboxes, and execute downstream actions.
BEC Modules. Post-compromise functionality includes inbox rule creation (to hide sent emails and forwarding evidence), contact list exfiltration, internal phishing propagation from the compromised account, and financial redirect attacks — the classic BEC playbook, now automated.
MFA Bypass by Design. Because the victim authenticates directly with Microsoft and satisfies any MFA challenge themselves, the technique sidesteps multi-factor authentication rather than defeating it. The attacker never needs the user's password or second factor; they receive a fully authenticated token. This holds even for phishing-resistant methods such as FIDO2 keys and passkeys, because the origin the user authenticates to is Microsoft's own, so the authenticator's origin binding is satisfied.
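The exchange described in the background section and abused by the toolkit above, as an added example that is not EvilTokens code and not Microsoft's implementation: both sides of the RFC 8628 flow on a simulated clock. The endpoint URLs and response fields follow RFC 8628 and Microsoft's public documentation for the v2.0 devicecode endpoint; the authorization server below is a constructed in-memory mock, CLIENT_ID is a placeholder, and the victim's UPN is made up. The point it makes concrete is the trust-model gap from the text: `devicelogin` has no way to tell whether the party that will receive the tokens is the user's own device.

```python
"""RFC 8628 device authorization grant, both sides, on a simulated clock.

Added example; not EvilTokens code, not Microsoft's implementation. URLs and
fields mirror RFC 8628 / Microsoft's public docs; the server is a mock.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Optional

DEVICECODE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
VERIFICATION_URI = "https://microsoft.com/devicelogin"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
CLIENT_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder, constructed


@dataclass
class Grant:
    client_id: str
    scope: str
    user_code: str
    interval: int
    expires_at: int
    last_poll: int = -(10 ** 9)
    approved_by: Optional[str] = None


class MockAuthServer:
    """In-memory stand-in for the authorization server. `now` is seconds."""

    def __init__(self, user_code_ttl: int = 900, interval: int = 5):
        self.grants: dict = {}      # device_code -> Grant
        self.user_codes: dict = {}  # user_code -> device_code
        self.ttl, self.interval, self.now = user_code_ttl, interval, 0

    def devicecode(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: mint a device_code / user_code pair."""
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        device_code = secrets.token_urlsafe(32)
        self.grants[device_code] = Grant(client_id, scope, user_code, self.interval, self.now + self.ttl)
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": self.ttl,
                "interval": self.interval,
                # Microsoft's endpoint also returns a ready-made instruction string.
                "message": f"To sign in, use a web browser to open the page {VERIFICATION_URI} "
                           f"and enter the code {user_code} to authenticate."}

    def devicelogin(self, user_code: str, upn: str) -> bool:
        """The victim's step: enter the code, authenticate, confirm the app name.
        Nothing here reveals who holds the matching device_code."""
        device_code = self.user_codes.get(user_code)
        if device_code is None or self.grants[device_code].expires_at < self.now:
            return False
        self.grants[device_code].approved_by = upn
        return True

    def token(self, device_code: str, client_id: str) -> dict:
        """POST /token with grant_type=device_code: the polling side."""
        g = self.grants.get(device_code)
        if g is None or g.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.now - g.last_poll < g.interval:  # polled too fast (RFC 8628 section 3.5)
            g.last_poll = self.now
            g.interval += 5
            return {"error": "slow_down", "interval": g.interval}
        g.last_poll = self.now
        if g.expires_at < self.now:
            return {"error": "expired_token"}
        if g.approved_by is None:
            return {"error": "authorization_pending"}
        del self.grants[device_code]
        del self.user_codes[g.user_code]
        return {"token_type": "Bearer", "scope": g.scope, "expires_in": 3600,
                "access_token": "at." + g.approved_by + "." + secrets.token_hex(8),
                "refresh_token": "rt." + g.approved_by + "." + secrets.token_hex(8)}


class DeviceCodeClient:
    """The side that requested the code: a TV, a CLI, or a phishing operator."""

    def __init__(self, server: MockAuthServer, client_id: str, scope: str):
        self.server, self.client_id, self.scope = server, client_id, scope

    def start(self) -> dict:
        r = self.server.devicecode(self.client_id, self.scope)
        self.device_code, self.user_code, self.interval = r["device_code"], r["user_code"], r["interval"]
        return r

    def poll(self) -> dict:
        r = self.server.token(self.device_code, self.client_id)
        if r.get("error") == "slow_down":
            self.interval = r["interval"]
        return r


def run_flow(victim_upn: str = "alice@contoso.example", approve_at: int = 30):
    """Drive one grant to completion or expiry. Returns (poll trace, final response)."""
    server = MockAuthServer()
    client = DeviceCodeClient(server, CLIENT_ID, "openid offline_access https://graph.microsoft.com/.default")
    client.start()
    trace, approved = [], False
    while True:
        server.now += client.interval  # honour the advertised polling interval
        if not approved and server.now >= approve_at:
            approved = server.devicelogin(client.user_code, victim_upn)  # victim acts at approve_at
        r = client.poll()
        trace.append((server.now, r.get("error", "token")))
        if r.get("error") not in ("authorization_pending", "slow_down"):
            return trace, r
```

With the defaults the client sees five `authorization_pending` responses and then a token pair the moment the victim confirms; with no victim action the same loop ends in `expired_token` once the code's lifetime passes. The `refresh_token` in the final response is what the text calls the prize: it is minted for whoever polled, not for the browser that authenticated.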
---
## Real-World Impact
The implications for organizations are severe. Device code phishing collapses the traditional phishing kill chain — there is no fake login page to detect, no credential harvesting domain to block, and no MFA fatigue prompt to raise suspicion. The entire authentication flow occurs on Microsoft's legitimate infrastructure.
For enterprises relying on Microsoft 365, a single compromised token can provide access to Exchange Online, SharePoint, OneDrive, and Teams. The refresh token's long validity means attackers can maintain access for weeks or months after the initial sign-in. A password change revokes only refresh tokens issued from a password-based sign-in; tokens obtained after a passwordless, FIDO2, or certificate sign-in survive it and remain usable until the user's sessions are explicitly revoked.
BEC remains among the costliest categories of cybercrime. The FBI's Internet Crime Complaint Center has reported more than $55 billion in exposed BEC losses (actual and attempted) between 2013 and 2023. Tools like EvilTokens that automate the full attack chain, from initial access to financial fraud, threaten to accelerate these losses further.
Organizations in heavily targeted sectors — financial services, legal, healthcare, government, and education — face disproportionate risk, particularly those with large Microsoft 365 tenancies and distributed workforces accustomed to remote collaboration tools.
---
## Threat Actor Context
EvilTokens follows the broader trend of cybercrime commoditization. Like earlier PhaaS platforms such as EvilProxy, Caffeine, and Greatness, it lowers the skill floor required to execute sophisticated attacks. The developers appear to operate as a commercial service, offering subscription tiers with varying feature sets, customer support channels, and regular updates — mirroring legitimate SaaS business models.
The platform has been observed advertised on Russian- and English-language cybercrime forums, as well as dedicated Telegram channels. Attribution to a specific threat group remains unclear, though the operational model suggests financially motivated actors rather than state-sponsored entities.
The emergence of device code phishing toolkits also reflects a natural adversary response to the industry's push toward phishing-resistant MFA. As organizations adopt FIDO2 keys, passkeys, and certificate-based authentication to shut down credential phishing, attackers are pivoting to techniques that never present a forged sign-in origin at all: the victim completes a genuine authentication, and the attacker simply collects the token that results.
---
## Defensive Recommendations
Security teams should prioritize the following mitigations:
1. Restrict or disable the device code flow. In Microsoft Entra ID, administrators can block the device code flow with a Conditional Access policy that targets it under the Authentication flows condition. Unless your organization has legitimate device code use cases (kiosk devices, IoT, headless CLI sign-ins), blocking this flow entirely eliminates the attack surface; where it is needed, scope the exception to the specific users and applications that require it.
2. Implement Conditional Access policies. Enforce policies that restrict token issuance based on compliant devices, trusted network locations, and risk-based sign-in evaluations. Blocking authentication from unmanaged devices significantly reduces exposure.
3. Limit session persistence and bind tokens. Refresh token lifetimes are not directly configurable in Entra ID, so use the Conditional Access sign-in frequency control to force periodic reauthentication, enable Continuous Access Evaluation (CAE) so that revocations and risk events take effect on access tokens in near real time, and enable token protection (binding the token to the device it was issued to) where supported, so that a token replayed from an unauthorized device is rejected.
4. Monitor for anomalous OAuth activity. Entra ID sign-in logs record device code sign-ins with an authentication protocol of deviceCode; alert on those events, and look for spikes in device code usage across the tenant, users who have never used the flow before, sign-ins from unexpected geographies, and inbox rules or application consents created shortly after a device code sign-in.
5. Revoke sessions aggressively. When compromise is suspected, revoke all refresh tokens for the affected user via Revoke-MgUserSignInSession (the Graph revokeSignInSessions action) or the Entra admin center, and reset the password as well. Do not rely on the password reset alone: it revokes only password-based refresh tokens, and a token obtained from a passwordless sign-in continues to function until the sessions are revoked.
6. User awareness training. Educate users that legitimate IT teams will never ask them to enter a device code to join a meeting or verify their identity. The device code flow prompt should be treated as suspicious unless the user initiated it themselves on a known device.
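The monitoring in item 4, run over sample telemetry, as an added example that is not the page's KQL and not EvilTokens code. Field names follow the Microsoft Sentinel SigninLogs and OfficeActivity conventions (AuthenticationProtocol of deviceCode, ResultType "0" for success, Operation New-InboxRule); the records are constructed, not real tenant data, and the thresholds are starting points to tune. It goes slightly beyond the item's wording by adding the correlation with an inbox rule created shortly after a device code sign-in, which is the BEC tell the Technical Details section describes.

```python
"""Device-code detection logic over constructed Entra sign-in and Exchange audit records.

Added example; not the page's KQL. Field names follow Sentinel SigninLogs /
OfficeActivity conventions; every record here is constructed, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins (JSON lines). ResultType 70016 is a pending device-code
# poll ("Pending end-user authorization"), not a completed sign-in, and is ignored.
SIGNIN_LOGS = """
{"TimeGenerated":"2025-06-02T09:00:00Z","UserPrincipalName":"alice@contoso.example","AuthenticationProtocol":"none","AppDisplayName":"Office 365 Exchange Online","ResultType":"0","Location":"GB"}
{"TimeGenerated":"2025-06-03T10:12:00Z","UserPrincipalName":"alice@contoso.example","AuthenticationProtocol":"deviceCode","AppDisplayName":"Microsoft Teams","ResultType":"0","Location":"GB"}
{"TimeGenerated":"2025-06-03T10:13:30Z","UserPrincipalName":"bob@contoso.example","AuthenticationProtocol":"deviceCode","AppDisplayName":"Microsoft Teams","ResultType":"0","Location":"GB"}
{"TimeGenerated":"2025-06-03T10:15:10Z","UserPrincipalName":"carol@contoso.example","AuthenticationProtocol":"deviceCode","AppDisplayName":"Microsoft Teams","ResultType":"70016","Location":"GB"}
{"TimeGenerated":"2025-06-03T10:16:00Z","UserPrincipalName":"dave@contoso.example","AuthenticationProtocol":"deviceCode","AppDisplayName":"Microsoft Teams","ResultType":"0","Location":"GB"}
{"TimeGenerated":"2025-05-20T08:00:00Z","UserPrincipalName":"kiosk@contoso.example","AuthenticationProtocol":"deviceCode","AppDisplayName":"Lobby Signage","ResultType":"0","Location":"GB"}
{"TimeGenerated":"2025-06-03T08:00:00Z","UserPrincipalName":"kiosk@contoso.example","AuthenticationProtocol":"deviceCode","AppDisplayName":"Lobby Signage","ResultType":"0","Location":"GB"}
"""

# Constructed Exchange audit records: a hide-the-evidence rule 88 minutes after alice's sign-in.
AUDIT_LOGS = """
{"TimeGenerated":"2025-06-03T11:40:00Z","UserId":"alice@contoso.example","Operation":"New-InboxRule","Parameters":"-DeleteMessage $true -SubjectContainsWords invoice"}
{"TimeGenerated":"2025-06-01T11:40:00Z","UserId":"kiosk@contoso.example","Operation":"New-InboxRule","Parameters":"-MoveToFolder Archive -From noreply@contoso.example"}
"""


def load(jsonl: str) -> list:
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def ts(rec: dict) -> datetime:
    return datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")


def device_code_successes(signins: list) -> list:
    """Completed device-code sign-ins only, oldest first."""
    return sorted((e for e in signins
                   if e["AuthenticationProtocol"] == "deviceCode" and e["ResultType"] == "0"), key=ts)


def first_time_device_code_users(signins: list, since: datetime) -> list:
    """Users who completed a device-code sign-in on/after `since` with no history of it before."""
    before, after = set(), set()
    for e in device_code_successes(signins):
        (after if ts(e) >= since else before).add(e["UserPrincipalName"])
    return sorted(after - before)


def tenant_spike(signins: list, window: timedelta = timedelta(minutes=10), threshold: int = 3) -> list:
    """Windows in which at least `threshold` distinct users completed device-code sign-in."""
    dc = device_code_successes(signins)
    hits = []
    for i, start in enumerate(dc):
        users = {e["UserPrincipalName"] for e in dc[i:] if ts(e) - ts(start) <= window}
        if len(users) >= threshold:
            hits.append((start["TimeGenerated"], sorted(users)))
    return hits


def inbox_rule_after_device_code(signins: list, audits: list, within: timedelta = timedelta(hours=24)) -> list:
    """Device-code sign-in followed by a new inbox rule for the same user inside `within`."""
    by_user = defaultdict(list)
    for e in device_code_successes(signins):
        by_user[e["UserPrincipalName"]].append(ts(e))
    hits = []
    for a in audits:
        if a["Operation"] != "New-InboxRule":
            continue
        if any(timedelta(0) <= ts(a) - t <= within for t in by_user.get(a["UserId"], [])):
            hits.append((a["UserId"], a["TimeGenerated"], a["Parameters"]))
    return hits


def run() -> dict:
    """Run all three rules over the constructed sample and return their findings."""
    signins, audits = load(SIGNIN_LOGS), load(AUDIT_LOGS)
    return {
        "first_time_users": first_time_device_code_users(signins, datetime(2025, 6, 3)),
        "spikes": tenant_spike(signins),
        "rule_after_device_code": inbox_rule_after_device_code(signins, audits),
    }
```

On the sample, the known kiosk account is excluded by its history while alice, bob, and dave surface as first-time device-code users inside a single ten-minute window, and alice's inbox rule lands 88 minutes after her sign-in. In production, the first-time and spike rules are triage signals; the sign-in-then-inbox-rule correlation is the one worth paging on.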
---
## Industry Response
Microsoft has acknowledged the growing abuse of the device authorization grant flow and has been enhancing detection capabilities within Microsoft Defender for Cloud Apps and Entra ID Protection. Recent updates include improved risk signals for device code authentication events and recommendations to disable the flow where not operationally required.
The broader security community has responded with open-source detection rules — including KQL queries for Microsoft Sentinel and Sigma rules for SIEM platforms — that flag anomalous device code authentication patterns. CISA has also issued guidance urging organizations to audit their OAuth configurations and restrict unnecessary authentication flows.
However, the fundamental challenge remains: the device code flow is a legitimate protocol feature, not a vulnerability. Defenders must balance disabling or restricting the flow against potential operational disruption, particularly in environments with legacy devices or specialized hardware that depend on it.
As phishing-as-a-service platforms continue to mature, the window between novel attack technique and commodity exploit kit is shrinking. EvilTokens is the latest reminder that defensive strategies must evolve at the same pace — or faster — than the adversary's tooling.
---