EvilTokens turns Microsoft sign-ins into bait


EvilTokens, a newly identified phishing-as-a-service operation, is offering cybercriminals a ready-made way to hijack Microsoft accounts by abusing a legitimate sign-in process rather than stealing passwords through fake login pages. The service centres on Microsoft’s device code flow, a method designed for televisions, printers and other input-constrained devices, and researchers say the toolkit has been active since the middle of February.

What makes the platform notable is not only the technique but the degree of industrialisation around it. Researchers tracking the service say EvilTokens packages the attack into an affiliate-friendly model, combining phishing templates, Telegram-based management, token capture, email harvesting, reconnaissance tools and automation features aimed at speeding up business email compromise operations. That shifts device-code phishing from a specialised tactic into something closer to an off-the-shelf criminal service.

The method exploits a weakness in user trust rather than a flaw in Microsoft software. In a standard device code flow, a user is shown a short code on one device and asked to enter it on another at Microsoft’s official login page. The system then issues authentication tokens to the device that requested access. In the criminal version, the attacker initiates the request, lures the victim into entering the code on the genuine Microsoft page, and silently receives the resulting access and refresh tokens. Because the victim is interacting with a legitimate Microsoft domain and may even complete multi-factor authentication, the attack can be harder to detect than a classic credential-stealing phish.

Researchers say EvilTokens has been built to reduce friction for attackers at every stage. Its templates reportedly mimic familiar business services such as Adobe Acrobat Sign, DocuSign, OneDrive, SharePoint, voicemail systems and password-expiry alerts. Victims are guided through a branded decoy page before being sent to Microsoft’s authentic device login screen, where the short code appears to validate the request. That sequence is designed to exploit the credibility of the real Microsoft sign-in environment while masking the fact that the code originated with the attacker.

The concern for security teams is persistence. Access tokens are short-lived, so on their own they give an attacker only a limited window to read mail or files, but refresh tokens can be exchanged for new access tokens without forcing the victim through another visible sign-in challenge. More advanced abuse can deepen the compromise further by helping attackers move laterally across Microsoft 365 services or maintain footholds that survive routine password resets if token revocation is not handled properly.

This development fits a broader pattern in identity-focused cybercrime. Microsoft has warned for more than a year that multiple threat actors, including state-linked operators and financially motivated groups, have been using device-code phishing, adversary-in-the-middle methods and other token-based attacks to get around stronger authentication controls. Security researchers have also documented layered campaigns that combine OAuth abuse, token theft and internal phishing once an account is compromised. EvilTokens appears to take those building blocks and package them as a commercial service for wider criminal use.

That trend matters because many organisations have invested heavily in multi-factor authentication on the assumption that it sharply reduces phishing risk. It still does, but token-centric attacks exploit the reality that attackers no longer always need the password itself. If a victim is persuaded to authenticate a malicious session through a legitimate workflow, the criminal can inherit the trust created by that sign-in. In practical terms, the battleground has shifted from password theft to session theft and identity token abuse.

Microsoft’s own guidance has become more direct as these attacks have spread. The company advises organisations to block device code flow wherever it is not essential and to restrict it tightly through Conditional Access where business use remains necessary. That is a significant recommendation because device code flow is legitimate and useful in some environments, particularly with legacy or input-limited hardware, but it has become an attractive avenue for attackers precisely because it looks normal and relies on Microsoft infrastructure.
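As an added illustration for defenders (not code from the article or from any of the researchers it cites), the following script triages constructed Entra ID sign-in records and flags device code flow sign-ins, ranking higher any whose source address never appears in that user's ordinary sign-ins, since the tokens go to whichever client started the flow. It assumes the sign-in log field `authenticationProtocol` holds the value `deviceCode` for this flow; the field names and every record below are constructed sample data.

```python
# Added example: triage sign-in records for device code flow use.
# Assumption: Entra sign-in logs expose "authenticationProtocol" == "deviceCode";
# the records below are constructed samples, not real log data.
from collections import defaultdict

SIGN_INS = [
    {"createdDateTime": "2024-02-20T08:01:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "resourceDisplayName": "Office 365 SharePoint Online"},
    {"createdDateTime": "2024-02-20T09:15:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2024-02-20T09:20:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2024-02-19T17:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.22",
     "resourceDisplayName": "Office 365 Exchange Online"},
]

def baseline_ips(events):
    """Per-user set of source IPs seen on sign-ins that did NOT use device code flow."""
    seen = defaultdict(set)
    for e in events:
        if e["authenticationProtocol"] != "deviceCode":
            seen[e["userPrincipalName"]].add(e["ipAddress"])
    return seen

def device_code_alerts(events):
    """One finding per device code sign-in. Heuristic (our assumption, not vendor
    guidance): the flow is rare for ordinary users, so each instance is reviewed;
    a source IP absent from the user's baseline is ranked high because the token
    is delivered to the client that initiated the flow, not to the victim's browser."""
    baseline = baseline_ips(events)
    findings = []
    for e in events:
        if e["authenticationProtocol"] != "deviceCode":
            continue
        new_ip = e["ipAddress"] not in baseline[e["userPrincipalName"]]
        findings.append({
            "time": e["createdDateTime"],
            "user": e["userPrincipalName"],
            "ip": e["ipAddress"],
            "resource": e["resourceDisplayName"],
            "severity": "high" if new_ip else "medium",
        })
    return findings
```

In a real deployment the records would come from the sign-in log export rather than the inline list, and the high-severity findings are the ones to check against a Conditional Access policy that restricts the flow.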


Also published on Medium.
