EvilTokens is a phishing-as-a-service kit sold via Telegram that integrates device code phishing to hijack Microsoft accounts and enable large-scale business email compromise campaigns. Sekoia researchers observed document-based lures that redirect victims through legitimate Microsoft device login flows, allowing attackers to obtain access and refresh tokens for persistent access across email, files, and Teams.
Key points
- EvilTokens abuses the OAuth 2.0 device authorization flow to trick users into authorizing malicious devices.
- The kit is sold on Telegram, under active development, and plans to add Gmail and Okta phishing support.
- Phishing lures use documents with QR codes or links impersonating services like DocuSign or Adobe to target finance, HR, logistics, and sales staff.
- Successful exploitation yields short-lived access tokens and refresh tokens, enabling persistent access and SSO impersonation across Microsoft services.
- Sekoia identified global campaigns, provided IoCs and YARA rules, and noted EvilTokens offers automation and advanced features for BEC attacks.
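Because the victim authenticates on the genuine Microsoft login page, the only trace of device code phishing on the identity provider side is the sign-in itself: an authentication completed through the device authorization flow, followed shortly by token use from a host the user has never signed in from. The detection below is an added example written for this summary, not code from Sekoia or from the EvilTokens kit. It runs over a constructed set of sign-in events whose field names are modelled on the Microsoft Entra ID sign-in log schema (`authenticationProtocol`, `ipAddress`, `country`, and so on are assumed here; the values are invented) and flags, first, every sign-in that went through the device code flow and, second, any later sign-in by the same user within a short window from a different country, which is what the attacker redeeming the phished tokens looks like.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of sign-in events as JSON lines. Field names follow the
# Entra ID sign-in log schema as assumed by this example; values are invented.
# Scenario: alice completes a device code sign-in from NL, and three minutes
# later the same account uses tokens from a US address. bob is ordinary
# traffic; carol's device code attempt never completed.
SAMPLE_SIGNIN_LOGS = """
{"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "status": "success", "ipAddress": "203.0.113.5", "country": "NL", "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph"}
{"createdDateTime": "2024-05-01T09:03:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "status": "success", "ipAddress": "198.51.100.7", "country": "US", "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph"}
{"createdDateTime": "2024-05-01T09:30:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "status": "success", "ipAddress": "203.0.113.5", "country": "NL", "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph"}
{"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "status": "success", "ipAddress": "203.0.113.9", "country": "NL", "appDisplayName": "Outlook", "resourceDisplayName": "Microsoft Graph"}
{"createdDateTime": "2024-05-01T11:00:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "status": "failure", "ipAddress": "203.0.113.12", "country": "NL", "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph"}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # Entra timestamps end in "Z"; normalise so fromisoformat accepts them on older Pythons.
        event["_ts"] = datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["_ts"])


def device_code_signins(events, only_successful=True):
    """Return every sign-in that went through the OAuth 2.0 device authorization flow.

    In most fleets this flow is rare (headless devices, some CLI tooling), so each
    hit is worth reviewing even before correlating it with anything else.
    """
    return [
        e for e in events
        if e.get("authenticationProtocol") == "deviceCode"
        and (not only_successful or e.get("status") == "success")
    ]


def token_use_from_new_location(events, window=timedelta(hours=1)):
    """Correlate each successful device code sign-in with later sign-ins by the
    same user, inside `window`, that originate from a different country.

    A user who authorised a device code on the real Microsoft page and then sees
    their tokens used from elsewhere is the pattern a phished device code produces.
    """
    alerts = []
    for auth in device_code_signins(events):
        for later in events:
            if later is auth or later["userPrincipalName"] != auth["userPrincipalName"]:
                continue
            if not (auth["_ts"] < later["_ts"] <= auth["_ts"] + window):
                continue
            if later.get("country") != auth.get("country"):
                alerts.append({
                    "user": auth["userPrincipalName"],
                    "authorized_from": auth["ipAddress"],
                    "authorized_country": auth.get("country"),
                    "used_from": later["ipAddress"],
                    "used_country": later.get("country"),
                    "minutes_after": int((later["_ts"] - auth["_ts"]).total_seconds() // 60),
                    "resource": later.get("resourceDisplayName"),
                })
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_SIGNIN_LOGS)
    for e in device_code_signins(evts, only_successful=False):
        print(f"device code sign-in: {e['userPrincipalName']} {e['status']} from {e['ipAddress']}")
    for a in token_use_from_new_location(evts):
        print(f"ALERT {a['user']}: authorized from {a['authorized_country']} "
              f"({a['authorized_from']}), tokens used {a['minutes_after']} min later "
              f"from {a['used_country']} ({a['used_from']}) against {a['resource']}")
```

The country comparison is deliberately coarse; in production you would compare against the user's sign-in history rather than the single authorising event, and treat every device code sign-in in a tenant that has no legitimate need for the flow as an alert on its own. The corresponding preventive control is to block the device code flow with a Conditional Access policy for users and applications that do not require it, so that a phished code cannot be redeemed at all.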