EvilTokens: How “Ghost” Code Threatens US and European Businesses

MITRE Techniques

• [T1056.001 ] Input Capture: Keylogging – The article describes the kit tricking the victim into entering or authorizing information through Microsoft’s device login flow rather than stealing a password directly, effectively capturing user action in the login process. [‘it convinces the victim to complete Microsoft’s legitimate device login flow and unknowingly authorize access to their account’]
• [T1566.002 ] Spearphishing Link – The attack uses a phishing landing page and link-based delivery to lure the victim into interacting with a malicious Microsoft device-code page. [‘The landing page HTML is encrypted with AES-GCM and becomes visible only after the browser decrypts it’]
• [T1110 ] Brute Force – Not directly used for password guessing, but the article indicates account takeover is achieved through authorization abuse rather than direct credential theft. [‘gain account access without directly stealing the victim’s password’]
• [T1528 ] Steal Application Access Token – The device-code phishing flow results in attackers retaining access authorized through the completed Microsoft device login flow, which functions like token-based account access. [‘the attackers retain the access authorized through the completed Microsoft device login flow’]
• [T1059.007 ] JavaScript – The page logic uses browser-side script to decrypt content, request the user code, and poll the session status. [‘The landing page HTML is encrypted with AES-GCM and becomes visible only after the browser decrypts it and renders it in the DOM’]
• [T1105 ] Ingress Tool Transfer – The browser retrieves the decrypted phishing content and user code from backend endpoints after page execution. [‘the landing page in an HTTP response encrypted with AES-GCM’ / ‘The next fragment sends a POST request to /api/device/start’]