Skip to main content
CybersecuritySocial Engineering

EvilTokens Fuels Sophisticated Microsoft Phishing Attacks

Dimly lit desk with laptop showing fake login page, surrounded by clutter and a suspicious smartphone message.

What do you do when the key to your digital front door can be handed over with nothing more than a code typed into a web page? That question moved from theoretical to urgent this month as a commercially available toolkit called EvilTokens began packaging device code phishing into an easy-to-use service, putting Microsoft accounts and corporate email systems squarely in the crosshairs of organized fraudsters.

Background: an authentication flow repurposed as a weapon

Device code authentication is an OAuth 2.0 flow designed for devices with limited input capabilities. A service shows a short code and a URL; the user opens that URL on a separate device, enters the code, authenticates, and the original device is granted access. It was meant to simplify login for smart TVs, kiosks, and similar hardware.

Researchers and incident responders have warned for months that attackers can repurpose that mechanism for phishing: if a victim is tricked into visiting a malicious site and entering the device code, an attacker who controls the paired session can obtain tokens and sign into the victim’s account without ever capturing the victim’s password. The newly reported EvilTokens service automates and streamlines that attack vector, according to reporting by BleepingComputer.

What’s changed: EvilTokens commoditizes device code phishing

BleepingComputer’s coverage describes EvilTokens as a malicious kit that integrates device code phishing capabilities and other tools aimed at compromising Microsoft accounts and supporting business email compromise (BEC). Where previously attackers needed technical skill or bespoke tooling to exploit device code flows, EvilTokens packages these capabilities into a turnkey offering that lowers the barrier to entry.

That commoditization matters because it changes the calculus for attackers. A service that automates targeting, session harvesting, token management and post-compromise features (such as mailbox rules creation or token refresh) makes it easier and faster for a wider set of adversaries to conduct effective intrusions and fraud campaigns.

Why it matters: access, escalation, and the corporate attack surface

  • High-impact access: Microsoft accounts are often gateways to email, collaboration tools, and cloud services. Token-based access bypasses passwords and can sidestep some protections if organizations do not restrict or monitor the device code flow.
  • Business Email Compromise: With mailbox access, attackers can perform BEC—requesting wire transfers, changing payment details, or harvesting contact lists to scale fraud.
  • Persistence and lateral movement: OAuth tokens and refresh tokens can grant sustained access until revoked. Attackers who secure tokens can move laterally, exfiltrate data, or create backdoors via mailbox rules and forwarding.
  • Lower barriers, higher volume: Commoditized services like EvilTokens permit less-technical criminals to run attacks at scale, increasing the frequency and diversity of phishing campaigns targeting organizations of all sizes.

Responses and perspectives: technologists, policymakers, and users

Technologists: Security teams should assess exposure to device code flows and implement layered mitigations. Practical steps include enforcing conditional access policies that limit where and when device code grants are allowed, requiring compliant and managed devices, revoking suspicious refresh tokens, and enabling stronger authentication methods such as FIDO2 hardware keys. Logging and anomalous sign-in detection are critical—monitor for new device authorizations, unexpected geographical patterns, or unusual token issuance.

Policymakers and regulators: The trend highlights the need for clear expectations about vendor responsibilities and minimum security baselines for enterprise identity services. Where edge-case authentication flows exist to support consumer-friendly scenarios, regulators may press for standards that prevent their misuse in business contexts. Transparency around logged incidents and accessible guidance for organizations of varying sizes will also be important.

Users and administrators: Awareness campaigns should explain how device code phishing looks in practice: a plausible message directing you to a code-entry page, often tied to a legitimate service name. Users should be trained to treat unsolicited authentication prompts with suspicion and to verify unusual requests through a second channel. Administrators should audit app consent grants, remove unnecessary third-party privileges, and rotate credentials and tokens after suspected compromises.

Adversaries: From the attacker’s vantage, commoditized services are attractive because they reduce cost and time to compromise. That incentive will likely drive evolving capabilities—better social engineering templates, built-in post-exploit automation, and resale of captured credentials or sessions to other criminal actors.

Conclusion: an authentication convenience that demands attention

Device code flows solved a real usability problem, but convenience has always carried risk. The arrival of EvilTokens is a reminder that when security controls are uneven and attackers have access to off-the-shelf tooling, organizations must shift from passive hope to active defense: audit identity flows, reduce unnecessary privileges, and make token-based access harder to exploit. Otherwise, the question is not whether an adversary will use these tools, but how quickly they will turn a convenient login into a costly compromise.

https://www.bleepingcomputer.com/news/security/new-eviltokens-service-fuels-microsoft-device-code-phishing-attacks/