Sign in Subscribe

EvilTokens: An AI-Driven Device Code Attack Compromising Microsoft Businesses

Sascha Corti

3 min read
EvilTokens: An AI-Driven Device Code Attack Compromising Microsoft Businesses

A new class of identity attacks is rapidly scaling across enterprises: AI-augmented device code phishing, operationalized through phishing-as-a-service (PhaaS) platforms like EvilTokens. Microsoft and multiple security vendors have confirmed that these attacks are now widespread and highly effective, compromising organizations daily by abusing legitimate authentication flows rather than exploiting vulnerabilities.

This post provides a technical deep dive into what EvilTokens is, how it works under the hood, and how to mitigate it effectively.

What Is EvilTokens?

EvilTokens is a phishing-as-a-service (PhaaS) platform that automates account takeover attacks against Microsoft 365 and similar SaaS environments by abusing OAuth device code authentication. (CSO Online)

Key characteristics:

  • Turnkey attack platform sold via underground channels (e.g., Telegram) (Sekoia.io Blog)
  • Focused on device code phishing instead of traditional credential harvesting
  • Uses AI to scale and personalize attacks (e.g., crafting targeted phishing emails) (Microsoft)
  • Enables Business Email Compromise (BEC) workflows and post-exploitation automation (Sekoia.io Blog)

The result: a low-skill, high-impact attack kit that allows attackers to compromise enterprise identities at scale.

Why This Attack Is Different

Traditional phishing targets credentials (passwords, MFA codes).
EvilTokens instead targets authentication tokens, which changes the threat model fundamentally:

  • No password theft required
  • MFA and passkeys are bypassed
  • Tokens persist even after password resets (The Hacker News)

This makes it closer to a session hijack via legitimate authentication flows than classic phishing.

How Device Code Authentication Works (Legitimate Flow)

The attack abuses the OAuth 2.0 Device Authorization Grant:

  1. User wants to log in from a limited device (CLI, IoT, TV)
  2. Service provides a device code
  3. User goes to a trusted login page (e.g. microsoft.com/devicelogin)
  4. User enters the code and authenticates
  5. The device receives an access token

This flow is widely used in developer tooling and enterprise environments. (Push Security)

How EvilTokens Attacks Work

Step-by-Step Attack Chain

  1. Device Code Generation (Attacker)
    • Attacker requests a valid device code from Microsoft APIs
  2. Phishing Delivery
    • Victim receives a highly convincing, AI-generated message
    • Examples: invoices, RFPs, SharePoint documents (Microsoft)
  3. User Interaction
  5. Legitimate Authentication
    • Victim enters the code on the real Microsoft login page
  6. Token Issuance
    • Microsoft issues:
      • Access token
      • Refresh token
  7. Token Theft
    • Attacker already knows the device code → retrieves tokens
  8. Post-Compromise Activity
    • Email exfiltration
    • Inbox rule creation (persistence)
    • Microsoft Graph reconnaissance (Microsoft)

Victim is redirected to a page instructing them to:

“Enter this code to access the document”

Key Technical Innovations in EvilTokens

1. Dynamic Code Generation

Attackers generate device codes only when the victim clicks, avoiding expiration windows. (Microsoft)

2. AI-Driven Social Engineering

  • Personalized phishing emails
  • Context-aware lures (finance, exec roles) (Microsoft)

3. Cloud-Based Attack Infrastructure

  • Uses trusted platforms like Railway (PaaS) to host infrastructure
  • Blends into legitimate traffic patterns (Arctic Wolf)

4. Automation at Scale

  • Thousands of ephemeral backend nodes
  • Full attack lifecycle automation (phishing → token replay → persistence) (Microsoft)

Why It Bypasses MFA and Security Controls

This is the critical insight:

The victim completes authentication on behalf of the attacker
  • MFA is satisfied legitimately
  • Login happens on trusted Microsoft endpoints
  • Security tools see valid authentication events

Additionally:

Impact on Organizations

  • Hundreds of organizations already impacted globally (Arctic Wolf)
  • Targets include:

Primary risks:

  • Business Email Compromise (BEC)
  • Data exfiltration
  • Lateral movement via Microsoft Graph
  • Long-lived unauthorized access

Mitigations and Defensive Strategies

1. Disable Device Code Flow (Where Possible)

  • Use Conditional Access policies
  • Block device code authentication unless explicitly required (Arctic Wolf)

2. Monitor Authentication Patterns

Focus on:

  • Device code login events
  • Suspicious IP ranges (e.g., PaaS providers)
  • Token issuance anomalies

3. Token Hygiene & Incident Response

If compromise is suspected:

  • Revoke all refresh tokens immediately
  • Invalidate active sessions
  • Reset credentials (secondary step only)

4. Strengthen Conditional Access

  • Restrict:
    • OAuth app permissions
    • Token issuance scope
  • Require compliant devices where possible

5. User Awareness (Critical)

Train users to recognize:

  • Requests to enter device login codes
  • “Open this document via Microsoft login” flows
  • Unexpected prompts involving microsoft.com/devicelogin

6. Detection Engineering

Implement detections for:

  • Device code authentication spikes
  • Token reuse patterns
  • Inbox rule creation anomalies
  • Microsoft Graph reconnaissance behavior

7. Limit OAuth Application Abuse

  • Audit enterprise app registrations
  • Restrict consent permissions
  • Monitor for newly registered attacker-controlled apps

Strategic Takeaways

EvilTokens represents a broader shift:

  • From credential theft → token abuse
  • From manual phishing → AI-scaled automation
  • From vulnerabilities → abuse of legitimate features

This class of attack is particularly dangerous because:

  • It operates within trusted authentication flows
  • It is hard to distinguish from normal behavior
  • It scales efficiently via PhaaS ecosystems

Final Thoughts

Device code phishing is no longer a niche technique—it has entered mainstream cybercrime operations, with EvilTokens leading the charge.

For organizations heavily invested in Microsoft 365 and Entra ID, this attack vector should now be treated as a first-class threat scenario, requiring:

  • Identity-layer monitoring
  • Token lifecycle controls
  • Conditional access hardening

The key mindset shift is this:

If you only protect credentials, you are already behind. You must protect tokens.