EvilTokens Kit Fuels Sophisticated Microsoft Account Hijacking via Device Code Phishing
A new phishing-as-a-service (PhaaS) kit, dubbed **EvilTokens**, is enabling cybercriminals to conduct advanced Microsoft account hijacking. By leveraging device code phishing techniques, attackers can bypass traditional security measures and gain persistent access to sensitive data.

The **EvilTokens** kit integrates device code phishing capabilities, enabling attackers to hijack **Microsoft** accounts, and provides features for business email compromise (BEC) attacks. The kit is sold to cybercriminals via **Telegram** and is under continuous development, with the author planning to add support for **Gmail** and **Okta** phishing pages.
### Device Code Phishing Explained
Device code phishing attacks exploit the **OAuth 2.0** device authorization flow. Attackers trick victims into authorizing an attacker-controlled device code, granting the attacker access to the victim's account. This technique has been used by threat actors including Storm-237, UTA032, UTA0355, UNK_AcademicFlare, TA2723, and the **ShinyHunters** data extortion group.
### EvilTokens Attack Flow
Researchers at **Sekoia** observed **EvilTokens** attacks beginning with emails containing malicious documents (PDF, HTML, DOCX, XLSX, or SVG). These documents contain either a QR code or a hyperlink redirecting to an **EvilTokens** phishing template.
These lures impersonate legitimate business content such as financial documents, meeting invitations, logistics or purchase orders, payroll notices, or shared documents via services like **DocuSign** or **SharePoint**. They are often tailored to employees in finance, HR, logistics, or sales roles.

When a victim opens the link, they are presented with a phishing page impersonating a trusted service (e.g., **Adobe Acrobat** or **DocuSign**), displaying a verification code and instructions for identity verification. The page prompts the user to click a "Continue to Microsoft" button, redirecting them to the legitimate **Microsoft** device login page.
At this stage, the attacker uses a legitimate client (any **Microsoft** application) to request a device code. The victim is then tricked into entering that attacker-generated code and authenticating on the legitimate **Microsoft** device login page, which completes the authorization for the attacker's client.

This grants the attacker both a short-lived access token and a refresh token, enabling persistent access. These tokens provide immediate access to services associated with the victim's account, including email, files, **Teams** data, and the ability to perform SSO impersonation across **Microsoft** services.
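A defender-side illustration of how such sign-ins can be surfaced in logs. This is an added example, not code from Sekoia or the article; it assumes sign-in records shaped like Microsoft Graph signIn objects (JSON lines with `authenticationProtocol`, `appDisplayName`, `location.countryOrRegion`), that the device authorization grant appears as `authenticationProtocol == "deviceCode"`, and a hypothetical allowlist of apps expected to use that flow. The country heuristic is an assumption about what looks anomalous, not a rule from the article.

```python
"""Surface OAuth device-code sign-ins in constructed sign-in log records."""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Field names mirror the
# Microsoft Graph signIn schema as an assumption, not a verified layout.
SAMPLE_LOG = """\
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "FR"}, "appDisplayName": "Microsoft Office", "createdDateTime": "2025-03-01T08:02:00Z"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office", "createdDateTime": "2025-03-01T08:15:00Z"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "FR"}, "appDisplayName": "Microsoft Teams", "createdDateTime": "2025-03-01T08:20:00Z"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "CA"}, "appDisplayName": "Azure CLI", "createdDateTime": "2025-03-01T09:00:00Z"}
"""

# Hypothetical allowlist: apps for which the device flow is expected (e.g. CLIs).
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def flag_device_code_signins(records, window=timedelta(hours=1)):
    """Return one alert per device-code sign-in.

    Severity is 'high' when the app is not expected to use the device flow or
    the sign-in country differs from the same user's other sign-ins within the
    window; otherwise 'review', since every device-code grant deserves a look.
    """
    by_user = {}
    for rec in records:
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user, t = rec["userPrincipalName"], _when(rec)
        country = rec["location"]["countryOrRegion"]
        nearby = {o["location"]["countryOrRegion"] for o in by_user[user]
                  if o is not rec and abs(_when(o) - t) <= window}
        reasons = []
        if rec["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("unexpected app for device flow")
        if nearby and country not in nearby:
            reasons.append("country differs from user's recent sign-ins")
        alerts.append({"user": user, "app": rec["appDisplayName"], "ip": rec["ipAddress"],
                       "severity": "high" if reasons else "review", "reasons": reasons})
    return alerts
```

Running `flag_device_code_signins(parse_signins(SAMPLE_LOG))` yields a high-severity alert for alice (Office client, country mismatch) and a review-only alert for bob's Azure CLI sign-in.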
### Global Impact
**Sekoia** researchers examined **EvilTokens'** infrastructure and uncovered campaigns with a global reach, with the United States, Canada, France, Australia, India, Switzerland, and the UAE being the most affected countries.

In addition to advanced phishing, **Sekoia** researchers report that the **EvilTokens** PhaaS operation also offers "advanced features to conduct BEC attacks" through automation. The variety of campaigns suggests that **EvilTokens** is already being used at scale by threat actors involved in phishing and BEC activities.
**Sekoia** provides indicators of compromise (IoC), technical details, and YARA rules to help defenders block attacks leveraging the **EvilTokens** PhaaS kit.