EvilTokens abuses Microsoft device code flow for account takeovers

Summary

A phishing-as-a-service (PhaaS) operation called EvilTokens abuses Microsoft's device code authentication flow (the OAuth 2.0 device authorization grant) to take over accounts. The attacker starts the flow themselves, receives a short user code, and lures the victim into entering that code on the genuine Microsoft device-login page. Once the victim signs in there, completing any MFA prompt as usual, Microsoft issues access tokens (and, where the requested scope allows, refresh tokens) for Microsoft 365 services to the attacker's waiting client, because the device code flow hands tokens to the client that initiated the request, not to the browser that approved it.
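As an added illustration, not Microsoft's code and not material from the EvilTokens kit, the following in-memory model of the RFC 8628 device authorization grant shows why the flow is phishable: the codes go to the client that starts the flow, the approval comes from whoever types the user code, and the tokens are returned to the poller. The server class, the placeholder verification host, the code lifetime and the poll interval are assumptions made for this example; only the endpoint names, field names and error codes follow RFC 8628.

```python
import secrets
import time

# Added illustration of the OAuth 2.0 device authorization grant (RFC 8628) as an
# in-memory model. This is not Microsoft's implementation and not code from the
# EvilTokens campaign. Endpoint, field and error names follow RFC 8628; the
# verification host, code lifetime and poll interval are assumed values.

CODE_LIFETIME_SECONDS = 900   # assumed; RFC 8628 lets the server choose expires_in
POLL_INTERVAL_SECONDS = 5     # assumed; RFC 8628 "interval"
VERIFICATION_URI = "https://idp.example/devicelogin"  # placeholder for the real IdP page


class DeviceAuthServer:
    """Minimal authorization server holding pending device-code requests."""

    def __init__(self, now=time.time):
        self.now = now                # injectable clock so expiry can be exercised
        self.pending = {}             # device_code -> request record
        self.by_user_code = {}        # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1 (client side): the party that calls this, here the attacker's
        tool, receives both codes. The server has no idea who will later type
        the user_code, only that whoever holds device_code will be polling."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.now() + CODE_LIFETIME_SECONDS, "approved_by": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME_SECONDS, "interval": POLL_INTERVAL_SECONDS}

    def verify_user_code(self, user_code, authenticated_user):
        """Step 2 (user side): the victim signs in to the genuine IdP, MFA and
        all, and types the user_code from the lure. Nothing binds the approving
        user to the device that requested the code."""
        device_code = self.by_user_code.get(user_code)
        rec = self.pending.get(device_code)
        if rec is None or self.now() > rec["expires_at"]:
            return "invalid_or_expired"
        rec["approved_by"] = authenticated_user
        return "approved"

    def token(self, device_code):
        """Step 3 (client side): whoever holds device_code polls the token
        endpoint. Errors follow RFC 8628 until approval; then tokens for the
        approving user are handed to the poller, i.e. the attacker."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.now() > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer",
                "access_token": f"at:{rec['approved_by']}:{rec['scope']}",
                "refresh_token": f"rt:{rec['approved_by']}"}


def run_device_code_phish(server, victim="alice@example.com"):
    """Walk the abuse end to end: attacker initiates, victim approves, attacker
    collects. Returns the token response the attacker's client receives."""
    codes = server.device_authorization("phishing-kit-client", "Mail.Read offline_access")
    assert server.token(codes["device_code"]) == {"error": "authorization_pending"}
    # The lure only has to carry user_code plus the legitimate verification_uri.
    assert server.verify_user_code(codes["user_code"], victim) == "approved"
    return server.token(codes["device_code"])


if __name__ == "__main__":
    print(run_device_code_phish(DeviceAuthServer()))
```

The model also shows the one protocol-level limit the attacker works against: the device code expires (here after CODE_LIFETIME_SECONDS), so the lure has to get the victim to enter the code within that window.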

IFF Assessment

FOE

The campaign abuses a legitimate, Microsoft-hosted authentication mechanism: the victim never types a password into an attacker-controlled page, so URL reputation, credential-entry detection and even MFA do nothing to stop the tokens being issued to the attacker's client. That makes it a direct account-takeover threat.

Defender Context

Device code phishing sidesteps controls built around credential theft: there is no fake login page, no stolen password, and the MFA challenge is completed legitimately by the victim. Useful mitigations: tell users that a device-login code sent to them by email or chat is a request to hand over their session, not a verification step; in Entra ID, block the device code flow with a Conditional Access policy (the authentication flows condition) for the users and apps that have no need for it; and review sign-in log entries whose authentication protocol is device code, especially a user's first such sign-in or one from an unfamiliar network or country.
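One way to act on the sign-in review advice above, as an added example rather than anything from the story or from Microsoft: a small triage routine over a sign-in log export that surfaces every successful device code sign-in and raises the severity when it is the user's first device code sign-in in a 30-day window or comes from a country the user has not signed in from in that window. The JSON field names are an assumption modelled on the Microsoft Graph signIn resource and should be checked against your tenant's export; the log records are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Added example: triage of device code sign-ins from exported sign-in log records.
# Field names are modelled on the Microsoft Graph signIn resource (userPrincipalName,
# authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode);
# whether your export uses exactly these names and values is an assumption to check.
# The records below are constructed for the example (errorCode 0 = success).

SAMPLE_SIGNINS = """\
{"createdDateTime":"2024-12-15T09:00:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"status":{"errorCode":0},"appDisplayName":"Outlook"}
{"createdDateTime":"2024-12-20T10:30:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"status":{"errorCode":0},"appDisplayName":"Azure CLI"}
{"createdDateTime":"2025-01-06T08:02:11Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"status":{"errorCode":0},"appDisplayName":"Microsoft Teams"}
{"createdDateTime":"2025-01-07T09:15:40Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"status":{"errorCode":0},"appDisplayName":"Outlook"}
{"createdDateTime":"2025-01-08T13:44:02Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0},"appDisplayName":"Microsoft Office"}
{"createdDateTime":"2025-01-08T13:50:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"status":{"errorCode":0},"appDisplayName":"Azure CLI"}
{"createdDateTime":"2025-01-08T14:01:09Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.80","location":{"countryOrRegion":"NL"},"status":{"errorCode":50126},"appDisplayName":"Microsoft Office"}
"""

BASELINE_DAYS = 30


def parse_signins(text):
    """Parse JSON-lines sign-in records and sort them by time."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def triage_device_code_signins(records, evaluate_from, baseline_days=BASELINE_DAYS):
    """One alert per successful deviceCode sign-in on or after evaluate_from
    (an ISO date string such as "2025-01-08"); earlier records only feed the baseline.

    Severity is 'high' when the sign-in is the user's first device code sign-in
    in the baseline window, or comes from a country the user has not signed in
    from during that window; otherwise 'low' (still worth a look, since device
    code flow is rare for most users). Failed attempts are skipped here; a burst
    of them would be a separate signal.
    """
    start = datetime.fromisoformat(evaluate_from)
    alerts = []
    for rec in records:
        if rec["ts"] < start:
            continue
        if rec.get("authenticationProtocol") != "deviceCode" or rec["status"]["errorCode"] != 0:
            continue
        user = rec["userPrincipalName"]
        window_start = rec["ts"] - timedelta(days=baseline_days)
        history = [h for h in records
                   if h["userPrincipalName"] == user and h["status"]["errorCode"] == 0
                   and window_start <= h["ts"] < rec["ts"]]
        reasons = []
        if not any(h.get("authenticationProtocol") == "deviceCode" for h in history):
            reasons.append("first device code sign-in for this user in the baseline window")
        country = rec["location"]["countryOrRegion"]
        if country not in {h["location"]["countryOrRegion"] for h in history}:
            reasons.append(f"country {country} not seen for this user in the baseline window")
        alerts.append({
            "time": rec["createdDateTime"], "user": user, "ip": rec["ipAddress"],
            "app": rec.get("appDisplayName"), "severity": "high" if reasons else "low",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage_device_code_signins(parse_signins(SAMPLE_SIGNINS), "2025-01-08"):
        print(json.dumps(alert))
```

The low-severity alerts matter too: the device code flow is legitimately used by command-line tools and input-constrained devices, so a tenant-wide block is not always possible, but a per-user baseline makes a first-ever device code sign-in from an unfamiliar network stand out from routine CLI use.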
