A newly uncovered phishing infrastructure targeting Microsoft 365 users is using the OAuth device‑code authentication flow to steal access tokens and retain long‑term control of compromised accounts, cybersecurity researchers and law‑enforcement agencies reported this week. The operation, dubbed “EvilTokens,” employs a device‑code phishing kit that tricks victims into authorizing a malicious application without entering a password, allowing attackers to capture OAuth tokens that grant unrestricted access to the victim’s Office 365 data.
What happened
The ARToken research team first identified the EvilTokens affiliate panel while tracking a surge of Microsoft 365 phishing campaigns. The panel distributes a phishing kit that leverages the OAuth 2.0 device‑code flow—a protocol originally designed for “password‑less” sign‑ins on devices lacking a web browser, such as smart TVs or IoT gadgets.
In a typical attack, a victim receives an email that appears to come from a trusted source and contains a link to a counterfeit Microsoft 365 sign‑in page. Instead of prompting for a password, the page displays a short alphanumeric device code and instructions to visit https://microsoft.com/devicelogin on a separate device. When the victim follows the instructions and enters the code, Microsoft’s legitimate authentication service presents an authorization prompt that lists the requested permissions for a third‑party application. If the victim clicks “Accept,” the OAuth server issues an access token and a refresh token to the malicious application. The phishing kit captures these tokens and stores them on the attacker‑controlled panel, where they can be used repeatedly to read, modify, or delete the victim’s emails, files, and other cloud resources.
Cisco’s Talos research blog describes the kit as “totally more evil than we all thought,” noting that the device‑code flow was never intended to be a vector for credential theft. The Register cited an FBI advisory warning Microsoft users about a “passwordless scam” that exploits the same OAuth mechanism. Additional coverage from WFIN’s Email Threat Radar and Barracuda Networks highlighted the rapid adoption of the technique across multiple phishing campaigns, emphasizing that the stolen tokens enable attackers to bypass traditional password‑based defenses and persist in compromised accounts indefinitely.
Why it matters
The abuse of the device‑code flow represents a shift in threat actors’ tactics from stealing passwords to hijacking authentication tokens. Tokens, especially refresh tokens, can remain valid for months or even years, granting attackers continuous access without the need to re‑phish the victim. Because token‑based authentication does not generate the same password‑failure alerts that security teams typically monitor, the compromise can remain undetected for extended periods.
For organizations that rely heavily on Microsoft 365 for email, collaboration, and document storage, the consequences are severe. An attacker with a valid token can read confidential communications, exfiltrate proprietary data, install malicious macros, or even add additional accounts to the compromised tenant. The FBI’s involvement suggests the technique could affect not only private enterprises but also government agencies that use Microsoft 365 as a productivity platform.
Background and context
OAuth 2.0 is an open standard for delegated authorization that allows users to grant third‑party applications limited access to their resources without sharing passwords. The device‑code flow, defined in RFC 8628, was introduced to support devices that cannot display a full web browser. Microsoft adopted the flow for its “Sign in without a password” feature, encouraging users to move away from password‑based authentication in favor of more convenient, phishing‑resistant methods such as Windows Hello or FIDO2 keys.
However, the flow still requires the user to approve an authorization request. If a phishing page can convincingly mimic a legitimate Microsoft prompt, the user’s consent becomes the attack vector. The EvilTokens panel automates this process, providing affiliates with a ready‑made kit that generates unique device codes, hosts counterfeit login pages, and collects the resulting tokens.
The panel operates as an affiliate network: attackers who successfully harvest tokens receive a share of the proceeds, while the panel owners maintain the infrastructure and continuously update the kit to evade detection. The ARToken team’s analysis indicates that the panel has been active since at least early 2024, with a noticeable increase in activity after Microsoft’s public push for password‑less sign‑ins in late 2023.
Competing claims and uncertainty
While the technical details of the device‑code abuse are well documented by ARToken, Cisco Talos, and the FBI advisory, some uncertainty remains regarding the scale of the threat. The FBI’s warning does not disclose the number of confirmed victims or the monetary losses incurred, citing ongoing investigations. Barracuda Networks’ blog notes that token‑theft campaigns have been observed in both targeted spear‑phishing and broad‑based spam operations, but it does not provide quantitative data on campaign volume.
Microsoft has not yet issued a dedicated public advisory on the EvilTokens kit. In its general security guidance, Microsoft advises users to verify the legitimacy of any device‑code authentication request and to restrict the flow to managed devices via Conditional Access policies. Some security analysts argue that Microsoft’s existing guidance may be insufficient, given that the attack does not rely on compromised passwords but on user consent. Others contend that the problem is fundamentally a user‑education issue: users must be trained to recognize unsolicited authorization prompts, especially when they appear on devices they do not normally use for work.
What to watch next
– Microsoft’s response – Analysts expect Microsoft to release a more specific advisory or mitigation guidance, potentially including telemetry that flags anomalous device‑code token issuance.
– Conditional Access policy adoption – Organizations may begin tightening Conditional Access rules to limit device‑code flows to corporate‑managed devices, a step recommended by multiple security blogs.
– Law‑enforcement actions – The FBI’s involvement suggests possible coordinated takedowns of the EvilTokens panel or arrests of affiliates. Future press releases could shed light on the operation’s size and financial impact.
– Threat‑intel updates – Both Cisco Talos and independent researchers are likely to publish additional indicators of compromise (IOCs), such as specific phishing URLs, token‑exfiltration endpoints, and malware payloads that accompany the token theft.
– User‑education campaigns – Enterprises may roll out targeted training that simulates device‑code phishing attempts to reinforce the “verify before you approve” habit.
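The monitoring gap described above (device‑code token issuance raises no password‑failure alert) can be closed from sign‑in telemetry. The following script is an added example, not code from any of the cited researchers: it triages constructed Microsoft Entra ID sign‑in records (field names follow the sign‑in log schema, such as authenticationProtocol = "deviceCode"; the values are made up) and scores each successful device‑code sign‑in against the user's baseline of managed devices, countries and IP addresses.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Microsoft Entra ID sign-in log entries
# (field names follow the sign-in schema; users, addresses and times are made up).
SAMPLE_SIGNINS = """\
{"userPrincipalName":"alice@example.com","authenticationProtocol":"none","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true},"status":{"errorCode":0},"createdDateTime":"2024-05-01T09:00:00Z"}
{"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"deviceDetail":{"isManaged":false},"status":{"errorCode":0},"createdDateTime":"2024-05-01T09:42:00Z"}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"none","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true},"status":{"errorCode":0},"createdDateTime":"2024-05-01T10:00:00Z"}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true},"status":{"errorCode":0},"createdDateTime":"2024-05-01T10:05:00Z"}
{"userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.99","location":{"countryOrRegion":"RU"},"deviceDetail":{"isManaged":false},"status":{"errorCode":50126},"createdDateTime":"2024-05-01T11:00:00Z"}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage_device_code(records):
    """Return one alert per successful device-code sign-in, scored against the
    user's baseline of countries and IPs seen on non-device-code sign-ins.
    Failed sign-ins (non-zero errorCode) issue no token and are ignored."""
    baseline = defaultdict(lambda: {"countries": set(), "ips": set()})
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]]["countries"].add(r["location"]["countryOrRegion"])
            baseline[r["userPrincipalName"]]["ips"].add(r["ipAddress"])
    alerts = []
    for r in sorted(records, key=lambda x: x["createdDateTime"]):
        if r.get("authenticationProtocol") != "deviceCode" or r["status"]["errorCode"] != 0:
            continue  # only actual token issuance via the device-code flow matters here
        upn = r["userPrincipalName"]
        reasons = []
        if not r["deviceDetail"].get("isManaged"):
            reasons.append("unmanaged device")
        if r["location"]["countryOrRegion"] not in baseline[upn]["countries"]:
            reasons.append("new country for user")
        if r["ipAddress"] not in baseline[upn]["ips"]:
            reasons.append("new IP for user")
        # Several independent anomalies on one token issuance is the high-risk case
        severity = "high" if len(reasons) >= 2 else ("medium" if reasons else "low")
        alerts.append({"user": upn, "time": r["createdDateTime"], "ip": r["ipAddress"],
                       "severity": severity, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in triage_device_code(parse_signins(SAMPLE_SIGNINS)):
        print(a["time"], a["severity"], a["user"], a["ip"], ", ".join(a["reasons"]) or "baseline-consistent")
```

Even the "low" alert is worth keeping as an audit record, since a device‑code sign‑in from a managed device at a known address is exactly what a Conditional Access policy restricting the flow should be the only thing to allow.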
Conclusion
The EvilTokens phishing panel demonstrates how attackers can subvert modern, password‑less authentication mechanisms to gain stealthy, long‑lasting access to Microsoft 365 environments. By hijacking OAuth device‑code tokens, threat actors bypass traditional password‑based alerts and embed themselves within compromised tenants. While Microsoft’s existing guidance emphasizes verification of authorization prompts, the rapid adoption of this technique underscores the need for tighter Conditional Access controls, enhanced monitoring of token issuance, and robust user‑education programs. As law‑enforcement agencies and security vendors continue to investigate, organizations should treat device‑code flow abuse as a high‑priority risk and implement layered defenses to protect their cloud assets.
Sources
– ARToken, “Inside an EvilTokens affiliate panel targeting Microsoft 365,” CyberSecurityNews. https://news.google.com/rss/articles/CBMikAFBVV95cUxQMjlZRGhoQ0c5WDY5aFg3TnJ1cFNPcG1uTHY1ZDFzSjRCSzdNdXZNOTVHd0l1RWc1YnBFaGtwLS0yZzVHR2hzeGs2eU14OWtyTWNBYVgzdFFZQVRRQTNnM1JwMmc3VE9raHFEbnlYZ0hDQ0p0bUxOMjE3UTNwUXRtZUtha2paeGpGY0UxdF9udTjSAZYBQVVfeXFMUFNNZzlieWZFU1pObkpOck52VkhZQTdDM2F1c09ucWN3RzQ1OGc2d252QVZEdFVTSTJmS3U2aDRhTk5kXzk3LTFHWjY2R3hTdDZudFEycm04TnZTUFUwamI3Sk1ER3g0Nk5oU0lyUUJ5cHhCelZOZWl0aVNQVmR4U3kyNU9McFk0SFljWVBmX0syUHRjZkhR
– Cisco Talos, “EvilTokens device‑code phishing kit totally more evil than we all thought.”
– The Register, “FBI warns Microsoft users about passwordless scam.”
– WFIN Email Threat Radar, “Microsoft phishing, device code scams & malware.”
– Barracuda Networks Blog, analysis of the phishing campaign.
Story synopsis gathered from: Google News India – Technology.
Corrections
If you believe this article contains an error, contact Herald Express with the source URL and supporting evidence.