
EvilTokens Weaponises Device Code Flow for At-Scale Account Hijacking

EvilTokens is a commercialised malicious service that automates Microsoft device code phishing attacks, enabling attackers to steal authentication tokens and compromise corporate accounts at scale without requiring passwords.

Sebastion

Affected

Microsoft Entra ID (Azure AD), Microsoft 365 accounts, Office 365

EvilTokens represents a significant shift in authentication attack methodology. Rather than targeting weak passwords or exploiting software vulnerabilities, it abuses a legitimate Microsoft authentication mechanism. Device code flow was introduced to allow OAuth authentication on devices without browsers, but attackers have recognised that a victim who completes the flow satisfies MFA on the attacker's behalf: the resulting tokens are issued to the attacker and stay usable without the attacker ever facing an MFA challenge.

The technical elegance of this attack lies in its misdirection. When a user is phished into authorising a device code, they believe they are validating a legitimate action on their own device. In reality, they are granting token access to an attacker-controlled application. The token obtained is a fully functional OAuth token that grants access to Microsoft services, including email, Teams, SharePoint, and OneDrive, without the attacker ever knowing the password and without subsequent use of the token triggering MFA prompts.

Organisations face a defenders' dilemma. Device code flow is necessary for legitimate scenarios such as headless servers, CLI tools, and IoT devices, so blocking it entirely damages productivity. Meanwhile, the attack requires minimal technical sophistication from actors using EvilTokens. The service appears to handle token generation, phishing delivery, and potentially exfiltration, meaning operators need only conduct the social engineering.

Immediate defensive actions include: deploying Conditional Access policies that restrict device code flow to known corporate devices and networks, implementing token replay detection in SIEM systems, and educating users that Microsoft will never ask them to authorise a device code through suspicious links or messages. Organisations should also audit Entra ID sign-in logs for suspicious device code authentication events and review OAuth application permissions granted to unfamiliar applications.
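The sign-in log audit described above can be automated. The following is an added example, not code from the article or from any Microsoft tooling: it reads sign-in records shaped like the Microsoft Graph signIn resource (the `authenticationProtocol` field with value `deviceCode` is real; the sample records, corporate network ranges and registered device IDs are constructed for the example) and flags every device code sign-in that did not originate from a known corporate network or a registered device, which is the pattern a Conditional Access policy of the kind recommended above would block.

```python
import ipaddress
import json

# Constructed sample of Entra ID sign-in records, trimmed to the fields this
# example reads. Users, IPs, device IDs and timestamps are invented.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-05-01T09:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "10.20.30.40", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "deviceDetail": {"deviceId": "dev-corp-001"}},
    {"createdDateTime": "2024-05-01T09:10:45Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "deviceDetail": {"deviceId": ""}},
    {"createdDateTime": "2024-05-01T09:12:03Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.5", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "deviceDetail": {"deviceId": "dev-corp-007"}},
    {"createdDateTime": "2024-05-01T09:15:30Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "10.20.30.41", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "deviceDetail": {"deviceId": "dev-corp-009"}},
])

# Assumed corporate egress ranges and registered device IDs; in practice these
# come from the network inventory and the Entra device registry.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
KNOWN_DEVICE_IDS = {"dev-corp-001", "dev-corp-007", "dev-corp-009"}


def flag_device_code_signins(signins_json, corporate_networks=CORPORATE_NETWORKS,
                             known_devices=KNOWN_DEVICE_IDS):
    """Return one finding per device code sign-in that breaks the
    'known network and known device' expectation. Other protocols are ignored."""
    findings = []
    for rec in json.loads(signins_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        ip = ipaddress.ip_address(rec["ipAddress"])
        if not any(ip in net for net in corporate_networks):
            reasons.append("device code flow from non-corporate network")
        device_id = (rec.get("deviceDetail") or {}).get("deviceId") or ""
        if device_id not in known_devices:
            reasons.append("device code flow from unregistered or unknown device")
        if reasons:
            findings.append({
                "time": rec["createdDateTime"],
                "user": rec["userPrincipalName"],
                "ip": str(ip),
                "app": rec.get("appDisplayName"),
                "reasons": reasons,
            })
    return findings


def users_to_review(findings):
    """Distinct users with at least one flagged device code sign-in, for triage."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    hits = flag_device_code_signins(SAMPLE_SIGNINS)
    for hit in hits:
        print(f"{hit['time']} {hit['user']} from {hit['ip']} via {hit['app']}: "
              + "; ".join(hit["reasons"]))
    print("users to review:", users_to_review(hits))
```

On the constructed sample only Bob's sign-in from 203.0.113.77 is flagged (both for the network and for the missing device ID); Alice's Azure CLI sign-in from the corporate range on a registered device is legitimate use of the flow, and Carol's record is not device code at all. When feeding real logs, the same two checks map directly onto the Conditional Access conditions the article recommends, so a finding here is a sign-in that policy should have blocked and that warrants reviewing the tokens and OAuth grants for that user.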

The broader implication is that OAuth and OAuth-derived authentication mechanisms, whilst cryptographically sound, remain vulnerable to authorisation attacks. The attack surface has shifted from password security to user decision-making at the point of token delegation. As incident response becomes token-centric rather than password-centric, organisations must rebuild their detection and containment capabilities around token lifecycle and suspicious grant patterns.