Content Deep Dive

Evil Token: AI-Enabled Device Code Phishing Campaign

Blog post from Coralogix

Post Details

Company: Coralogix
Date Published:
Author: Kiran Sethumadhavan
Word Count: 2,875
Language: English
Hacker News Points: -
Summary

A recent security advisory details a sophisticated phishing campaign that abuses the OAuth Device Code Authentication flow to breach Microsoft 365 accounts globally, bypassing multi-factor authentication entirely. The campaign, identified as "EvilToken," employs an AI-driven Phishing-as-a-Service toolkit that generates live device codes for the attacker's own sessions. Attackers craft personalized phishing lures, such as fake invoices or document notifications, that trick victims into entering the attacker-generated code on the legitimate Microsoft login portal, thereby authorizing the attacker's session. Once the device code is entered, the attackers obtain OAuth tokens granting access to email, files, and contacts, which they use to exfiltrate mail, create malicious inbox rules, and persist access through device registration. The campaign's infrastructure evades detection by routing phishing links through legitimate serverless platforms and compromised domains, while automated post-compromise operations use the Microsoft Graph API for rapid data exfiltration and lateral phishing. The advisory emphasizes that organizations should strengthen their defenses against such identity-based attacks, for example by blocking authentication from cloud-hosted IP addresses and enabling token protection.