
EvilTokens PhaaS: Device Code Phishing Bypasses MFA to Hijack Microsoft 365 Accounts

EvilTokens PhaaS platform has compromised 340+ Microsoft 365 orgs by abusing OAuth device code flow to bypass MFA. Learn how Saudi financial institutions can defend against this active threat.

FyntraLink Team

A phishing-as-a-service platform called EvilTokens has compromised over 340 Microsoft 365 organizations across seven countries — including the UAE — by exploiting the legitimate OAuth device code authentication flow. The attack bypasses multi-factor authentication entirely, and its operators are specifically targeting employees in finance, HR, and logistics. For SAMA-regulated institutions running Microsoft 365, this is not a theoretical threat — it is an active campaign that demands immediate attention.

How EvilTokens Weaponizes OAuth Device Code Authentication

Traditional phishing kits clone Microsoft login pages and attempt to harvest credentials. EvilTokens takes a fundamentally different approach. It abuses the OAuth 2.0 device authorization grant — a legitimate authentication mechanism designed for devices without keyboards, such as smart TVs and IoT hardware. The attacker generates a valid device code through Microsoft's own endpoint, then tricks the victim into entering that code on the real Microsoft login page at microsoft.com/devicelogin. Because the victim authenticates on Microsoft's genuine infrastructure, MFA prompts are completed by the victim themselves. The resulting OAuth tokens — access and refresh — are silently forwarded to the attacker's command-and-control infrastructure. No fake login page is involved. No credential is directly stolen. The victim unknowingly authorizes persistent access to their own mailbox, OneDrive, SharePoint, and Teams.

Platform Architecture and Distribution Model

EvilTokens first surfaced in underground cybercrime forums in mid-February 2026 and rapidly gained traction among Business Email Compromise (BEC) operators. The platform is distributed through Telegram bots and provides affiliates with a full attack toolkit: phishing page templates mimicking IT department notifications, email harvesting modules, account reconnaissance features, a built-in webmail interface for reading hijacked inboxes, and AI-powered automation for crafting convincing lure messages. By March 23, 2026, Sekoia researchers had tracked over 1,000 domains hosting EvilTokens phishing pages. The lures are diverse — fake multi-factor authentication reset notices, Teams meeting invitations, IT compliance review requests, and Microsoft security alerts — all engineered to push the target toward the device code entry page.

Scale and Targeting: Finance and HR in the Crosshairs

According to Sekoia's published analysis, EvilTokens campaigns have compromised organizations across the United States, Canada, France, Australia, India, Switzerland, and the United Arab Emirates. The documented targeting pattern focuses heavily on employees in finance departments, human resources, and transportation logistics — roles with access to payment systems, employee PII, and supply chain workflows. Microsoft's own security research team confirmed the AI-enabled component of these campaigns in an April 2026 advisory, noting that attackers use large language models to generate contextually accurate phishing emails at scale, making traditional email gateway detection significantly harder.

Why This Matters for Saudi Financial Institutions

Microsoft 365 is the dominant productivity platform across SAMA-regulated banks, insurance companies, and fintech firms in Saudi Arabia. The device code authentication flow is enabled by default in most Azure AD (Entra ID) tenants. This means every Saudi financial institution running a standard Microsoft 365 deployment is potentially exposed to this exact attack vector unless proactive hardening has been applied. The SAMA Cyber Security Framework (CSCC) mandates that regulated entities implement controls for identity and access management (Domain 7), email security, and phishing resilience. NCA's Essential Cybersecurity Controls (ECC 2:2024) further require organizations to enforce conditional access policies and monitor anomalous authentication events. A successful EvilTokens compromise would also trigger PDPL notification obligations if customer personal data is accessed through hijacked mailboxes or SharePoint sites — a scenario that has already materialized in documented cases outside the Kingdom.

Technical Indicators and Detection Guidance

Security operations teams should monitor Azure AD sign-in logs for authentication events using the device code flow (grant type: urn:ietf:params:oauth:grant-type:device_code). Legitimate use of this flow in a typical enterprise is minimal — most authentications occur through browser-based or app-based flows. A spike in device code authentications, particularly from unfamiliar IP ranges or geographies inconsistent with the user's normal behavior, is a strong indicator of compromise. Additionally, SOC teams should inspect Unified Audit Logs for MailItemsAccessed events from non-interactive applications, which indicate programmatic mailbox access using stolen tokens. Network-level detection should flag connections to known EvilTokens C2 domains — Sekoia has published IOC feeds through their intelligence portal, and Microsoft Defender Threat Intelligence (MDTI) has classified the campaign under the designation Storm-2049.

Recommended Countermeasures

  1. Disable device code flow: In Azure AD (Entra ID), create a Conditional Access policy that blocks the device code authentication flow for all users except those with a documented business need (e.g., conference room devices). This single control eliminates the primary attack vector.
  2. Enforce token binding and Continuous Access Evaluation (CAE): Enable CAE in your Microsoft 365 tenant to ensure that stolen tokens are invalidated when session conditions change, such as network location or device compliance status.
  3. Deploy phishing-resistant MFA: Migrate from SMS/authenticator app-based MFA to FIDO2 security keys or Windows Hello for Business. These methods are bound to the legitimate authentication endpoint and cannot be proxied through device code abuse.
  4. Implement token lifetime policies: Reduce refresh token lifetime to 12 hours maximum for sensitive roles (finance, HR, executive). This limits the persistence window for stolen tokens.
  5. Activate Microsoft Defender for Office 365 Plan 2: Enable Safe Links with URL detonation and configure anti-phishing policies with mailbox intelligence. Tune impersonation protection for C-suite and finance department users.
  6. Conduct targeted awareness training: Brief finance and HR teams specifically on device code phishing scenarios. Emphasize that legitimate IT departments will never ask employees to enter codes on microsoft.com/devicelogin via email or chat.
  7. Hunt retroactively: Query Azure AD sign-in logs for the past 90 days for any device code flow authentications. Investigate each instance to confirm legitimacy.
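As an added illustration of the detection guidance above and of the retroactive hunt in step 7 (example code written for this post, not FyntraLink's or Sekoia's tooling): a Python script that walks a constructed Entra ID sign-in log export, keeps only device code authentications inside a 90-day window, and rates each one against the countries seen in that user's ordinary sign-ins. The field names follow the Microsoft Graph sign-in record shape as we understand it (authenticationProtocol, location.countryOrRegion) and are an assumption to check against your own export.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real tenant data): ordinary oAuth2 browser
# sign-ins that establish each user's usual country, plus device code sign-ins,
# one from a country the user never signed in from and one outside the window.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-03-02T08:10:00Z","userPrincipalName":"a.ali@example.sa","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"SA"}}
{"createdDateTime":"2026-03-09T09:00:00Z","userPrincipalName":"a.ali@example.sa","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.11","location":{"countryOrRegion":"SA"}}
{"createdDateTime":"2026-03-20T07:45:00Z","userPrincipalName":"m.noor@example.sa","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.20","location":{"countryOrRegion":"SA"}}
{"createdDateTime":"2026-03-21T13:30:00Z","userPrincipalName":"a.ali@example.sa","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2026-03-22T10:05:00Z","userPrincipalName":"m.noor@example.sa","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.20","location":{"countryOrRegion":"SA"}}
{"createdDateTime":"2025-11-01T10:05:00Z","userPrincipalName":"m.noor@example.sa","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.21","location":{"countryOrRegion":"SA"}}
"""
# Fixed "now" so the 90-day window over the constructed data is reproducible.
REFERENCE_TIME = datetime(2026, 4, 1, tzinfo=timezone.utc)


def parse_signins(text):
    """One JSON object per line, as exported from the sign-in logs (assumed)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_device_code(records, now=REFERENCE_TIME, lookback_days=90):
    """Return device code sign-ins inside the lookback window. A finding is
    'high' when the country is absent from that user's non-device-code
    baseline, otherwise 'review' (legitimate use must still be confirmed)."""
    cutoff = now - timedelta(days=lookback_days)
    baseline = {}  # user -> set of countries seen in ordinary sign-ins
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            baseline.setdefault(r["userPrincipalName"], set()).add(
                r["location"]["countryOrRegion"])
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        when = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        if when < cutoff:
            continue  # older than the hunting window
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        findings.append({"user": user, "when": r["createdDateTime"],
                         "ip": r["ipAddress"], "country": country,
                         "severity": "high" if country not in baseline.get(user, set()) else "review"})
    return findings


def run_hunt():
    """Run the hunt over the constructed sample; returns the findings list."""
    return hunt_device_code(parse_signins(SAMPLE_SIGNINS))
```

Against a real export, feed the exported lines to parse_signins and pass the actual time as now; a "review" finding still needs a ticket confirming the business need (step 1's documented exceptions), not just a baseline match.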

Conclusion

EvilTokens represents a significant evolution in phishing operations — moving from credential theft to token theft, and from static phishing pages to abuse of legitimate authentication infrastructure. The platform's targeting of finance and HR departments, combined with its AI-powered lure generation and MFA bypass capability, makes it a direct threat to SAMA-regulated institutions. The good news is that the primary countermeasure — disabling device code flow via Conditional Access — is straightforward to implement and immediately effective. The question is whether your organization has done it yet.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and Microsoft 365 security hardening review.