If your business uses Microsoft 365 - and most do - there's a new threat worth knowing about. Researchers at Sekoia's Threat Detection and Research team disclosed a brand-new Phishing-as-a-Service (PhaaS) platform called EvilTokens in late March 2026. It first appeared in underground cybercrime communities in mid-February and spread fast - over 1,000 active phishing domains tracked within weeks of launch.
This one's different from the phishing emails you've seen before. It doesn't just steal passwords. It hijacks authenticated sessions, bypassing multi-factor authentication entirely. Here's what's happening and what your team can do about it.
How EvilTokens Actually Works
Most phishing attacks clone a login page, trick someone into typing their credentials, and capture them. EvilTokens takes a smarter approach that exploits a legitimate Microsoft authentication mechanism called the OAuth 2.0 Device Authorization Grant.
This authentication flow was built for devices that don't have keyboards or browsers - think smart TVs, printers, or IoT devices. The normal sequence: a device generates a short code, displays it on screen, and asks you to visit microsoft.com/devicelogin on your phone or laptop to approve the connection. Once you do, the device gets a persistent access token without ever storing your password.
EvilTokens abuses this by acting as the device. Here's the attack chain:
- The attacker sends a request to Microsoft's API and generates a real device code linked to their session.
- They email or message the victim with a fake lure - a shared document, a payroll notice, a meeting invite - telling them to visit the legitimate Microsoft devicelogin page and enter the code.
- The victim, seeing a real Microsoft page, enters the code and completes their usual login (including any MFA prompt).
- Microsoft hands the attacker a full access token and refresh token for the victim's account.
- The attacker now has persistent, authenticated access - no password captured, no suspicious sign-in from an unknown location, no MFA bypass needed.
What makes this particularly effective: the victim sees no red flags. The URL is real. The page is real. The MFA prompt is real. They're just authorizing what they think is a legitimate device or application.
Who Is Being Targeted
According to cybersecurity researchers tracking EvilTokens, affiliates of this platform specifically targeted employees in finance, HR, logistics, and sales. These are roles that routinely open shared documents, approve invoices, and respond to payroll notices - exactly the kind of people who would click on a fake DocuSign link or a shared SharePoint file without hesitation.
The United States is the most heavily targeted country. Small and mid-sized businesses are especially at risk because they often lack the security monitoring that larger enterprises have in place. When an attacker already has a valid session token, most standard security tools won't flag it as unusual.
The EvilTokens operator has also announced plans to extend the platform to support Gmail and Okta phishing pages - so this threat isn't going to stay limited to Microsoft accounts.
Why MFA Isn't Enough Here
This is the part that surprises people. Many businesses implemented multi-factor authentication precisely to stop account takeovers. And MFA is still absolutely worth having - it stops a huge percentage of credential-based attacks. But device code phishing sidesteps MFA because the victim completes the MFA challenge themselves, on a legitimate Microsoft page. The attacker never needs to intercept the code or bypass anything.
Standard MFA - SMS codes, authenticator apps, even hardware keys in some configurations - won't protect you against this attack vector. The user is the one authenticating. The attacker just receives the token.
This is why layered security matters. Relying on any single control, even a good one like MFA, creates a blind spot. The goal is to make the overall attack cost prohibitively high through multiple overlapping defenses.
What You Can Actually Do About It
Here are concrete steps that reduce your exposure to device code phishing and similar authentication-based attacks.
1. Block or Restrict Device Code Flow in Entra ID
If your organization doesn't have smart TVs, printers, or other IoT devices logging into Microsoft 365, there's no reason to leave device code authentication enabled. Microsoft Entra ID (formerly Azure Active Directory) lets you block this flow with a Conditional Access policy.
In Entra admin center, go to Protection > Conditional Access and create a policy that blocks the 'Device Code' authentication flow for all users or scopes it to only the device types that actually need it. This is the most direct fix and it eliminates the attack surface entirely for those users.
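Before trusting that the flow is blocked, it is worth checking what the tenant actually enforces: a policy left in report-only mode, or one that excludes a group, leaves the door open. The following added Python example (not code from the article or from Microsoft) audits an export of Conditional Access policies for an enforced block on the device code flow; the sample policies are constructed and the group id is a placeholder.

```python
"""Audit a Conditional Access export for an enforced block on the device code flow.
Added example with constructed policies shaped like GET /identity/conditionalAccess/policies."""
import json


def policy(name, state, flows, exclude_groups=(), controls=("block",)):
    """Build a policy dict in the shape Graph returns (only the fields we inspect)."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                                     "excludeGroups": list(exclude_groups)},
                           "applications": {"includeApplications": ["All"]},
                           "authenticationFlows": {"transferMethods": flows} if flows else None},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}


# Constructed sample export: a report-only pilot, an enforced block with a
# group exclusion for printers (placeholder id), and an unrelated MFA policy.
SAMPLE_EXPORT = json.dumps({"value": [
    policy("Block device code flow (pilot)", "enabledForReportingButNotEnforced", "deviceCodeFlow"),
    policy("Block device code flow", "enabled", "deviceCodeFlow,authenticationTransfer",
           exclude_groups=["<printer-accounts-group-id>"]),
    policy("Require MFA for all users", "enabled", None, controls=["mfa"]),
]})


def blocks_device_code(p):
    """True when the policy names deviceCodeFlow in its authentication-flows
    condition (a comma-separated string) and its grant control is 'block'."""
    conds = p.get("conditions") or {}
    methods = (conds.get("authenticationFlows") or {}).get("transferMethods") or ""
    flagged = "deviceCodeFlow" in [m.strip() for m in methods.split(",")]
    controls = (p.get("grantControls") or {}).get("builtInControls") or []
    return flagged and "block" in controls


def audit(export_json):
    """Summarise which device-code blocks are enforced, which are report-only,
    and who each one excludes (exclusions are where legitimate devices, and gaps, live)."""
    report = {"enforced": [], "report_only": [], "exclusions": {}}
    for p in json.loads(export_json)["value"]:
        if not blocks_device_code(p):
            continue
        users = p["conditions"].get("users") or {}
        report["exclusions"][p["displayName"]] = (
            (users.get("excludeUsers") or []) + (users.get("excludeGroups") or []))
        bucket = {"enabled": "enforced",
                  "enabledForReportingButNotEnforced": "report_only"}.get(p["state"])
        if bucket:
            report[bucket].append(p["displayName"])
    return report
```

Feed audit() the JSON body returned by the Graph policies endpoint; an empty "enforced" list means nothing is actually blocking the flow yet.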
2. Train Employees to Recognize Device Code Lures
Your team needs to know that no legitimate business application should be asking them to visit microsoft.com/devicelogin in response to an email. That's not how normal Microsoft 365 apps authenticate users. If someone sees that URL in an unexpected email or message, it should be treated as suspicious until verified.
Security awareness training that includes real examples of device code phishing lures - not just generic phishing awareness - helps employees recognize the pattern before they click. The difference between a compromised account and a near-miss often comes down to whether someone was trained on the specific technique.
3. Enable FIDO2 / Phishing-Resistant MFA
Microsoft supports phishing-resistant authentication methods through FIDO2 security keys and Windows Hello for Business. Unlike standard TOTP codes, these methods are cryptographically bound to the specific site they were registered on, so they can't be replayed across a different authentication flow. Deploying these across your organization, especially for privileged accounts, significantly raises the bar for attackers.
4. Monitor for Anomalous Token Usage
If you have Microsoft Defender for Identity or a managed SOC watching your environment, configure alerts for unusual token activity. Specifically: refresh tokens being used from new locations or IP addresses, access from device types that don't match your user base, and sign-ins from a device code grant where the device type is unexpected.
Microsoft Sentinel and Defender for Cloud Apps both have detection rules for device code phishing - but they need to be enabled and tuned. Default configurations won't catch this automatically.
5. Review Third-Party App Consents
Once an attacker has a valid session token, they often create persistent access by registering a malicious OAuth application in your tenant and granting it consent. Go to your Entra admin center under Enterprise Applications and review any recently consented applications you don't recognize. Limit who in your organization can grant OAuth app consent - ideally, only admins should be able to approve new application integrations.
What to Do If You Think You've Been Compromised
If you suspect someone in your organization may have completed a device code authentication they didn't initiate, move quickly:
- Revoke all active sessions for the affected user immediately through Entra admin center (Users > select user > Revoke sessions).
- Rotate their password even though the attack didn't capture it - this forces re-authentication.
- Review the audit log for that account: look for mail forwarding rules created in the last 30 days, calendar permissions granted, and any OAuth application consents.
- Check their sent mail for any emails that didn't come from them - BEC attacks often start silently monitoring inbox traffic before striking.
- Review any financial transaction emails that may have been read and deleted.
Speed matters here. Attackers using EvilTokens are set up for rapid BEC exploitation - they have built-in tools for email harvesting and financial fraud automation. The sooner you cut off the session, the less damage they can do.
The Bigger Picture: Phishing Has Gotten Easier to Run
What EvilTokens represents isn't just a single threat - it's a sign of how the attack economy has matured. Phishing used to require technical skill. Now, it's available as a subscription service through Telegram bots, complete with ready-made templates, AI automation, and customer support from the platform operator.
This is what Sekoia's researchers noted: the EvilTokens code appears to be AI-generated, allowing the operator to build and iterate fast. The platform went from launch to 1,000 active domains in roughly five weeks. That kind of velocity used to be impossible without a large team.
For small businesses, this shift matters because you're no longer protected by obscurity. The attackers don't need to know who you are or what you're worth - they just send lures at scale and wait to see what tokens come back.
Managed cybersecurity services and vulnerability management have become more important precisely because the threat landscape moves this fast. Most small business IT teams don't have the bandwidth to track new PhaaS platforms as they emerge, evaluate detection rules, and tune controls in real time. That's where having a dedicated security partner pays off.
Summary: Three Things to Do This Week
You don't need to overhaul your security stack to address this. Start with these:
- Block device code flow in Entra ID if you don't have specific devices that need it. This is a free configuration change that eliminates the attack vector entirely for your users.
- Send a quick note to your team explaining what a device code phishing attempt looks like - specifically, any email asking them to visit microsoft.com/devicelogin should trigger a pause and a verification before proceeding.
- Audit OAuth app consents in your Entra tenant. If you find anything unfamiliar, revoke it and investigate.
If you'd like help reviewing your Microsoft 365 security configuration or setting up monitoring for this kind of token-based attack, the team at Burgi Technologies is happy to take a look. We work with small and mid-sized businesses in Orange County and beyond, and this is exactly the kind of thing we help clients get ahead of.
Frequently Asked Questions
Can EvilTokens steal accounts that have MFA enabled?
Yes. The device code phishing technique used by EvilTokens doesn't bypass MFA - it routes the victim through the legitimate Microsoft MFA challenge. The user completes the MFA step themselves on a real Microsoft page, and the attacker receives the resulting authenticated token. Standard TOTP-based MFA does not protect against this attack vector.
How do I know if my Microsoft 365 account was compromised this way?
Check the sign-in logs in Entra admin center (Monitoring > Sign-in logs). Look for authentications with 'Device code flow' listed as the authentication method, especially from IP addresses or locations that don't match your users. Also check for unfamiliar OAuth apps under Enterprise Applications and look for new mail forwarding rules in any user inboxes.
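For this check and for the monitoring in step 4 above, here is an added Python example (not code from the article or from Microsoft) that triages a sign-in export for device code flow sign-ins that don't fit a tenant baseline. The known IP ranges, expected platforms and expected countries are assumptions to replace with your own, and the sign-in records are constructed in the shape of Graph /auditLogs/signIns output.

```python
"""Triage Entra sign-in records for device code flow sign-ins that look out of place.
Added example; records are constructed in the shape of Graph /auditLogs/signIns output."""
import ipaddress
import json

# Assumed tenant baseline: office egress ranges, platforms that legitimate
# device-code clients (printers, room displays) use, and expected countries.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_DEVICE_OS = {"Linux", "Android"}
EXPECTED_COUNTRIES = {"US"}

# Constructed sample export (documentation IP ranges, fictitious accounts).
SAMPLE_SIGNINS = json.dumps({"value": [
    {"userPrincipalName": "lobby-display@example.com", "ipAddress": "203.0.113.40",
     "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph",
     "deviceDetail": {"operatingSystem": "Linux"}, "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "payroll@example.com", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph",
     "deviceDetail": {"operatingSystem": "Windows10"}, "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "payroll@example.com", "ipAddress": "203.0.113.41",
     "authenticationProtocol": "oAuth2", "resourceDisplayName": "Office 365 Exchange Online",
     "deviceDetail": {"operatingSystem": "Windows10"}, "location": {"countryOrRegion": "US"}},
]})


def in_known_range(ip):
    """True when the address falls inside one of the tenant's known egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def triage(export_json):
    """Return one finding per device-code sign-in with the reasons it looks anomalous."""
    findings = []
    for s in json.loads(export_json)["value"]:
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # ordinary interactive sign-ins are out of scope here
        reasons = []
        if not in_known_range(s["ipAddress"]):
            reasons.append("ip outside known ranges")
        if (s.get("deviceDetail") or {}).get("operatingSystem") not in EXPECTED_DEVICE_OS:
            reasons.append("unexpected OS for a device-code client")
        if (s.get("location") or {}).get("countryOrRegion") not in EXPECTED_COUNTRIES:
            reasons.append("unexpected country")
        findings.append({"user": s["userPrincipalName"], "ip": s["ipAddress"],
                         "reasons": reasons, "suspicious": bool(reasons)})
    return findings
```

Every device-code sign-in is listed, even the clean ones, so you can see which accounts use the flow at all before deciding what to block.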
Do I need to disable device code authentication for everyone?
Only if none of your devices (printers, conference room displays, IoT equipment) actually use this flow. If you do have legitimate devices, create a Conditional Access policy that restricts device code flow to specific users or approved device registrations instead of blanket-blocking it. Your IT administrator or MSP can scope this correctly.
Is this threat limited to Microsoft 365?
Currently, EvilTokens focuses on Microsoft 365. However, the platform's operator has announced plans to add Gmail and Okta support. Device code phishing as a technique can theoretically target any OAuth 2.0 implementation that supports the Device Authorization Grant flow.
What's the best protection against device code phishing specifically?
The most reliable control is blocking the device code authentication flow entirely via Conditional Access in Microsoft Entra ID, for users who don't need it. Combined with FIDO2 phishing-resistant MFA and security awareness training that covers this specific scenario, you significantly reduce the risk. Employee training on this attack pattern is particularly valuable because the attacker is relying on human action to complete the exploit.