A new malicious kit called EvilTokens has again put on the table a technique that, although well known to the security community, continues to be effective and dangerous: the abuse of the OAuth 2.0 device authorization flow to hijack corporate accounts. Researchers at the detection and response firm Sekoia have documented campaigns that use this kit and confirm that it is a fraudulent service in constant evolution, offered to buyers through Telegram and with the stated intention of extending its reach to additional platforms such as Gmail and Okta. The technical analysis and indicators of compromise are available in the report published by Sekoia's researchers.
The technique these attacks exploit is the so-called "device code flow" of OAuth 2.0, originally designed to allow authentication on devices with limited input interfaces. In essence, the flow generates a short code that the end user must enter or authorize from a browser on a second device; the problem appears when that process is manipulated so that the victim, believing they are validating a legitimate service, ends up handing the attacker access and refresh tokens. The mechanism is standardized in the publicly available RFC 8628 specification, and Microsoft also documents its implementation and use in Azure AD in its developer documentation for the device flow.
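To make the mechanism concrete, here is an added example (not code from the article, from Sekoia or from any identity provider) that simulates the RFC 8628 exchange between a client and an in-memory authorization server: the device authorization request, the user's approval from a second device, and the client's polling of the token endpoint with the `authorization_pending`, `slow_down`, `expired_token` and `invalid_grant` responses the standard defines. The client names, the verification URI and the per-client allow-list are assumptions; the allow-list illustrates the kind of restriction on the device flow that defenders can apply when a client has no need for it.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628).

Added example, not code from the article or from Sekoia: a toy in-memory
authorization server and a driver that walks through one device code
exchange. Client names, the verification URI and the allow-list are
constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


class Clock:
    """Controllable clock so the exchange can be replayed deterministically."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


@dataclass
class DeviceAuth:
    client_id: str
    user_code: str
    expires_at: float
    interval: int = 5
    approved_by: Optional[str] = None
    last_poll: float = -1e9  # far in the past so the first poll is accepted
    consumed: bool = False


class AuthorizationServer:
    """Minimal RFC 8628 server: device endpoint, user approval, token endpoint."""

    def __init__(self, device_flow_allowed: Set[str], clock: Callable[[], float],
                 lifetime: int = 600) -> None:
        # Mitigation the article recommends: restrict the device code flow to
        # clients that actually need it; any other client is refused up front.
        self.device_flow_allowed = device_flow_allowed
        self.clock = clock
        self.lifetime = lifetime
        self.pending: Dict[str, DeviceAuth] = {}  # device_code -> record

    def device_authorization(self, client_id: str) -> dict:
        """Device authorization request/response (RFC 8628 sections 3.1 and 3.2)."""
        if client_id not in self.device_flow_allowed:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self.pending[device_code] = DeviceAuth(
            client_id=client_id, user_code=user_code,
            expires_at=self.clock() + self.lifetime)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",  # constructed
                "expires_in": self.lifetime, "interval": 5}

    def user_approves(self, user_code: str, username: str) -> bool:
        """The user types the code into a browser on another device (section 3.3).

        The server sees only the code: it cannot tell whether the client that
        requested it sits on the user's desk or on someone else's machine."""
        for rec in self.pending.values():
            if (rec.user_code == user_code and rec.approved_by is None
                    and self.clock() <= rec.expires_at):
                rec.approved_by = username
                return True
        return False

    def token(self, client_id: str, device_code: str) -> dict:
        """Token endpoint polled by the client (sections 3.4 and 3.5)."""
        rec = self.pending.get(device_code)
        if rec is None or rec.client_id != client_id or rec.consumed:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec.expires_at:
            return {"error": "expired_token"}
        if now - rec.last_poll < rec.interval:
            rec.last_poll = now
            return {"error": "slow_down"}
        rec.last_poll = now
        if rec.approved_by is None:
            return {"error": "authorization_pending"}
        rec.consumed = True
        # The refresh token is what turns a single approval into persistent access.
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "token_type": "Bearer", "subject": rec.approved_by}


def run_flow(client_id: str, username: str, approve: bool = True) -> dict:
    """Drive one full exchange and return the client's final token response."""
    clock = Clock()
    server = AuthorizationServer({"meeting-room-tv"}, clock)  # assumed allow-list
    start = server.device_authorization(client_id)
    if "error" in start:
        return start
    clock.t += start["interval"]
    pending = server.token(client_id, start["device_code"])  # user has not acted yet
    assert pending == {"error": "authorization_pending"}
    if approve:
        server.user_approves(start["user_code"], username)
    clock.t += start["interval"]
    return server.token(client_id, start["device_code"])


if __name__ == "__main__":
    print(run_flow("meeting-room-tv", "ana@corp.example"))
```

The design point to notice is in `user_approves`: the authorization server only ever sees the short code, so an approval from the user's browser is indistinguishable from one made for a client running anywhere else. That is the gap a lure exploits, and it is why the article's recommendation to limit which clients may use this grant (modelled here by the `device_flow_allowed` set) and to watch where the resulting tokens are used matter more than the login page itself.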

In the campaigns analyzed by Sekoia, the entry point is not a malicious attachment or a complex exploit but a well-made decoy: documents in common formats (PDF, HTML, DOCX, XLSX or even SVG) containing a QR code or a link to phishing templates created by EvilTokens. These lures imitate credible business documents, such as purchase orders, payroll notices, meeting invitations or files supposedly shared through trusted services such as DocuSign or SharePoint; accordingly, they often target specific roles within companies, especially finance, human resources, logistics or sales. On opening the link, the victim lands on a page that imitates a legitimate service and asks for a code-based verification; after pressing a button (for example "Continue with Microsoft") they are redirected to the genuine Microsoft login site to complete the authorization, unaware that this very act hands their credentials to the attacker.
The abuse vector is ingenious because the attacker uses a legitimate client application to request the device code and, by guiding the victim to enter it on the genuine Microsoft URL, obtains both a temporary access token and a refresh token that allows persistent access to be maintained. With these tokens, the attacker can not only read and send email, access files and Teams conversations, or move laterally across single sign-on services, but also automate business email compromise (BEC) actions to impersonate identities, move money or extract sensitive information. Sekoia identified international operations; the most affected countries include the United States, Canada, France, Australia, India, Switzerland and the United Arab Emirates.
The most worrying aspect is that EvilTokens is marketed as phishing-as-a-service (PhaaS), which makes it easy for actors with very different skill levels to use it at scale. According to the researchers, the kit includes various templates and automation tools designed specifically to facilitate corporate impersonation attacks, and its author already announces future support for other identity providers. This business model lowers the entry barrier for mass campaigns and, by centralizing development in a single evolving kit, lets operators update templates and techniques quickly.
For organizations and defenders, a combination of technical and awareness measures can mitigate this risk. The first line of defence is preventing and segmenting the use of OAuth flows: review which applications hold access permissions, apply application consent policies and restrict the device code flow wherever it is not needed. In addition, conditional access controls and policies that evaluate the client's reputation, location or session risk can block abnormal attempts to obtain tokens. In parallel, detection should include analysis of issued tokens, alerts on refresh tokens redeemed from unexpected locations and auditing of application consents. Response teams can rely on the YARA rules and IoCs that Sekoia has made available in its report to identify infrastructure related to EvilTokens and campaign patterns.
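Two of the detection ideas in the paragraph above, flagging device-code grants from clients that have no business need for that flow and flagging refresh tokens redeemed from unexpected locations, can be turned into concrete rules. The following is an added example, not code from the article or from Sekoia, run over a constructed set of sign-in log lines. The JSON schema (event names, field names, client ids, countries and RFC 5737 documentation IP addresses) is an assumption for this example, not any identity provider's real export format, so mapping the rules onto a real log means translating those field names first.

```python
"""Added example: detection rules for device-code abuse, run over constructed
sign-in log lines. Not code from the article or from Sekoia.

The JSON schema below (event names, field names, client ids, countries and
RFC 5737 documentation IPs) is constructed for this example and is not any
vendor's export format. The rules implement two of the article's suggestions:
flag device-code grants from clients with no business need for that flow, and
flag token redemptions from locations the user has never signed in from
interactively.
"""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample: ana approves a device code that was requested from
# another country and the refresh token is later used from there; bob uses
# the flow legitimately from a meeting-room device.
SAMPLE_LOG = """\
{"ts": "2025-03-03T09:12:00Z", "user": "ana@corp.example", "event": "interactive_signin", "client_id": "office-web", "country": "FR", "ip": "203.0.113.10"}
{"ts": "2025-03-03T09:15:30Z", "user": "ana@corp.example", "event": "device_code_signin", "client_id": "desktop-mail-client", "country": "NL", "ip": "198.51.100.7"}
{"ts": "2025-03-03T10:00:00Z", "user": "bob@corp.example", "event": "interactive_signin", "client_id": "office-web", "country": "FR", "ip": "203.0.113.22"}
{"ts": "2025-03-03T10:05:00Z", "user": "bob@corp.example", "event": "device_code_signin", "client_id": "meeting-room-tv", "country": "FR", "ip": "203.0.113.23"}
{"ts": "2025-03-03T11:40:00Z", "user": "ana@corp.example", "event": "refresh_token", "client_id": "desktop-mail-client", "country": "NL", "ip": "198.51.100.7"}
{"ts": "2025-03-03T12:05:00Z", "user": "bob@corp.example", "event": "refresh_token", "client_id": "meeting-room-tv", "country": "FR", "ip": "203.0.113.23"}
"""

# Clients with a legitimate reason to use the device code flow (assumed).
ALLOWED_DEVICE_CLIENTS: Set[str] = {"meeting-room-tv"}

RULE_CLIENT = "device_code_unexpected_client"
RULE_LOCATION = "token_from_unseen_location"


def parse_log(text: str) -> List[dict]:
    """Parse JSON lines and return events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def _finding(rule: str, e: dict) -> dict:
    return {"rule": rule, "user": e["user"], "client_id": e["client_id"],
            "country": e["country"], "ip": e["ip"], "ts": e["ts"].isoformat()}


def analyze(text: str, allowed_clients: Set[str] = ALLOWED_DEVICE_CLIENTS) -> List[dict]:
    """Return one finding per rule hit, in log order."""
    # user -> countries of earlier interactive sign-ins; events are processed
    # in time order, so only sign-ins that precede a token event shape it.
    baseline: Dict[str, Set[str]] = defaultdict(set)
    findings: List[dict] = []
    for e in parse_log(text):
        if e["event"] == "interactive_signin":
            baseline[e["user"]].add(e["country"])
            continue
        if e["event"] == "device_code_signin" and e["client_id"] not in allowed_clients:
            findings.append(_finding(RULE_CLIENT, e))
        if (e["event"] in ("device_code_signin", "refresh_token")
                and e["country"] not in baseline[e["user"]]):
            findings.append(_finding(RULE_LOCATION, e))
    return findings


def likely_token_theft(findings: List[dict]) -> Set[str]:
    """Users that tripped both rules: an unexpected client obtained a device-code
    grant and tokens were then used from outside the user's interactive baseline."""
    rules_by_user: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        rules_by_user[f["user"]].add(f["rule"])
    return {u for u, r in rules_by_user.items() if {RULE_CLIENT, RULE_LOCATION} <= r}


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["rule"], h["user"], h["client_id"], h["country"], h["ts"])
    print("escalate:", likely_token_theft(hits))
```

Each rule alone produces noise (travelling staff, new devices), which is why `likely_token_theft` only escalates users who hit both: a device-code grant to a client that should not be using that flow, followed by token use from a location the user has never signed in from interactively. In practice the location baseline would be built from a longer history than the batch being analyzed, and the allow-list would come from the application inventory the paragraph above recommends reviewing.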

The human component must not be forgotten: social engineering remains the most effective vector. It is therefore crucial that employees are trained to recognize emails with suspicious documents, check the authenticity of senders and avoid scanning QR codes or clicking unverified links. Organizations should establish clear procedures for confirming requests for sensitive information or transfers and provide alternative, safe channels for validating critical communications; when in doubt about the legitimacy of a resource, verifying the URL and confirming through another channel avoids many incidents.
For a deeper understanding of how the device flow works and why it can be exploited, it is advisable to review both the OAuth 2.0 device code specification (RFC 8628) and the implementation guides of the identity providers your company uses. In addition, the general guidance on phishing and business email compromise published by cybersecurity agencies helps to put the threats in context and to identify best practices for responding. Useful resources include Microsoft's documentation on the device flow and Sekoia's analysis of EvilTokens, as well as material from agencies such as CISA on BEC-related corporate email fraud and the recommendations of national cybersecurity centres on phishing and safe practices on the web.
In short, EvilTokens is a forceful reminder that threats evolve at the point where technical convenience meets human trust. It is not just a matter of patching a technical flaw, but of strengthening the security culture and identity controls to reduce both the exposed surface and the impact of a compromised credential. Organizations that combine strict access policies, active token monitoring and targeted training against social engineering will be better prepared to detect and neutralize such attacks before they cause significant damage.