Cybersecurity News • 2h
EvilTokens: AI-Enhanced OAuth 2.0 TaaS Phishing Targeting Microsoft 365
Threat actors are utilizing "EvilTokens," a Token-as-a-Service (TaaS) framework, to compromise Microsoft 365 accounts by exploiting the OAuth 2.0 Device Code Flow. By tricking users into authorizing malicious Client IDs on legitimate Microsoft authentication pages, attackers bypass Multi-Factor Authentication (MFA) to acquire session-persistent access and refresh tokens. The campaign is scaled via the ArToken affiliate panel and leverages AI for personalized lure generation. This methodology enables long-term persistence and complete account takeover (ATO) without requiring the victim's password, effectively neutralizing traditional identity-based security controls.
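On the defensive side, the pattern described above (a device code sign-in that authorizes a client ID, followed by refresh-token use without further prompts) can be hunted for in sign-in logs. The sketch below is an added example, not code from the article or from any vendor; the record field names and values, the allow-list, and the placeholder client IDs are all assumptions standing in for whatever your identity provider's log export actually contains.

```python
# Added example: field names and values are assumptions modelled on a sign-in log export.
APPROVED_ID = "00000000-0000-0000-0000-00000000a001"  # placeholder client ID
UNKNOWN_ID = "00000000-0000-0000-0000-00000000b002"   # placeholder client ID
OTHER_ID = "00000000-0000-0000-0000-00000000c003"     # placeholder client ID

# Hypothetical allow-list of client IDs approved for device code sign-in.
APPROVED_DEVICE_CODE_CLIENTS = {APPROVED_ID}


def _ev(time, user, app_id, protocol, interactive, ip):
    return {"time": time, "user": user, "appId": app_id,
            "authenticationProtocol": protocol, "isInteractive": interactive, "ip": ip}


# Constructed sample records (documentation IP ranges, example.com users).
SAMPLE_SIGNINS = [
    _ev("2024-01-01T09:00:00Z", "alice@example.com", APPROVED_ID, "deviceCode", True, "198.51.100.10"),
    _ev("2024-01-01T09:20:00Z", "alice@example.com", APPROVED_ID, "none", False, "198.51.100.10"),
    _ev("2024-01-01T09:45:00Z", "bob@example.com", OTHER_ID, "none", False, "198.51.100.20"),
    _ev("2024-01-01T10:00:00Z", "bob@example.com", UNKNOWN_ID, "deviceCode", True, "198.51.100.20"),
    _ev("2024-01-01T10:30:00Z", "bob@example.com", UNKNOWN_ID, "none", False, "203.0.113.7"),
    _ev("2024-01-01T14:00:00Z", "bob@example.com", UNKNOWN_ID, "none", False, "203.0.113.7"),
]


def find_suspect_device_code_grants(signins, approved):
    """Flag each (user, client ID) pair that completed a device code sign-in with a
    client ID outside the allow-list, and count the later non-interactive sign-ins
    for that pair, which indicate the issued refresh token is still being used."""
    findings = {}
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for ev in sorted(signins, key=lambda e: e["time"]):
        key = (ev["user"], ev["appId"])
        if ev["authenticationProtocol"] == "deviceCode" and ev["appId"] not in approved:
            f = findings.setdefault(key, {"user": ev["user"], "appId": ev["appId"],
                                          "first_seen": ev["time"],
                                          "followon_refreshes": 0, "ips": set()})
            f["ips"].add(ev["ip"])
        elif key in findings and not ev["isInteractive"]:
            # Token use after the suspicious grant: persistence without a new prompt.
            findings[key]["followon_refreshes"] += 1
            findings[key]["ips"].add(ev["ip"])
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_suspect_device_code_grants(SAMPLE_SIGNINS, APPROVED_DEVICE_CODE_CLIENTS):
        print(finding)
```

A finding with follow-on refreshes from addresses the user has never signed in from is the case to triage first, and revoking the user's refresh tokens is the containment step, since a password reset alone does not invalidate tokens that were never tied to the password.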