Threat actors are utilizing "EvilTokens," a Token-as-a-Service (TaaS) framework, to compromise Microsoft 365 accounts by exploiting the OAuth 2.0 Device Code Flow. By tricking users into authorizing malicious Client IDs on legitimate Microsoft authentication pages, attackers bypass Multi-Factor Authentication (MFA) to acquire session-persistent access and refresh tokens. The campaign is scaled via the ArToken affiliate panel and leverages AI for personalized lure generation. This methodology enables long-term persistence and complete account takeover (ATO) without requiring the victim's password, effectively neutralizing traditional identity-based security controls.
Campaign Evolution: Token-as-a-Service (TaaS)
- Transition from traditional credential harvesting to session-token acquisition.
- Deployment of the "ArToken" affiliate panel to democratize high-impact account takeovers.
- Use of AI-driven automation to generate personalized, high-conversion phishing lures.
Technical Vector: OAuth 2.0 Device Code Flow
- Exploitation of the device authorization grant to circumvent MFA/2FA.
- Inducement of users to enter a device code on an authentic Microsoft login portal.
- Authorization of malicious Client IDs that grant the attacker direct access to the user's session.
Persistence and Impact
- Acquisition of Refresh Tokens allowing long-term, persistent access to Microsoft 365 environments.
- Complete Account Takeover (ATO) achieved without the need for plaintext passwords.
- Neutralization of conditional access policies that rely solely on password-plus-MFA.
Infrastructure and Scaling
- Utilization of fraudulent landing pages that mirror legitimate Microsoft 365 authentication flows.
- Centralized management of targets and stolen tokens via the ArToken administrative dashboard.
- Scale-out capability through a professionalized affiliate model targeting global user bases.
Detection and Mitigation Strategies
- Monitoring for anomalous OAuth application registrations and unauthorized device code requests.
- Enforcing stricter Conditional Access policies to restrict Device Code Flows to managed devices.
- Implementing continuous auditing of Refresh Token usage and session anomalies.
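The monitoring bullet above can be turned into a simple triage check. The example below is added here and is not code from the report or from any vendor; it runs over a constructed, simplified set of sign-in records (the real Entra sign-in log records device authorization grant sign-ins with authenticationProtocol set to "deviceCode") and flags device code sign-ins by client IDs outside a hypothetical allowlist, or from a country the user has no interactive-sign-in baseline for.

```python
import json
from collections import defaultdict

# Constructed sample of Microsoft Entra sign-in records (simplified shape; not real log data).
# Client IDs below are placeholders, not real application IDs.
SAMPLE_SIGNINS = """
{"user": "alice@example.com", "appId": "11111111-0000-0000-0000-000000000001", "appDisplayName": "Outlook", "authenticationProtocol": "none", "country": "GB"}
{"user": "alice@example.com", "appId": "11111111-0000-0000-0000-000000000001", "appDisplayName": "Outlook", "authenticationProtocol": "none", "country": "GB"}
{"user": "alice@example.com", "appId": "22222222-0000-0000-0000-000000000002", "appDisplayName": "Approved CLI", "authenticationProtocol": "deviceCode", "country": "GB"}
{"user": "alice@example.com", "appId": "33333333-0000-0000-0000-000000000003", "appDisplayName": "Unknown App", "authenticationProtocol": "deviceCode", "country": "RU"}
{"user": "bob@example.com", "appId": "11111111-0000-0000-0000-000000000001", "appDisplayName": "Outlook", "authenticationProtocol": "none", "country": "US"}
{"user": "bob@example.com", "appId": "33333333-0000-0000-0000-000000000003", "appDisplayName": "Unknown App", "authenticationProtocol": "deviceCode", "country": "US"}
"""

# Hypothetical allowlist: client app IDs the organisation permits to use the device code flow.
APPROVED_DEVICE_CODE_APPS = {"22222222-0000-0000-0000-000000000002"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def baseline_countries(records):
    """Countries each user normally signs in from, learned from their non-device-code sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            seen[r["user"]].add(r["country"])
    return seen


def find_suspicious_device_code_signins(records, approved_apps):
    """Flag device code sign-ins by unapproved client IDs or from countries outside the user's baseline."""
    baseline = baseline_countries(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        reasons = []
        if r["appId"] not in approved_apps:
            reasons.append("unapproved client app: " + r["appDisplayName"])
        if r["country"] not in baseline.get(r["user"], set()):
            reasons.append("no interactive baseline from " + r["country"])
        if reasons:
            findings.append({"user": r["user"], "appId": r["appId"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS), APPROVED_DEVICE_CODE_APPS):
        print(f["user"], f["appId"], "; ".join(f["reasons"]))
```

Each flagged record is a candidate for revoking the user's refresh tokens and reviewing the consenting client application, which is the response the persistence section above calls for.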
Related posts
- Cybersecurity News — Microsoft 365 Phishing Panel Uses OAuth Device Code Flow to Capture Tokens and Persist Access
- bleepingcomputer.com — ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit