Phishing, Identity, Threat Intelligence

Global Microsoft device code phishing facilitated by novel EvilTokens kit

Microsoft only editorial Stock information on the logo of the office facade

BleepingComputer reports that organizations around the world, particularly in the U.S., Canada, France, Australia, India, Switzerland, and the United Arab Emirates, have been subjected to attacks involving the nascent EvilTokens device code phishing kit compromising Microsoft accounts.

Intrusions commence with the distribution of malicious emails with documents purporting to be financial documents and other legitimate business content, which include a link diverting to a trusted service-spoofing website showing a verification code, according to a Sekoia report. Included within the site is a "Continue to Microsoft" button that redirects to a legitimate Microsoft device login page, where victims are then deceived into authenticating a requested device code to the attacker-supplied URL.

Doing so provides threat actors with access to a temporary access token and another refresh token, which could be leveraged to compromise email accounts, files, and Teams information. Further analysis of EvilTokens revealed that the phishing-as-a-service kit also enabled business email compromise attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds