Executive Summary
In early 2026, the EvilTokens Phishing-as-a-Service platform emerged, exploiting the OAuth 2.0 device authorization grant flow to compromise over 340 Microsoft 365 organizations across multiple countries within five weeks. This method bypasses traditional password theft by tricking users into completing legitimate multi-factor authentication (MFA) processes on genuine Microsoft login pages, thereby granting attackers access tokens without raising typical security alarms. The attackers then gain persistent access to corporate emails, files, and other sensitive resources, facilitating data exfiltration and business email compromise (BEC) attacks. This incident underscores the evolving sophistication of phishing techniques that render conventional MFA defenses insufficient. Organizations must reassess their security protocols to address these advanced threats, emphasizing the need for continuous monitoring and user education on emerging phishing tactics.
Why This Matters Now
The rapid adoption of EvilTokens highlights a significant shift in phishing strategies, where attackers exploit legitimate authentication processes to bypass traditional security measures. This evolution necessitates immediate attention to enhance security frameworks and user awareness to mitigate such sophisticated threats.
Attack Path Analysis
Attackers used EvilTokens to phish Microsoft 365 users by exploiting the OAuth 2.0 device authorization grant flow, leading to unauthorized access and data exfiltration.
Kill Chain Progression
Initial Compromise
Description
Attackers sent phishing emails containing links to decoy pages that prompted users to enter a device code, tricking them into authorizing an attacker-controlled device sign-in.
MITRE ATT&CK® Techniques
Spearphishing Attachment
Valid Accounts
Application Layer Protocol: Web Protocols
Email Collection
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security policies and operational procedures for managing system and network security are documented, in use, and known to all affected parties.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
EvilTokens phishing-as-a-service targets Microsoft 365 OAuth flows, bypassing traditional authentication safeguards critical for financial operations and regulatory compliance requirements.
Health Care / Life Sciences
Device code phishing compromises Microsoft 365 environments containing sensitive patient data, violating HIPAA compliance while enabling unauthorized access to healthcare communications.
Government Administration
OAuth abuse attacks against government Microsoft 365 deployments threaten classified information systems and inter-agency communications through legitimate authentication flow exploitation.
Legal Services
EvilTokens enables business email compromise attacks targeting law firms' Microsoft 365 environments, compromising confidential client communications and privileged legal documentation.
Sources
- EvilTokens: A phishing attack that doesn't steal your password (https://www.welivesecurity.com/en/cybercrime/eviltokens-phishing-doesnt-steal-password/)
- New widespread EvilTokens kit: device code phishing as-a-service (https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/)
- EvilTokens ramps up device code phishing targeting Microsoft 365 users (https://www.helpnetsecurity.com/2026/03/31/eviltokens-phishing-microsoft-365/)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting unauthorized access and reducing the attacker's ability to move laterally within the network.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have limited the attacker's ability to exploit the device authorization grant flow by enforcing strict identity verification and access controls at every workload boundary.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have constrained the attacker's ability to escalate privileges by enforcing least-privilege access and segmenting workloads based on identity.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely have limited the attacker's lateral movement by monitoring and controlling internal traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control may have constrained the attacker's ability to maintain command and control by providing comprehensive monitoring and management across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely have restricted data exfiltration by controlling and monitoring outbound traffic.
The implementation of CNSF controls may have reduced the overall impact by limiting the attacker's ability to exploit compromised accounts for further attacks.
Impact at a Glance
Affected Business Functions
- Email Communications
- File Storage and Sharing
- Calendar Management
- Collaboration Platforms
Estimated downtime: 7 days
Estimated loss: $500,000
Access to corporate emails, files, calendars, and contacts, potentially leading to data exfiltration and business email compromise.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict access between workloads and limit lateral movement.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Multicloud Visibility & Control to detect anomalous interactions and repeated malformed requests indicative of compromise.
- Deploy Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities in real-time.
- Apply Inline IPS (Suricata) to inspect traffic for known exploit patterns and malicious payloads, blocking them when detected.
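A concrete detection check for the device authorization grant abuse described in the attack path, supporting the threat detection item above. This is an added example, not code from the EvilTokens reporting or from Aviatrix. It assumes an export of Microsoft Entra ID sign-in logs as JSON lines and that the authenticationProtocol field carries the value deviceCode for device code sign-ins; confirm both against your own log schema.

```python
"""Flag Microsoft 365 sign-ins completed via the OAuth 2.0 device
authorization grant.  Added illustration, not code from the EvilTokens
reporting.  The field names (authenticationProtocol == "deviceCode",
userPrincipalName, ipAddress, location) are an assumption about the Entra
sign-in log export; map them to your own schema before use."""
import json
from collections import defaultdict

# Constructed sample export: a normal interactive sign-in, a device-code
# sign-in from the user's usual country, and a device-code sign-in from a
# country the user has never signed in from.
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","authenticationProtocol":"none","ipAddress":"203.0.113.10","location":"DE","appDisplayName":"Outlook"}
{"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":"DE","appDisplayName":"Microsoft Authentication Broker"}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":"NG","appDisplayName":"Microsoft Office"}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"none","ipAddress":"192.0.2.44","location":"FR","appDisplayName":"Teams"}
"""

def parse_signins(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def baseline_locations(records):
    """Countries each user has signed in from with a non-device-code flow."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(r.get("location"))
    return seen

def device_code_alerts(records):
    """Return (user, ip, severity) for every device-code sign-in.

    Every device-code grant is worth review because ordinary enterprise users
    rarely need it; one from a country absent from the user's other sign-ins
    is escalated, since in the phishing flow the grant completes on the
    attacker's host rather than the victim's own device."""
    known = baseline_locations(records)
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        severity = "high" if r.get("location") not in known[user] else "medium"
        alerts.append((user, r.get("ipAddress"), severity))
    return alerts

if __name__ == "__main__":
    for alert in device_code_alerts(parse_signins(SAMPLE_LOG)):
        print(alert)
```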