
EvilTokens - Rampant Device Code Phishing Targets Microsoft 365

Help Net Security

Basically, EvilTokens tricks Microsoft 365 users into handing over their access tokens by luring them to enter an attacker-generated device code at a legitimate Microsoft sign-in page.

Quick Summary

A rise in device code phishing attacks is targeting Microsoft 365 users, fueled by the EvilTokens toolkit. This sophisticated method tricks users into revealing their access tokens, leading to account compromises. Organizations must take action to protect their sensitive data from these growing threats.

What Happened

Security researchers have observed a significant rise in device code phishing activities aimed at Microsoft 365 users. This increase has been linked to EvilTokens, a new phishing toolkit that is being marketed as a service on Telegram. Device code phishing is a method where attackers exploit legitimate authentication flows to trick users into logging into their accounts, ultimately stealing their access and refresh tokens.

The device code authentication workflow, originally designed for input-constrained devices, is being misused by phishers. They initiate a genuine device authorization request and send the resulting user code to the targeted user. If the user follows the link and enters the code, Microsoft issues the access and refresh tokens to the attacker's waiting client; the victim has unknowingly authorized the attacker's session.

Who's Affected

The primary targets of these phishing campaigns are Microsoft 365 users, particularly employees in sensitive sectors such as finance, human resources, and logistics. As more organizations adopt cloud services, the risk of such targeted attacks increases. The EvilTokens toolkit lowers the barrier for entry, allowing even low-skill attackers to launch sophisticated phishing operations.

Organizations must remain vigilant as these attacks can lead to unauthorized access to sensitive data and systems. The potential for lateral movement within an organization’s network makes this threat particularly concerning, as attackers can exploit compromised accounts to access further resources.

What Data Was Exposed

When successful, device code phishing can lead to the exposure of critical data. Attackers gain access to valid access and refresh tokens, enabling them to authenticate as the victim without needing their login credentials. This access allows attackers to move laterally within the organization, potentially compromising financial records or sensitive communications.

The EvilTokens toolkit provides templates for various phishing scenarios, including email quarantine notices and document sharing requests. This diversity in phishing tactics increases the likelihood of success, as attackers can tailor their approach based on the victim’s role and the context of their work.

What You Should Do

Organizations should take proactive measures to defend against device code phishing. Training employees to recognize phishing attempts and understand the legitimate device authorization process is crucial. Implementing Conditional Access policies can help restrict device code authentication to approved users and devices.

Monitoring for anomalous sign-ins and revoking refresh tokens when compromise is suspected are also essential steps. By staying informed and prepared, organizations can mitigate the risks associated with this evolving threat landscape.
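A defender-side check for the monitoring step above, as an added example that is not part of the original article or of Help Net Security: it scans constructed sign-in records (field names assumed from the Microsoft Graph `signIn` shape, all values invented) for successful device-code sign-ins that use an app outside an assumed allow list or come from a country the user has never signed in from by any other protocol, and reports those users as candidates for token revocation.

```python
import json
from collections import defaultdict

# Constructed sign-in records shaped like Microsoft Graph `signIn` objects; the
# field names are an assumption for this example and every value is invented.
SAMPLE_SIGNINS_JSON = """[
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
  "appDisplayName": "Microsoft Teams", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
  "appDisplayName": "Outlook", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Azure CLI", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 50126}}
]"""
SAMPLE_SIGNINS = json.loads(SAMPLE_SIGNINS_JSON)

# Apps expected to use the device code flow in this (assumed) tenant.
APPROVED_DEVICE_CODE_APPS = {"Azure CLI"}


def suspicious_device_code_signins(signins):
    """Map each user with an out-of-policy successful device-code sign-in to the
    reasons: an app outside the allow list, or a country the user has never signed
    in from with any other protocol. Failed attempts are ignored."""
    baseline = defaultdict(set)  # user -> countries seen in non-device-code sign-ins
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])

    findings = defaultdict(list)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        upn, app = s["userPrincipalName"], s["appDisplayName"]
        country = s["location"]["countryOrRegion"]
        if app not in APPROVED_DEVICE_CODE_APPS:
            findings[upn].append(f"device code flow via unapproved app '{app}'")
        if country not in baseline[upn]:
            findings[upn].append(f"no prior non-device-code sign-in from {country}")
    return dict(findings)


if __name__ == "__main__":
    # Flagged users are candidates for refresh-token revocation (in Entra ID that
    # is the revokeSignInSessions action, which this example does not call).
    for upn, reasons in suspicious_device_code_signins(SAMPLE_SIGNINS).items():
        print(f"{upn}: {'; '.join(reasons)}")
```

With the constructed records only alice is flagged: bob's device-code sign-in uses an approved app from his usual country, and carol's attempt failed.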

🔒 Pro insight: The emergence of EvilTokens signifies a shift in phishing tactics, necessitating enhanced user education and robust access controls to combat this threat.

Original article from Help Net Security, by Zeljka Zorz.
