EvilTokens - New Phishing Kit Targets Microsoft Accounts

In short, EvilTokens tricks users into granting attackers access to their Microsoft accounts.
EvilTokens, a new phishing kit, is targeting Microsoft accounts through device code phishing. This poses a high risk for businesses and users. Stay alert and protect your accounts from these sophisticated attacks.
What Happened
A new malicious kit called EvilTokens has emerged, integrating device code phishing capabilities. This kit allows attackers to hijack Microsoft accounts and is marketed to cybercriminals via Telegram. The creator of EvilTokens has plans to expand its functionality to include phishing for Gmail and Okta accounts in the future.
Device code phishing exploits the OAuth 2.0 device authorization flow. Attackers deceive victims into approving a device sign-in that the attacker initiated, which grants the attacker access to sensitive accounts. This technique has been utilized by various threat actors, including groups linked to Russian cybercrime.
Who's Being Targeted
Researchers from Sekoia have identified that EvilTokens targets individuals through emails containing documents that appear legitimate. These documents often include QR codes or hyperlinks leading to phishing templates. The impersonated content can range from financial documents to meeting invitations, specifically aimed at employees in finance, HR, logistics, or sales roles.
Victims who fall for these lures are redirected to phishing pages that mimic trusted services, such as Adobe Acrobat or DocuSign. This deception is designed to extract sensitive information from unsuspecting users.
Signs of Infection
Once a victim interacts with the phishing link, they are prompted to authenticate at a legitimate Microsoft sign-in URL. Behind the scenes, the attackers have used a legitimate Microsoft application to request a device code, and the victim's sign-in completes that request. As a result, victims unknowingly hand the attackers both a short-lived access token and a refresh token.
These tokens grant immediate access to the victim's Microsoft services, including email and Teams data. The global reach of EvilTokens has been noted, with significant activity reported in countries like the United States, Canada, and Australia.
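Because the flow described above (a device code requested by the attacker, approved by the victim) leaves a distinctive trace in Entra ID sign-in logs, one detection a defender can run is to triage every successful device code sign-in. The script below is an added example, not code from Sekoia's report or from the EvilTokens kit; it assumes Microsoft Graph signIn-style records (the `authenticationProtocol` value `deviceCode` and `status.errorCode` are real Graph fields), and the sample records and home-country baseline are constructed.

```python
from dataclasses import dataclass

# Sign-ins that used the OAuth 2.0 device authorization flow carry this
# value in the Microsoft Graph signIn `authenticationProtocol` property.
DEVICE_CODE = "deviceCode"

@dataclass
class Alert:
    user: str
    app: str
    ip: str
    country: str
    severity: str

def find_device_code_signins(records, home_countries):
    """Return one Alert per successful device code sign-in.

    home_countries maps UPN -> set of countries the user normally signs in
    from. A device code sign-in from elsewhere is rated 'high'; one from a
    known country 'medium', since the flow is rare for ordinary desktop users.
    """
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != DEVICE_CODE:
            continue
        # Only successful sign-ins yield tokens; errorCode 0 means success.
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue
        user = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion", "")
        severity = "high" if country not in home_countries.get(user, set()) else "medium"
        alerts.append(Alert(user, r.get("appDisplayName", ""),
                            r.get("ipAddress", ""), country, severity))
    return alerts

# Constructed sample records in Graph signIn shape (not real log data).
SAMPLE_RECORDS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "192.0.2.44",
     "location": {"countryOrRegion": "CA"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
]
HOME = {"bob@example.com": {"US"}, "carol@example.com": {"CA"}}
```

Legitimate device code use exists (command-line tools on headless machines), so tune the baseline rather than treating every hit as an incident. Where the flow is not needed, Entra Conditional Access can block it outright through the authentication flows condition, which removes the attack path instead of only detecting it.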
How to Protect Yourself
To mitigate the risks posed by EvilTokens, users should remain vigilant against suspicious emails and verify the authenticity of any links before clicking. Organizations should educate employees about the dangers of phishing and implement multi-factor authentication to add an extra layer of security.
Sekoia has provided indicators of compromise (IoCs) and technical details to help defenders block EvilTokens-related attacks. Staying informed and proactive is essential to safeguarding against these evolving threats.