Threat Spotlight: Device code phishing is on the rise with 7 million attacks in four weeks

The EvilTokens phishing kit is driving the surge, targeting Microsoft 365 and Entra ID environments

Key takeaways

  • The EvilTokens phishing kit tricks users into signing into Microsoft through the abuse of device codes.
  • Device code phishing has advantages over traditional credential phishing in stealth, persistence and evasion.
  • In the last four weeks, Barracuda has detected more than 7 million device code attacks.
  • Layered security controls, advanced email filtering, identity protection mechanisms, and continuous monitoring reduce exposure.

Device code authentication is the OAuth 2.0 Device Authorization Grant (RFC 8628): a login method that lets a user sign in on one device by entering a short code on another, trusted device (for Microsoft accounts, at microsoft.com/devicelogin). It is intended for devices with limited interfaces, such as TVs, printers or command line interface (CLI) tools. Device code phishing abuses this flow: the attacker, not a TV or a CLI, is the "device" being authorized, so the tokens Microsoft issues give the attacker persistent access that is indistinguishable, to Microsoft, from a legitimate sign-in by the victim.

Over the last month, Barracuda’s threat analysts have detected more than 7 million device code phishing attacks, largely powered by the recently reported EvilTokens phishing kit. Barracuda has also seen other attackers leveraging the approach together with Tycoon 2FA capabilities. It is likely that other phishing kits will follow.

The attack approach is as follows: The attacker requests a real device code from Microsoft's device authorization endpoint and receives two values, a short user code and a secret device code. The user code goes into a phishing lure that persuades the victim to enter it on a legitimate login page, such as 'microsoft.com/devicelogin'; the device code never leaves the attacker. While the lure is in flight, the attacker polls Microsoft's token endpoint with the device code and keeps receiving 'authorization_pending'. The victim signs in (completing MFA if prompted) and enters the code, and the next poll returns the OAuth access and refresh tokens, which pass straight to the attacker. The code is only valid for a short window (about 15 minutes), which is why these lures press for immediate action.
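The exchange described above, as an added example that is not part of the original post or of any phishing kit: a self-contained mock of the RFC 8628 endpoints (a stand-in for Microsoft's /devicecode and /token, with no network access) driven by an attacker loop. The client ID, the victim identity, the code lifetime and the token formats are assumptions chosen to mirror the shape of the real flow. The simulation also shows the two ways the attack fails: the victim never enters the code, or enters it without completing MFA, and the attacker's polling ends with the code expiring.

```python
"""Mock of the OAuth 2.0 Device Authorization Grant (RFC 8628) as abused in device
code phishing. Added example, not Barracuda's or Microsoft's code: the server here
is a stand-in for Microsoft's /devicecode and /token endpoints, and the client ID,
code lifetime and token formats are assumptions chosen to mirror the real flow."""
import secrets
import string

CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder; kits use a real first-party app ID
SCOPE = "openid offline_access https://graph.microsoft.com/.default"  # offline_access => refresh token
VICTIM = "alice@contoso.example"  # constructed identity


class FakeClock:
    """Deterministic clock so the simulation runs instantly and offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class DeviceAuthServer:
    """Minimal authorization server implementing the RFC 8628 endpoints."""
    def __init__(self, clock, code_lifetime=900, interval=5):
        self.clock = clock
        self.code_lifetime = code_lifetime  # expires_in; Microsoft's codes last about 15 minutes
        self.interval = interval            # minimum seconds between token polls
        self.pending = {}                   # device_code -> pending authorization

    def device_authorization(self, client_id, scope):
        """POST /devicecode. The ATTACKER calls this and receives both codes."""
        device_code = secrets.token_urlsafe(32)  # secret, stays with the attacker
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        self.pending[device_code] = {
            "user_code": user_code, "client_id": client_id, "scope": scope,
            "expires_at": self.clock() + self.code_lifetime,
            "approved_by": None, "last_poll": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.code_lifetime, "interval": self.interval}

    def user_approves(self, user_code, upn, mfa_satisfied):
        """The VICTIM opens verification_uri, signs in (including MFA) and types the code."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and self.clock() < rec["expires_at"]:
                if not mfa_satisfied:
                    return False  # sign-in did not complete; code stays unapproved
                rec["approved_by"] = upn
                return True
        return False

    def token(self, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code. Attacker polls."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now >= rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # single use
        tag = secrets.token_hex(8)
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": f"at.{rec['approved_by']}.{tag}",
                "refresh_token": f"rt.{rec['approved_by']}.{tag}"}


def run_phish(victim_delay, victim_responds=True, victim_mfa=True):
    """Drive one attack end to end; returns the lure, both codes and the final token response."""
    clock = FakeClock()
    server = DeviceAuthServer(clock)
    dev = server.device_authorization(CLIENT_ID, SCOPE)          # step 1: attacker gets a real code
    lure = (f"Your mailbox needs re-verification. Go to {dev['verification_uri']} "
            f"and enter code {dev['user_code']}.")                # step 2: only the user_code is sent
    victim_acted = False
    while True:                                                   # step 3: attacker polls /token
        if victim_responds and not victim_acted and clock() >= victim_delay:
            server.user_approves(dev["user_code"], VICTIM, mfa_satisfied=victim_mfa)
            victim_acted = True
        resp = server.token(dev["device_code"])
        if "error" not in resp or resp["error"] == "expired_token":
            return {"lure": lure, "user_code": dev["user_code"],
                    "device_code": dev["device_code"], "result": resp}   # step 4: tokens reach attacker
        clock.advance(dev["interval"])
```

Calling run_phish(victim_delay=30) returns a refresh token for the victim after six polls; run_phish(victim_delay=30, victim_responds=False) and run_phish(victim_delay=30, victim_mfa=False) both end in expired_token. Note that nothing in the lure is a URL an email filter could object to, and that the token response is the same object Microsoft would hand a real CLI tool.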

What’s the appeal of device code phishing?

Device code phishing has several advantages over traditional credential phishing with fake login pages — particularly in terms of stealth, persistence and evasion. 

  • It relies on legitimate links, with no suspicious URLs: Traditional phishing needs a convincing fake website, which email filters and URL reputation services can spot. Device code phishing sends the victim to the official Microsoft authentication URL, so the link itself gives a filter nothing to flag.
  • It sidesteps multifactor authentication and most conditional access checks: The victim completes MFA themselves, in their own browser, so the token the attacker receives already satisfies the MFA requirement, and device- and location-based conditions are evaluated against the victim's session rather than the attacker's. The exception is a conditional access policy that targets the device code flow itself (the 'authentication flows' condition), which blocks the grant outright.
  • Persistent, long-term access: Once the victim enters the code, the attacker receives a refresh token that can be renewed for days or weeks (Entra ID refresh tokens have a default 90-day lifetime that is extended with each use). An access token that has already been issued keeps working until it expires, so a password change alone does not end an active session; an administrator also has to revoke the user's sign-in sessions (the revokeSignInSessions action in Microsoft Graph) to invalidate the refresh token.
  • It takes advantage of user trust and familiarity: People are used to entering a short alphanumeric code to link their devices, so the request looks routine.
  • Stealthier post-compromise activity: The sign-in is recorded as the victim authenticating from their own browser, and the attacker's subsequent use of the token triggers no further prompt for the user. The flow is not invisible, though: Entra ID sign-in logs record the authentication protocol as device code flow, which is the hook for detection.
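A practitioner's check for the last point, as an added example rather than Barracuda's detection logic: triage Entra ID sign-in records exported from Microsoft Graph, keep only those whose authenticationProtocol is deviceCode, and rank them by whether the application and the user normally use that flow. The records are constructed for this example, and the set of applications expected to use device code is an assumption that has to be tuned per tenant.

```python
"""Triage of Entra ID sign-in records for device code flow abuse. Added example, not
Barracuda's detection logic. The records are constructed for this example; field names
follow the Microsoft Graph signIn resource (authenticationProtocol, appDisplayName, ...),
and the list of apps expected to use device code is an assumption to tune per tenant."""
import json

# Assumption: in this tenant only CLI tooling legitimately uses the device code flow.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

# Constructed history used as the baseline of who normally signs in with device code.
BASELINE_LOG = """
{"createdDateTime":"2025-05-02T09:10:00Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode"}
{"createdDateTime":"2025-05-03T11:00:00Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2"}
"""

# Constructed records from the window being triaged.
NEW_LOG = """
{"createdDateTime":"2025-06-01T08:00:00Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode"}
{"createdDateTime":"2025-06-01T08:05:00Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode"}
{"createdDateTime":"2025-06-01T08:07:00Z","userPrincipalName":"carol@contoso.example","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.11","authenticationProtocol":"oAuth2"}
"""


def parse_log(text):
    """One JSON object per line, as a Graph export or a SIEM dump would give you."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def device_code_users(records):
    """Users who have used the device code flow before (the baseline)."""
    return {r["userPrincipalName"] for r in records if r.get("authenticationProtocol") == "deviceCode"}


def triage(records, baseline_users):
    """Flag every device-code sign-in; escalate when the app or the user is out of profile."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue  # the protocol field is the discriminator; everything below is ranking
        reasons = []
        if r["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("app is not expected to use device code")
        if r["userPrincipalName"] not in baseline_users:
            reasons.append("user has no prior device-code sign-ins")
        findings.append({
            "time": r["createdDateTime"], "user": r["userPrincipalName"],
            "app": r["appDisplayName"], "ip": r["ipAddress"],
            "severity": "high" if reasons else "info", "reasons": reasons,
        })
    return findings


def run():
    """Triage the new window against the baseline window."""
    return triage(parse_log(NEW_LOG), device_code_users(parse_log(BASELINE_LOG)))
```

On the constructed data, bob's Azure CLI sign-in comes back as an informational hit and alice's Office sign-in as high severity with both reasons attached. The sign-in IP is the victim's browser, not the attacker's, so IP-based rules do little here; the protocol field plus an app and user baseline is what separates a phished code from a developer running a CLI tool.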

In this article we examine the flow of a real-world device code phishing attack seen by Barracuda’s threat analysts.

The attack flow

