The Industrialization of Identity Theft: The PhaaS Evolution
The landscape of cybercrime is shifting from manual, targeted attacks to a highly scalable business model. The emergence of Phishing-as-a-Service (PhaaS) platforms, such as the EvilTokens kit, allows low-skill criminals to launch sophisticated campaigns that were once the sole domain of advanced threat actors.
This “industrialization” means that high-volume attacks are now easier to execute. For example, security firm Barracuda recently detected over 7 million device code phishing attacks within a single four-week window. By packaging complex exploits into ready-to-use kits sold on platforms like Telegram, the barrier to entry for attackers has vanished.
Beyond the Password: The Shift to Token Hijacking
For years, security training focused on preventing credential theft. However, we are seeing a strategic pivot toward hijacking trusted authentication flows. Instead of stealing a password, attackers are now targeting OAuth 2.0 access and refresh tokens.
By abusing the device authorization flow—originally designed for devices with limited interfaces like printers or smart TVs—attackers can gain authorized access to Microsoft 365 and Entra ID environments. Once a victim enters a legitimate code on a real Microsoft page, the attacker receives the token directly.
This method provides three critical advantages for the attacker:
- Stealth: No cloned websites are used, bypassing many email filters.
- MFA Bypass: Because the victim authorizes the device themselves, multifactor authentication (MFA) and conditional access checks are often bypassed.
- Persistence: Refresh tokens can grant attackers access for days or weeks, remaining effective even if the user changes their password.
The Next Frontier: Cross-Platform Expansion
While current surges heavily target Microsoft ecosystems, the trend is moving toward cross-platform versatility. The developers behind the EvilTokens kit have already indicated plans to extend their phishing capabilities to include Gmail and Okta phishing pages.
This suggests a future where “identity-agnostic” phishing kits can pivot between different cloud providers depending on the target’s infrastructure. We are already seeing diverse threat actors—including Russian groups like Storm-237, UTA032, UTA0355, UNK_AcademicFlare, and TA2723, as well as the ShinyHunters data extortion group—leveraging these advanced techniques.
Redefining the Human Firewall
The rise of device code phishing renders traditional “look for the padlock” or “check the domain” advice obsolete. Since the final step of the attack happens on a genuine site (such as microsoft.com/devicelogin), the battle has shifted from technical detection to contextual awareness.
Future security training must move beyond identifying “fake” sites and instead teach users to question the reason for a request. If a user is asked to enter a verification code for a device they didn’t intentionally link, it should be treated as a critical red flag, regardless of how legitimate the website appears.
Attackers are increasingly tailoring their lures to specific roles. Recent campaigns have used PDFs, HTML, and DOCX files impersonating financial documents, payroll notices, or SharePoint shares to target employees in HR, finance, logistics, and sales.
Frequently Asked Questions
What is device code phishing?
It’s an attack that abuses the OAuth 2.0 device authorization flow. Attackers trick users into entering a legitimate device code on an official login page, which grants the attacker an access token to the user’s account.
Can MFA stop device code phishing?
Not necessarily. Because the victim is the one performing the authentication on a trusted device, they effectively “approve” the attacker’s session, potentially bypassing MFA and conditional access checks.
What is EvilTokens?
EvilTokens is a Phishing-as-a-Service (PhaaS) kit that automates device code phishing attacks, primarily targeting Microsoft 365 and Entra ID environments.
How do I protect my organization?
Implement layered security, use advanced email filtering, monitor for unusual identity patterns, and train staff to never enter device codes unless they initiated the request themselves.
Are you confident in your current identity protection strategy? Share your thoughts in the comments below or subscribe to our newsletter for the latest updates on evolving cyber threats.
