Newsy Today
Business Email Compromise
Barracuda spots 7 million device code phishing attacks

by Chief Editor April 24, 2026

The Industrialization of Identity Theft: The PhaaS Evolution

The landscape of cybercrime is shifting from manual, targeted attacks to a highly scalable business model. The emergence of Phishing-as-a-Service (PhaaS) platforms, such as the EvilTokens kit, allows low-skill criminals to launch sophisticated campaigns that were once the sole domain of advanced threat actors.

This “industrialization” means that high-volume attacks are now easier to execute. For example, security firm Barracuda recently detected over 7 million device code phishing attacks within a single four-week window. By packaging complex attack tooling into ready-to-use kits sold on platforms like Telegram, these services have removed the barrier to entry for attackers.

Did you know? Device code phishing is particularly dangerous because it doesn’t rely on fake login pages. Instead, it tricks users into completing the sign-in on the legitimate Microsoft login portal, making it nearly invisible to traditional “spot the fake URL” training.

Beyond the Password: The Shift to Token Hijacking

For years, security training focused on preventing credential theft. However, we are seeing a strategic pivot toward hijacking trusted authentication flows. Instead of stealing a password, attackers are now targeting OAuth 2.0 access and refresh tokens.


By abusing the device authorization flow—originally designed for devices with limited interfaces like printers or smart TVs—attackers can gain authorized access to Microsoft 365 and Entra ID environments. Once a victim enters a legitimate code on a real Microsoft page, the attacker receives the token directly.

This method provides three critical advantages for the attacker:

  • Stealth: No cloned websites are used, bypassing many email filters.
  • MFA Bypass: Because the victim authorizes the device themselves, multifactor authentication (MFA) and conditional access checks are often bypassed.
  • Persistence: Refresh tokens can grant attackers access for days or weeks, remaining effective even if the user changes their password.

The Next Frontier: Cross-Platform Expansion

While current surges heavily target Microsoft ecosystems, the trend is moving toward cross-platform versatility. The developers behind the EvilTokens kit have already indicated plans to extend it with Gmail and Okta phishing pages.


This suggests a future where “identity-agnostic” phishing kits can pivot between different cloud providers depending on the target’s infrastructure. We are already seeing diverse threat actors—including Russian groups like Storm-237, UTA032, UTA0355, UNK_AcademicFlare, and TA2723, as well as the ShinyHunters data extortion group—leveraging these advanced techniques.

Pro Tip: To mitigate this risk, organizations should implement layered security controls, including advanced email filtering and continuous monitoring of identity protection mechanisms. Tighter controls around device authorization flows are essential to stop token abuse.
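A defender-side example that serves both the flow description above and the monitoring advice in this tip: triage logic that flags successful device-code sign-ins in a sign-in log export. This is added code, not from the article or from Barracuda; the field names (userPrincipalName, ipAddress, authenticationProtocol, appDisplayName, errorCode) are assumed to mirror an Entra ID sign-in log export, the recorded IP is assumed to be the client that redeemed the code, and the records are constructed.

```python
"""Flag OAuth 2.0 device-code-flow sign-ins in a sign-in log export (added
example, not from the article; field names assume an Entra ID export)."""
import json
from collections import defaultdict

# Constructed sample: one JSON record per line. errorCode 0 means success.
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"none","appDisplayName":"Microsoft Teams","errorCode":0}
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"none","appDisplayName":"Exchange Online","errorCode":0}
{"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","authenticationProtocol":"none","appDisplayName":"Microsoft Teams","errorCode":0}
{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","errorCode":0}
{"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","errorCode":0}
{"userPrincipalName":"carol@example.com","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","errorCode":0}
{"userPrincipalName":"dave@example.com","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","errorCode":50126}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def baseline_ips(events):
    """IPs each user has signed in from via ordinary (non-device-code) flows."""
    seen = defaultdict(set)
    for e in events:
        if e["authenticationProtocol"] != "deviceCode":
            seen[e["userPrincipalName"]].add(e["ipAddress"])
    return seen

def find_device_code_signins(events):
    """Return (findings, shared_ips) for successful device-code sign-ins.

    The token is issued to the client that requested the device code, which in
    a phishing scenario is the attacker's polling client, so a redemption IP
    absent from the user's ordinary sign-ins is rated 'high'. One IP redeeming
    codes for several users is a hallmark of a kit-driven campaign.
    """
    baseline = baseline_ips(events)
    findings, users_by_ip = [], defaultdict(list)
    for e in events:
        if e["authenticationProtocol"] != "deviceCode" or e["errorCode"] != 0:
            continue  # only successful device-code redemptions matter here
        user, ip = e["userPrincipalName"], e["ipAddress"]
        severity = "high" if ip not in baseline.get(user, set()) else "medium"
        findings.append({"user": user, "ip": ip, "app": e["appDisplayName"],
                         "severity": severity})
        users_by_ip[ip].append(user)
    shared_ips = {ip: u for ip, u in users_by_ip.items() if len(u) > 1}
    return findings, shared_ips
```

On the constructed sample, alice and carol are rated high (code redeemed from an IP neither user normally signs in from, and the same IP for both), bob is medium (same IP as his ordinary sign-ins), and dave’s failed redemption is skipped.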

Redefining the Human Firewall

The rise of device code phishing renders traditional “look for the padlock” or “check the domain” advice obsolete. Since the final step of the attack happens on a genuine site (such as microsoft.com/devicelogin), the battle has shifted from technical detection to contextual awareness.

Future security training must move beyond identifying “fake” sites and instead teach users to question the reason for a request. If a user is asked to enter a verification code for a device they didn’t intentionally link, it should be treated as a critical red flag, regardless of how legitimate the website appears.

Attackers are increasingly tailoring their lures to specific roles. Recent campaigns have used PDFs, HTML, and DOCX files impersonating financial documents, payroll notices, or SharePoint shares to target employees in HR, finance, logistics, and sales.

Frequently Asked Questions

What is device code phishing?
It’s an attack that abuses the OAuth 2.0 device authorization flow. Attackers trick users into entering a legitimate device code on an official login page, which grants the attacker an access token to the user’s account.

Can MFA stop device code phishing?
Not necessarily. Because the victim is the one performing the authentication on a trusted device, they effectively “approve” the attacker’s session, potentially bypassing MFA and conditional access checks.

What is EvilTokens?
EvilTokens is a Phishing-as-a-Service (PhaaS) kit that automates device code phishing attacks, primarily targeting Microsoft 365 and Entra ID environments.

How do I protect my organization?
Implement layered security, use advanced email filtering, monitor for unusual identity patterns, and train staff to never enter device codes unless they initiated the request themselves.


AI reshapes cyber threats as experts warn on automation

by Chief Editor December 12, 2025

AI‑Powered Threat Hunting: Faster, Smarter, but Still Human‑Centric

Security teams are racing to embed artificial intelligence into their threat‑hunting pipelines. AI can crunch millions of logs in seconds, spot anomalous patterns, and flag suspicious behavior before a traditional signature‑based system ever notices.

Yet experts warn that full automation is a double‑edged sword. An AI‑driven system that automatically isolates a compromised laptop might sound perfect—until it mistakenly shuts down a SCADA controller feeding a power plant. The cost of an unwarranted outage can dwarf any data breach.

“Technology alone won’t define resilience. The best teams hunt for behavior and intent, not just alerts,” says Dave Spencer, Director of Technical Product Management at Immersive.

Real‑World Example: The 2023 SolarWinds Incident

When the SolarWinds supply‑chain attack was uncovered, analysts discovered that static signatures failed to catch the novel backdoor. It was only after manual investigation of unusual network traffic that the breach was confirmed. Today, AI‑enabled UEBA (User and Entity Behavior Analytics) tools aim to spot such “behavioral drift” automatically, but a human analyst still validates the final decision.

IT/OT Convergence: Legacy Systems Meet Smart Controls

Industrial networks are no longer isolated islands. Information‑technology (IT) and operational‑technology (OT) environments are merging, creating a blended attack surface that mixes office‑level phishing with plant‑floor sabotage.

Older PLCs and legacy SCADA components often lack built‑in security, making them attractive footholds for attackers who can pivot into newer, AI‑enabled control systems.

“Success will depend on disciplined change management, exhaustive testing, and efficient use of maintenance windows,” warns Sam Maesschalck, Lead OT Cyber Security Engineer at Immersive.

Case Study: Ukrainian Power Grid Outage (2022)

Threat actors leveraged compromised VPN credentials to infiltrate the grid’s IT network, then moved laterally into OT devices that still ran outdated firmware. The incident sparked tighter NIST guidelines for IT/OT security and accelerated adoption of standards like ISA/IEC 62443.

Extortion 2.0: Data as Fuel for AI Models

Ransomware gangs are already selling stolen credentials on underground forums. The next wave could see criminals offering clean, labeled datasets to AI startups desperate for training material.

Because large language models thrive on high‑quality data, extortionists may demand higher premiums for “AI‑ready” datasets, turning data theft into a commodity market.

“Threat actors may threaten to sell stolen data to AI companies hungry for new training material,” predicts Ben McCarthy, Lead Cyber Security Engineer at Immersive.

Recent Trend: AI‑Assisted Malware

Proof‑of‑concept tools now let a malicious script call an LLM API to generate polymorphic code on the fly. This capability enables malware that adapts its payload in real time, evading static detection.

AI‑Driven Deception: The Rise of Hyper‑Realistic Social Engineering

Deepfake videos, AI‑generated voice clones, and personalized phishing lures are moving from novelty to everyday weapon.

When an AI can synthesize a CEO’s voice with perfect cadence, the “business email compromise” playbook becomes dramatically more convincing.

“Organizations that rely solely on technology, processes, and policies will fail,” says John Blythe, Director of Cyber Psychology at Immersive.

Did you know?

According to a 2024 Verizon Data Breach Investigations Report, 71 % of breach incidents involved some form of social engineering—and the success rate jumps when AI‑generated content is used.

Building True Resilience: People, Process, and Technology

Resilience isn’t a checkbox; it’s a proven capability. Companies must demonstrate that automated defenses, legacy controls, and human operators can all respond in sync under pressure.

Key steps include:

  • Running continuous red‑team exercises that blend AI‑based attack simulations with manual phishing drills.
  • Maintaining an up‑to‑date asset inventory that spans both IT and OT environments.
  • Adopting zero‑trust principles that enforce granular, context‑aware access across converged networks.

Pro tip

Integrate a “shadow IT” scanner into your SIEM. It will surface unsanctioned devices—like a workstation running an old HMI client—before attackers can abuse them.

FAQ

  • Will AI replace security analysts? No. AI augments analysts by filtering noise, but final judgement still rests with humans.
  • How can legacy OT devices be protected? Use network segmentation, strict access controls, and overlay security gateways that inspect traffic without altering device firmware.
  • Are deepfake attacks common today? They’re rising fast. A 2023 study by the FBI showed a 300 % increase in deepfake‑related fraud cases within a year.
  • What regulations address IT/OT security? Standards like ISA/IEC 62443, NIST 800‑82, and emerging EU CSDR guidelines set baseline controls for converged environments.
  • How should organizations test AI‑driven defenses? Conduct “attack‑in‑the‑loop” drills where AI tools generate simulated threats that analysts must investigate.

Next Steps for Your Organization

Ready to future‑proof your security posture? Start by mapping every asset—old PLCs, cloud workloads, and employee laptops—then layer AI‑enhanced monitoring on top of a solid zero‑trust framework. Finally, run regular, realistic tabletop exercises that blend AI‑generated phishing with hands‑on incident response.

