CISOOnline

EvilTokens abuses Microsoft device code flow for account takeovers

The PhaaS toolkit offers its affiliates a range of features, including modules for access weaponization, email harvesting, reconnaissance, and a built-in webmail interface, all driven by AI automation, the researchers added.

EvilTokens was found operating through bots on Telegram, with a dedicated channel for kit upgrades. Victims so far are concentrated in the US, Australia, Canada, France, India, Switzerland, and the UAE.

Device code authentication as an access broker

The campaign centers on the abuse of Microsoft's device authorization grant flow, a feature designed to simplify logins on input-constrained clients such as smart TVs or command-line tools. EvilTokens repurposes this workflow by requesting a legitimate device authorization from Microsoft and then tricking victims into entering the resulting user code themselves on Microsoft's official login page. The victim never sees a fake page or hands over a password; the kit only needs them to type the short code and sign in as usual.
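To make the mechanics concrete, the following is an added simulation of the device authorization grant (RFC 8628) with both sides of the exchange in one process. It is not code from the EvilTokens kit, from the researchers, or from Microsoft: the `AuthorizationServer` class stands in for the identity provider's `/devicecode` and `/token` endpoints with the HTTP layer removed, field and error names follow RFC 8628, and the client id, user name, scope and timings are constructed placeholders. The point it shows is that the token is handed to whichever party holds `device_code` and polls for it, while the victim only ever handles `user_code` on the genuine verification page.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628), both sides.

Added illustration; not code from the EvilTokens kit, the researchers, or
Microsoft. AuthorizationServer stands in for the identity provider's
/devicecode and /token endpoints with the HTTP layer removed so the
exchange runs offline. Field and error names follow RFC 8628; the client
id, user name, scope and timings are constructed.
"""
import secrets
import string


class AuthorizationServer:
    """Stand-in for the identity provider; `now` is an explicit clock (seconds)."""

    def __init__(self, lifetime_s=900, interval_s=5):
        self.lifetime_s = lifetime_s
        self.interval_s = interval_s
        self._pending = {}  # device_code -> authorization state

    def devicecode(self, client_id, scope, now):
        """POST /devicecode, called by the client (here: the phishing kit).
        The caller learns both codes; only user_code is ever shown to a human."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": now + self.lifetime_s, "approved_by": None,
            "last_poll": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.lifetime_s, "interval": self.interval_s}

    def devicelogin(self, user_code, user, now):
        """The victim types user_code on the genuine verification page and signs
        in normally (password, MFA). Nothing secret passes through the kit here."""
        for state in self._pending.values():
            if state["user_code"] == user_code and state["expires_at"] > now:
                state["approved_by"] = user
                return True
        return False

    def token(self, client_id, device_code, now):
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Polled by whoever holds device_code, i.e. the kit, not the victim."""
        state = self._pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if state["expires_at"] <= now:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and now - state["last_poll"] < self.interval_s:
            return {"error": "slow_down"}  # client polled too fast; must back off
        state["last_poll"] = now
        if state["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # a device code is single use
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer",
                "scope": state["scope"], "subject": state["approved_by"]}


CLIENT_ID = "kit-client-id"  # placeholder; a real kit uses some registered app id
SCOPE = "openid offline_access Mail.Read"  # constructed scope string


def run_device_code_phish():
    """Walk the abuse end to end. Returns (device response, poll results, token)."""
    srv = AuthorizationServer()
    lure = srv.devicecode(CLIENT_ID, SCOPE, now=0)
    # The kit relays lure["user_code"] and lure["verification_uri"] to the victim
    # in a lure message, then starts polling for the token.
    polls = [srv.token(CLIENT_ID, lure["device_code"], now=5),   # pending
             srv.token(CLIENT_ID, lure["device_code"], now=7)]   # too fast
    # The victim enters the code on the real login page and authenticates.
    srv.devicelogin(lure["user_code"], "victim@example.com", now=60)
    # The kit's next poll receives the victim's token.
    final = srv.token(CLIENT_ID, lure["device_code"], now=65)
    return lure, polls, final


def run_expired_attempt():
    """Failure mode: the victim acts after the code's lifetime has elapsed."""
    srv = AuthorizationServer(lifetime_s=900)
    lure = srv.devicecode(CLIENT_ID, SCOPE, now=0)
    approved = srv.devicelogin(lure["user_code"], "victim@example.com", now=1000)
    return approved, srv.token(CLIENT_ID, lure["device_code"], now=1000)


if __name__ == "__main__":
    lure, polls, final = run_device_code_phish()
    print("user code shown to victim:", lure["user_code"])
    print("poll results before approval:", [p["error"] for p in polls])
    print("token minted for:", final["subject"])
```

Two details of the real protocol are preserved because they matter operationally: the code expires (Microsoft's codes have a lifetime of minutes, so a lure has to land while the kit is still polling), and the kit must respect `slow_down`, which is why kits keep a polling loop per outstanding lure rather than one-shot requests.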

Once the victim completes authentication on the genuine page, the attacker's polling client receives the access tokens for that session. Those tokens can then be used against Microsoft 365 services, including email and cloud resources, without triggering typical credential-based alerts, since no password was ever entered anywhere but Microsoft's own login page.
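Because the sign-in itself is legitimate, the place to catch this is the sign-in log rather than credential-theft telemetry. Below is an added detection example, not code from the article or its source research, that runs over constructed Entra ID sign-in records. The field names (`userPrincipalName`, `authenticationProtocol`, `ipAddress`, `appDisplayName`, `createdDateTime`) mirror the Microsoft Graph `signIn` schema, where the device code flow is recorded as `authenticationProtocol: "deviceCode"`; the users, addresses and app allow list are invented.

```python
"""Flag device-code sign-ins in Entra ID sign-in log records.

Added example, not code from the article or its source research. Records are
constructed to mirror the Microsoft Graph signIn schema; user names, IP
addresses and the app allow list are invented.
"""
import json
from collections import defaultdict

# Constructed sample export in JSON Lines form.
SAMPLE_LOG = """
{"createdDateTime": "2025-05-01T08:02:11Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Outlook"}
{"createdDateTime": "2025-05-01T08:30:45Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22", "appDisplayName": "Teams"}
{"createdDateTime": "2025-05-02T14:05:03Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office"}
{"createdDateTime": "2025-05-02T14:06:41Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "appDisplayName": "Azure CLI"}
{"createdDateTime": "2025-05-02T14:07:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.40", "appDisplayName": "SharePoint"}
"""


def parse_signins(text):
    """Parse JSON Lines into a list of sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_signins(records, allowed_apps=frozenset()):
    """Return one alert per deviceCode sign-in, ranked by context.

    Records are walked in time order so a user's earlier sign-ins form the
    baseline of IP addresses seen for them. A device-code sign-in is 'high'
    when it comes from an IP never seen for that user, or when the app is not
    on the allow list of apps the org expects to use device code (for example
    a CLI tool); otherwise it is 'medium'. Which party's address ends up on
    the record depends on how the tenant logs the flow, so treat the IP as
    context rather than proof.
    """
    seen_ips = defaultdict(set)
    alerts = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"]
        ip = rec["ipAddress"]
        if rec.get("authenticationProtocol") == "deviceCode":
            reasons = ["device code flow"]
            if ip not in seen_ips[user]:
                reasons.append("new IP for user")
            if rec.get("appDisplayName") not in allowed_apps:
                reasons.append("app not on device-code allow list")
            severity = "high" if len(reasons) > 1 else "medium"
            alerts.append({"user": user, "time": rec["createdDateTime"], "ip": ip,
                           "app": rec.get("appDisplayName"), "severity": severity,
                           "reasons": reasons})
        seen_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_signins(parse_signins(SAMPLE_LOG),
                                          allowed_apps={"Azure CLI"}):
        print(alert["severity"], alert["user"], alert["ip"], alert["reasons"])
```

On the sample, Alice's sign-in is high severity (device code, from an address never seen for her, via an app not expected to use the flow) while Bob's is medium (device code, but the usual address and a CLI on the allow list). The preventive counterpart is to restrict the flow itself: Entra ID Conditional Access can target the device code flow through its authentication flows condition, so it can be blocked for everyone except the users and apps that genuinely need it.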


