Coralogix

A large-scale Phishing-as-a-Service campaign called EvilToken is actively compromising Microsoft 365 accounts by abusing the OAuth Device Code Authentication flow. The toolkit generates live device codes on demand, bypassing the 15-minute expiry window, and uses AI to craft role-specific phishing lures. Victims authenticate on legitimate Microsoft infrastructure while unknowingly authorizing the attacker's session, completely bypassing MFA. Post-compromise activity includes email exfiltration via Microsoft Graph API, device registration for persistent Primary Refresh Tokens, lateral phishing, inbox rule manipulation, and evidence destruction. The advisory includes full MITRE ATT&CK mapping, a comprehensive list of IOCs (IPs, domains, URLs), detection rules for Coralogix SIEM, and hardening recommendations including enforcing managed device compliance via Conditional Access, enabling Token Protection, and restricting Graph API permissions.

Evil Token: AI-Enabled Device Code Phishing Campaign

Snowbit by Coralogix – Threat Intelligence Advisory