A new malicious toolkit called EvilTokens has emerged that weaponizes Microsoft's device code authentication system to hijack user accounts. The kit integrates device code phishing capabilities, allowing attackers to bypass traditional security measures and gain unauthorized access to Microsoft accounts through legitimate authentication flows.
The service provides cybercriminals with advanced features specifically designed for business email compromise (BEC) attacks, representing a significant evolution in phishing techniques. Device code phishing exploits the legitimate OAuth device authorization flow, making it particularly dangerous as it can bypass multi-factor authentication protections.
The attack vector leverages Microsoft's device code authentication process, which is typically used to sign users in on devices that lack a web browser. Attackers trick victims into entering device codes on legitimate Microsoft authentication pages, effectively granting the attackers access to the victim's account without triggering traditional security alerts.
Organizations should implement additional security monitoring for unusual authentication patterns and consider restricting device code authentication flows where not necessary. Microsoft has been working to improve detection of these attacks, but the legitimate nature of the authentication process makes prevention challenging without impacting legitimate users.
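One way to act on the monitoring advice above is to pull device code sign-ins out of the Entra ID sign-in log and flag the ones that fall outside a per-user baseline. The example below is added here and is not code from the article or from Microsoft; it assumes records in the Microsoft Graph `signIn` shape (where `authenticationProtocol` is `"deviceCode"` for this flow), a locally maintained allowlist of users and countries expected to use the flow, and constructed sample records.

```python
"""Flag successful device-code sign-ins that fall outside a user's expected baseline.

Assumptions (added example, not from the article or Microsoft's own tooling):
- Records follow the Microsoft Graph `signIn` resource shape; the OAuth device
  authorization flow is identified by `authenticationProtocol == "deviceCode"`.
- EXPECTED_DEVICE_CODE is a locally maintained allowlist of users that legitimately
  use the flow (e.g. meeting-room devices) and the countries they sign in from.
"""
import json

# Constructed sample sign-in records as JSON lines; not real telemetry.
SAMPLE_LOG = """\
{"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"ipAddress":"203.0.113.10","status":{"errorCode":0},"appDisplayName":"Room Display"}
{"userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","location":{"countryOrRegion":"US"},"ipAddress":"203.0.113.10","status":{"errorCode":0},"appDisplayName":"Office 365 Exchange Online"}
{"userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NL"},"ipAddress":"198.51.100.7","status":{"errorCode":0},"appDisplayName":"Microsoft Office"}
{"userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"ipAddress":"192.0.2.5","status":{"errorCode":50126},"appDisplayName":"Microsoft Office"}
"""

# Users expected to use the device code flow, and the countries they normally use it from.
EXPECTED_DEVICE_CODE = {"alice@example.com": {"US"}}


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_alerts(records, expected=EXPECTED_DEVICE_CODE):
    """Return one alert per completed device-code sign-in outside the user's baseline.

    Failed attempts (non-zero errorCode) are ignored: no token was issued, so the
    account was not taken over, though a spike of them may still merit a look.
    """
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue
        user = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion")
        if country not in expected.get(user, set()):
            alerts.append({
                "user": user, "ip": r.get("ipAddress"), "country": country,
                "app": r.get("appDisplayName"),
                "reason": "device code sign-in outside expected baseline",
            })
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(parse_signins(SAMPLE_LOG)):
        print(alert)
```

Users with no baseline entry are alerted on every successful device code sign-in, which is the intended default when the flow is restricted to a known set of devices.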
This development highlights the ongoing evolution of phishing techniques, with cybercriminals increasingly targeting cloud-based authentication systems rather than traditional credential theft methods.