EvilTokens: an AI-augmented Phishing-as-a-Service for automating BEC fraud – Part 2

Key Takeaways

• EvilTokens is a Phishing-as-a-Service (PhaaS) platform that automates Business Email Compromise (BEC) using Microsoft device code phishing.
• The platform integrates AI models (Groq, OpenAI) to automatically analyze stolen emails, identify financial exposure, and draft highly convincing BEC lures.
• Attackers use a custom 'Portal Browser' to manage multiple compromised Microsoft 365 accounts simultaneously using stolen tokens.
• The backend leverages the Microsoft Graph API for extensive automated reconnaissance, extracting contacts, events, sent items, and organizational structures.
• Harvested access and refresh tokens are converted into Primary Refresh Tokens (PRTs) to establish persistence and bypass MFA.

Affected Systems

• Microsoft 365
• Microsoft Entra ID (Azure AD)
• Microsoft Outlook
• Microsoft Graph API

Attack Chain

The attack begins with a phishing page impersonating services like DocuSign or Microsoft, tricking the victim into initiating a Microsoft device code authorization flow. Once the victim authenticates, the EvilTokens backend captures the access and refresh tokens, exchanging them for a Primary Refresh Token (PRT) for persistence. The backend then automatically queries the Microsoft Graph API to perform reconnaissance on the victim's mailbox, contacts, and organization. Finally, an AI pipeline ingests the emails and reconnaissance data to identify financial exposure and generate tailored BEC attack scenarios, which are sent to the attacker via Telegram.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, KQL, etc.) in the text, though it mentions the authoring organization provides built-in rules to their customers.

Detection Engineering Assessment

EDR Visibility: Low — The attack primarily occurs in cloud environments (Microsoft 365/Entra ID) using stolen tokens and legitimate APIs, bypassing traditional endpoint execution and malware drops. Network Visibility: Medium — Network logs may capture the initial phishing link click, but subsequent API calls happen server-to-server (EvilTokens backend to Microsoft Graph). Detection Difficulty: Hard — The use of legitimate Microsoft APIs (Graph) and valid OAuth tokens makes malicious activity blend in with normal administrative or user behavior.

Required Log Sources

• Azure AD Sign-in Logs
• Microsoft 365 Unified Audit Log
• Microsoft Graph API Activity Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for unusual or high-volume Microsoft Graph API calls (e.g., /mailFolders, /contacts, /events, /manager) originating from unfamiliar IP addresses or unexpected user agents shortly after a new device code authentication.	Microsoft 365 Unified Audit Log / Graph API Logs	Discovery	Medium
Identify the creation of new inbox rules (forwarding or deletion) immediately following a device code login event.	Microsoft 365 Unified Audit Log	Persistence	Low
Monitor for anomalous Primary Refresh Token (PRT) requests or usage from unmanaged devices or unexpected geolocations.	Azure AD Sign-in Logs	Credential Access	Medium

Control Gaps

• Standard MFA (bypassed via device code/token theft)
• Endpoint Antivirus (no malware dropped)

Key Behavioral Indicators

• Rapid sequence of Graph API reconnaissance calls (/manager, /directReports, /organization)
• Authentication via device code flow from unknown or unmanaged devices
• Presence of X-Tenant-Secret headers in web traffic (if inspecting affiliate infrastructure)

False Positive Assessment

• Medium. Legitimate applications and scripts heavily use the Microsoft Graph API and device code flow, requiring careful baseline tuning to distinguish EvilTokens automation from normal business processes.

Recommendations

Immediate Mitigation

• Revoke active sessions and refresh tokens for suspected compromised accounts.
• Review and remove unauthorized inbox rules (forwarding/deletion) in Exchange Online.

Infrastructure Hardening

• Disable or restrict the Microsoft Device Code flow in Entra ID if not strictly required by the organization.
• Implement Conditional Access policies restricting access from unmanaged devices or unknown locations.
• Reduce token lifetimes to limit the window of opportunity for stolen tokens.

User Protection

• Deploy FIDO2 security keys or phishing-resistant MFA to mitigate token theft.
• Monitor for and alert users on new device registrations or unusual login locations.

Security Awareness

• Train employees to recognize device code phishing lures and verify the context before entering codes on microsoft.com/devicelogin.
• Educate finance and HR teams on AI-generated BEC lures, emphasizing out-of-band verification for payment changes.

MITRE ATT&CK Mapping

• T1566.002 - Phishing: Spearphishing Link
• T1528 - Steal Application Access Token
• T1550.004 - Use Alternate Authentication Material: Web Session Cookie
• T1114.002 - Email Collection: Remote Email Collection
• T1598.003 - Phishing for Information: Spearphishing Link
• T1137.005 - Office Application Startup: Outlook Rules

Additional IOCs

• Domains:
  • machinemind-market[[.]]com - Domain selling the custom browser for BEC operations.
• Urls:
  • /api/ext/device/start - Backend endpoint called by affiliate scripts to initiate device code flow.
  • /api/ext/device/status/{sessionId} - Backend endpoint called by affiliate scripts to check token capture status.
  • /api/ext/link/create?email={email} - Backend endpoint called by affiliate scripts to register target emails.
• File Paths:
  • index.php - Affiliate server-side PHP script used to render the phishing page and communicate with the backend.
• Other:
  • X-Real-IP - HTTP header used by affiliate code to forward the victim's IP address to the backend.
  • X-Tenant-Secret - HTTP header used by affiliate code to authenticate to the centralized EvilTokens infrastructure.