EvilTokens: How “Ghost” Code Threatens US and European Businesses
The EvilTokens phishing kit utilizes browser-side AES-GCM decryption to conceal its malicious payload from static analysis tools. By abusing the Microsoft Device Code authentication flow, the kit tricks victims into authorizing attacker access to their Microsoft 365 accounts without directly harvesting credentials, creating a significant visibility gap for SOC teams.
Authors:
- domainemp01825[.]workers[.]devTop-level domain abused by EvilTokens
- domainimtesasanqaolo[.]homesDomain associated with device code phishing
- domainnomaerngineering[.]comDomain associated with device code phishing
- domainpetruzzidistrib[.]autosDomain associated with device code phishing
- domainviewdocuemnt151y-dataqjqhg[.]emp01825[.]workers[.]devEvilTokens phishing landing page subdomain
- md5fcd1b654a0b3e8f85ca7cfdafe494d4bMD5 hash associated with the EvilTokens phishing payload
- urlhxxps://files-s3-bucket-documents-331[.]mgorman-f86[.]workers[.]dev/api/device/startDevice code phishing start endpoint
- urlhxxps://imtesasanqaolo[.]homes/api/device/startDevice code phishing start endpoint
- urlhxxps://landmine-coat-sheath[.]ngrok-free[.]dev/api/device/startDevice code phishing start endpoint
- urlhxxps://nomaerngineering[.]com/api/device/startDevice code phishing start endpoint
- urlhxxps://petruzzidistrib[.]autos/api/device/startDevice code phishing start endpoint
- urlhxxps://viewdocuemnt151y-dataqjqhg[.]emp01825[.]workers[.]dev/api/device/gate/6715247cd324ed10EvilTokens gate check endpoint
- urlhxxps://viewdocuemnt151y-dataqjqhg[.]emp01825[.]workers[.]dev/api/device/startEndpoint used by EvilTokens to request the Microsoft device user code
- urlhxxps://viewdocuemnt151y-dataqjqhg[.]emp01825[.]workers[.]dev/api/device/status/7f3b490d80bbe2ecafc807700e0d71acEvilTokens session status polling endpoint
Detection / HunterGoogle
What Happened
Cybercriminals are using a phishing tool called EvilTokens to break into Microsoft 365 accounts. The tool hides its malicious code using encryption that only unlocks once the victim opens the page in their web browser, making it hard for standard security tools to spot. Instead of stealing passwords, it tricks users into approving a legitimate-looking Microsoft login request on their device. This matters because it allows attackers to bypass normal security checks and access sensitive corporate emails and files. Organizations should educate employees on the dangers of approving unexpected device login codes and use advanced browser-level scanning to catch these hidden threats.
Key Takeaways
- EvilTokens hides its phishing flow using browser-side AES-GCM decryption, bypassing static URL analysis and network-level checks.
- The kit abuses Microsoft's legitimate device login flow to gain account access without directly stealing passwords.
- Browser-level inspection is required to view the decrypted DOM and trace the API requests behind the device-code flow.
- The attack utilizes a gate check mechanism to serve decoy pages if specific conditions are not met, further complicating analysis.
Affected Systems
- Microsoft 365
- Web Browsers
Attack Chain
The attack begins when a victim visits an EvilTokens phishing URL, which delivers an AES-GCM encrypted HTML payload. The victim's browser decrypts and renders the DOM, triggering a gate check request to the attacker's backend to verify the target. If approved, the page requests a Microsoft device user code via a POST request and displays it to the victim, urging them to enter it on the legitimate Microsoft device login page. The malicious page continuously polls the session status, and once the victim authorizes the code, the attacker gains an application access token while the victim is redirected to a legitimate OneDrive page.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: ANY.RUN
The article provides ANY.RUN Threat Intelligence search queries to find related phishing infrastructure based on signatures, threat names, and specific URL paths.
Detection Engineering Assessment
EDR Visibility: Low — The attack relies on browser-side decryption and legitimate Microsoft OAuth flows, generating minimal endpoint artifacts that traditional EDRs monitor. Network Visibility: Medium — While the initial payload is encrypted, the subsequent API calls (e.g., /api/device/start) may be visible if SSL/TLS inspection is enabled. Detection Difficulty: Hard — The use of AES-GCM encryption for the landing page evades static URL analysis, and the abuse of legitimate Microsoft device login flows blends in with normal authentication traffic.
Required Log Sources
- Proxy Logs
- DNS Logs
- Browser Extension Telemetry
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for web traffic to unusual or newly registered domains containing the URI path '/api/device/start' or '/api/device/gate/'. | Proxy Logs | Delivery | Low |
| If you have visibility into browser DOM events, consider hunting for large, sudden DOM size changes occurring shortly after page load, which may indicate browser-side decryption. | Browser Extension Telemetry | Execution | Medium |
Control Gaps
- Static URL Analysis
- Network-level signature detection without SSL inspection
Key Behavioral Indicators
- Presence of AES-GCM decryption routines in obfuscated JavaScript
- XHR/Fetch requests to /api/device/start
- Polling behavior to /api/device/status/{sessionId}
False Positive Assessment
- Low for the specific URL paths (/api/device/start) combined with suspicious domains, but High if blocking shared infrastructure like Cloudflare IPs.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking the identified EvilTokens domains and URL paths in your web proxy or DNS filtering solutions.
- Evaluate whether recent Microsoft 365 device code authentications originated from unexpected locations or devices.
Infrastructure Hardening
- If applicable, consider disabling the Microsoft Device Code authentication flow in your Azure AD / Entra ID tenant if it is not required for business operations.
- Evaluate implementing Conditional Access policies to restrict device code logins to trusted networks or compliant devices.
User Protection
- Consider deploying browser security extensions capable of dynamic DOM inspection to catch client-side decrypted phishing pages.
Security Awareness
- Consider updating security awareness training to specifically warn users about the dangers of entering Microsoft device codes presented by third-party websites.
MITRE ATT&CK Mapping
- T1566.002 - Spearphishing Link
- T1027 - Obfuscated Files or Information
- T1528 - Steal Application Access Token
- T1550.001 - Application Access Token
Additional IOCs
- Domains:
emp01825[.]workers[.]dev- Top-level domain abused by EvilTokensimtesasanqaolo[.]homes- Domain associated with device code phishingnomaerngineering[.]com- Domain associated with device code phishingpetruzzidistrib[.]autos- Domain associated with device code phishing
- Urls:
hxxps://viewdocuemnt151y-dataqjqhg[.]emp01825[.]workers[.]dev/api/device/gate/6715247cd324ed10- EvilTokens gate check endpointhxxps://viewdocuemnt151y-dataqjqhg[.]emp01825[.]workers[.]dev/api/device/status/7f3b490d80bbe2ecafc807700e0d71ac- EvilTokens session status polling endpointhxxps://files-s3-bucket-documents-331[.]mgorman-f86[.]workers[.]dev/api/device/start- Device code phishing start endpointhxxps://imtesasanqaolo[.]homes/api/device/start- Device code phishing start endpointhxxps://nomaerngineering[.]com/api/device/start- Device code phishing start endpointhxxps://landmine-coat-sheath[.]ngrok-free[.]dev/api/device/start- Device code phishing start endpointhxxps://petruzzidistrib[.]autos/api/device/start- Device code phishing start endpoint