
New widespread EvilTokens kit: device code phishing as-a-service – Part 1

EvilTokens is a newly discovered Phishing-as-a-Service (PhaaS) platform that automates Microsoft device code phishing to facilitate Business Email Compromise (BEC). By tricking victims into authorizing a malicious device via legitimate Microsoft login portals, attackers harvest access and refresh tokens to gain persistent, unauthenticated access to Microsoft 365 environments.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-03-30

Authors: Sekoia TDR

Actors: EvilTokens, eviltokensadmin

Source: Sekoia.io


Key Takeaways

  • EvilTokens is a new Phishing-as-a-Service (PhaaS) kit specializing in Microsoft device code phishing to facilitate Business Email Compromise (BEC).
  • The kit automates the theft of access and refresh tokens, converting them to Primary Refresh Tokens (PRTs) for persistent, MFA-bypassing access.
  • Phishing lures impersonate trusted services like Adobe Acrobat, DocuSign, and Microsoft applications to trick users into entering a device code on legitimate Microsoft portals.
  • The backend features advanced capabilities including reconnaissance, enumeration, and one-click browser SSO hijacking.
  • Campaigns are widespread globally, utilizing various attachment types (PDF, HTML, XLSX, SVG, DOCX) to deliver the phishing links.

Affected Systems

  • Microsoft 365
  • Entra ID
  • Exchange Online
  • SharePoint Online
  • OneDrive
  • Microsoft Teams

Attack Chain

Attackers send phishing emails with attachments (PDF, HTML, XLSX, SVG, DOCX) containing links or QR codes to EvilTokens pages. The victim visits the page, which impersonates a trusted service (e.g., Adobe Acrobat, DocuSign) and displays a device code fetched from the Microsoft API. The victim is redirected to the legitimate Microsoft device login page and enters the code, unknowingly authorizing the attacker's device. The EvilTokens backend then polls Microsoft to retrieve access and refresh tokens, converting them to Primary Refresh Tokens (PRTs) for persistent access, reconnaissance, and subsequent data exfiltration or BEC.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Sekoia.io, urlscan.io, urlquery

The article provides a YARA rule to detect EvilTokens HTML phishing pages and specific search queries for urlscan.io and urlquery to identify the infrastructure.

Detection Engineering Assessment

  • EDR Visibility: Low. The attack primarily occurs in the cloud (Entra ID/M365) and the browser, with no malware executed on the local endpoint.
  • Network Visibility: Medium. Network logs might capture traffic to the phishing domains or the presence of the X-Antibot-Token header, but the actual authentication traffic goes to legitimate Microsoft endpoints.
  • Detection Difficulty: Hard. The authentication flow uses legitimate Microsoft endpoints (microsoft.com/devicelogin), making it difficult to distinguish from legitimate device code authorizations without strict conditional access policies.

Required Log Sources

  • Entra ID Sign-in Logs
  • Microsoft 365 Audit Logs
  • Web Proxy/Gateway Logs

Hunting Hypotheses

  • Hypothesis: Look for unusual device code authentication events in Entra ID sign-in logs, especially from unexpected geolocations or device types. Telemetry: Entra ID Sign-in Logs. ATT&CK Stage: Credential Access. FP Risk: Medium.
  • Hypothesis: Hunt for web proxy logs containing the X-Antibot-Token HTTP header. Telemetry: Web Proxy/Gateway Logs. ATT&CK Stage: Initial Access. FP Risk: Low.
  • Hypothesis: Monitor for sudden creation or usage of Primary Refresh Tokens (PRTs) from unknown or unmanaged devices. Telemetry: Entra ID Sign-in Logs. ATT&CK Stage: Persistence. FP Risk: Medium.

Control Gaps

  • Standard MFA
  • Endpoint Antivirus

Key Behavioral Indicators

  • X-Antibot-Token HTTP header
  • URL paths /api/device/start and /api/device/status/
  • Cloudflare Workers subdomains ending in -s-account.workers.dev
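The following is an added hunting example, not code from the Sekoia report or the EvilTokens kit, that turns the hunting hypotheses and the behavioral indicators above into two checks: one over web proxy/gateway log lines (the X-Antibot-Token header, the /api/device/ and /api/prt/ paths, and the -s-account.workers.dev subdomain pattern) and one over Entra ID sign-in records (device code authentications from an unexpected country or an unmanaged device). The proxy log layout is an assumption made for the example, the sample lines and sign-in records are constructed (hosts reuse IOCs listed in this report), and the sign-in field names (authenticationProtocol, location.countryOrRegion, deviceDetail.isManaged) follow the Microsoft Graph signIn schema as exported by most SIEM connectors; adapt them to your own log source.

```python
"""Hunt helpers for EvilTokens-style device code phishing, built from the
indicators in this report: the X-Antibot-Token header, the /api/device/* and
/api/prt/* paths, the *-s-account.workers.dev subdomain pattern, and device
code sign-ins from unexpected locations or unmanaged devices."""
import re
from dataclasses import dataclass, field

ANTIBOT_HEADER = "x-antibot-token"
KIT_PATHS = ("/api/device/start", "/api/device/status/",
             "/api/prt/convert", "/api/prt/cookie", "/api/prt/recon")
WORKERS_SUFFIX_RE = re.compile(r"-s-account\.workers\.dev$", re.IGNORECASE)

# Assumed (constructed) proxy log layout: "<ts> <src_ip> <method> <url> [hdr:<name>=<value> ...]"
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)(?P<rest>.*)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/?#]+)(?P<path>/[^?#]*)?", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    src_ip: str
    host: str
    reasons: list = field(default_factory=list)


def match_proxy_indicators(lines):
    """Return one Hit per log line that carries at least one kit indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        u = URL_RE.match(m["url"])
        host = u["host"].lower() if u else ""
        path = (u["path"] or "/") if u else ""
        reasons = []
        if WORKERS_SUFFIX_RE.search(host):
            reasons.append("-s-account.workers.dev subdomain")
        if any(path.startswith(p) for p in KIT_PATHS):
            reasons.append("kit API path " + path)
        if ANTIBOT_HEADER in m["rest"].lower():
            reasons.append("X-Antibot-Token header")
        if reasons:
            hits.append(Hit(n, m["src"], host, reasons))
    return hits


def flag_device_code_signins(records, expected_countries):
    """Flag sign-ins whose authenticationProtocol is deviceCode (Graph signIn
    property name) and that come from an unexpected country or an unmanaged device."""
    flagged = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        country = (r.get("location") or {}).get("countryOrRegion")
        managed = (r.get("deviceDetail") or {}).get("isManaged", False)
        reasons = []
        if country not in expected_countries:
            reasons.append("unexpected country %s" % country)
        if not managed:
            reasons.append("unmanaged device")
        if reasons:
            flagged.append((r.get("userPrincipalName"), reasons))
    return flagged


# Constructed sample data. Hosts reuse IOCs from this report; everything else is made up.
SAMPLE_PROXY_LOG = [
    "2026-03-30T09:58:12Z 10.20.4.17 GET https://adobe-b6d.tuwilika-fcsnam-com-s-account.workers.dev/",
    "2026-03-30T09:58:15Z 10.20.4.17 POST https://adobe-b6d.tuwilika-fcsnam-com-s-account.workers.dev/api/device/start hdr:X-Antibot-Token=REDACTED",
    "2026-03-30T09:58:20Z 10.20.4.17 GET https://adobe-b6d.tuwilika-fcsnam-com-s-account.workers.dev/api/device/status/ab12",
    "2026-03-30T09:58:41Z 10.20.4.17 GET https://www.microsoft.com/devicelogin",
    "2026-03-30T10:01:03Z 10.20.7.3 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "2026-03-30T10:02:44Z 10.20.9.9 GET https://carbatterygurgaon.com/api/device/start",
]
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "NG"}, "deviceDetail": {"isManaged": False}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "FR"}, "deviceDetail": {"isManaged": True}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "NG"}, "deviceDetail": {"isManaged": False}},
    {"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "FR"}, "deviceDetail": {}},
]

if __name__ == "__main__":
    for h in match_proxy_indicators(SAMPLE_PROXY_LOG):
        print("proxy line %d from %s -> %s: %s" % (h.line_no, h.src_ip, h.host, "; ".join(h.reasons)))
    for upn, reasons in flag_device_code_signins(SAMPLE_SIGNINS, {"FR"}):
        print("device code sign-in for %s: %s" % (upn, "; ".join(reasons)))
```

The proxy check is low-noise because the header and the workers.dev naming scheme are specific to the kit, whereas the sign-in check is only a triage filter: the report rates detection difficulty as hard because the authorization itself lands on legitimate Microsoft endpoints, so baseline your tenant's legitimate device code usage (headless CLI tools, smart displays, managed admin hosts) before treating every hit as compromise, and pair the hunt with the Conditional Access restriction on the device code flow recommended below.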

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known EvilTokens domains and Cloudflare Worker patterns.
  • Revoke active sessions and refresh tokens for users suspected of compromise.

Infrastructure Hardening

  • Disable the OAuth 2.0 Device Authorization Grant flow in Entra ID if not required by the organization.
  • Implement Conditional Access policies restricting device code flow to trusted networks or managed devices.

User Protection

  • Deploy phishing-resistant MFA (e.g., FIDO2 security keys).
  • Use email security gateways to block attachments containing QR codes or links to known PhaaS infrastructure.

Security Awareness

  • Train users on the risks of device code phishing and instruct them never to enter codes from untrusted sources into Microsoft login pages.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1566.002 - Phishing: Spearphishing Link
  • T1528 - Steal Application Access Token
  • T1550.004 - Use Alternate Authentication Material: Web Session Cookie
  • T1114.002 - Email Collection: Remote Email Collection

Additional IOCs

  • Domains:
    • backdoor-hub[.]com - EvilTokens affiliate-hosted phishing domain
    • bumpgames[.]net - EvilTokens affiliate-hosted phishing domain
    • carbatterygurgaon[.]com - EvilTokens affiliate-hosted phishing domain
    • careldutoit-el[.]co[.]za - EvilTokens affiliate-hosted phishing domain
    • dao[.]com[.]au - EvilTokens affiliate-hosted phishing domain
    • docusend[.]networkssolutionmail[.]com - EvilTokens affiliate-hosted phishing domain
    • eqfit[.]co[.]za - EvilTokens affiliate-hosted phishing domain
    • eventcalender-schedule[.]com - EvilTokens affiliate-hosted phishing domain
    • evobothub[.]org - EvilTokens affiliate-hosted phishing domain
    • framebound[.]cloud - EvilTokens affiliate-hosted phishing domain
    • infinitechai[.]org - EvilTokens affiliate-hosted phishing domain
    • internalmemorecord[.]bxwancheng[.]com - EvilTokens affiliate-hosted phishing domain
    • macmamo[.]com - EvilTokens affiliate-hosted phishing domain
    • mirsanotolastik[.]com - EvilTokens affiliate-hosted phishing domain
    • mirzanyapi[.]com - EvilTokens affiliate-hosted phishing domain
    • newmobilepolojean[.]com - EvilTokens affiliate-hosted phishing domain
    • notificationsmanagersec[.]com - EvilTokens affiliate-hosted phishing domain
    • pelangiservice[.]com - EvilTokens affiliate-hosted phishing domain
    • prcservis[.]com - EvilTokens affiliate-hosted phishing domain
    • promanager[.]outboundciwidey[.]com - EvilTokens affiliate-hosted phishing domain
    • serenitygovsupplys[.]com - EvilTokens affiliate-hosted phishing domain
    • signaturerequired[.]thecoolcactus[.]com - EvilTokens affiliate-hosted phishing domain
    • smstltle[.]net - EvilTokens affiliate-hosted phishing domain
    • statushelper[.]aguasomos[.]com - EvilTokens affiliate-hosted phishing domain
    • suctwocesonesstory[.]com - EvilTokens affiliate-hosted phishing domain
    • thesafarigarden[.]com - EvilTokens affiliate-hosted phishing domain
    • topbuysella[.]com - EvilTokens affiliate-hosted phishing domain
    • totalhomesafe[.]com - EvilTokens affiliate-hosted phishing domain
    • update[.]youcreadio[.]cfd - EvilTokens affiliate-hosted phishing domain
    • well[.]atlantaperlnatal[.]com - EvilTokens affiliate-hosted phishing domain
    • xlkconsulting[.]co[.]za - EvilTokens affiliate-hosted phishing domain
    • yankeepine[.]co - EvilTokens affiliate-hosted phishing domain
    • youremplregroup[.]com - EvilTokens affiliate-hosted phishing domain
    • docusign-vs4[.]finance-zltnservices-org-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • onedrive-au8[.]hayixa9795-pazard-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • adobe-b6d[.]tuwilika-fcsnam-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • onedrive-23n[.]sbutler-stateservice-us-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • onedrive-ac4[.]ryker-samik-dropmeon-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • onedrive-33i[.]amittal-prodwaresol-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • docusign-d0e[.]admin-treyripple-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • adobe-t9r[.]thomas-gibson-clyde-enq-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • onedrive-7fp[.]davarius-thackery-dropmeon-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • adobe-h7l[.]gregcausey-hyundaicrenshaw-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • sharepoint-uo2[.]angela-warrconstructioninc-onmicrosoft-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • onedrive-hea[.]jhaas-hapnehartmedia-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • page-custommmvx6290-9kb[.]snpfs90-outlook-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • index-8ni[.]shirdav-mail-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • docusign-gmx[.]medea-locallovechs-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • index-izk[.]rifkit-protonmail-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • docusign-t0o[.]accountsreceivable-greens-au-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • adobe-7bf[.]signature-on-invoice-required-mail-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • page-voicemail-3i6[.]ucbqzm9-ucl-ac-uk-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • adobe-y73[.]letsgo-birdynyc-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • onedrive-dsk[.]cassandra-warholak-ifrma-org-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • docusign-u0p[.]kevin-domae-ca-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • docusign-a5c[.]export-cellular-iberia-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • docusign-14g[.]jhipolito-arrow-food-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • adobe-qi2[.]pm-pdgrealty-proton-me-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • adobe-8dt[.]ishaan-zvi-dropmeon-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • adobe-of6[.]hayixa9795-pazard-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • docusign-ffp[.]garciarodriguezt-student-wpunj-edu-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • docusign-y8l[.]accountant-fitfranchisebrands-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • adobe-mxg[.]snpfs90-outlook-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • index-ap3[.]tyler2miler-proton-me-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • adobe-yzz[.]ejkim-gsglobalusa-us-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • docusign-520[.]mike-maplecityglass-net-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • voicemail-l1b[.]thomas-gibson-clyde-enq-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • docusign-ac3[.]christina-parsons-charter-comm-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • docusign-o4x[.]bhc-credit-services-edl-bayreer-com-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
    • onedrive-4um[.]accounting-malitzconstructioninc-co-s-account[.]workers[.]dev - EvilTokens administrator-hosted Cloudflare Workers domain
  • URLs:
    • /api/prt/convert - EvilTokens backend API endpoint to convert a refresh token to a PRT.
    • /api/prt/cookie - EvilTokens backend API endpoint to generate a cookie for one-click browser SSO hijack.
    • /api/prt/recon - EvilTokens backend API endpoint to obtain a Graph API token and perform reconnaissance.