This Sekoia post discusses a device code phishing kit called “EvilTokens,” presented as a phishing-as-a-service operation.
Important note
I cannot verify the full technical claims from the quoted link alone, so it is best treated as a research report that should be compared with additional analysis and vendor guidance before drawing firm conclusions.
Practical takeaway
For defenders, the main concern with device code phishing is that it abuses legitimate authentication flows rather than relying on a traditional malware payload.
Review sign-in logs for unusual device code authentication activity
Strengthen conditional access and phishing-resistant MFA where possible
Check Microsoft and identity provider guidance on device code flow abuse
Wait for broader community and vendor analysis if making detection or response decisions
This looks relevant for anyone tracking modern credential theft and token abuse trends.
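As an added example (not from the Sekoia report or the post above), the Python sketch below shows one way to do the sign-in log review suggested in the post: it baselines each user's usual sign-in countries from non-device-code sign-ins, then flags successful device code sign-ins that come from an unfamiliar country or from an IP address that completed the device code flow for several users, which is what a kit proxying the flow on the attacker's side tends to look like. The field names and sample records are constructed assumptions, loosely modelled on identity-provider sign-in logs, not copied from any real tenant.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (field names are an assumption modelled
# loosely on identity-provider sign-in log columns, not taken from any tenant).
SAMPLE_LOGS = """\
{"time":"2025-01-10T08:02:11Z","user":"alice@example.com","protocol":"ropc","ip":"198.51.100.7","country":"FR","result":"success"}
{"time":"2025-01-10T09:15:40Z","user":"bob@example.com","protocol":"authorizationCode","ip":"198.51.100.9","country":"FR","result":"success"}
{"time":"2025-01-11T10:01:02Z","user":"carol@example.com","protocol":"authorizationCode","ip":"198.51.100.12","country":"FR","result":"success"}
{"time":"2025-01-12T13:20:05Z","user":"alice@example.com","protocol":"deviceCode","ip":"203.0.113.50","country":"NL","result":"success"}
{"time":"2025-01-12T13:24:48Z","user":"bob@example.com","protocol":"deviceCode","ip":"203.0.113.50","country":"NL","result":"success"}
{"time":"2025-01-12T14:00:00Z","user":"carol@example.com","protocol":"deviceCode","ip":"198.51.100.12","country":"FR","result":"success"}
"""

def parse_logs(text):
    """Parse one JSON object per line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def baseline_countries(records):
    """Countries each user has successfully signed in from without device code."""
    base = defaultdict(set)
    for r in records:
        if r["protocol"] != "deviceCode" and r["result"] == "success":
            base[r["user"]].add(r["country"])
    return base

def flag_device_code_signins(records, shared_ip_threshold=2):
    """Return (user, ip, reasons) for successful device code sign-ins worth review."""
    base = baseline_countries(records)
    dc = [r for r in records if r["protocol"] == "deviceCode" and r["result"] == "success"]
    # Distinct users whose device code flow completed from each IP address.
    users_per_ip = defaultdict(set)
    for r in dc:
        users_per_ip[r["ip"]].add(r["user"])
    findings = []
    for r in dc:
        reasons = []
        if r["country"] not in base.get(r["user"], set()):
            reasons.append("country outside user's baseline")
        if len(users_per_ip[r["ip"]]) >= shared_ip_threshold:
            reasons.append("same IP completed device code for multiple users")
        if reasons:
            findings.append((r["user"], r["ip"], reasons))
    return findings

if __name__ == "__main__":
    for user, ip, reasons in flag_device_code_signins(parse_logs(SAMPLE_LOGS)):
        print(f"{user} via {ip}: {'; '.join(reasons)}")
```

On the sample data, alice and bob are flagged on both signals while carol's device code sign-in from her usual country and address is left alone; in practice the baseline window and the shared-IP threshold need tuning per tenant.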
While EvilTokens primarily targets corporate environments, home users should also keep a few simple guidelines in mind.
Red Flags:
· Pages requesting login codes outside of the official site.
· Urgent messages claiming account lockouts with external links.
· URLs that do not match the legitimate domain (e.g., login-microsoft.xyz).
· Unexpected "Device Code" requests that you didn't initiate.
Practical Measures:
· Prioritize using MFA (Multi-Factor Authentication) whenever possible.
· Access services by typing the official address directly into your browser.
· Periodically review your sign-in activity in your security dashboard.
Security is not just a software layer, but a habit of constant observation.