Microsoft 365 is facing a new and insidious threat: the EvilToken campaign. This sophisticated phishing attack targets hundreds of organizations daily, compromising their security and data. What makes it particularly dangerous is its ability to bypass traditional security measures, leveraging device code phishing and OAuth tokens to gain unauthorized access.
The EvilToken campaign is a masterclass in exploiting trust. Attackers trick victims into completing a legitimate Microsoft authentication flow, which then issues a valid token to the attacker's session. This token grants the attacker access to email and files, often going unnoticed until it's too late. The attackers' use of generative AI to create tailored phishing messages further emphasizes the need for vigilance.
One of the most concerning aspects of this campaign is how it handles the short validity window of device codes. By generating codes dynamically rather than relying on a pre-made code, attackers automate the process, making it more efficient and harder to detect. This shift from manual scripts to AI-driven attack chains highlights a broader trend in SaaS attacks.
Bill Legue, Lead Threat Hunter at AppOmni, emphasizes the changing nature of these attacks. "The EvilToken campaign is not an isolated incident. It reflects a consistent and growing pattern in SaaS attacks. Attackers are no longer trying to break in; they are logging in with valid access, leveraging tokens and operating entirely within trusted SaaS environments."
Legue's insights underscore the importance of a two-layered response strategy: containment and continuous risk reduction. Security teams should focus on reducing active exposure by restricting or disabling device code authentication, blocking unauthorized device code authentication flows, and monitoring for suspicious inbox rules, abnormal Microsoft Graph API activity, and unexpected device registrations.
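The three monitoring signals named above (device code sign-ins, suspicious inbox rules, unexpected device registrations) can be triaged together per user. The following is an added example, not code from AppOmni or Microsoft: the field names follow the shape of Microsoft Graph sign-in records (`authenticationProtocol`, `appDisplayName`, `ipAddress`, `status.errorCode`) and Unified Audit Log events (`Operation`, `UserId`, `Parameters`), but every record is constructed, the `allowed_apps` allowlist is an assumed organisational policy, and the escalation rule (a successful device code sign-in plus any follow-on signal for the same user) is one reasonable heuristic rather than a vendor rule.

```python
"""Per-user triage of device-code phishing follow-on activity (added example).

Input records are constructed to resemble Entra ID sign-in logs and
Exchange Online / directory audit events; all values are invented.
"""
import json
from collections import defaultdict

# Constructed sample: Entra ID sign-in records (subset of fields).
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-06-01T09:02:11Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "authorizationCode",
     "appDisplayName": "Outlook", "ipAddress": "198.51.100.7",
     "createdDateTime": "2024-06-01T08:55:00Z", "status": {"errorCode": 0}},
    # Failed device-code attempt: the victim never completed the flow.
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-06-01T09:04:40Z", "status": {"errorCode": 50126}},
]

# Constructed sample: Unified Audit Log events (Exchange + directory).
AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "attacker@external.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Receipts"}]},
    {"Operation": "Add registered owner to device.", "UserId": "alice@example.com",
     "ObjectId": "device-0000-constructed"},
    {"Operation": "Add device.", "UserId": "carol@example.com",
     "ObjectId": "device-1111-constructed"},
]

# Inbox-rule parameters that move mail out of the victim's sight.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
DEVICE_OPERATIONS = {"Add device.", "Add registered owner to device.",
                     "Add registered users to device."}


def device_code_signins(signins, allowed_apps=frozenset()):
    """Successful device-code sign-ins, excluding apps the org approved for that flow."""
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and s.get("status", {}).get("errorCode") == 0
            and s.get("appDisplayName") not in allowed_apps]


def risky_inbox_rules(events):
    """Inbox rule creations/changes that forward, redirect or delete mail."""
    out = []
    for e in events:
        if e.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        params = {p["Name"]: p["Value"] for p in e.get("Parameters", [])}
        hits = {k: v for k, v in params.items()
                if k in RISKY_RULE_PARAMS and str(v).lower() != "false"}
        if hits:
            out.append({"user": e["UserId"], "rule_params": hits})
    return out


def device_registrations(events):
    """Directory events that register a new device or device owner."""
    return [{"user": e["UserId"], "device": e.get("ObjectId")}
            for e in events if e.get("Operation") in DEVICE_OPERATIONS]


def correlate(signins, events, allowed_apps=frozenset()):
    """Group signals per user. Returns (all findings, escalated subset).

    A user is escalated when a device-code sign-in is followed by at least
    one other signal; the others are kept for review at lower priority.
    """
    findings = defaultdict(list)
    for s in device_code_signins(signins, allowed_apps):
        findings[s["userPrincipalName"]].append(
            ("device_code_signin", s["appDisplayName"], s["ipAddress"]))
    for r in risky_inbox_rules(events):
        findings[r["user"]].append(("inbox_rule", r["rule_params"]))
    for d in device_registrations(events):
        findings[d["user"]].append(("device_registration", d["device"]))
    escalated = {u: f for u, f in findings.items()
                 if any(k == "device_code_signin" for k, *_ in f) and len(f) > 1}
    return dict(findings), escalated


if __name__ == "__main__":
    everything, urgent = correlate(SIGNINS, AUDIT)
    print(json.dumps({"all": everything, "escalated": urgent}, indent=2, default=str))
```

Running the block escalates only the user whose device code sign-in is followed by a forwarding-and-delete inbox rule and a device registration; a benign folder rule or a failed device code attempt alone stays in the lower-priority bucket. Passing an `allowed_apps` set lets a team keep device code flow for the headless tools that genuinely need it while still surfacing every other use.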
However, containment measures alone are not enough. To prevent recurrence, organizations must address the root issue: how access is granted, used, and extended across SaaS environments. This involves continuous validation of identity and access, monitoring post-authentication behavior, and controlling OAuth and application access.
The EvilToken campaign serves as a stark reminder that identity is now the primary attack surface. Compromise happens at the authentication layer, not the infrastructure layer. Tokens are the new persistence mechanism, allowing attackers to maintain access without repeated logins or password reuse. Post-authentication activity is where risk truly lives, and native features are being weaponized.
In response to this evolving threat landscape, security teams must shift their mindset from alert-driven security to risk-based prioritization. They should focus on high-impact identity and access combinations, identify activity tied to sensitive data, and reduce exposure based on the business context. By taking these proactive measures, organizations can better protect themselves from the EvilToken campaign and other sophisticated phishing attacks.