Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Microsoft built device code authentication so your smart TV could log in without a keyboard. Simple, right? Show a code, punch it into a real Microsoft page on your phone, done.
Now that same flow is being sold as a phishing subscription on Telegram.
EvilTokens is a phishing-as-a-service platform that weaponizes device code auth to hijack M365 accounts. It’s already hit 340+ organizations across at least five countries. The trick that makes it so dangerous? Victims authenticate on Microsoft’s real login page. No fake URLs. No cloned portals. Even MFA doesn’t help because the victim completes their MFA challenge on the genuine site.
The lures are role-targeted. Finance gets invoices. HR gets payroll docs. Everything looks like normal business communication. Once a victim enters the code and authenticates, EvilTokens grabs their refresh token. That’s persistent access to email, files, Teams, the works. No password needed again.
This technique started as nation-state tradecraft. Russian APT groups pioneered it in early 2025. It took about a year to land on Telegram as a commodity service. That timeline keeps shrinking.
The fix exists but most orgs haven’t flipped the switch. Conditional Access policies can restrict device code flows to managed devices only. If you don’t have a legit use case for them (and most orgs don’t), block them entirely. Today, not after the next board meeting.
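One way to put that policy in place and to check the sign-in log for the flow, as an added example rather than code from the original post or from Microsoft: it builds the Graph `conditionalAccessPolicy` body (report-only first, then enforced; block outright or require a compliant or hybrid-joined device) and filters Graph `signIn` records by `authenticationProtocol`. The break-glass group id and the sample sign-in records are constructed placeholders.

```python
# Placeholder group id for the break-glass exclusion; substitute your own.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def build_device_code_policy(mode="block", enforce=False):
    """Graph conditionalAccessPolicy body scoped to the device code flow.

    mode="block" denies the flow; mode="managed" allows it only from
    compliant or hybrid-joined devices. Start in report-only (enforce=False),
    check the sign-in log impact, then switch to enabled.
    """
    if mode == "block":
        grant = {"operator": "OR", "builtInControls": ["block"]}
    elif mode == "managed":
        grant = {"operator": "OR",
                 "builtInControls": ["compliantDevice", "domainJoinedDevice"]}
    else:
        raise ValueError(f"unknown mode: {mode}")
    return {
        "displayName": f"Device code flow - {mode}",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # This condition scopes the policy to device code sign-ins.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": grant,
    }


def device_code_signins(records):
    """Return Graph signIn records that used the device code protocol.
    In a tenant with no legitimate use of the flow, every hit needs a look."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


# Constructed sample sign-in records, trimmed to the fields used here.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ap@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "hr@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "cfo@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10"},
]
```

Post the policy body to `/identity/conditionalAccess/policies` with the `Policy.ReadWrite.ConditionalAccess` permission, and pull the sign-in records from `/auditLogs/signIns` to feed the filter.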