
EvilTokens PhaaS: OAuth Device Code Flow Bypass – Detection and Defense

Security Arsenal Team
May 19, 2026

Introduction

In February 2026, a new threat actor known as EvilTokens operationalized a "Social Engineering-as-a-Service" (PhaaS) platform that has rapidly compromised over 340 Microsoft 365 organizations across five countries in just five weeks.

Unlike traditional credential harvesting, this campaign does not require a fake login page. Instead, it abuses the legitimate OAuth 2.0 Device Authorization Grant flow: attackers trick users into entering a short code at the legitimate microsoft.com/devicelogin portal and completing their standard MFA challenge. Because the interaction occurs on the official Microsoft domain, traditional email filters and URL reputation engines do not block it, and because the victim completes the MFA challenge themselves, the attacker ends up with a persistent, authenticated session. Defenders must act immediately to detect device code sign-ins and restrict application consent permissions.

Technical Analysis

Affected Products & Platforms:

  • Microsoft 365 (Exchange Online, SharePoint Online, OneDrive)
  • Azure Active Directory (Entra ID)

Attack Vector & Mechanism: The attack leverages the OAuth 2.0 Device Authorization Grant (RFC 8628), designed for input-constrained devices like smart TVs or IoT devices. EvilTokens has weaponized this flow for human-in-the-loop attacks.

  1. Initiation: The attacker (or EvilTokens automation) requests a device code and user code from Microsoft.
  2. Social Engineering: The victim receives a message (email, Teams, SMS) instructing them to verify their identity by entering the short code at microsoft.com/devicelogin.
  3. Consent & Auth: The victim navigates to the legitimate URL, enters the code, and logs in. Crucially, they complete the MFA prompt.
  4. Token Exchange: Once the victim authenticates, the attacker's polling service receives a Refresh Token and Access Token.
  5. Access: The attacker uses the tokens to reach the victim's M365 data (email, files) through the Microsoft Graph API. Because the sign-in is evaluated against the device and location context of the attacker's polling system rather than the victim's, loosely configured Conditional Access policies are often satisfied.

Exploitation Status:

  • Status: Confirmed Active Exploitation (In-the-wild)
  • Threat Actor: EvilTokens (PhaaS Platform)
  • Known IOCs: Use of microsoft.com/devicelogin combined with specific OAuth scope requests (e.g., mail.read, files.read).

Detection & Response

SIGMA Rules

YAML
---
title: Potential OAuth Device Code Flow Login
id: 8f4c1b2e-5a6d-4b3c-9e1f-2a3b4c5d6e7f
status: experimental
description: Detects successful sign-ins that used the OAuth 2.0 device code flow (AuthenticationProtocol "deviceCode"), which is uncommon on standard user workstations and may indicate a device code phishing attempt such as EvilTokens.
references:
  - https://attack.mitre.org/techniques/T1528/
  - https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.credential_access
  - attack.t1528
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    AuthenticationProtocol: 'deviceCode'
    ResultType: 0
  filter_legit_iot:
    DeviceDetail|contains: 'IoT' # Optional: exclude known IoT device records; tune to your environment
  condition: selection and not filter_legit_iot
falsepositives:
  - Legitimate use of IoT devices or CLI tools (e.g., Azure CLI) that require device code sign-in
level: high
---
title: EvilTokens - Consent to Application via Device Flow
id: a9e2d3c4-5f6a-4b7c-8d1e-2a3b4c5d6e7f
status: experimental
description: Detects consent to an application whose display name matches names associated with the EvilTokens PhaaS. Correlate with the device code sign-in rule above; a consent granted shortly after a device code sign-in is the pattern of this campaign.
references:
  - https://thehackernews.com/2026/05/the-new-phishing-click-how-oauth.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.initial_access
  - attack.t1078.004
logsource:
  product: azure
  service: auditlogs
detection:
  selection_consent:
    OperationName|startswith:
      - 'Consent to application'
      - 'Add OAuth2PermissionGrant'
  selection_risky_app:
    TargetResourceDisplayName|contains:
      - 'EvilTokens'
      - 'Microsoft365'
      - 'M365 Support'
  condition: all of selection_*
falsepositives:
  - Legitimate application registration by administrators
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Device Code Flow sign-ins (AuthenticationProtocol is the documented field; the value is "deviceCode")
SigninLogs
| where TimeGenerated > ago(30d)
| where AuthenticationProtocol == "deviceCode"
| where ResultType == "0"   // successful sign-ins only; remove this line to include failed attempts
| project TimeGenerated, UserPrincipalName, AppDisplayName, AppId, IPAddress, Location, ResultType, ConditionalAccessStatus, DeviceDetail
| sort by TimeGenerated desc

// Correlate with risky app consents
let RiskyApps = dynamic(["EvilTokens", "M365 Support", "Office365 Verify"]);
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName in ("Consent to application", "Add OAuth2PermissionGrant", "Add appRoleAssignmentToPrincipal")
| extend TargetApp = tostring(TargetResources[0].displayName)
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where TargetApp has_any (RiskyApps)
| project TimeGenerated, Actor, OperationName, TargetApp, TargetResources
| sort by TimeGenerated desc
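The consent rule above describes a consent granted right after a device code sign-in, but neither the Sigma rule nor the KQL query actually joins the two event streams. The following Python script is an added example (not from this advisory or from Microsoft) that performs that correlation offline over constructed records shaped like SigninLogs and AuditLogs exports; the 10-minute window, the Azure CLI allowlist and the inclusion of offline_access among the risky scopes are assumptions to tune per tenant.

```python
"""Correlate device code sign-ins with app consents granted shortly afterwards (added example)."""
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), shaped like SigninLogs / AuditLogs exports.
SIGNINS = [
    {"TimeGenerated": "2026-05-12T09:00:00Z", "UserPrincipalName": "alice@example.com",
     "AuthenticationProtocol": "deviceCode", "AppDisplayName": "M365 Support", "ResultType": "0"},
    {"TimeGenerated": "2026-05-12T09:30:00Z", "UserPrincipalName": "bob@example.com",
     "AuthenticationProtocol": "oAuth2", "AppDisplayName": "Outlook", "ResultType": "0"},
    {"TimeGenerated": "2026-05-12T10:00:00Z", "UserPrincipalName": "carol@example.com",
     "AuthenticationProtocol": "deviceCode", "AppDisplayName": "Azure CLI", "ResultType": "0"},
    {"TimeGenerated": "2026-05-12T11:00:00Z", "UserPrincipalName": "dave@example.com",
     "AuthenticationProtocol": "deviceCode", "AppDisplayName": "M365 Support", "ResultType": "50126"},
]
CONSENTS = [
    {"TimeGenerated": "2026-05-12T09:02:30Z", "UserPrincipalName": "alice@example.com",
     "OperationName": "Consent to application", "TargetApp": "M365 Support",
     "Scopes": "Mail.Read Files.Read offline_access"},
    {"TimeGenerated": "2026-05-12T15:00:00Z", "UserPrincipalName": "carol@example.com",
     "OperationName": "Consent to application", "TargetApp": "Azure CLI", "Scopes": "user_impersonation"},
]
# Assumed allowlist of apps where device code sign-in is expected; tune per tenant.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}
# Scopes named in the advisory plus offline_access, which is what yields the refresh token (assumption).
RISKY_SCOPES = {"mail.read", "files.read", "offline_access"}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def correlate(signins, consents, window=timedelta(minutes=10)):
    """One alert per successful device code sign-in to a non-allowlisted app, enriched with
    any consent the same user granted within `window` after it. Risky scopes raise severity."""
    alerts = []
    for s in signins:
        if s["AuthenticationProtocol"] != "deviceCode" or s["ResultType"] != "0":
            continue  # not device code, or the sign-in failed (no tokens were issued)
        if s["AppDisplayName"] in EXPECTED_DEVICE_CODE_APPS:
            continue
        t0 = _ts(s["TimeGenerated"])
        followups = [c for c in consents
                     if c["UserPrincipalName"] == s["UserPrincipalName"]
                     and t0 <= _ts(c["TimeGenerated"]) <= t0 + window]
        granted = {scope for c in followups for scope in c["Scopes"].lower().split()}
        risky = sorted(granted & RISKY_SCOPES)
        alerts.append({"user": s["UserPrincipalName"], "app": s["AppDisplayName"],
                       "consents": len(followups), "risky_scopes": risky,
                       "severity": "critical" if risky else "high"})
    return alerts
```

Only alice produces an alert: bob did not use device code, carol's sign-in is to an allowlisted app, and dave's attempt failed, so no tokens were issued.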

Velociraptor VQL

VQL — Velociraptor
-- Hunt browser history (Chrome/Edge on Windows, Chrome on macOS) for visits to microsoft.com/devicelogin.
-- Reads the SQLite History databases with the sqlite() plugin; the browser may hold the file locked.
-- Chrome stores last_visit_time as microseconds since 1601-01-01, so multiplying by 10 gives a Windows FILETIME.
LET HistoryGlobs = [
    '''C:\Users\*\AppData\Local\Google\Chrome\User Data\*\History''',
    '''C:\Users\*\AppData\Local\Microsoft\Edge\User Data\*\History''',
    '/Users/*/Library/Application Support/Google/Chrome/*/History'
]

SELECT * FROM foreach(
    row={ SELECT OSPath FROM glob(globs=HistoryGlobs) },
    query={
        SELECT OSPath AS HistoryFile, url, title,
               timestamp(winfiletime=last_visit_time * 10) AS LastVisit
        FROM sqlite(file=OSPath,
                    query='SELECT url, title, last_visit_time FROM urls WHERE url LIKE "%microsoft.com/devicelogin%"')
    })

Remediation Script (PowerShell)

PowerShell
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module)
# Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"

# Identify and report service principals whose display name matches EvilTokens naming patterns
function Find-EvilTokensServicePrincipals {
    param(
        [string[]]$SuspiciousKeywords = @("EvilTokens", "M365 Support", "DeviceLogin", "OauthVerify")
    )

    # Build one case-insensitive regex from the keyword list, escaping regex metacharacters
    $pattern = ($SuspiciousKeywords | ForEach-Object { [regex]::Escape($_) }) -join "|"
    $rogueApps = @(Get-MgServicePrincipal -All | Where-Object { $_.DisplayName -match $pattern })

    if ($rogueApps.Count -gt 0) {
        Write-Host "[ALERT] Found $($rogueApps.Count) potentially malicious service principals:" -ForegroundColor Red
        $rogueApps | Select-Object Id, DisplayName, AppId, PublisherName | Format-Table -AutoSize | Out-Host
        return $rogueApps
    }
    Write-Host "[INFO] No service principals matched the keyword list; review device code sign-ins in the logs as well." -ForegroundColor Green
}

# Remove application permissions (app role assignments) and delegated consent grants for a given App ID
function Revoke-EvilTokensPermissions {
    param(
        [Parameter(Mandatory)][string]$AppId
    )

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) {
        Write-Host "[ERROR] Service principal with AppId $AppId not found." -ForegroundColor Red
        return
    }

    # Application permissions held by the app (admin-consented app roles)
    $assignments = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)
    foreach ($assignment in $assignments) {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $assignment.Id
        Write-Host "[SUCCESS] Removed app role assignment $($assignment.Id)" -ForegroundColor Green
    }

    # Delegated permissions consented by users or admins; this is what a phished user grants
    $grants = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
    foreach ($grant in $grants) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
        Write-Host "[SUCCESS] Revoked delegated grant for principal $($grant.PrincipalId) (scope: $($grant.Scope))" -ForegroundColor Green
    }
    Write-Host "[ACTION] Removed $($assignments.Count) app role assignments and $($grants.Count) delegated grants for $($sp.DisplayName)." -ForegroundColor Yellow
}

# Execute detection; after review, pass a returned AppId to Revoke-EvilTokensPermissions
Find-EvilTokensServicePrincipals

Remediation

To defend against the EvilTokens OAuth Device Code Flow attack, organizations should implement the following measures immediately:

  1. Disable Device Code Flow for User Accounts: If users do not require CLI or IoT device authentication, block the "Device Code Flow" authentication method.
     • Action: Navigate to Microsoft Entra admin center > Authentication methods > Policies > Authentication methods. Configure "Device Code Flow" to be disabled for specific groups or the entire organization.

  2. Restrict App Consent: Ensure users cannot consent to applications accessing organizational data.
     • Action: Go to Entra admin center > Enterprise applications > Consent and permissions > User consent settings. Set to "Do not allow user consent" or configure an app consent workflow for administrator review.

  3. Conditional Access Policies: Implement policies that block legacy authentication or high-risk sign-ins, bearing in mind that Device Code Flow often appears as "Modern" authentication. Conditional Access also provides an "Authentication flows" condition that can target device code flow directly, which is a more reliable control than a legacy-authentication block. Monitor for sign-ins from impossible travel contexts or unfamiliar device IDs immediately following a Device Code Flow event.

  4. Revocation of Compromised Sessions: Identify compromised users (via the detection queries above) and invalidate their refresh tokens.
     • Action: Run Revoke-MgUserSignInSession -UserId <user> in PowerShell, or use the "Revoke sessions" button in the Entra admin center user blade.

  5. User Awareness: Educate users that legitimate Microsoft support will never ask them to enter a code at microsoft.com/devicelogin unless they are personally configuring a device (like a TV) at that exact moment.
