EvilTokens hijacks M365 accounts — how to block it
New phishing-as-a-service kit bypasses MFA entirely through Microsoft 365 device code flow. Here is how to block it.
A new phishing-as-a-service platform called EvilTokens has hit over 340 organizations worldwide. The attackers exploit Microsoft's OAuth device code flow to hijack M365 accounts — and MFA does not help.
What happened
EvilTokens is sold on Telegram and gives attackers a complete toolkit for stealing Microsoft 365 sessions. The victim receives an email with a PDF or HTML attachment containing a QR code or link. Clicking it leads to a page impersonating Adobe Acrobat or DocuSign.
The page shows a verification code and tells the user to click "Continue to Microsoft". That takes them to Microsoft's real device login page — but the code ties the session to the attacker's app. Result: full access to the victim's email, OneDrive and Teams.
Over 1,000 domains have been confirmed hosting EvilTokens pages. The campaign has hit organizations in the US, Canada, Australia, France and the UAE.
Why this matters for SMBs
Device code phishing bypasses all MFA methods — including FIDO2 and passkeys. It does not matter how strong your MFA is if the user approves the connection themselves. Companies on M365 Business Premium without Conditional Access policies blocking device code flow are wide open.
What to do now
- Block device code flow in Conditional Access. In the Entra admin center go to Conditional Access → New policy, target the "Device code flow" authentication flow and set the grant control to Block.
- Review sign-in logs. Search for sign-ins with authenticationProtocol = deviceCode from unexpected locations.
- Enable Defender for Office 365 anti-phishing policies with impersonation protection.
- Train your staff: "Never enter a verification code from an email you did not expect."
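As an added example (not part of the original post, and not code from EvilTokens, Microsoft or the author), the following Python script covers the first two steps above offline. It builds the Microsoft Graph request body for a Conditional Access policy that blocks the device code authentication flow (the conditionalAccessPolicy resource with conditions.authenticationFlows.transferMethods set to deviceCodeFlow, posted to /identity/conditionalAccess/policies), and it triages exported sign-in records for authenticationProtocol = deviceCode from countries outside an allowlist. The sample sign-in records, the EXPECTED_COUNTRIES allowlist and the break-glass account id are constructed assumptions for this example; replace them with your tenant's values.

```python
"""Defensive helpers for the two Entra steps in the post: a policy body that
blocks device code flow, and a triage of sign-in logs for device code sign-ins.
Sample records below are constructed for this example, not real tenant data."""
import json


def build_device_code_block_policy(display_name="Block device code flow",
                                   state="enabledForReportingButNotEnforced",
                                   exclude_users=()):
    """Return the Microsoft Graph conditionalAccessPolicy body that blocks the
    device code authentication flow for all users and all cloud apps.

    POST it to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    (permission Policy.ReadWrite.ConditionalAccess). It defaults to report-only
    so the sign-in log can be watched before enforcing; set state="enabled"
    once no legitimate device code usage shows up. exclude_users should hold
    the object ids of your break-glass accounts (placeholder values here).
    """
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            # The condition that matters: match only device code flow sign-ins.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def load_signins(text):
    """Parse a sign-in export: either the Graph {"value": [...]} envelope from
    GET /auditLogs/signIns or a bare JSON list of signIn objects."""
    data = json.loads(text)
    return data["value"] if isinstance(data, dict) else data


def triage_device_code_signins(signins, expected_countries, include_failed=True):
    """Return every sign-in that used device code flow, annotated with whether
    it came from outside the expected countries. Failed attempts are kept by
    default: a burst of failures can be the phishing page being tested."""
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        error_code = (s.get("status") or {}).get("errorCode", 0)
        if error_code != 0 and not include_failed:
            continue
        country = (s.get("location") or {}).get("countryOrRegion", "unknown")
        hits.append({
            "id": s.get("id"),
            "time": s.get("createdDateTime"),
            "user": s.get("userPrincipalName"),
            "app": s.get("appDisplayName"),
            "ip": s.get("ipAddress"),
            "country": country,
            "succeeded": error_code == 0,
            "unexpected_location": country not in expected_countries,
        })
    return hits


def users_to_contact(hits):
    """UPNs with a successful device code sign-in from an unexpected location:
    revoke their sessions and ask what they clicked."""
    return sorted({h["user"] for h in hits if h["succeeded"] and h["unexpected_location"]})


# Constructed sample export (field names follow the Graph signIn resource,
# values are invented). s3 is the pattern the post describes: a successful
# device code sign-in from a country the company never operates in.
SAMPLE_EXPORT = json.dumps({"value": [
    {"id": "s1", "createdDateTime": "2025-03-03T08:12:41Z",
     "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "location": {"city": "Sydney", "countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"id": "s2", "createdDateTime": "2025-03-03T08:15:02Z",
     "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "location": {"city": "Sydney", "countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"id": "s3", "createdDateTime": "2025-03-03T09:40:19Z",
     "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "192.0.2.55", "authenticationProtocol": "deviceCode",
     "location": {"city": "Unknown", "countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"id": "s4", "createdDateTime": "2025-03-03T10:01:00Z",
     "userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "192.0.2.56", "authenticationProtocol": "deviceCode",
     "location": {"city": "Unknown", "countryOrRegion": "NL"}, "status": {"errorCode": 50126}},
]})

# Assumed allowlist: where this example company's staff actually sign in from.
EXPECTED_COUNTRIES = {"AU", "US"}

if __name__ == "__main__":
    print(json.dumps(build_device_code_block_policy(exclude_users=["<break-glass-object-id>"]), indent=2))
    hits = triage_device_code_signins(load_signins(SAMPLE_EXPORT), EXPECTED_COUNTRIES)
    for h in hits:
        flag = "UNEXPECTED" if h["unexpected_location"] else "expected"
        print(f'{h["time"]} {h["user"]:<20} {h["ip"]:<14} {h["country"]} {flag} ok={h["succeeded"]}')
    print("contact:", users_to_contact(hits))
```

Run it against a real export by replacing SAMPLE_EXPORT with the JSON returned by GET /auditLogs/signIns (AuditLog.Read.All). The policy starts in report-only mode on purpose: check the sign-in log for a few days for anything legitimately using device code flow (some CLI tools and shared devices do) before switching state to enabled.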
How we can help
We offer a quick Conditional Access review (1-2 hours) where we block device code flow and audit your sign-in logs. Want us to check your environment? Get in touch.