Recent research describes a phishing kit called EvilTokens. It is actively targeting organizations in the U.S. and Europe, especially those in finance and other high-value sectors. Barracuda recommends deploying browser-aware phishing analysis and strengthening Microsoft 365 OAuth and device-code controls. These measures can help prevent EvilTokens-style account takeovers.
What is the threat?
EvilTokens is a sophisticated phishing kit that targets Microsoft 365 accounts by abusing device-code OAuth authentication instead of stealing credentials. Rather than sending victims to a fake login page, it guides them through Microsoft’s legitimate device login process, tricking users into granting account access. This allows attackers to obtain access tokens and permissions without ever capturing a password.
The kit is particularly evasive because its phishing content is AES-GCM encrypted and only decrypted within the victim’s browser. As a result, many traditional email, web, and URL filtering tools see only benign-looking content and may miss the phishing workflow entirely. Once authorization is completed, victims are redirected to legitimate Microsoft resources while attackers retain ongoing access to the compromised account.
Why is it noteworthy?
EvilTokens stands out because it abuses legitimate OAuth and device-code authentication mechanisms, allowing malicious activity to blend in with normal Microsoft login behavior. Its use of browser-side decryption also creates a blind spot for security tools that cannot inspect rendered web content.
The kit has been highlighted in recent threat intelligence reporting and reflects a growing trend toward identity-focused phishing attacks. Together, these capabilities make EvilTokens an effective framework for bypassing traditional defenses while directly targeting Microsoft 365 accounts.
What is the exposure or risk?
Organizations that rely on Microsoft 365 face increased risk if users are tricked into completing a malicious device-code login. Because attackers gain access tokens and OAuth permissions rather than passwords, password resets alone may not fully remediate an incident. Security teams should also revoke tokens and remove unauthorized application consent grants.
Compromised accounts may allow attackers to access email, files, cloud applications, and other sensitive resources, potentially leading to data theft, fraud, or business email compromise (BEC). Organizations that rely primarily on static URL inspection or basic network monitoring may struggle to detect these attacks, giving threat actors more time to operate undetected.
What are the recommendations?
Barracuda strongly recommends that organizations take the following steps to reduce the risk of exploitation and strengthen defenses against this and similar threats:
- Strengthen OAuth and device-code controls: Restrict device-code authentication where possible, enforce Conditional Access policies, and regularly review application permissions and consent grants.
- Revoke tokens, not just passwords: Reset passwords, revoke refresh tokens, sign out active sessions, and remove suspicious application consents after a suspected compromise.
- Enforce phishing-resistant MFA: Require MFA for all users and prioritize authenticator apps or security keys over SMS-based methods.
- Deploy browser-aware phishing protection: Use security tools that can inspect rendered web pages and detect phishing content hidden through browser-side decryption.
- Monitor identity activity: Watch for unusual sign-ins, device-code logins, new privileged applications, and unexpected consent grants.
- Strengthen email and web security: Block known EvilTokens indicators using both reputation-based and behavioral detection technologies.
- Educate users: Train employees to be cautious of authentication requests they did not initiate, even when they appear on legitimate Microsoft pages.
- Conduct threat hunting: Investigate logs for evidence of device-code abuse, suspicious OAuth activity, and other related indicators of compromise.
- Review third-party applications: Remove unused integrations and limit excessive permissions granted to connected Microsoft 365 applications.
References
For more in-depth information about the recommendations, please visit the following link:
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

