This is EvilTokens, the new ‘phishing’ that circumvents multi-factor authentication and accesses corporate accounts | artificial intelligence | Microsoft

EvilTokens is a new phishing kit that lets attackers gain access to corporate accounts, even those protected by multi-factor authentication (MFA), by operating covertly through legitimate Microsoft services.


Not even accounts protected by multi-factor authentication are safe from this type of attack, even though MFA has served as an insurmountable barrier against many of the cyber attacks that organizations commonly suffer.

“In this case, the victim interacts with a legitimate Microsoft page and completes a real authentication process, which makes the fraud much more difficult to detect,” says Albors, illustrating the danger of a technique that looks like legitimate access while access is in fact being authorized to a cybercriminal.

This new ploy, as ESET explains, begins when the attackers generate a valid device code and embed it in the routine items any employee handles every day, such as an email, an invoice or even an access request to a corporate platform.

The hook that breaks down whatever resistance an employee might have to a ‘phishing’ attempt is that he or she is directed to a legitimate Microsoft page, where the employee enters the code and completes the authentication process.

Here, Albors warns that “this type of access can later be used for information theft, data exfiltration or launching corporate email compromise (BEC) attacks, especially against finance, human resources, logistics or sales departments.”

EvilTokens can deceive the potential victim in this way because it uses the OAuth 2.0 device authorization flow, a flow designed for the convenience of signing in on devices such as smart TVs or connected printers.


With this type of ‘phishing’ attack, organizations face two serious problems. The first is that many of the indicators by which a victim could recognise that they are under attack are eliminated.

The second concerns the recommendations themselves: they require users to stay on alert and take more drastic and proactive measures to avoid falling for these new, more complex tricks.

These range, according to ESET, from being wary of any unexpected request to enter an authentication code, to verifying which application is requesting permissions before approving access, to not assuming that a request is safe just because it appears on a legitimate page.

Other recommendations are to report any code requests to the IT department, to stay alert for unusual sign-in notifications and, for those managing enterprise security, to limit the use of device code flows when they are not strictly necessary.
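As an added defensive example (not code from the article or from ESET), the script below flags device code flow sign-ins in a constructed sample of Entra ID sign-in log records, assuming a hypothetical allowlist of applications that are permitted to use that flow and treating a sign-in from a country absent from the user's usual baseline as an additional anomaly.

```python
"""Flag Microsoft Entra sign-ins that used the OAuth 2.0 device code flow.
Constructed example: records imitate a few fields of the Entra ID sign-in
log (Graph 'signIn' resource, authenticationProtocol == 'deviceCode')."""
import json
from collections import defaultdict

# Constructed sample sign-in log, one JSON object per line (values made up).
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "ES"}, "createdDateTime": "2025-06-16T08:02:11Z"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "createdDateTime": "2025-06-16T09:40:03Z"}
{"userPrincipalName": "room1@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Teams Rooms", "ipAddress": "203.0.113.12", "location": {"countryOrRegion": "ES"}, "createdDateTime": "2025-06-16T10:15:30Z"}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook", "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "ES"}, "createdDateTime": "2025-06-16T11:01:00Z"}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Teams Rooms", "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "US"}, "createdDateTime": "2025-06-16T11:30:45Z"}
"""

# Hypothetical allowlist: apps that legitimately use device code flow in
# this tenant (e.g. meeting-room hardware). Anything else is unexpected.
ALLOWED_DEVICE_CODE_APPS = {"Microsoft Teams Rooms"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(records, allowed_apps=ALLOWED_DEVICE_CODE_APPS):
    """Alert on device code sign-ins from a non-allowlisted app, or from a
    country absent from the user's baseline of non-device-code sign-ins
    (a location the user never signs in from is a common anomaly signal)."""
    baseline = defaultdict(set)  # user -> countries seen via other protocols
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        reasons = []
        if r.get("appDisplayName") not in allowed_apps:
            reasons.append("app not on device-code allowlist")
        if baseline[user] and country not in baseline[user]:
            reasons.append(f"new country {country}")
        if reasons:
            alerts.append({"user": user, "time": r["createdDateTime"],
                           "ip": r["ipAddress"], "app": r.get("appDisplayName"),
                           "reasons": reasons})
    return alerts
```

Accounts with no non-device-code baseline (such as the meeting-room account above) are only judged by the allowlist, so dedicated device accounts do not generate constant noise.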

By Editor
