This is EvilTokens, the new ‘phishing’ that circumvents multi-factor authentication and accesses corporate accounts

EvilTokens is a new ‘phishing’ kit that gives attackers access to corporate accounts even when those accounts are protected by multi-factor authentication (MFA), by operating covertly through legitimate Microsoft services.

The cybersecurity company ESET has warned about EvilTokens, a ‘phishing’-as-a-service (PhaaS) kit that aims to compromise Microsoft 365 accounts by deceiving users through a legitimate authentication mechanism.

This ‘cybercrime as a service’ approach is already being used in advanced campaigns, alongside other techniques such as attacks executed with Artificial Intelligence (AI), as happened when a single cybercriminal hacked 9 government agencies.

ESET Spain’s research and awareness director, Josep Albors, states that “for years we have taught users to be wary of suspicious links or fake login pages, but attacks like EvilTokens show that criminals are adapting their tactics”.

The EvilTokens kit bases its ploy on an attack technique built around device codes, which allow attackers to gain access to corporate accounts.

Even accounts protected by multi-factor authentication are not safe from this type of attack, although MFA has served as an insurmountable barrier against many of the cyber attacks that organizations often suffer.

“In this case, the victim interacts with a legitimate Microsoft page and completes a real authentication process, which makes fraud much more difficult to detect,” says Albors, illustrating the danger of a technique that looks like legitimate access when the access is actually being authorized to a cybercriminal.

This new ploy, as ESET explains, begins when attackers generate a valid device code and embed it in the components and everyday actions of any employee, such as an email, an invoice or even a request for access to corporate platforms.

The hook that breaks down whatever resistance an employee might have to a ‘phishing’ attack is that they are directed to a legitimate Microsoft page, where they enter the code and complete the authentication process.

Here, Albors warns that “this type of access can later be used for information theft, data exfiltration or launching corporate email compromise (BEC) attacks, especially against finance, human resources, logistics or sales departments.”

EvilTokens is able to deceive the potential victim in this way because it uses the OAuth 2.0 device authorization flow, which is designed for the convenience of logging in on devices such as Smart TVs or connected printers.

With this type of ‘phishing’ attack, organizations face two serious problems. The first is that many of the indicators by which a victim could recognise that they are facing an attack of this nature are eliminated.

The second concerns the recommendations: the user will have to take more drastic and proactive measures to avoid falling for these new tricks, which are more complex.

These range, according to ESET, from being wary of any unexpected request to enter an authentication code, to verifying which application is requesting permissions before approving access, and not assuming that a request is safe just because it occurs on a legitimate page.

Other recommendations are to inform IT of any code requests, stay alert for unusual sign-in notifications and, for those managing a company’s security, limit the use of device code flows when they are not strictly necessary.
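As an added example (not from ESET or from the article), the detection counterpart of the “limit device code flows” recommendation: a triage of sign-in records that flags device code flow authentications by users who are not expected to use it, especially from outside corporate address ranges. The records are constructed, and the field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`) are assumed to follow the Microsoft Entra sign-in log schema.

```python
import json
from typing import Dict, List

# Constructed sample sign-in records, shaped like Microsoft Entra sign-in log
# events (field names assumed from the Graph signIn schema; values invented).
SAMPLE_LOG = """
{"userPrincipalName": "a.lopez@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "createdDateTime": "2025-01-10T08:01:00Z"}
{"userPrincipalName": "b.ruiz@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "createdDateTime": "2025-01-10T08:05:00Z"}
{"userPrincipalName": "printer-svc@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20", "appDisplayName": "Printer Connector", "createdDateTime": "2025-01-10T08:07:00Z"}
{"userPrincipalName": "c.marin@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.31", "appDisplayName": "Microsoft Office", "createdDateTime": "2025-01-10T08:09:00Z"}
"""

# Identities expected to use the device code flow (shared devices, printers):
# an assumption for this example, to be replaced by the organisation's own list.
APPROVED_DEVICE_CODE_USERS = {"printer-svc@example.com"}
# Corporate egress prefixes (constructed, from a documentation range).
CORP_IP_PREFIXES = ("203.0.113.",)


def parse_signins(text: str) -> List[Dict]:
    """Parse newline-delimited JSON sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event: Dict) -> str:
    """Severity for one event: 'none' unless it used the device code flow."""
    if event.get("authenticationProtocol") != "deviceCode":
        return "none"
    approved = event.get("userPrincipalName") in APPROVED_DEVICE_CODE_USERS
    corp_ip = event.get("ipAddress", "").startswith(CORP_IP_PREFIXES)
    if approved and corp_ip:
        return "expected"   # known device-code identity from a corporate address
    if not approved and not corp_ip:
        return "high"       # unexpected user and external address: look at this first
    return "review"         # exactly one of the two signals is off


def triage(events: List[Dict]) -> List[Dict]:
    """Return the device-code sign-ins that need attention, highest severity first."""
    order = {"high": 0, "review": 1}
    findings = []
    for ev in events:
        sev = classify(ev)
        if sev in order:
            findings.append({"severity": sev, "user": ev["userPrincipalName"],
                             "ip": ev["ipAddress"], "app": ev.get("appDisplayName"),
                             "time": ev.get("createdDateTime")})
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage(parse_signins(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['time']} {f['user']} from {f['ip']} via {f['app']}")
```

Flagged entries are the ones to confirm with the user before the token is used for mailbox access, and the approved list is what a device-code-flow restriction policy would eventually narrow to.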

By Editor
